TechSpot

Generic2.JHS

By cam975
Nov 26, 2006
  1. Hi there. Similar to another thread I found, I am getting this Generic2.JHS Trojan Horse. It regenerates itself in the System32 folder.
    I've been through the checklists as suggested in this forum, and the problem is still happening.
    Any help is greatly appreciated as I'm getting close to throwing the computer out of the window.

    HijackThis file attached.

    Thanks.

    Cameron.
     
  2. howard_hopkinso


    Hello and welcome to Techspot.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off System Restore (XP/ME only). See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there).

    Dap

    Close control panel.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to them (if there).

    O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll

    O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

    O20 - Winlogon Notify: rpccd - C:\WINDOWS\System32\rpccd.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\DAP < Delete the entire DAP folder.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\System32\rpcc.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Now, go HERE and follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs into this thread, only after doing the above.


    Regards Howard :wave: :wave:

    This thread is for the use of cam975 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
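The O2 and O20 lines Howard asks HJT to fix are persistence entries, not just stray files: an O20 "Winlogon Notify" entry is a DLL that winlogon.exe loads at every logon, which is why such a file usually cannot be deleted from a running session and needs a delete-on-reboot tool, and an O2 BHO is a DLL loaded into every Internet Explorer process. The following Python is an added example for this page, not code from the post or from HijackThis: it parses lines in HJT's format and gives each a triage verdict. The sample lines are the three quoted above plus one standard XP notify entry (crypt32chain) added for contrast, and the allowlist of stock notify packages is an assumption maintained in the example itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the O2/O20 lines quoted in the post above, plus one
# standard Windows XP notify entry (crypt32chain) added here for contrast.
SAMPLE_HJT_LINES = r"""
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINDOWS\System32\rpccd.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Notify packages that ship with Windows XP (assumption: an allowlist kept
# in this example; tune it to the build you are actually looking at).
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# "O<n> - <kind>: <name> - <rest>[ (file missing)]"
HJT_LINE = re.compile(
    r"^O(?P<num>\d+) - (?P<kind>[^:]+): (?P<name>.+?) - (?P<rest>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
CLSID = re.compile(r"^\{[0-9A-Fa-f-]{36}\} - ")


@dataclass
class HjtEntry:
    section: str          # "O2", "O20", ...
    kind: str             # "BHO", "Winlogon Notify", ...
    name: str             # registry subkey / value name
    path: str             # DLL path as HJT printed it
    clsid: Optional[str]  # BHO CLSID, if the line carried one
    file_missing: bool    # HJT could not find the DLL on disk


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        rest, clsid = m["rest"], None
        if CLSID.match(rest):            # BHO lines: "{CLSID} - path"
            clsid, rest = rest[:38], rest[41:]
        entries.append(HjtEntry("O" + m["num"], m["kind"], m["name"], rest,
                                clsid, m["missing"] is not None))
    return entries


VERDICT_DANGLING = "dangling Winlogon Notify entry (DLL missing): remove the registry key"
VERDICT_UNKNOWN = ("non-standard Winlogon Notify DLL: loaded by winlogon.exe at "
                   "every logon, inspect and remove")
VERDICT_KNOWN = "standard Windows notify package"
VERDICT_BHO = "browser helper object: loaded into every Internet Explorer process"
VERDICT_OTHER = "not classified by this example"


def verdict(e: HjtEntry) -> str:
    if e.section == "O20":
        if e.file_missing:
            return VERDICT_DANGLING
        if e.name.lower() in KNOWN_NOTIFY_PACKAGES:
            return VERDICT_KNOWN
        return VERDICT_UNKNOWN
    if e.section == "O2":
        return VERDICT_BHO
    return VERDICT_OTHER


def triage(text: str):
    """(name, path, verdict) for every recognised line."""
    return [(e.name, e.path, verdict(e)) for e in parse_hjt(text)]


if __name__ == "__main__":
    for name, path, v in triage(SAMPLE_HJT_LINES):
        print(f"{name:14} {path:40} {v}")
```

The "(file missing)" case matters: the registry key still points at a DLL that is gone, so winlogon.exe simply fails to load it, and the fix is the key, not a file. The allowlist is deliberately small; a name that is not on it is something to look at, not automatically malware.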
     
  3. cam975


    Hi Howard,

    Thanks for your response.

    I did everything in your post, and was all going fine, but when I tried to delete the dll file using KillBox, it came up with a message saying file could not be deleted. Something perhaps not quite right?

    Anyway, I will attach a new HJT log to this post.

    Thanks again for your help !

    Kind regards,

    Cameron.
     
  4. howard_hopkinso


    I don't wish to appear rude, but which bit of "post an AVG Antispyware log" did you not understand?

    Download Vundofix from HERE.

    Double-click VundoFix.exe to run it.

    Rightclick in the main window and click add more files.

    Enter the filepath you wish to remove into the top line and click the add files button, followed by the close window button.

    Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\WINDOWS\System32\rpcc.dll

    Once you've done that, post fresh HJT and AVG Antispyware logs.

    Regards Howard :)

     
  5. cam975


    Thanks again Howard,

    I've done all you suggested in your previous post. Attached HJT log and also AVG AntiSpyware log.

    I will be away from computer for a while, but I look forward to seeing if you find anything when I next log on.

    Thank you once again for your time; it is most appreciated.

    Kind regards,

    Cameron.
     
  6. howard_hopkinso


    Well done, your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  7. cam975


    Once again, thanks so much for your help. All seems fine now. Fingers crossed it stays this way.

    Kind regards,

    Cameron.
     
  8. cam975


    A new issue

    Hello again. As requested, I will use my previous thread to post.

    It has been a while, but I have encountered some more problems. AVG has been detecting a couple of things: dropper.agent.9 and downloader.agent.js

    I have been through all the comprehensive pre-requisites and will attach the logs to this post. The scans on all the recommended programs didn't seem to find anything at all. (nothing on the panda antiroot scan)

    Anyway, any help is much appreciated.

    Kind regards,

    Cameron.
     
  9. howard_hopkinso


    All your log files appear to be clean.

    Can you give me details of where exactly AVG is detecting the supposed malware?

    I need the full file paths to whatever AVG says is infected.

    Regards Howard :)

     
  10. cam975


    Hi Howard,

    AVG is not currently detecting anything. The files it was detecting were in Temporary Internet Files in the Documents & Settings area. Sorry to be non-specific. I should have made a note of the path.

    But all seems ok at present, perhaps it was picked up somewhere along the way with the pre-requisites?

    If it does re-occur, I will post the details.

    Thanks for your time.
     
  11. cam975


    Generic9.aadh

    AVG this morning detected Trojan Horse Generic9.AADH.

    A file called BASSMOD.dll was in the Windows/System32 folder.

    AVG said that it has healed the file, and didn't detect anything again after another scan. Should I forget about it, or take further action?

    Also, how do these things find their way in through ZoneLab, AVG anti-spyware etc.?
     
  12. evilfantasy


    Do you visit/use warez sites?

    That is what the BASSMOD.dll is associated with.
     
  13. evilfantasy


    Edit:


    Updating your AVG will take care of this.

    It is a false positive, which was addressed by AVG in an update on or around May 27 '07.

    You can restore the quarantined file as follows.
    Source: http://www.un4seen.com/forum/?topic=7151.msg48610#msg48610
     
  14. cam975


    Thanks for the reply.

    Is it a necessary file? Just wondering why I need to restore it.

    Kind regards.
     
  15. evilfantasy


    If you don't need it, then it can be deleted. It goes with a program called BASS Audio Library.

    http://www.un4seen.com/
     
  16. cam975


    I see. A little strange, I don't have that program. I deleted the file and will keep an eye on the scans in the next few days.

    Anyway, thanks again for the replies.

    Cameron.
     
  17. cam975


    Following on from the posts from the other day, AVG again this morning detected Trojan Horse Generic9.AADH and found a file this time in the System Restore folder called A0002323.dll

    AVG said it had deleted the file.

    Is it possible there is something going on that I need to take further action against?
     
  18. evilfantasy


    Toggle System Restore to clear infected restore points

    1. Turn off System Restore
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Restart your computer

    3. Turn ON System Restore
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.
     
  19. cam975


    Ok, did that. Thanks. Will continue to monitor.
     
  20. cam975


    Trojan Horse Issues

    It's been a while, but these pesky Trojan Horses have again caused me some grief. I have three that have been annoying me:

    Clicker.NYM
    Downloader.Generic7.VBM
    Generic10.AOWW

    I have been through all the preliminary steps. See attached log files. Any help is greatly appreciated.

    PS: Panda Rootkit came back negative.

    PPS: I have the Combofix log, but I am unable to attach it as it is over the 100kb limit. Please advise.
     
  21. Blind Dragon


    Paste the CF log

    If it has too many characters you may email it to me as a txt file - please don't zip it
     
  22. cam975


    Email sent to your hotmail address with attachment as a txt file. File is about 500kb.
     
  23. cam975


    I re-did Combofix and this time log was not so large.

    Log attached.

    (AVG scan today picked up Downloader Generic7.XCL)
     
  24. Blind Dragon


    Ok,

    First
    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install go to Start-> Control Panel-> add/remove programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder

    --------------------------------------------------------------------

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\jfidoj.exe
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.

    Do the same for
    C:\WINDOWS\system32\1Nj77QK2.exe
     
  25. cam975


    Results for 1Nj77QK2.exe

    File 1Nj77QK2.exe received on 07.06.2008 11:52:54 (CET)
    Result: 16/33 (48.49%)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.7.4.1 2008.07.05 -
    AntiVir 7.8.0.64 2008.07.05 TR/Crypt.ULPM.Gen
    Authentium 5.1.0.4 2008.07.06 -
    Avast 4.8.1195.0 2008.07.05 -
    AVG 7.5.0.516 2008.07.06 -
    BitDefender 7.2 2008.07.06 Trojan.Downloader.Firu.G
    CAT-QuickHeal 9.50 2008.07.04 Win32.Packed.NSAnti.r
    ClamAV 0.93.1 2008.07.06 -
    DrWeb 4.44.0.09170 2008.07.06 Trojan.Packed.418
    eSafe 7.0.17.0 2008.07.03 Suspicious File
    eTrust-Vet 31.6.5929 2008.07.05 -
    Ewido 4.0 2008.07.06 -
    F-Prot 4.4.4.56 2008.07.06 -
    F-Secure 7.60.13501.0 2008.07.03 -
    Fortinet 3.14.0.0 2008.07.06 -
    GData 2.0.7306.1023 2008.07.06 -
    Ikarus T3.1.1.26.0 2008.07.06 Trojan-Downloader.Firu.C
    Kaspersky 7.0.0.125 2008.07.06 -
    McAfee 5332 2008.07.04 New Malware.bl
    Microsoft 1.3704 2008.07.06 Trojan:Win32/Bohmini.A
    NOD32v2 3244 2008.07.05 a variant of Win32/TrojanDownloader.Firu
    Norman 5.80.02 2008.07.04 -
    Panda 9.0.0.4 2008.07.05 Suspicious file
    Prevx1 V2 2008.07.06 -
    Rising 20.51.60.00 2008.07.06 -
    Sophos 4.31.0 2008.07.06 Mal/HckPk-A
    Sunbelt 3.1.1509.1 2008.07.04 Trojan-Downloader.Win32.Firu.eh
    Symantec 10 2008.07.06 SecurityRisk.Downldr
    TheHacker 6.2.96.373 2008.07.05 -
    TrendMicro 8.700.0.1004 2008.07.05 PAK_Generic.001
    VBA32 3.12.6.8 2008.07.05 Trojan-Downloader.Win32.Firu.el
    VirusBuster 4.5.11.0 2008.07.05 -
    Webwasher-Gateway 6.6.2 2008.07.05 Trojan.Crypt.ULPM.Gen
    Additional information
    File size: 29760 bytes
    MD5...: 3fe18ca8220904d4ab36488872fe9b91
    SHA1..: 785b6980b52d468eb095644506a378223b0eeb51
    SHA256: 9f51c6505f7a34635e3ead6ffb41ac10396c0e1c46d18525c39fb86cdd2dec08
    SHA512: 5a7310b39404843e1e177826f3150d836660a2be042e6b3f72f02eea380bd423fd71fac1e4f392d8209b87d045f06528b3522b2e6bc4ecd24fa0fb950c87fa25
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x40cb70
    timedatestamp.....: 0x485437ea (Sat Jun 14 21:28:10 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x5000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x6000 0x7000 0x6e00 7.97 8fcbdbf16121428ad8de6975fef137fd
    .rsrc 0xd000 0x1000 0x200 2.64 f82f8511f32941e05ec75163800bcd2e

    ( 2 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    > ADVAPI32.dll: SetSecurityDescriptorDacl

    ( 0 exports )
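Two things in the report above carry more information than the bare 16/33 ratio. First, five independent engines (BitDefender, Ikarus, NOD32, Sunbelt, VBA32) agree on the family name "Firu", a downloader, while the rest return packer or generic labels; and AVG, the scanner installed on the machine, is one of the engines returning "-". Second, the PE section table is the classic UPX layout: UPX0 has zero raw bytes but 0x5000 bytes of virtual space reserved (its MD5 is that of empty input), UPX1 has entropy 7.97 out of 8, and the import table is only LoadLibraryA/GetProcAddress plus VirtualProtect/VirtualAlloc, i.e. the unpacking stub resolves the real imports at run time. The following Python is an added example for this page, not part of the post or of VirusTotal: it parses an excerpt of the table and the section list embedded as constructed samples, computes the ratio, takes a family vote across engines, and flags the packer indicators. The stoplist of generic tokens is an assumption of the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Excerpt of the VirusTotal table posted above (15 of the 33 engines),
# embedded here as a constructed sample so the example runs offline.
VT_EXCERPT = """\
AhnLab-V3 2008.7.4.1 2008.07.05 -
AntiVir 7.8.0.64 2008.07.05 TR/Crypt.ULPM.Gen
AVG 7.5.0.516 2008.07.06 -
BitDefender 7.2 2008.07.06 Trojan.Downloader.Firu.G
CAT-QuickHeal 9.50 2008.07.04 Win32.Packed.NSAnti.r
DrWeb 4.44.0.09170 2008.07.06 Trojan.Packed.418
eSafe 7.0.17.0 2008.07.03 Suspicious File
Ikarus T3.1.1.26.0 2008.07.06 Trojan-Downloader.Firu.C
Kaspersky 7.0.0.125 2008.07.06 -
McAfee 5332 2008.07.04 New Malware.bl
Microsoft 1.3704 2008.07.06 Trojan:Win32/Bohmini.A
NOD32v2 3244 2008.07.05 a variant of Win32/TrojanDownloader.Firu
Sunbelt 3.1.1509.1 2008.07.04 Trojan-Downloader.Win32.Firu.eh
Symantec 10 2008.07.06 SecurityRisk.Downldr
VBA32 3.12.6.8 2008.07.05 Trojan-Downloader.Win32.Firu.el
"""

# Section table from the same report: name, vaddr, vsize, rawsize, entropy, md5.
PE_SECTIONS = """\
UPX0 0x1000 0x5000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6000 0x7000 0x6e00 7.97 8fcbdbf16121428ad8de6975fef137fd
.rsrc 0xd000 0x1000 0x200 2.64 f82f8511f32941e05ec75163800bcd2e
"""

# Tokens naming a class or a packer rather than a family; they get no vote
# (assumption: this stoplist is the example's own).
GENERIC_TOKENS = {
    "trojan", "downloader", "trojandownloader", "win32", "variant",
    "suspicious", "file", "new", "malware", "generic", "packed", "crypt",
    "mal", "gen", "securityrisk", "downldr", "pak",
}


def parse_vt(text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """One (engine, version, signature date, result) per line; '-' becomes None."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)      # result may contain spaces
        if len(parts) != 4:
            continue
        engine, version, updated, result = parts
        rows.append((engine, version, updated, None if result == "-" else result))
    return rows


def detection_ratio(rows) -> Tuple[int, int]:
    return sum(1 for r in rows if r[3]), len(rows)


def family_votes(rows) -> Counter:
    """Count family-looking tokens, at most once per engine: agreement
    between independent vendors is a stronger signal than any one name."""
    votes: Counter = Counter()
    for _, _, _, result in rows:
        if not result:
            continue
        seen = set()
        for tok in re.findall(r"[A-Za-z0-9]+", result):
            if len(tok) < 3 or tok.isdigit() or tok.lower() in GENERIC_TOKENS:
                continue
            seen.add(tok)
        votes.update(seen)
    return votes


def parse_sections(text: str) -> List[Dict]:
    secs = []
    for line in text.splitlines():
        name, _vaddr, vsize, rsize, entropy, md5 = line.split()
        secs.append({"name": name, "vsize": int(vsize, 16),
                     "rsize": int(rsize, 16), "entropy": float(entropy), "md5": md5})
    return secs


def packer_indicators(secs) -> List[str]:
    """A section with no bytes on disk but a large virtual reservation is an
    unpack target; entropy close to 8 bits/byte means compressed/encrypted code."""
    hits = []
    for s in secs:
        if s["rsize"] == 0 and s["vsize"] > 0:
            hits.append(f'{s["name"]}: 0 raw bytes, {s["vsize"]:#x} virtual (unpack target)')
        if s["entropy"] >= 7.0:
            hits.append(f'{s["name"]}: entropy {s["entropy"]:.2f} (compressed/encrypted)')
    return hits


if __name__ == "__main__":
    rows = parse_vt(VT_EXCERPT)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines flag the file")
    print("family votes:", family_votes(rows).most_common(3))
    for ind in packer_indicators(parse_sections(PE_SECTIONS)):
        print("packer:", ind)
```

The entropy and raw-size checks are what you would apply to any sample before trusting string or import analysis on it: a packed binary has to be unpacked (or dumped from memory) first, which is also why a single scanner's silence, as with AVG here, is weak evidence.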
     
Topic Status:
Not open for further replies.
