Win32: Trojan-gen {Other}

Let me begin by saying I am not too proficient with computers, so please have patience with me. =)

About two days ago, I started noticing a lot of popups, so naturally, I ran avast virus scan and it presented several files, leading to Win32: Trojan-gen {Other}. Currently, they are sitting in the chest. Even with them contained in there, I still get pop-ups.

I rebooted my Gateway laptop and ran the virus scan again in Safe Mode. I fear deleting these infected files, as that might trigger something.

I was actually looking for a number for live support, but unfortunately, could only find International numbers, thus keeping me from calling and causing me to register here on the forums. Honestly, online is the last place I should be, I think. lol

Anywho, after aimless browsing through posts, I find one that claims this removal is an easy process. So I disable System Restore, and schedule a boot scan. (Post says the boot scan will fix the problem.) Computer resets, scan ensues, windows loads and pop-ups once again appear on my screen.

In my chest are 11 infected files.
7 of them have similar patterned names- AOO49189.dll, AOO49190.dll, AOO50461.dll, etc. and are all in the same folder: C:\System Volume Information_restore{593F298…

The remaining four have various names: efcYRjgD.dll, or QJEIAR.dll and are all in C:\Windows\System32

I’ll take any help you're willing to give me, and thank you in advance for your assistance.

(btw, during the time I wrote this, about 30 popups interrupted what I was typing. This is why I prefer live assistance. :wink: )

Hello, I will help with what I can until you can get some more advanced help.

First of all, leave the files in the chest alone; they are no harm there and can do nothing.
To deal with the popups, please download, install, update and run a complete system scan using SUPERantispyware, which can be downloaded from here:

http://www.superantispyware.com/

and quarantine/delete anything found by the scan after it has finished.

hey thanks, Justin!

I seem to be popup free now.
…I was actually kinda shocked at the high number of threats I had!
It worked surprisingly well. :slight_smile:

Have these been in my computer for a long time? lol. I’ve only been having problems for about 3 days now.

Now that the popups are out of the way, gotta get to work in these other lil’ buggers in the chest.
Thanks for your help!

Over and above the SAS link given, another one for you (both SAS and MBAM should be run from safe mode).

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

The named files from the system32 folder are likely to be randomly named, as is common in Vundo malware infections; both the above programs have reasonably good results on Vundo.

Once you have run both the programs and reported the findings:
Download HiJackThis (FileHippo Download; also useful as a diagnostic tool, see the HiJackThis Tutorial for HJT information) and post the contents of the HJT log file here.

Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic, you may need to split it over two or more posts depending on how large it is.

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

  1. Clean your temporary files. You can use CleanUp or CCleaner for that.

  2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
    If avast does not detect it, you can try DrWeb CureIT! instead.

  3. It will be good if you download, install, update and run SUPERantispyware, MBAM or SpywareTerminator.
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    About legit antispyware applications or the bad ones see here.

  4. If you are still detecting any strange behavior, or even if you’re not sure you’re clean, it may be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

  5. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, consider making a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.

  6. After you’re clean, disable System Restore on Windows ME, XP or Vista. System Restore is not available in Windows 9x and 2k. After disabling you can enable it again.

  7. Use the immunization of SpywareBlaster.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:33 PM, on 1/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A5034291-A0D8-49CF-8DDC-E3E6EE0EE1F7} - C:\WINDOWS\system32\efcYRjgD.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [trayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe
O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [80902ba5] rundll32.exe "C:\WINDOWS\system32\nfbndubh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [GetModule34] C:\Program Files\GetModule\GetModule34.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.shawinc.com/notes26aw/iNotes6W.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187906504750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: gcxsvb.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - E:\INSTAL~7.EXE (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe


End of file - 7868 bytes

Fix:
O2 - BHO: (no name) - {A5034291-A0D8-49CF-8DDC-E3E6EE0EE1F7} - C:\WINDOWS\system32\efcYRjgD.dll (file missing)
O4 - HKLM\..\Run: [80902ba5] rundll32.exe "C:\WINDOWS\system32\nfbndubh.dll",b
O4 - HKCU\..\Run: [GetModule34] C:\Program Files\GetModule\GetModule34.exe - The file called GetModule34.exe is considered dangerous and there may be other infections on your PC. Get rid of GetModule34.exe IMMEDIATELY.

Suspect:
O20 - AppInit_DLLs: gcxsvb.dll
This seems to be a Vundo variant as I mentioned in my earlier post.

HJT ACTIONS
Suspect: or Fix: entries - Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT (help improve avast detections) and Fix in HJT (see below)

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.

Note: Firewall - You don’t appear to have an active firewall. It should be capable of blocking unauthorised outbound Internet connections. What is your firewall?
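An added example (not code from this thread or from the HijackThis project) that applies the triage rules used in this post to lines in HijackThis log format: a nameless BHO whose file is already missing, a rundll32 Run entry under a hex-looking value name loading a random-named DLL, a constructed watchlist holding the name called out above (GetModule34.exe), and any populated AppInit_DLLs value. The sample input is constructed from entries in the log posted above, with benign entries from the same log as controls.

```python
import re

# Constructed sample input in HijackThis log format: entries copied from the log
# posted in this thread, plus benign entries from the same log as controls.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5034291-A0D8-49CF-8DDC-E3E6EE0EE1F7} - C:\WINDOWS\system32\efcYRjgD.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [80902ba5] rundll32.exe "C:\WINDOWS\system32\nfbndubh.dll",b
O4 - HKCU\..\Run: [GetModule34] C:\Program Files\GetModule\GetModule34.exe
O20 - AppInit_DLLs: gcxsvb.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Names the helper in this thread called out explicitly (constructed watchlist, not a real feed).
WATCHLIST = {"getmodule34.exe"}

HEX_RUN_VALUE = re.compile(r"^\[[0-9a-f]{8}\]")                # e.g. [80902ba5]
RUNDLL_TARGET = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.I)


def looks_random(filename):
    """Crude 'random name' test: a 6-10 letter stem with very few vowels (e.g. nfbndubh)."""
    stem = filename.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{6,10}", stem):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return vowels / len(stem) <= 0.2


def triage(line):
    """Return 'Fix', 'Suspect' or None for one HJT line, following this post's rules."""
    if line.startswith("O2 - BHO:"):
        # A nameless BHO whose DLL is already gone: a dead hook left behind by the infection.
        return "Fix" if "(no name)" in line and "(file missing)" in line else None
    if line.startswith("O4 - "):
        cmd = line.split(": ", 1)[1]
        hit = RUNDLL_TARGET.search(cmd)
        if hit:
            dll = hit.group(1).replace("/", "\\").rsplit("\\", 1)[-1]
            if HEX_RUN_VALUE.match(cmd) or looks_random(dll):
                return "Fix"  # rundll32 loading a random-named DLL from a hex-named Run value
        if any(name in cmd.lower() for name in WATCHLIST):
            return "Fix"
        return None
    if line.startswith("O20 - AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that links user32; rarely legitimate.
        return "Suspect" if line.split(":", 1)[1].strip() else None
    return None


def triage_log(text):
    """Return [(verdict, line)] for every line that needs attention, in log order."""
    findings = []
    for line in text.splitlines():
        verdict = triage(line)
        if verdict:
            findings.append((verdict, line))
    return findings
```

The vowel-ratio test is only applied to DLLs loaded through rundll32, so legitimate short names in ordinary Run entries are not flagged by it.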

Thank you, I was successfully able to fix/remove the selected 3 files.

As for the suspect: O20 - AppInit_DLLs: gcxsbc.dll
I cannot actually locate it as a file to upload to VT.

According to the SuperAntiSpyware, the address of it is C:\WINDOWS\SYSTEM32\GCXSVB.DLL

but when I look for it to manually retrieve it, I cannot find it.
I even did a Windows search for it, and the only place it finds it is in the HJT logs.
Should I go ahead and fix/remove it without uploading it?

As for the firewall, I have Windows Firewall running at all times. At the current moment, I am at work, at a hotel, with a broad open connection. lol. Dunno if that makes a difference.

Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

Before dealing with any of the files we want to a) upload to VT and b) get a sample to avast to help improve detections. If they are fixed/quarantined, etc. then that opportunity may be lost.

As I said:

So you should also do the same for the ones I said to fix, find the file names below
C:\WINDOWS\system32\efcYRjgD.dll
C:\WINDOWS\system32\nfbndubh.dll
C:\Program Files\GetModule\GetModule34.exe

When infected with something like this there is a high likelihood that it will download more of the same, connecting to the internet and your firewall won’t prevent that.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo (care required now it is a suite, not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

:slight_smile: Hi :

Your HijackThis log shows an extremely outdated version of Java, a serious security risk. I recommend you run the FREE “JavaRa” program available from http://raproducts.org .

It looks like you are still at SP2 while SP3 has been available for 6 months so you should go to Windows Update in IE Tools menu. SP3 has several security updates.

You should enable “Automatic Updates” in Control Panel or at least “Download updates for me, but let me choose when to install them.”

thank you, I have successfully installed SP3.

Perhaps I’m just a buffoon, but I still cannot find O20 - AppInit_DLLs: gcxsbc.dll

When searching for it, I made sure to include hidden files and systems files and such, but I simply cannot find it.

I told you, I’m bad at this. lol

Are you just searching for the file name, gcxsbc.dll (and not the full O20 - AppInit_DLLs: gcxsbc.dll)?

If so, did you do as suggested in un-hiding files, etc.?

Yes, I have it checked to search hidden, system and subfolders.

If I search the full O20 - AppInit_DLLs: gcxsbc.dll, it states that “O20 - AppInit_DLLs: is not a valid folder.”

That is why you should be searching for only the file name gcxsbc.dll as the other information in HJT has nothing to do with where the file might be.

Initially, gcxsbc.dll was the only thing I searched for.

…actually, just ‘gcxsbc’, but alas, to no avail. Searching for it in all files and folders, all hidden, system and sub folders, and I still can't locate it for some reason. ???

OK, whilst that entry might be there in HJT it is possible that the file has been cleaned up in one scan or other, but we had to check.

You should now Fix: that entry in HJT.

Run HJT again (close any other windows except HJT), tick the box to the left of the entry you wish to fix (O20 - AppInit_DLLs: gcxsbc.dll), click the Fix Selected Button.

So you should also do the same for the other ones I said to fix; you didn’t say if you did?
O2 - BHO: (no name) - {A5034291-A0D8-49CF-8DDC-E3E6EE0EE1F7} - C:\WINDOWS\system32\efcYRjgD.dll (file missing)
O4 - HKLM\..\Run: [80902ba5] rundll32.exe "C:\WINDOWS\system32\nfbndubh.dll",b
O4 - HKCU\..\Run: [GetModule34] C:\Program Files\GetModule\GetModule34.exe

I also said you should find these if they exist and also upload them to virustotal for scanning and send to avast if detected by multiple scanners. Did you do that?

C:\WINDOWS\system32\efcYRjgD.dll
C:\WINDOWS\system32\nfbndubh.dll
C:\Program Files\GetModule\GetModule34.exe