module32.exe trojan keylogger

Discussion in 'malware problems & news' started by colin dooley, Jun 21, 2004.

Thread Status:
Not open for further replies.
  1. colin dooley

    colin dooley Guest

    **Temporary Fix**

    The fix is temporary insomuch as this method will stop the module32 executable from executing but does not completely alleviate the problem. The reason for this is explained fully in a moment.

    1. Boot up the XP machine in safe mode and find the "tgbcde" folder.
    2. Delete all files in the folder (module32.exe, library32.dll, etc.)
    3. Using Notepad or another editor, create dummy module32.exe and library32.dll files
    4. Make the folder and files read-only (using the right-click properties menu)
    5. Run msconfig and uncheck module32.exe from the startup tab
    6. Run regedit and delete all entries to do with "tgbcde", "module32.exe" and "library32.dll"
    7. Restart the machine and use a program like security task manager to check that the module32 executable is not running

    As alluded to earlier, this is a temporary fix. If you were to open the tgbcde folder (you can do this by typing c:\windows\tgbcde in the explorer address bar, as the folder may not be visible in explorer) and delete the dummy files you created, then upon re-booting the machine, in my experience, the trojan will re-appear in the directory. So, whilst the dummy files you created exist, the condition that the trojan uses to see if the appropriate files have been created and exist remains true (and because the files you created are harmless, nothing untoward takes place). However, the file that exists and is effectively 're-spawning' the trojan is still on the computer 'somewhere' and still needs to be found. I am hoping that someone will be capable of doing this, somewhere!!
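An added example, not part of the original post: one way to find the registry entries that step 6 asks you to delete is to export the registry from regedit as text and scan the export for the three names given in the thread. Values stored as `hex(2)`/`hex(7)` are UTF-16LE bytes that a plain text search misses, so the sketch decodes them; it assumes a "Version 5.00" export, and the sample export, the `ExampleVendor` key and the value names are constructed for illustration.

```python
import re

INDICATORS = ("tgbcde", "module32.exe", "library32.dll")  # names given in the thread
# Common autostart keys (not exhaustive): Run, RunOnce, RunServices, Winlogon.
AUTOSTART = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|Winlogon)$", re.I)

def _hex2(s):
    """Encode text as regedit writes REG_EXPAND_SZ: UTF-16LE + NUL, wrapped with '\\'."""
    h = ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))
    return "hex(2):" + h[:60] + "\\\n  " + h[60:]

# Constructed sample export; the key and value names are made up for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Module32"="C:\\WINDOWS\\tgbcde\\module32.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\Loader]
"Path"=''' + _hex2(r"%SystemRoot%\tgbcde\library32.dll") + "\n"

def decode_value(raw):
    """Return value data as text; hex(2)/hex(7) data is UTF-16LE in a 5.00 export."""
    m = re.match(r"hex\((?:2|7)\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        return data.decode("utf-16-le", errors="replace").replace("\0", " ").strip()
    if raw.startswith('"'):
        return raw.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
    return raw

def scan_export(text):
    """Return (key, value_name, data, is_autostart) for each indicator hit."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continued hex lines
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if any(i in key.lower() for i in INDICATORS):
                hits.append((key, None, "", bool(AUTOSTART.search(key))))
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            data = decode_value(raw)
            if any(i in (name + "\n" + data).lower() for i in INDICATORS):
                hits.append((key, name.strip('"'), data, bool(AUTOSTART.search(key))))
    return hits

if __name__ == "__main__":
    for key, name, data, auto in scan_export(SAMPLE_REG):
        print(("AUTOSTART " if auto else "other     ") + f"{key} :: {name} = {data}")
```

A real "Version 5.00" export file is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `scan_export`.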
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi colin, I'm not sure why you posted your information about module32.exe in the TDS forum?

    It has been moved to a more appropriate forum.

    Cheers. Pilli
     
  3. colin dooley

    colin dooley Guest

    Sorry Pilli :),

    I must've been getting mixed up with another forum or post!! BTW, have you got any more information on the module32.exe trojan? (I don't know its proper name.)

    TIA,

    Colin.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Afraid I have no idea, Colin, but I am sure that Gavin at DiamondCS may be able to help.
    If you have a copy of the file, please zip it and send it to submit@diamondcs.com.au for analysis. :)

    HTH Pilli
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    colin,

    You might be interested in an old archived thread on the subject over here ;).

    regards.

    paul
     