#1
Generic2.JHS
Hi there. Similar to another thread I found, I am getting this Generic2.JHS Trojan Horse. It regenerates itself in the System32 folder.
I've been through the checklists as suggested in this forum, and the problem is still happening. Any help is greatly appreciated as I'm getting close to throwing the computer out of the window. HijackThis file attached. Thanks. Cameron.
#2
Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with (if there):
Dap

Close control panel.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINDOWS\System32\rpccd.dll (file missing)

Click on the fix checked button. Close HJT.

Locate and delete the following bold files and/or directories (if there):
C:\Program Files\DAP < Delete the entire Dap folder.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox:
C:\WINDOWS\System32\rpcc.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Now, go HERE and follow all the instructions exactly. Post fresh HJT and AVG Antispyware logs into this thread, only after doing the above.

Regards Howard

This thread is for the use of cam975 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
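Added example, not from Howard's post or from HijackThis: a PowerShell check that lists the Winlogon Notify packages behind the "O20 - Winlogon Notify" lines above, so a defender can see which registered DLLs are missing or unsigned before deciding what to fix. It assumes a Windows XP/2003 machine with PowerShell 2.0 and the standard Winlogon\Notify registry key; the function name Get-WinlogonNotifyEntry is my own.

```powershell
# Added example (not from the thread). Winlogon loads every DLLName registered
# under this key at logon, which is the persistence mechanism HijackThis reports
# as "O20 - Winlogon Notify". Key path as documented for Windows XP/2003.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyEntry {
    Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
        if (-not $dll) { return }   # subkey without a DLLName: nothing is loaded

        # Values may use %SystemRoot%; bare names such as "rpcc.dll" resolve
        # relative to System32, which is why the O20 lines show that folder.
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                else { Join-Path $env:SystemRoot "System32\$dll" }

        $exists = Test-Path -LiteralPath $path
        # Embedded Authenticode check only; catalog-signed OS DLLs may show NotSigned.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status }
               else { 'FileMissing' }   # matches HJT's "(file missing)" case

        New-Object PSObject -Property @{
            Package   = $_.PSChildName
            DllPath   = $path
            Exists    = $exists
            Signature = $sig
        }
    }
}

# Missing or unsigned entries sort to the top for review.
Get-WinlogonNotifyEntry | Sort-Object Signature | Format-Table Package, DllPath, Exists, Signature -AutoSize
```

Legitimate XP notify DLLs are usually catalog-signed and so may report NotSigned here; treat the output as a shortlist to compare against the HJT log, not as a verdict.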
#3
Hi Howard,
Thanks for your response. I did everything in your post, and was all going fine, but when I tried to delete the dll file using KillBox, it came up with a message saying file could not be deleted. Something perhaps not quite right? Anyway, I will attach a new HJT log to this post. Thanks again for your help! Kind regards, Cameron.
#4
I don't wish to appear rude, but which bit of "post an AVG Antispyware log" did you not understand?

Download Vundofix from HERE. Double-click VundoFix.exe to run it. Right-click in the main window and click add more files. Enter the filepath you wish to remove into the top line and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

This is the filepath you need to enter into Vundofix:
C:\WINDOWS\System32\rpcc.dll

Once you've done that, post fresh HJT and AVG Antispyware logs.

Regards Howard

This thread is for the use of cam975 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
#5
Thanks again Howard,
I've done all you suggested in your previous post. Attached HJT log and also AVG AntiSpyware log. I will be away from the computer for a while, but I look forward to seeing if you find anything when I next log on. Thank you once again for your time; it is most appreciated. Kind regards, Cameron.
#6
Well done, your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of cam975 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
#7
Once again, thanks so much for your help. All seems fine now. Fingers crossed it stays this way.
Kind regards, Cameron.
#8
A new issue
Hello again. As requested, I will use my previous thread to post.
It has been a while, but I have encountered some more problems. AVG has been detecting a couple of things:
dropper.agent.9 and downloader.agent.js

I have been through all the comprehensive pre-requisites and will attach the logs to this post. The scans on all the recommended programs didn't seem to find anything at all (nothing on the Panda antiroot scan). Anyway, any help is much appreciated. Kind regards, Cameron.
#9
All your log files appear to be clean.

Can you give me details of where exactly AVG is detecting the supposed malware? I need the full file paths to whatever AVG says is infected.

Regards Howard

This thread is for the use of cam975 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
#10
Hi Howard,
AVG is not currently detecting anything. The files it was detecting were in Temporary Internet Files in the Documents & Settings area. Sorry to be non-specific; I should have made note of the path. But all seems ok at present, perhaps it was picked up somewhere along the way with the pre-requisites? If it does re-occur, I will post the details. Thanks for your time.
#11
Generic9.aadh
AVG this morning detected Trojan Horse Generic9.AADH.
A file called BASSMOD.dll was in the Windows/System32 folder. AVG said that it has healed the file, and didn't detect anything again after another scan. Should I forget about it, or take further action? Also, how do these things find their way in through ZoneLab, AVG anti-spyware etc.?
#12
Do you visit/use warez sites?
That is what the BASSMOD.dll is associated with.
#13
Edit:
Updating your AVG will take care of this. It is a false positive which was addressed by AVG in an update on or around May 27 '07. You can restore the quarantined file as follows. Quote:
Last edited by evilfantasy; 12-01-2007 at 07:48 PM.
#14
Thanks for the reply.
Is it a necessary file? Just wondering why I need to restore it. Kind regards.
#15
If you don't need it then it can be deleted. It goes with a program called BASS Audio Library.
http://www.un4seen.com/
#16
I see. A little strange, I don't have that program. I deleted the file and will keep an eye on the scans in the next few days.
Anyway, thanks again for the replies. Cameron.
#17
Following on from the posts from the other day, AVG again this morning detected Trojan Horse Generic9.AADH and found a file this time in the System Restore folder called A0002323.dll
AVG said it had deleted the file. Is it possible there is something going on that I need to take further action against?
#18
Toggle System Restore to clear infected restore points

1. Turn off System Restore: On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore: On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check Turn off System Restore. Click Apply, and then click OK.
#19
Ok, did that. Thanks. Will continue to monitor.
#20
Trojan Horse Issues
It's been a while, but these pesky Trojan Horses have again caused me some grief. I have three that have been annoying me:
Clicker.NYM, Downloader.Generic7.VBM, Generic10.AOWW

I have been through all the preliminary steps. See attached log files. Any help is greatly appreciated.

PS: Panda Rootkit came back negative.
PPS: I have the Combofix log, but I am unable to attach it as it is over the 100kb limit. Please advise.