Infected msxchhcvo.dll, then file not found

Avast told me that this file was infected, so I clicked to move it to the chest, it then immediately said that the file could not be found. Now whenever I try to open any program (literally any program, including the date/time in the bottom-right corner), so I was wondering if anyone is familiar with this and/or knows about a way to fix it.

OS: WinXP
Avast version: 4.8 Home Edition

Hi, the sentence above

“Now whenever I try to open any program (literally any program, including the date/time in the bottom-right corner),”
appears to be incomplete.
What happens when you try to open any program?

I’d try a boot scan with Avast, Start Avast antivirus (it will take a few seconds for a memory scan then the GUI opens)> menu>schedule boot time scan, select all local disks, OK your way out, restart when prompted.
This can take considerable time, depending on how much data you have.

I’ll try it out. I’ll let you know.

So I did a complete system scan on startup, moving all files to the chest, and when Windows started up, I tried to run a program (Opera Web Browser) the avast “You have been infected!” screen popped up, with the same msxchhcvo.dll file in question. Just like before, it acted like the file wasn’t on the computer, then none of my other programs would launch. The screen reads as such:

opera.exe - Unable to Locate Component
This application has failed to start because msxchhcvo.dll was not found. Re-installing this application may fix this problem. (‘OK’ button)

When you click ‘OK’, the same screen pops up again, and when you click ‘OK’ a second time, the application fails to launch. It does this with every application I try to run. Also, I can’t try re-installing all of the programs on my PC, because the same screen pops up when the installer tries to open.

Anyone have any other ideas?


Please tell us what files are now in the Infected section of the Chest?


A “Google” of the file name gives 1 (one) hit: this thread.
This is either looking like needing a BART disk, or it’s a brand new false positive. What version of the Opera browser do you use?

Either way it’s probably a bit beyond my abilities; I’ll butt out and let more expert folk suggest the fix. Good luck.

CharleyO: These are the files currently in the chest:

A0205683.dll
A0205697.dll
A0205920.dll
A0205959.dll
A0205970.dll
A0209918.dll
A0210006.exe
A0210031.exe
A0210035.dll
asterouste_com[1].htm
MFEX-1.dat
MFEX-2.dat
MFEX-3.dat
MFEX-4.dat
msxchhcvo.dll
msxchhcvo.dll.vir
nah_vkwl.exe
tmp59DF.tmp
tmp764F.tmp
tmp920F.tmp
tmpC4C1.tmp
trz16.tmp
trz6.tmp
trz6C.tmp
trz7.tmp
unp28323606.tmp

Most of these files are Win32:Trojan-Gen, a few of them look like spyware. Both of the msxchhcvo files are listed as Win32:Trojan-Gen.


Hi Gustafae -

Sorry for the delay in a reply. From my research, it seems that you have a W32/Hupigon backdoor trojan infection and maybe something else. The file … A0210006.exe … is a component of Hupigon.

I suggest that you next download the free version of malwarebytes antimalware (MBAM) from the link below, install it, update it, and then run a full scan. This might take some time to complete. Let it fix anything it finds and then post the log here.

http://www.malwarebytes.org/mbam.php


Malwarebytes’ Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/5/2009 2:50:45 PM
mbam-log-2009-09-05 (14-50-45).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 260497
Time elapsed: 57 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


After a full scan of the system and removal of the infected file, the same msxchhcvo.dll prompt comes up when I try to launch an application. It even does this when an application automatically launches, either when triggered, or upon startup.

Can you update Malwarebytes and run a full scan again, since you are not scanning with the latest database?

I updated before I ran it, but when the update began to install, the same msxchhcvo.dll popped up and wouldn’t let me finish the update.

The latest Database version: 2746 as I just updated.

Please read:
http://www.malwarebytes.org/forums/index.php?showtopic=17607

Register at Malwarebytes forum and follow the directions:
I’m infected - What do I do now?, Please follow these instructions to clean your system
http://www.malwarebytes.org/forums/index.php?showtopic=9573

I updated to 2746, ran a scan, and still no malicious content was found.

You seem to be running out of options so if you have System Restore still active, then turn it off (right-click My Computer, select Properties, choose System Restore and check the box to turn off). Run boot-time scan with System Restore turned off and see what happens.

Attempt to access your applications with System Restore still turned off.
If things are back to normal, turn System Restore back on and see if things are still normal.

I say this because my only Google return for A0210006.exe shows the instance as turning up in a _restore folder.
Maybe a start point for repair. :)

WOW. OK. When I tried to do that (right click “My Computer”, click “properties”) the same thing popped up, with run32dll.exe as the subtext of the msxchhcvo.dll, and refuses to let me run it.

I ran a “thorough” scan of my local discs via Avast (took almost 12 hours for < 100GB) and a few more files popped up. Yet still, I’m left with the same problem.

Just out of interest, have you tried disabling System Restore? Or is it already disabled?

You can do that (right click “My Computer”, click “properties”) in Safe Mode and should be okay (access My Computer through Start Menu).

100GB is a fairly sizable volume to cover. You’ve got quite a workload to get through. If System Restore is still enabled then disable it immediately and run a boot-time scan once again and see how long it takes.

The scan took less time, but the problem still remains. I don’t know what else to try.

Well it won’t do any harm, run a scan for rootkits. Download Rootrepeal.

http://rootrepeal.googlepages.com/

http://forum.avast.com/index.php?topic=47639.msg402995#msg402995

then post the log here

OK, I scanned, and these were my results for Rootrepeal.

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/09/07 20:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Drivers

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5159000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C23000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0681000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Cookies\hp_owner@blatsnarf[3].txt
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\hp_owner\local settings\temp~df93e6.tmp
Status: Allocation size mismatch (API: 24576, Raw: 0)

Path: c:\documents and settings\hp_owner\local settings\temp~dfc65a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT

#: 025 Function Name: NtClose
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550aa52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a14c

#: 119 Function Name: NtOpenKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a08c

#: 128 Function Name: NtOpenThread
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xf550a8ae

==EOF==

So what other options do I have now?

EDIT: Whenever I do a virus scan, the msxchhcvo.dll file pops up (now located in C:\Program Files\Avast\Avast4) as being infected. So I try to Repair it, and it says it can’t because it is already being used by another process.