Topic: Have to find my MADCHOOK.DLL

DavidR
Re: Have to find my MADCHOOK.DLL
« Reply #15 on: December 04, 2009, 09:29:41 PM »
Wasn't it winsys2.exe that we are looking for in your previous posts and not winsys32.exe ?

> Well, I don't have the "winsys32.exe" file in "C:\Windows\SysWOW64 anymore".
>
> But I still had that "madCHook.dll" I downloaded. Now when I didn't find the "winsys32.exe" I renamed it to "AAAAAAAAAAAAAAAmadCHook.dll" and there wasn't an error message when I booted. I am going to move it completely from where it is now and delete it when I see that everything is ok.
> <snip>

Marco_SE (Guest)
Re: Have to find my MADCHOOK.DLL
« Reply #16 on: December 05, 2009, 12:01:27 AM »
> Wasn't it winsys2.exe that we are looking for in your previous posts and not winsys32.exe ?
>
> > Well, I don't have the "winsys32.exe" file in "C:\Windows\SysWOW64 anymore".
> >
> > But I still had that "madCHook.dll" I downloaded. Now when I didn't find the "winsys32.exe" I renamed it to "AAAAAAAAAAAAAAAmadCHook.dll" and there wasn't an error message when I booted. I am going to move it completely from where it is now and delete it when I see that everything is ok.
> > <snip>

Sorry for that... Yes, it was all about "winsys2.exe". I'll go back and edit that post. Must be my big fingers, hehe.

a_zad (Guest)
Re: Have to find my MADCHOOK.DLL
« Reply #17 on: January 04, 2010, 10:11:01 AM »
Hello,

I just recently did a scan with Malwarebytes and the results were:

Malwarebytes' Anti-Malware 1.43
Database version: 3490
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/3/2010 11:34:46 PM
mbam-log-2010-01-03 (23-34-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 174069
Time elapsed: 1 hour(s), 14 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\madCHook.dll (Worm.Messenger) -> No action taken.

As you can see, I have a madchook file. The "forceclassiccontrolpanel" value is fine, I checked, but I am not sure about the madchook. I have been to the website www.madshi.net and have read their concerns about this program. I am going to remove it and see what happens.

Also... the winsys2.exe can be dangerous. Read here: http://www.what-is-exe.com/filenames/winsys2-exe.html

I did a scan at virustotal.com of the madchook file and this was the result.

File madCHook.dll received on 2009.11.16 18:54:57 (UTC)
Current status: finished
Result: 4/41 (9.76%)
Antivirus   Version   Last Update   Result
a-squared   4.5.0.41   2009.11.16   -
AhnLab-V3   5.0.0.2   2009.11.16   -
AntiVir   7.9.1.65   2009.11.16   -
Antiy-AVL   2.0.3.7   2009.11.16   -
Authentium   5.2.0.5   2009.11.16   -
Avast   4.8.1351.0   2009.11.16   -
AVG   8.5.0.425   2009.11.16   -
BitDefender   7.2   2009.11.16   -
CAT-QuickHeal   10.00   2009.11.16   -
ClamAV   0.94.1   2009.11.16   -
Comodo   2958   2009.11.16   Heur.Packed.Unknown
DrWeb   5.0.0.12182   2009.11.16   -
eSafe   7.0.17.0   2009.11.16   Suspicious File
eTrust-Vet   35.1.7122   2009.11.16   -
F-Prot   4.5.1.85   2009.11.16   -
F-Secure   9.0.15370.0   2009.11.11   -
Fortinet   3.120.0.0   2009.11.16   -
GData   19   2009.11.16   -
Ikarus   T3.1.1.74.0   2009.11.16   -
Jiangmin   11.0.800   2009.11.16   -
K7AntiVirus   7.10.897   2009.11.16   -
Kaspersky   7.0.0.125   2009.11.16   -
McAfee   5804   2009.11.16   -
McAfee+Artemis   5804   2009.11.16   -
McAfee-GW-Edition   6.8.5   2009.11.16   Heuristic.BehavesLike.Win32.Obfuscated.A
Microsoft   1.5202   2009.11.16   -
NOD32   4613   2009.11.16   -
Norman   6.03.02   2009.11.16   -
nProtect   2009.1.8.0   2009.11.16   -
Panda   10.0.2.2   2009.11.15   -
PCTools   7.0.3.5   2009.11.16   -
Prevx   3.0   2009.11.16   -
Rising   22.22.00.08   2009.11.16   -
Sophos   4.47.0   2009.11.16   MadCodeHook
Sunbelt   3.2.1858.2   2009.11.12   -
Symantec   1.4.4.12   2009.11.16   -
TheHacker   6.5.0.2.071   2009.11.16   -
TrendMicro   9.0.0.1003   2009.11.16   -
VBA32   3.12.10.11   2009.11.15   -
ViRobot   2009.11.16.2039   2009.11.16   -
VirusBuster   4.6.5.0   2009.11.16   -
Additional information
File size: 61440 bytes
MD5   : c55877060560d165c7c9acf565e3ebaa
SHA1  : 292f335f10e7f8611ff15857fe8b77d92029360c
SHA256: 8a0003b444c577caae683c81255ef91cad66e81a822728b547d871d493fdef0d
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x26E90
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x18000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x19000 0xF000 0xE200 7.88 9e8d5d9fb0ab6dda0a66b9868fc22bf8
.rsrc 0x28000 0x1000 0xA00 4.72 cf509194598236c6c02b9ad780d5ee3d

( 4 imports )

> advapi32.dll: FreeSid
> kernel32.dll: LoadLibraryA, GetProcAddress
> oleaut32.dll: SysFreeString
> user32.dll: MessageBoxA

( 1 exports )

> AddAccessForEveryone, AllocMemEx, AmSystemProcess, AmUsingInputDesktop, AnsiToWide, AutoUnhook, CollectHooks, CopyFunction, CreateGlobalEvent, CreateGlobalFileMapping, CreateGlobalMutex, CreateIpcQueue, CreateIpcQueueEx, CreateProcessExA, CreateProcessExW, CreateRemoteThreadEx, DestroyIpcQueue, FlushHooks, FreeMemEx, GetCallingModule, GetCurrentSessionId, GetInputSessionId, HookAPI, HookCode, InjectLibraryA, InjectLibrarySessionA, InjectLibrarySessionW, InjectLibraryW, InstallMadCHook, IsHookInUse, OpenGlobalEvent, OpenGlobalFileMapping, OpenGlobalMutex, ProcessHandleToId, ProcessIdToFileName, RemoteExecute, RenewHook, SendIpcMessage, StaticLibHelper_Final, StaticLibHelper_Init, UnhookAPI, UnhookCode, UninjectLibraryA, UninjectLibrarySessionA, UninjectLibrarySessionW, UninjectLibraryW, UninstallMadCHook, WideToAnsi,
TrID  : File type identification
Win32 EXE Yoda's Crypter (67.9%)
Win32 Executable Generic (21.8%)
Generic Win/DOS Executable (5.1%)
DOS Executable Generic (5.1%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 1536:4AhCvbneCLf4U9kWqCGOrIsF4pYvfY3UES2pUut:bhWbnL9kWqCbIsFM2w39h
PEiD  : -
packers (Kaspersky): UPX
packers (F-Prot): UPX
RDS   : NSRL Reference Data Set

Ah...it was winsys32.

http://www.file.net/process/winsys32.exe.html

I am going to check the Malwarebytes forum as well, but I came across this in a random search to figure out what to do.

Any advice would be great. Thanks,


A_zad
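The checks a responder would actually run on the findings in the post above, as an added example written for this page and not code from any poster or from madshi. The three hashes and the export names are copied from the VirusTotal report quoted in the post; the log excerpt is taken from the Malwarebytes log in the same post; the file bytes are a constructed stand-in, not the real DLL. madCHook.dll is madshi's madCodeHook API-hooking library (hence the www.madshi.net link and Sophos' "MadCodeHook" label), and its exports (InjectLibrary*, CreateRemoteThreadEx, HookAPI) are injection and hooking primitives that legitimate software ships too, so the decisive question is whether the file on disk is byte-for-byte the sample VirusTotal saw, not what it is called.

```python
"""Triage helpers for the madCHook.dll thread: parse a Malwarebytes log,
hash a file and compare it with the VirusTotal hashes quoted in the post,
and look for madCodeHook's injection/hooking export names in the file."""
import hashlib
import re

# Hashes exactly as reported in the VirusTotal result quoted in the post.
KNOWN_HASHES = {
    "md5": "c55877060560d165c7c9acf565e3ebaa",
    "sha1": "292f335f10e7f8611ff15857fe8b77d92029360c",
    "sha256": "8a0003b444c577caae683c81255ef91cad66e81a822728b547d871d493fdef0d",
}

# Subset of the export names listed in the post: the ones that give a
# caller DLL injection, remote execution and API hooking.
INJECTION_EXPORTS = {
    "InjectLibraryA", "InjectLibraryW", "InjectLibrarySessionA", "InjectLibrarySessionW",
    "CreateRemoteThreadEx", "RemoteExecute", "CreateProcessExA", "CreateProcessExW",
    "HookAPI", "HookCode", "UnhookAPI", "UnhookCode",
}

# Detail-section header ("Files Infected:") versus summary line ("Files Infected: 1").
_SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+Infected):$")
# "<item> (<detection>) -> <action>" as Malwarebytes' Anti-Malware 1.x writes it.
_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return {section: [(item, detection, action), ...]} for the detail
    sections of an MBAM log; the summary counts at the top are skipped."""
    findings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name")
            findings.setdefault(section, [])
            continue
        m = _ITEM_RE.match(line)
        if m and section:
            findings[section].append((m.group("item"), m.group("detection"), m.group("action")))
    return findings


def hash_bytes(data):
    """MD5/SHA-1/SHA-256 of the file contents, same three digests VirusTotal lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_sample(data):
    """True only if every digest agrees with the VirusTotal report; any
    mismatch means a different file, whatever its name on disk."""
    return hash_bytes(data) == KNOWN_HASHES


def injection_exports_present(data):
    """Export names from INJECTION_EXPORTS that occur as NUL-terminated ASCII
    strings in the file.  Heuristic only: a packer or a stripped export table
    can hide them, so an empty result is not a clean bill of health."""
    return {name for name in INJECTION_EXPORTS if name.encode("ascii") + b"\0" in data}


def triage(log_text, file_bytes):
    """Combine the three checks into one report dict."""
    return {
        "findings": parse_mbam_log(log_text),
        "hashes": hash_bytes(file_bytes),
        "matches_known_sample": matches_known_sample(file_bytes),
        "injection_exports": sorted(injection_exports_present(file_bytes)),
    }


# Constructed sample input: the detail sections of the log in the post.
SAMPLE_MBAM_LOG = """\
Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\system32\\madCHook.dll (Worm.Messenger) -> No action taken.
"""

# Constructed stand-in for a file on disk: NOT the real DLL, just bytes that
# carry two of the export names so the string check has something to find.
SAMPLE_FILE_BYTES = b"MZ" + b"\0" * 62 + b"InjectLibraryA\0HookAPI\0SysFreeString\0"

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MBAM_LOG, SAMPLE_FILE_BYTES), indent=2))
```

Run it against a real copy with `open(path, "rb").read()` in place of `SAMPLE_FILE_BYTES`: a `matches_known_sample` of True means the file is exactly the 61440-byte sample the 4/41 VirusTotal verdict applies to, and False means the verdict says nothing about it and the file should be submitted as its own sample.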

DavidR
Re: Have to find my MADCHOOK.DLL
« Reply #18 on: January 04, 2010, 03:31:45 PM »
Before removing, send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest), where it can do no harm, and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.