#1
A new trojan, seems to be a keylogger but not sure, Here is how to get rid of it.
Go to start/run/msconfig/startup uncheck rfv which is where it hides. now reboot, go to c drive/windows/rfv folder right click delete Hope this helps, You will not find this folder until you uncheck it from start up nor will you the system find it. I first started gettting module 32 late last month while surfing nomoreclicking.com, however it is on a lot of traffic exchanges at present, as I surf 14 windows at the same time I still can not identify the site distributing it, I have notified Trendmicro bit no other as Trendmicro is the leader in my books, However it would be advantagous if spybot, spywareblaster were notified. As for every thing else being deleted with this, well one can never be sure except to check your windows files after every reboot. |
|
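The removal recipe above boils down to one persistence pattern: a Run/startup entry with a short random name that launches an executable from a random subfolder of C:\Windows (C:\Windows\rfv and, later in the thread, C:\Windows\tgbcde\module32.exe). The script below is an added example, not code from any poster in this thread or from Trend Micro; it parses a `.reg` export of the two Run keys (the sample text is constructed for illustration) and flags entries that run from an unexpected Windows subfolder or are named module32.exe. The list of "normal" Windows subfolders is an assumption you should extend for your own system.

```python
"""
Flag autostart (Run key) entries that launch an executable from an unexpected
subfolder of C:\\Windows, the pattern described in the thread above.

Added example, not part of the original thread. Export real data with:
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
and pass the file contents to find_suspicious().
"""
import re
from pathlib import PureWindowsPath

# Constructed sample of what a `reg export` of the two Run keys could look like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrendMicro"="\"C:\\Program Files\\Trend Micro\\pccguide.exe\""
"rfv"="C:\\WINDOWS\\rfv\\module32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"module32"="C:\\WINDOWS\\tgbcde\\module32.exe"
'''

# Assumption: Windows subfolders from which autostart executables are normal.
KNOWN_WINDOWS_SUBDIRS = {"system32", "syswow64", "system"}

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# First token ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)


def unescape_reg(value):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \" (character by character)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def parse_run_entries(reg_text):
    """Yield (key, name, command) for every string value in the export."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        entry = ENTRY_RE.match(line)
        if entry and current_key:
            yield current_key, entry.group('name'), unescape_reg(entry.group('value'))


def check_entry(command):
    """Return a list of reasons the command looks suspicious, or None if it is clean."""
    exe_match = EXE_RE.match(command.strip())
    if not exe_match:
        return None
    path = PureWindowsPath(exe_match.group('exe'))
    # e.g. ('C:\\', 'WINDOWS', 'rfv', 'module32.exe') -> ['c:', 'windows', 'rfv', 'module32.exe']
    parts = [p.lower().rstrip('\\') for p in path.parts]
    reasons = []
    if path.name.lower() == 'module32.exe':
        reasons.append('file name matches module32.exe')
    # An executable directly in C:\Windows (len 3) is left alone here; only
    # a non-standard subfolder one level deeper is flagged.
    if len(parts) >= 4 and parts[1] == 'windows' and parts[2] not in KNOWN_WINDOWS_SUBDIRS:
        reasons.append(f'runs from unexpected Windows subfolder {path.parent}')
    return reasons or None


def find_suspicious(reg_text):
    """Return the entries worth looking at, with the reasons for each."""
    hits = []
    for key, name, command in parse_run_entries(reg_text):
        reasons = check_entry(command)
        if reasons:
            hits.append({'key': key, 'name': name, 'command': command, 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']} -> {hit['command']}")
        for reason in hit['reasons']:
            print(f"    {reason}")
```

On the constructed sample this reports the `rfv` and `module32` entries and leaves ctfmon.exe and the Trend Micro entry alone. Disabling the entry in msconfig only moves it (msconfig records disabled items under its own key), so after cleaning re-export the Run keys and re-run the check rather than trusting the startup tab alone.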
#2
surf2ya,
Please zip and password-protect that .exe and email me a copy; my addy is in my profile. Thanks in advance. Regards, Paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#3
I will do, Paul. Next time it comes in, which is about once a day lately. I have posted it in the virtualdr.com forums as well and there is a good deal of response there.
Kind regards, Steve
#4
Thanks Steve
Regards, Paul
#5
Paul,
You've got mail.... Paul
#6
...and I became a registered member of your board :-)
#7
Thanks, email received.
Good having you aboard. Regards, Paul
#8
Hi Paul,
I just got home from offline work and my system was totalled. I finally got one back up to work, but everything is very suss from this. Even though I had deleted it, it was back in Windows as rfv. I deleted it again, but it can't be found in the Recycle Bin to zip it and send to you. I got BigDaddy to send it to you; hopefully this gives you something to work on. Thanks for all. Steve
#9
surf2ya,
Sorry to hear about your problems! BigDaddy did send me a copy, and he has received an answer as well in the meanwhile. Regards, Paul
#10
Hello..... I also use auto-surf as a means of advertising and got the module32.exe bug. I have posted several writings as well and as of yet no one has given me a way to stop it from gaining access in the first place. I know there are programs that will find and delete it once infected, but I can do that manually. The thing I can't do is stop it in the first place..... I get this thing at least twice a day auto-surfing......... When someone finds out stop-steps, let me know, as removing it totally is not the problem, even though it is a hassle. It's "Let's Stop This Thing Before It Gains System Access".
#11
Welcome to the club. I wish someone would find a way to stop it soon; hopefully Paul is doing that as we speak. That is why I posted here. I posted to Trend Micro but had no answer; Paul has been on to it as soon as I mentioned it and, as you see, is investigating the file. As for using autosurfs for advertising, don't you know no one looks at them? I personally use them for banner exchange reasons, and that's when I am sleeping. 1-1 manual exchanges produce results. It's work, but it produces.
Hopefully there will be a fix soon. Happy Times
#12
#13
Yes, thanks Paul. I hadn't realised he started another thread.
Regards, Steve
#14
No problem, Steve.
Regards, Paul
#15
So removing the folder will not cause any problems? In my PC it's in C:\Windows\tgbcde\module32.exe.
Please help me. I just re-formatted my hard disk yesterday to get rid of all the malicious stuff, and now this!! Thanks
#16
Hi Grandslam, and welcome to Wilders.

We do have several threads on this subject that you can look through for further details:
http://www.wilderssecurity.com/showthread.php?t=25630
http://www.wilderssecurity.com/showthread.php?t=26179
(Please note that we no longer do HijackThis review at Wilders, but you can follow up by posting one at the link available in the General Cleaning Instructions thread below.)

A step-by-step cleaning guide that you can follow: General Cleaning Instructions

===

For an anti-trojan, I would recommend you download and install the 30-day free trial of TDS-3. Before you open and run the program you must bring it up to date. Download the latest Radius database file from here: Radius td3 update. Right-click on the link shown on the updates page, choose "Save target as" and save it to your TDS install directory (say "yes" to overwriting the one that is there). Reboot your computer after installing.

Now reboot your computer again, but this time into Safe Mode, by tapping the F8 key just before Windows begins to load. Then open TDS-3:
1. Press "Scan Control" and tick all the boxes in the bottom part of the window.
2. Press "Save configuration" and then close the window by pressing the red x in the top right corner.
3. Now select "System Testing", choose "Full System Scan" and scan your local drives.
Once the scan is finished, TDS-3 will display what it finds in the lower screen. It will show "Positive Identification" or "Suspicious File". Right-click on anything found as "Positive Identification" and choose Delete.

===

Further link for cleaning instructions: Win32.Reign.R (also known as Win32/PWS.CashSteal.HookDLL.Troj, Win32/PWS.CashSteal.Trojan, PWS-WebMoney.gen (McAfee))

Please let us know if the above helps.
Regards, snap
__________________
@-`-,--
#17
Hi... new member here. Thought I'd share my experience with module32.
Well, recently I was struggling to remove various trojans/viruses etc. that had found their way onto my computer. They had the nasty habit of doing such things as starting my IRC or ICQ for me, trying to connect via dial-up, opening up the help file, or randomly opening an .hta file with babble for text. I'd pretty much eliminated everything, except one thing still lingered behind in my msconfig: module32. Before, when I disabled the programs via msconfig they would just magically re-enable themselves, but it seemed that module32 couldn't do this on its own. Unfortunately the trojan had already taken down my network. I was about to do some messy stuff in regedit and I knew that I'd need to be prepared to reformat if I screwed up, so I began moving my files. But just as I moved WinNY, the last of my P2P programs, over to an external hard drive, the network came back. Intrigued, I went ahead and searched for module32 in the registry... beside several of my P2P programs and ICQ was a message that said "enabled". Beside mcsmss and several other things I'd eliminated was a message that said "disabled". Strange, huh?
Last edited by lostotaku : January 17th, 2005 at 03:53 PM.
#18
Hi lostotaku, and welcome to Wilders.
Quote:
It also sounds like you probably had a number of trojans going on there, but I do hope you were able to eliminate them all safely and your computer is clean now. If you are still having problems, please do look through the General Cleaning Instructions link I posted above. Not to wander too far off topic from this thread, but here are some additional links that you can check through about the mcsmss.exe file for further cleaning: Trend Micro - Troj_Agent.EI. And another that also uses the same file: McAfee - BackDoor-CIP. Regards, snap