Author Topic: what is gmgcjs?  (Read 12314 times)


Julius_Z

  • Guest
what is gmgcjs?
« on: January 04, 2010, 08:52:39 PM »
Hello,
What's gmgcjs?
Is it a Trojan or what? I have a question about avast! action in my computer as regards a certain file. Each time I switch on my computer, after some 20 - 40 minutes, I obtain a message from Avast! that a "suspicious" file has been found. The address is usually reported as:

 C:\WINDOWS\System32\Drivers\gmgcjs.sys

Usually the recommendation is to "Ignore" and sometimes to delete the file. It then asks me to submit the file to the Avast! laboratory. I always agree but I never got any reply. It asks me to scan all the local discs. Sometimes it says the file is of the type "ukryte usługi" which means "hidden services". Sometimes it reports a Trojan in 1 or two files. But usually the search result is that "the number of infected files equals 0". The problem is the scan takes a lot of time during which I cannot use my computer. And 40 minutes later you have the same once again.

I've only had this problem for about 4 weeks. I had used avast! home edition for over 2 years and about a week ago I upgraded to the Professional edition.

So my questions are: is gmgcjs a virus? Or is it some file in WINDOWS? How can this happen that if you delete that file in the WINDOWS catalogue, the same once deleted appears again? The message says it is dangerous - is it? Or should I answer to avast! "don't inform me about this file again"? (There is an option like that.)
Can one set avast! so that it deals with this problem automatically?
With best wishes
Julius_Z

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: what is gmgcjs?
« Reply #1 on: January 04, 2010, 09:10:57 PM »
Hi Julius_Z,

Google this "random named sys file in system32\Drivers\" (without "" of course) and you find plenty of replies on this rootkitted trojan.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Julius_Z

  • Guest
Re: what is gmgcjs?
« Reply #2 on: January 05, 2010, 12:05:22 AM »
Hi Polonus
I have now read the earlier discussion on how to deal with probably the same thing under different names. So I found the file, its size is now 746 kB and the date created is mentioned as December 14, 13:37 but it keeps on modifying each time you search for it.
I tried to submit it where recommended but the answer was 0 bytes transmitted.
What to do now?
Julius_Z

Julius_Z

  • Guest
Re: what is gmgcjs?
« Reply #3 on: January 05, 2010, 12:12:55 AM »
And now I tried to submit it to jotti but the answer is that the file is empty - even though it's 746 kB!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: what is gmgcjs?
« Reply #4 on: January 05, 2010, 12:28:03 AM »
Hi, Julius_Z

This could be a Srizbi or Bagle detection. With removal also consider after cleansing with HJT: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx
See: http://www.bleepingcomputer.com/startups/Random_Name-18257.html

Download HJT 2.03 from here: http://www.filehippo.com/download_hijackthis/download/0b5bbb42be6243172c8e6303e69eda10/
and I will have a look at the O23 in the logfile it comes up with, so add the HJT log txt file at additional options.

If you have an sptd.sys driver (driver of a CD/DVD emulator; installed with Alcohol 120%, Daemon Tools and some others), then your randomly named hidden driver ("aa9ak670.sys") is not malicious and it is not a rootkit (it just uses rootkit technologies) -- it's a part of sptd.sys. This behavior (hiding a dropped driver and killing the body of the driver) was made by the authors of SPTD to prevent CD-copy protectors, which try to detect CD-emulator software and don't allow it to work.

Regards,

polonus
« Last Edit: January 05, 2010, 02:29:21 PM by polonus »

Julius_Z

  • Guest
Re: what is gmgcjs?
« Reply #5 on: January 05, 2010, 07:52:30 PM »
Hello,
Hi Polonus,
I have downloaded Hijackthis and have scanned the computer. There is a logfile and the Analyse this file. I can see it in front of me but understand very little of it. What shall I do next?
With best wishes,
Julius_Z

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37552
  • Not a avast user
Re: what is gmgcjs?
« Reply #6 on: January 05, 2010, 07:57:49 PM »
Quote
There is a logfile and the Analyse this file. I can see it in front of me but understand very little of it. What shall I do next?
Post the logfile here so polonus can see it.

Julius_Z

  • Guest
Re: what is gmgcjs?
« Reply #7 on: January 05, 2010, 08:02:55 PM »
The logfile is below:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 19:32:44, on 2010-01-05
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: YouTube To ALLPlayer - {61DB16C5-B733-43F4-872E-B20DC9E72740} - C:\PROGRA~1\ALLPLA~1\YOUTUB~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TME.tmp
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Zięborak\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe

--
End of file - 6698 bytes

Julius_Z

  • Guest
Re: what is gmgcjs?
« Reply #8 on: January 05, 2010, 08:27:54 PM »
avast! always reports it has found the gmgcjs about 25-40 minutes after the computer is switched on, irrespective of what I am doing, even if I don't touch the keyboard.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: what is gmgcjs?
« Reply #9 on: January 05, 2010, 08:48:01 PM »
You apparently do not run a software firewall,

Check on the following, for instance upload at virustotal.com

O2 - BHO: YouTube To ALLPlayer - {61DB16C5-B733-43F4-872E-B20DC9E72740} - C:\PROGRA~1\ALLPLA~1\YOUTUB~1.DLL

O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TME.tmp
Unknown application. Possible backdoor, see:
http://www.threatexpert.com/report.aspx?md5=7a741227a3aefea1ec29d9343543e7b0
and see:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_TIKAYB.A&VSect=Sn

Fix this entry using HJT
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
The entry &Winamp Search has been identified as nasty.

O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

Survey of active tasks: Overview of active tasks: (Click on the tasks for more information)

smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
Ati2evxx.exe - Driver - ATI Display Adapter Assistant
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
Ati2evxx.exe - Driver - ATI Display Adapter Assistant
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
Explorer.EXE - System task - Microsoft Windows Explorer
ashServ.exe - Virusscan - Avast
spoolsv.exe - System task - Microsoft Printer Spooler Service
MaxMenuMgrBasics.exe - Background task - MSS
iTunesHelper.exe - Application - Apple Itunes
ashDisp.exe - Virusscan - Avast AntiVirus
ctfmon.exe - System task - Alternative User Input Services
AppleMobileDeviceService.exe - Background task - Apple Mobile Device Service
SyncServicesBasics.exe - Background task - Sync
mDNSResponder.exe - Background task - Bonjour for Windows Component
svchost.exe - System task - Microsoft Service Host Process
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
ashWebSv.exe - Virusscan - avast! Web Scanner
iPodService.exe - Background task - Apple iTunes
firefox.exe - Application - Mozilla Firefox
msiexec.exe - System task - Windows Installer Component
HiJackThis.exe - Application - Merijn Hijackthis v.2.0.3 (BETA)

polonus

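As an added example (not code from this thread, from HijackThis or from the Avast forum), here is a small Python triage script that applies the kind of checks polonus walks through above to HJT log lines: O4 autoruns started from a TEMP directory or from a non-.exe file (the sysgif32 entry), O16 ActiveX (DPF) objects fetched from a host outside an assumed allow-list (the sina.com downloader), and O23 services with no registered vendor. The sample log is constructed from lines of the log posted in this thread; TRUSTED_DPF_HOSTS and the check functions are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\TEMP\~TME.tmp
O16 - DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} (DLoader Class) - http://dl.uc.sina.com/cab/downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
"""
# Assumed allow-list of ActiveX (DPF) download hosts the reviewer already trusts.
TRUSTED_DPF_HOSTS = ("macromedia.com", "microsoft.com", "java.com")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def check_o4(cmd):
    """Flag autoruns started from a TEMP directory or from a non-.exe file."""
    cmd = cmd.strip()
    # Program path: the quoted string if quoted, otherwise the first token.
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else (cmd.split() or [""])[0]
    path = path.lower()
    if "\\temp\\" in path or "\\tmp\\" in path:
        return "autorun launches from a TEMP directory"
    if not path.endswith(".exe"):
        return "autorun target is not an .exe: " + path
    return None

def check_o16(url):
    """Flag ActiveX objects pulled from hosts outside the allow-list."""
    host = urlparse(url).hostname or ""
    if any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
        return None
    return "ActiveX object downloaded from untrusted host " + host

def triage(log_text):
    """Return the O4/O16/O23 entries of a HijackThis log that need a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entry, reason = m["name"], check_o4(m["cmd"])
        elif m := O16_RE.match(line):
            entry, reason = m["desc"], check_o16(m["url"])
        elif m := O23_RE.match(line):
            entry = m["name"]
            reason = "service has no registered vendor" if m["owner"] == "Unknown owner" else None
        else:
            continue  # other HJT sections are not triaged by this example
        if reason:
            findings.append({"section": line.split(" ")[0], "entry": entry, "reason": reason})
    return findings
```

A flagged entry is a prompt for review (upload to a multi-engine scanner, check the vendor), not a verdict: legitimate software occasionally runs from odd paths, while a clean-looking path says nothing about a file hidden by a rootkit.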

Julius_Z

  • Guest
Re: what is gmgcjs?
« Reply #10 on: January 06, 2010, 01:13:51 AM »
Hi there!
Uploading was not possible. I fixed the four items mentioned above (O2, O4, O8 and O16), one by one, each time waiting to see what happens. Each time the thingy appeared again in an avast! report about 8 minutes 45 seconds after switching on; after which I clicked on Ignore (recommended), which resulted in another scan that took 25 minutes, switched off and on, 8 min 45 and here it is, the gmgcjs alive and kicking. I tried to kill it by avast!'s delete - failed, send by email - failed, delete manually by using the mouse - failed. Still has the same size of 746 kB. Maybe just try to love it and let it stay forever, I don't know ...
Or is there anything else a human can do?
Julius_Z   

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: what is gmgcjs?
« Reply #11 on: January 06, 2010, 02:56:00 AM »
Hi Julius_Z,

This is cloaked malware. There is this you can do about it: http://techver2.blogspot.com/2009_11_22_archive.html
Another way is to perform the cleansing routine proposed here: http://forum.avast.com/index.php?topic=53050.msg450158#msg450158
Later we can have essexboy analyze it,

polonus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: what is gmgcjs?
« Reply #12 on: January 07, 2010, 08:30:38 PM »
To ensure that I get all the information, this log will need to be uploaded to Mediafire and the sharing link posted.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Julius_Z

  • Guest
Re: what is gmgcjs?
« Reply #13 on: January 07, 2010, 09:49:58 PM »
Today avast! reported something different. It identified gmgcjs as a rootkit so I clicked delete. The name gmgcjs is still there, in drivers, but the computer has been running uninterrupted for over one hour already without any warnings from avast!. I've run the scan as essexboy recommended and will try to upload as soon as they finish maintenance in Mediafire.
Julius_Z

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: what is gmgcjs?
« Reply #14 on: January 07, 2010, 09:54:42 PM »
Back up now