Author Topic: Help With Trojan!  (Read 6317 times)


ZakDar

  • Guest
Help With Trojan!
« on: October 04, 2005, 05:19:05 AM »
Can't get rid of this one. Had Avast up and running but this came in thru Limewire while downloading.

Win32: Trojan-gen.  {UPX}

It's embedded in C:\Program Files\Common Files\system32.dll\gui.exe

Access denied on all attempts be it repair, move, or delete.

What to do?


Thanx.


ZakDar

thedon57

  • Guest
Re: Help With Trojan!
« Reply #1 on: October 04, 2005, 11:56:20 AM »


Hi,
Have you tried TrojanHunter?
See link below.
It works well with avast as I have it installed.

If not then download and install that.
That will get rid of it hopefully.

   
Mischel Internet Security - Home of TrojanHunter™ - The original ...TrojanHunter is the most powerful trojan scanner on the market. ... This new version of TrojanHunter makes TrojanHunter the only trojan scanner on the ...
www.trojanhunter.com/ - 15k - 2 Oct 2005 - Cached - Similar pages

« Last Edit: October 04, 2005, 12:07:33 PM by thedon57 »

ramses

  • Guest
Re: Help With Trojan!
« Reply #2 on: October 04, 2005, 12:07:49 PM »

Try doing it in Safe Mode.  Another trojan detector is A-squared

http://www.emsisoft.com/en/software/free/


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Help With Trojan!
« Reply #3 on: October 04, 2005, 03:52:56 PM »
Ewido is good, too.

http://www.ewido.net/en/

If nothing works, please post a HijackThis! log:

http://www.bleepingcomputer.com/forums/tutorial42.html
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89127
  • No support PMs thanks
Re: Help With Trojan!
« Reply #4 on: October 04, 2005, 04:07:19 PM »
Because it is in a system folder and likely to be in use it is protected by windows, nice windows.

Schedule a boot-time scan from within avast, that way it won't be in use.

I also suggest you click the link for DropMyRights in my signature. This should give limited user rights and stop files being placed in the system folders and creating registry entries.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ZakDar

  • Guest
Re: Help With Trojan!
« Reply #5 on: October 05, 2005, 01:26:55 AM »
Quote
Because it is in a system folder and likely to be in use it is protected by windows, nice windows.

Schedule a boot-time scan from within avast, that way it won't be in use.

I also suggest you click the link for DropMyRights in my signature. This should give limited user rights and stop files being placed in the system folders and creating registry entries.

Still get errors on that file, but it found another virus (wumeer) in the Program Files\MSupdate directory. Removing this one has restored some functionality. Still don't know what to do with that System32.dll file. Gonna try booting with DOS floppy disk and see if I can remove that hidden property on the file.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89127
  • No support PMs thanks
Re: Help With Trojan!
« Reply #6 on: October 05, 2005, 01:41:22 AM »
Can you confirm the OS you are using, because I'm making an assumption that it is XP?

Did you schedule a boot-time scan from within avast as I suggested because that should have been able to deal with this?

Have you visited the DropMyRights link in my signature?
More importantly did you take action, because this will help stop future infection making the job in hand a little easier perhaps.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

Post here as has been previously suggested, but the on-line analysis links can guide you and you can ask for further help here if needed.

Spiritsongs

  • Guest
Re: Help With Trojan!
« Reply #7 on: October 05, 2005, 07:21:20 PM »
:) Limewire is NOT recommended to be used by many Experts on Antispyware forums; it's better to use the safer & "cleaner" "Shareaza" from www.shareaza.com. AND if you want help with a HijackThis log, it is better to seek assistance from a HijackThis Expert on an Antispyware forum, who know things beyond what the HijackThis log shows.

ZakDar

  • Guest
Re: Help With Trojan!
« Reply #8 on: October 06, 2005, 04:22:53 AM »
Quote
Can you confirm the OS you are using, because I'm making an assumption that it is XP?

Did you schedule a boot-time scan from within avast as I suggested because that should have been able to deal with this?

Have you visited the DropMyRights link in my signature?
More importantly did you take action, because this will help stop future infection making the job in hand a little easier perhaps.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

Post here as has been previously suggested, but the on-line analysis links can guide you and you can ask for further help here if needed.

OS is XP Pro

Ran boot scan and got these errors:
1. Repair error 42060
2. Move or Delete error 0x0000022

Here's the line from the boot-scan log:

File C:\Program Files\Common Files\system32.dll\gui.exe is infected by Win32:Trojan-gen. {UPX!} - Repair: Error 42060, Repair: Error 42060, Move: Error 0xC0000022

Note that there is no file "gui.exe". Only system32.dll files in the Common directory.


ZakDar

  • Guest
Re: Help With Trojan!
« Reply #9 on: October 06, 2005, 04:33:37 AM »
Got the job done. Downloaded that ewido package suggested by FWF. Don't know how, but it removed the file no problem.

Subsequent scan by Avast confirmed cleanliness.

David, you mentioned to "take steps". What steps are you talking about? I use Avast in "resident" mode, so my expectations are that it will protect me from crap coming through the Inet pipes.

Thanx.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89127
  • No support PMs thanks
Re: Help With Trojan!
« Reply #10 on: October 06, 2005, 02:52:14 PM »
Quote
Ran boot scan and got these errors:
1. Repair error 42060
2. Move or Delete error 0x0000022
1. I doubt that it could be repaired as it isn't a system file that is infected, rather a malicious file.
2. This means "access denied" - i.e. the scanning process doesn't have rights to access the file http://forum.avast.com/index.php?topic=15087.0. Which leads me to believe you didn't do a boot-time scan as windows won't be active. As does the log you gave, as, as far as I'm aware, boot-time logging is very limited and repair isn't an option as the VRDB process isn't running.

How did you initiate the boot-time scan?

Quote
Note that there is no file "gui.exe". Only system32.dll files in the Common directory.
That is correct, gui.exe is a file inside the system32.dll file so you won't find it.

Quote
David, you mentioned to "take steps". What steps are you talking about? I use Avast in "resident" mode, so my expectations are that it will protect me from crap coming through the Inet pipes.

I can't see anywhere on this page where I mentioned taking steps, indeed a search only finds your mention of it. What are you referring to?

If this is what you are on about "take action" then it means download it and set it up.
Quote
Have you visited the DropMyRights link in my signature?
More importantly did you take action, because this will help stop future infection making the job in hand a little easier perhaps.
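Added example, not part of any post in this thread and not avast's own code: a small triage parser for the scan-log line quoted in Reply #8. It separates the container (`system32.dll`) from the member inside it (`gui.exe`) and decodes the `0xC0000022` NTSTATUS bit fields. The regular expressions and the container heuristic are assumptions based only on that one quoted line; the scanner's own code 42060 is left undecoded because the thread does not define it.

```python
import re

# Constructed sample: the boot-scan log line quoted in the thread.
SAMPLE = (r"File C:\Program Files\Common Files\system32.dll\gui.exe is infected by "
          r"Win32:Trojan-gen. {UPX!} - Repair: Error 42060, Repair: Error 42060, "
          r"Move: Error 0xC0000022")

# Assumed line layout, inferred from the single sample above.
LINE_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<name>.+?) - (?P<actions>.+)$")
ACTION_RE = re.compile(r"(?P<action>\w+): Error (?P<code>0x[0-9A-Fa-f]+|\d+)")

# Only the NTSTATUS value the thread discusses; anything else reports "unknown".
KNOWN_NTSTATUS = {0xC0000022: "STATUS_ACCESS_DENIED"}
SEVERITY = ("success", "informational", "warning", "error")

def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into severity, customer bit, facility and code."""
    return {"severity": SEVERITY[(value >> 30) & 0x3],
            "customer": bool((value >> 29) & 1),
            "facility": (value >> 16) & 0xFFF,
            "code": value & 0xFFFF,
            "name": KNOWN_NTSTATUS.get(value, "unknown")}

def split_container(path):
    """Heuristic (assumption): a non-final path component with a file
    extension is a container, and the rest is the member inside it."""
    parts = path.split("\\")
    for i, part in enumerate(parts[1:-1], start=1):
        if re.search(r"\.[A-Za-z0-9]{2,4}$", part):
            return "\\".join(parts[:i + 1]), "\\".join(parts[i + 1:])
    return path, None

def parse_scan_line(line):
    """Return container, member, detection name and failed actions, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    container, member = split_container(m["path"])
    failures = []
    for a in ACTION_RE.finditer(m["actions"]):
        code = a["code"]
        if code.lower().startswith("0x"):
            detail = decode_ntstatus(int(code, 16))
        else:
            detail = {"name": "scanner-specific code (not decoded)"}
        failures.append((a["action"], code, detail))
    return {"container": container, "member": member,
            "detection": m["name"], "failures": failures}
```
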