TechSpot

Sophos - Mal/Generic-A

By myhg
Jul 10, 2008
  1. I discovered a virus/malware called Mal/Generic-A on my computer a few days ago but have had no success in clearing it. My system has become very sluggish. Sophos kindly tells me of the presence of Generic-A at least 1,000 times an hour. I have searched for information, but there is very little and none of it seems to help.

    Sophos continually tells me the file is in the system32 folder and is called xxyvstRh.dll and every time it attempts to delete it fails due to an unknown error 0x80070020.

    The location details according to Sophos are: -

    C:\Windows\system32\xxyvstRh.dll
    HKCR\CLSID\{c6ea321d-ee5f-4ed5-b1ff-3a87f9d81abf}
    HKLM\SOFTWARE\Microsoft\CurrentVersion\Explorer|BrowserHelpObjects\{c6ea321d-ee5f-4ed5-b1ff-3a87f9d81abf}
    C:\Windows\Temp\SMI1.tmp
    C:\Windows\Temp\SMI6.tmp
    C:\Windows\system32\xxyvstRh.dll: pid:000003c0:file
    C:\Windows\system32\xxyvstRh.dll: pid:00000634:file
    HKLM\SOFTWARE\Microsoft\CurrentVersion\Explorer\ShellExecuteHooks\{c6ea321d-ee5f-4ed5-b1ff-3a87f9d81abf}

    I have installed AVG Anti-Spyware, I have updated it and it does not pick up Generic-A.

    I have installed HijackThis and asked it to remove the entries but as yet nothing seems to want to shift it.

    Is there someone that could offer some advice on removing this stubborn virus/spyware?

    Many thanks.

    HG
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Update your definitions for Sophos.

    Then reboot your computer into safe mode (by tapping F8 prior to it loading Windows) and select Safe Mode.

    Then run a full system scan in safe mode - it may make it past that point as the file won't be running or in use, hopefully.

    ---------------------------------------------------

    After that come back here and run a hijackthis scan for me and attach the log

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
     
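The advice above (update, boot to safe mode, rescan) works because Sophos cannot delete a DLL that is mapped into a running process. Below is an added, read-only triage script that is not part of this thread or of Sophos; it decodes the 0x80070020 error quoted in the first post, checks whether the reported DLL is present and which processes have it loaded, and looks at the three persistence points the scanner listed. The CLSID and file name are the ones quoted in the thread; the registry paths use the full key names (`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` and `...\Explorer\ShellExecuteHooks`), which the thread's listing appears to abbreviate. Run it from an elevated PowerShell prompt; it changes nothing.

```powershell
# Added example, not from the thread. Read-only triage of the indicators
# reported in post 1. Nothing is deleted or modified.
$Clsid   = '{c6ea321d-ee5f-4ed5-b1ff-3a87f9d81abf}'   # CLSID quoted in the thread
$DllName = 'xxyvstRh.dll'                             # file name quoted in the thread
$DllPath = Join-Path $env:SystemRoot "system32\$DllName"

# 1. Decode the error Sophos reported. 0x80070020 is an HRESULT that wraps
#    Win32 error 32 (ERROR_SHARING_VIOLATION): another process has the file
#    open, so the delete fails while Windows runs normally. In safe mode the
#    shell extensions that load the DLL are not started, so the lock is gone.
$hresult   = 0x80070020
$win32Code = $hresult -band 0xFFFF
$message   = (New-Object System.ComponentModel.Win32Exception($win32Code)).Message
"0x{0:X8} -> Win32 error {1}: {2}" -f $hresult, $win32Code, $message

# 2. Is the DLL on disk, and which processes have it loaded right now?
#    These PIDs correspond to the "pid:...:file" entries in the Sophos alert.
if (Test-Path -LiteralPath $DllPath) {
    Get-Item -LiteralPath $DllPath | Select-Object FullName, Length, CreationTime, LastWriteTime
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $DllName }) {
                [PSCustomObject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path }
            }
        } catch {
            # Access denied on protected/system processes: skip them.
        }
    }
} else {
    "$DllPath not found"
}

# 3. Persistence points from the alert. A BHO is registered as a subkey named
#    after its CLSID; a ShellExecuteHook is a *value* named after the CLSID;
#    the CLSID's InprocServer32 default value names the DLL that gets loaded.
$bhoKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
$hookKey  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"

"BHO registration present:   $(Test-Path -LiteralPath $bhoKey)"

$hookValues  = Get-ItemProperty -LiteralPath $hookKey -ErrorAction SilentlyContinue
$hookPresent = [bool]($hookValues -and ($hookValues.PSObject.Properties.Name -contains $Clsid))
"ShellExecuteHook present:   $hookPresent"

if (Test-Path -LiteralPath $clsidKey) {
    $server = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
    "CLSID InprocServer32 path:  $server"
} else {
    "CLSID InprocServer32 key not present"
}
```

If step 2 lists Explorer.EXE or other shell hosts, that is the sharing violation in action; after a safe-mode scan, rerunning the script should show the file gone and all three registry checks returning False, which is the confirmation the thread never got to.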
  3. myhg

    myhg TS Rookie Topic Starter

    HJT log file as follows...many thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:14:38, on 10/07/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Belkin\F5D7051\WLService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\PROGRA~1\MICROS~4\rapimgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That's not the whole file and is missing the most important part - if you can attach it that would be best - after you hit Post Reply -> click the paperclip icon -> navigate to the log and select upload
     
Topic Status:
Not open for further replies.
