msacmx.dll is infected

G’day all,

When I open some of the desktop folders avast comes up with the following message:

C:\WINDOWS\System32\msacmx.dll is infected with the WIN32:Trojan-gen {other} virus.

I then move it to the chest.

I have updated and run the following applications:

CCleaner
CWShredder (Tells me there is nothing there)
Adaware (Found 4 critical & 1 registry entry which I removed)

I am using Zone Alarm, Avast AV with Auto Updates, Spyblaster 3.3.
Browser is the Mozilla Suite

I have run a boot scan and deleted the following file:
C:\WINDOWS\System32\msacmx.dll

After restarting I went to open a folder and the same message came up again. I have done a HijackThis scan and analysed it online, but I’m not sure what I should be doing with this. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:44 AM, on 5/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\dllhostxp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\marty\Desktop\Anti-virus Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Does anyone have suggestions?

Cheers for now.

Try to schedule a boot-time scan in avast’s menu (or try the ‘Schedule Boot-Time Scan’ option in RajZor’s AEC avast! External Control Tool).

For an on-line scan of your HijackThis log file try here: http://hijackthis.de/index.php
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the “file missing” entry for avast). If you need any help with any of the analysis, let us know.

Hi,
if you analyzed it, then the above file should be shown as unknown:
→ Google is your friend

http://www.google.de/search?hl=de&q=dllhostxp.exe&meta=

==>

  1. Install & Update SPYBOT (update Ad-Aware also); get the ESCAN-Tool

  2. Disable system RESTORE, reboot to SafeMode

  3. scan & clean with Spybot & Ad-Aware several times

  4. Scan all with ESCAN & report findings here
    (virusnames & locations/Path/folder/filenames)

  5. reboot normally and post a fresh Hijackthis-Log here

Info/Links for the above you can find in the “VirusRemoval”-link below in my sig.

:wink:

Ok here goes,

Adaware - nothing found
CW Shredder - nothing found
Ran CCleaner and deleted the stuff
Ran bootscan - nothing found

Here is an HJT log from today.

Logfile of HijackThis v1.99.1
Scan saved at 5:18:52 PM, on 25/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\marty\Desktop\Anti-virus Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O15 - Trusted Zone: http://*.63.219.181.7
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any advice will be great.
Thanks,

Marty

dllhostxp.exe was definitely a nasty:

http://www.bleepingcomputer.com/startups/dllhostxp.exe-1367.html

You didn’t mention if avast! found anything during a boot time scan: as you say the other programs found nothing, did avast! remove this file?

This log seems to be clean, but you need to update Windows to SP2, which is much more secure. You can do it at the update site with broadband, or order a free CD if you’re on dial-up, where a download might take six hours.
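The triage the replies describe by hand (look up any process the log shows as unknown, and set aside the avast O23 “file missing” quirk of HJT 1.99.1) can be scripted. The Python below is an added example written for this page; it is not a tool from any of the posters, from avast or from HijackThis. The sample lines are copied from the logs in this thread; the baseline of stock XP process names is my own assumption, and the rule that flags an O15 Trusted Zone entry for a bare IP address is a generic reviewer heuristic that marks the line for a manual look, not a verdict on this machine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines copied from the HijackThis logs
# posted in this thread (process list, O4, O15 and O23 entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dllhostxp.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O15 - Trusted Zone: http://*.63.219.181.7
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed baseline: processes a stock Windows XP install runs from the
# Windows directory. Anything else launched from there gets looked up.
KNOWN_WINDOWS_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# A host that is a dotted-quad IP, optionally with a leading "*." wildcard.
IP_HOST = re.compile(r"^(?:\*\.)?(?:\d{1,3}\.){3}\d{1,3}$")
# First Windows-style path ending in .exe inside an entry body.
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\"“”\r\n]*?\.exe", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "unknown", "review" or "info"
    line: str
    reason: str


def _in_windows_dir(path: str) -> bool:
    return "\\windows\\" in path.lower()


def _basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return entries a reviewer should look at."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
                continue
            if _in_windows_dir(line) and _basename(line) not in KNOWN_WINDOWS_PROCESSES:
                findings.append(Finding("unknown", line,
                    "runs from the Windows directory but is not a stock XP component; look the name up"))
            continue
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O15":
            host = re.sub(r"^https?://", "", body.split("Trusted Zone:", 1)[-1].strip())
            if IP_HOST.match(host):
                findings.append(Finding("review", line,
                    "Trusted Zone entry for a bare (possibly wildcarded) IP address; legitimate software rarely needs this"))
        elif kind == "O23" and "(file missing)" in body:
            if "avast4" in body.lower():
                findings.append(Finding("info", line,
                    "HJT 1.99.1 reports avast! service binaries as missing; known quirk noted in the thread"))
            else:
                findings.append(Finding("review", line, "service whose binary is missing from disk"))
        elif kind == "O4":
            path = EXE_PATH.search(body)
            if path and _in_windows_dir(path.group(0)) and _basename(path.group(0)) not in KNOWN_WINDOWS_PROCESSES:
                findings.append(Finding("review", line,
                    "autorun entry launching a non-stock binary from the Windows directory"))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.line}\n          {f.reason}")
```

The script deliberately emits three grades: “unknown” for something to look up, “review” for something a person should reason about, and “info” for entries already explained away. It does not declare anything malicious; the verdict still comes from the lookup, as it did in this thread.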

Dear Pongo81,

Read this concerning msacmx.dll. It is a certified Spyware BHO.
Link to go to for info is: http://castlecops.com/tk1630-msacmx_dll.html

Yours sincerely,

polonus

Dear Pongo81,

If it is a cool websearch BHO variant this is a little cleaning proggie you want, download it from: http://www.intermute.com/spysubtract/cwshredder_download.html

polonus

Thanks for the comments guys,

Boot scan didn’t detect anything.
I already have CWShredder, it didn’t detect this either.
When I started again today, as soon as I open a folder on the desktop, avast finds this #^*^!>" thing.
I am going to upgrade to SP2 soon (broadband is getting connected soon).
Any other suggestions??

Cheers

Could you submit the file to Jotti’s scanner:

http://virusscan.jotti.org/?

This will confirm if it is malware or just a false alarm.

Pongo81,

You said you have CWShredder. But you know the old program is discontinued and the latest updates are from the new maker InterMute. The link is http://www.intermute.com/products/cwshredder.html
Did you have the latest version? Sorry, this was just a question on my behalf. If you got rid of the malware, tell us about it. We want to know.

greets,

polonus

I have downloaded and run the latest version of CWShredder from the above website.
Silly question - once I have moved the infected file to the chest, how do I then find it to use the above online scanner?
I have used the search function, but it can’t find it & I have browsed to where it should be, but no.

I’m starting to run out of patience.

Cheers,

Right click the avast! icon, select Start avast! Antivirus and right click on the skin somewhere (or click on Menu) and select Virus Chest, that is how to find it.

Unfortunately you won’t be able to submit it to Jotti from the chest because it is a protected area. You would have to copy it to a temporary location (or restore it to the original location) first.

I'm starting to run out of patience.
By submitting it to Jotti, you will not only be helping yourself (by getting confirmation) but helping others. If it is a false positive, then alwil can hopefully resolve it to the benefit of others, perhaps even those who have helped you.

If it is a false positive, zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

When the avast! warning came up I moved the file this time. (It went to the data\moved folder.)
Went to Jotti and browsed to the moved file. (The avast! warning came up again, but I closed it this time.)
Put it in the box and submitted it; this is what I got:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

What’s next?

You will have to 1) temporarily disable the avast standard shield, and possibly the web shield, once you have established the connection to Jotti, and 2) you may have to move the file out of the avast moved folder, as it may be protected in the same way that you can’t do anything with a file in the chest, as I said above.

I have scanned with Jotti and it has confirmed it is infected with malware. I have downloaded a couple of programs suggested in other posts that I will try. I’ll keep you informed, but any suggestions will be welcomed.

Cheers

Thanks to all the suggestions, I finally got rid of this annoying little problem last night.
I scanned with TDS-3 as suggested in another post but it didn’t find anything. Then I tried TrojanHunter. It found (Foton.100) in the dllhost.exe file in windows\system32 and cleaned it.
So far so good.

Cheers

Hi Pongo81,

Thanks for the reply, for the record this is the qaz trojan, formerly known as notepad trojan, see: http://www.pchell.com/virus/qaz.shtml.

greets,

polonus