Generic2.JHS

Status
Not open for further replies.

cam975

Hi there. Similar to another thread I found, I am getting this Generic2.JHS Trojan Horse. It regenerates itself in the System32 folder.
I've been through the checklists as suggested in this forum, and the problem is still happening.
Any help is greatly appreciated as I'm getting close to throwing the computer out of the window.

HijackThis file attached.

Thanks.

Cameron.
 
Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add/remove programmes in your control panel and uninstall anything to do with the following (if there).

Dap

Close control panel.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each one (if there).

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll

O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

O20 - Winlogon Notify: rpccd - C:\WINDOWS\System32\rpccd.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\DAP (delete the entire DAP folder)

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\System32\rpcc.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Now, go HERE and follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs into this thread, only after doing the above.


Regards Howard :wave: :wave:

This thread is for the use of cam975 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
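A defender-side check for the O20 entries listed above, added here as an example; it is not part of the thread and not HijackThis code. It reads the same Winlogon Notify registry key in PowerShell and flags any registered DLL that is missing from disk (as HJT reports for rpccd.dll) or that carries no valid Authenticode signature, which is a cheap way to spot a DLL that keeps reappearing in System32. Assumes PowerShell 2.0 or later in an administrative session on a Windows version that still uses this key (XP/2003 era).

```powershell
# Added example, not from the thread. Enumerates the Winlogon Notify key that
# HijackThis reports as "O20 - Winlogon Notify" and reports suspicious entries.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyReport {
    param([string]$Key = $notifyKey)

    Get-ChildItem -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = $_.PSChildName
        $dll   = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
        if (-not $dll) { $dll = '' }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)

        # A bare name (e.g. "rpcc.dll") is loaded from System32, as Winlogon does.
        $path = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot "System32\$dll"
        } else { $dll }

        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $signed = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
        }

        $verdict = if (-not $exists)  { 'FILE MISSING - stale entry, remove' }
                   elseif (-not $signed) { 'UNSIGNED - review / submit for scanning' }
                   else                  { 'signed' }

        [pscustomobject]@{
            Entry   = $entry
            DllName = $dll
            Path    = $path
            Exists  = $exists
            Signed  = $signed
            Verdict = $verdict
        }
    }
}

Get-WinlogonNotifyReport | Format-Table -AutoSize
```

Entries marked UNSIGNED are not automatically malicious, but any unsigned DLL under this key that you cannot account for is worth submitting to a multi-engine scanner before removing it, as the thread later does with VirusTotal.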
 
Hi Howard,

Thanks for your response.

I did everything in your post, and was all going fine, but when I tried to delete the dll file using KillBox, it came up with a message saying file could not be deleted. Something perhaps not quite right?

Anyway, I will attach a new HJT log to this post.

Thanks again for your help !

Kind regards,

Cameron.
 
I don't wish to appear rude, but which bit of "post an AVG Antispyware log" did you not understand?

Download Vundofix from HERE.

Double-click VundoFix.exe to run it.

Rightclick in the main window and click add more files.

Enter the filepath you wish to remove into the top line and click the add files button, followed by the close window button.

Click the remove vundo button, and let vundofix do its stuff.

This is the filepath you need to enter into Vundofix.

C:\WINDOWS\System32\rpcc.dll

Once you've done that, post fresh HJT and AVG Antispyware logs.

Regards Howard :)

 
Thanks again Howard,

I've done all you suggested in your previous post. Attached HJT log and also AVG AntiSpyware log.

I will be away from computer for a while, but I look forward to seeing if you find anything when I next log on.

Thank you once again for your time; it is most appreciated.

Kind regards,

Cameron.
 
Well done, your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Once again, thanks so much for your help. All seems fine now. Fingers crossed it stays this way.

Kind regards,

Cameron.
 
A new issue

Hello again. As requested, I will use my previous thread to post.

It has been a while, but I have encountered some more problems. AVG has been detecting a couple of things: dropper.agent.9 and downloader.agent.js.

I have been through all the comprehensive pre-requisites and will attach the logs to this post. The scans on all the recommended programs didn't seem to find anything at all. (nothing on the panda antiroot scan)

Anyway, any help is much appreciated.

Kind regards,

Cameron.
 
All your log files appear to be clean.

Can you give me details of where exactly AVG is detecting the supposed malware?

I need the full file paths to whatever AVG says is infected.

Regards Howard :)

 
Hi Howard,

AVG is not currently detecting anything. The files it was detecting were in Temporary Internet Files in the Documents & Settings area. Sorry to be non-specific; I should have made a note of the path.

But all seems ok at present, perhaps it was picked up somewhere along the way with the pre-requisites?

If it does re-occur, I will post the details.

Thanks for your time.
 
Generic9.aadh

AVG this morning detected Trojan Horse Generic9.AADH.

A file called BASSMOD.dll was in the Windows/System32 folder.

AVG said that it has healed the file, and didn't detect anything again after another scan. Should I forget about it, or take further action?

Also, how do these things find their way in through ZoneLab, AVG anti-spyware etc.?
 
Edit:

Updating your AVG will take care of this.

It is a false positive, which was addressed by AVG in an update on or around May 27 '07.

You can restore the quarantined file as follows.
If you need to restore deleted files from AVG Virus Vault you can do it this way: open AVG Virus Vault (Start -> Programs -> AVG Antivirus -> AVG Virus Vault). Locate the file that was removed, right click on it and choose "Restore File(s)" option.

Source: http://www.un4seen.com/forum/?topic=7151.msg48610#msg48610
 
Thanks for the reply.

Is it a necessary file? Just wondering why I need to restore it.

Kind regards.
 
I see. A little strange, I don't have that program. I deleted the file and will keep an eye on the scans in the next few days.

Anyway, thanks again for the replies.

Cameron.
 
Following on from the posts from the other day, AVG again this morning detected Trojan Horse Generic9.AADH and found a file this time in the System Restore folder called A0002323.dll

AVG said it had deleted the file.

Is it possible there is something going on that I need to take further action against?
 
Toggle System Restore to clear infected restore points

1. Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer

3. Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
 
Trojan Horse Issues

It's been a while, but these pesky Trojan Horses have again caused me some grief. I have three that have been annoying me:

Clicker.NYM
Downloader.Generic7.VBM
Generic10.AOWW

I have been through all the preliminary steps. See attached log files. Any help is greatly appreciated.

PS: Panda Rootkit came back negative.

PPS: I have the Combofix log, but I am unable to attach it as it is over the 100kb limit. Please advise.
 
Blind Dragon said:
Paste the CF log

If it has too many characters you may email it to me as a txt file - please don't zip it

Email sent to your hotmail address with attachment as a txt file. File is about 500kb.
 
I re-did Combofix and this time log was not so large.

Log attached.

(AVG scan today picked up Downloader Generic7.XCL)
 
Ok,

First
Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 6
  • The 5th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder

--------------------------------------------------------------------

Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file C:\jfidoj.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.

Do the same for
C:\WINDOWS\system32\1Nj77QK2.exe
 
Results for 1Nj77QK2.exe

File 1Nj77QK2.exe received on 07.06.2008 11:52:54 (CET)
Result: 16/33 (48.49%)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.4.1 2008.07.05 -
AntiVir 7.8.0.64 2008.07.05 TR/Crypt.ULPM.Gen
Authentium 5.1.0.4 2008.07.06 -
Avast 4.8.1195.0 2008.07.05 -
AVG 7.5.0.516 2008.07.06 -
BitDefender 7.2 2008.07.06 Trojan.Downloader.Firu.G
CAT-QuickHeal 9.50 2008.07.04 Win32.Packed.NSAnti.r
ClamAV 0.93.1 2008.07.06 -
DrWeb 4.44.0.09170 2008.07.06 Trojan.Packed.418
eSafe 7.0.17.0 2008.07.03 Suspicious File
eTrust-Vet 31.6.5929 2008.07.05 -
Ewido 4.0 2008.07.06 -
F-Prot 4.4.4.56 2008.07.06 -
F-Secure 7.60.13501.0 2008.07.03 -
Fortinet 3.14.0.0 2008.07.06 -
GData 2.0.7306.1023 2008.07.06 -
Ikarus T3.1.1.26.0 2008.07.06 Trojan-Downloader.Firu.C
Kaspersky 7.0.0.125 2008.07.06 -
McAfee 5332 2008.07.04 New Malware.bl
Microsoft 1.3704 2008.07.06 Trojan:Win32/Bohmini.A
NOD32v2 3244 2008.07.05 a variant of Win32/TrojanDownloader.Firu
Norman 5.80.02 2008.07.04 -
Panda 9.0.0.4 2008.07.05 Suspicious file
Prevx1 V2 2008.07.06 -
Rising 20.51.60.00 2008.07.06 -
Sophos 4.31.0 2008.07.06 Mal/HckPk-A
Sunbelt 3.1.1509.1 2008.07.04 Trojan-Downloader.Win32.Firu.eh
Symantec 10 2008.07.06 SecurityRisk.Downldr
TheHacker 6.2.96.373 2008.07.05 -
TrendMicro 8.700.0.1004 2008.07.05 PAK_Generic.001
VBA32 3.12.6.8 2008.07.05 Trojan-Downloader.Win32.Firu.el
VirusBuster 4.5.11.0 2008.07.05 -
Webwasher-Gateway 6.6.2 2008.07.05 Trojan.Crypt.ULPM.Gen
Additional information
File size: 29760 bytes
MD5...: 3fe18ca8220904d4ab36488872fe9b91
SHA1..: 785b6980b52d468eb095644506a378223b0eeb51
SHA256: 9f51c6505f7a34635e3ead6ffb41ac10396c0e1c46d18525c39fb86cdd2dec08
SHA512: 5a7310b39404843e1e177826f3150d836660a2be042e6b3f72f02eea380bd423fd71fac1e4f392d8209b87d045f06528b3522b2e6bc4ecd24fa0fb950c87fa25
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40cb70
timedatestamp.....: 0x485437ea (Sat Jun 14 21:28:10 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x5000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6000 0x7000 0x6e00 7.97 8fcbdbf16121428ad8de6975fef137fd
.rsrc 0xd000 0x1000 0x200 2.64 f82f8511f32941e05ec75163800bcd2e

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: SetSecurityDescriptorDacl

( 0 exports )
 