Module32.exe

Discussion in 'malware problems & news' started by surf2ya, Mar 22, 2004.

Thread Status:
Not open for further replies.
  1. surf2ya

    surf2ya Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    5
    A new trojan, seems to be a keylogger but not sure, Here is how to get rid of it.
    Go to start/run/msconfig/startup uncheck rfv which is where it hides.
    now reboot, go to c drive/windows/rfv folder right click delete

    Hope this helps, You will not find this folder until you uncheck it from start up nor will you the system find it.

    I first started gettting module 32 late last month while surfing nomoreclicking.com, however it is on a lot of traffic exchanges at present, as I surf 14 windows at the same time I still can not identify the site distributing it, I have notified Trendmicro bit no other as Trendmicro is the leader in my books, However it would be advantagous if spybot, spywareblaster were notified. As for every thing else being deleted with this, well one can never be sure except to check your windows files after every reboot.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    surf2ya,

    Please zip and password-protect that .exe and email me a copy - my addy is in my profile. Thanks in advance.

    regards.

    paul
     
  3. surf2ya

    surf2ya Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    5
    I will do Paul, Next time it comes in, which is about once a day lately, I have posted it in virtualdr.com forums as well and there is a good deal of response there.

    Kind regards
    Steve
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks Steve ;)

    regards.

    paul
     
  5. BigDaddy

    BigDaddy Guest

    Paul,

    You've got mail....




    Paul
     
  6. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    ...and I became a registered member of your board :)
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks - email received ;) Good having you aboard :cool:

    regards,

    paul
     
  8. surf2ya

    surf2ya Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    5
    Hi Paul,
    I just got home from offline work and my system was totalled, I finally got one back up to work but everything is very suss from this even though I had deleted it, it was back in windows as rfv i deleted it again but it can't be found in recycle bin to zip it and send to you, I got big daddy to send it too you, hopefully this gives you something to work on.
    Thanks for all.
    Steve
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    surf2ya,

    Sorry to hear about your problems! BigDaddy did sent me a copy - and received an answer as well in the meanwhile.

    regards.

    paul
     
  10. adspace

    adspace Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    13
    :( Hello.....I also use auto-surf as a means of advertising and got the module32.exe bug I have posted also several writings and as of yet there is no one who has given me a way to stop it from gaining access in the first place. I know there are programs that will find and delete once infected but I can do that manually. The thing I cant do is stop it in the first place.....I get this thing at least twice a day auto surfing.........when some one finds out stop-steps let me know as removing it totally is not the problem even though it is a hasle its "Lets Stop This Thing Before It Gains System Access"
     
  11. surf2ya

    surf2ya Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    5
    Module32.exe fix

    Welcome to the club, I wish someone would find a way to stop it soon, Hopefully Paul is doing that as we speak, That is why I posted here, I posted to trendmicro but had no answer, Paul has been on to it as soon as I mentioned it and as you see is investigating the file, As for using auotsurfs for advertising, Don't you know no one looks at them, I personally use them for banner exchange reasons and thats when I am sleeping. 1-1 manual exchanges produce results, It's work but it produces.

    Hopefully there will be a fix soon.

    Happy Times
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Gents,

    Please have a look at this thread on the same subject.

    regards.

    paul
     
  13. surf2ya

    surf2ya Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    5
    Yes thanks Paul, I hadn't realised he started another thread.
    Regards,
    Steve
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    No problem, Steve ;)

    regards.

    paul
     
  15. Grandslam

    Grandslam Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    1
    So removing the folder will not cause any problems, in my pc its in C/Windows/tgbcde/module32.exe

    Please help me, I just re-formated my hard disk yesterday to get rid of all the malicious stuff and now this :( !!

    Thanks
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Grandslam, and welcome to Wilders.

    We do have several threads on this subject that you can look through for further details:
    https://www.wilderssecurity.com/showthread.php?t=25630
    https://www.wilderssecurity.com/showthread.php?t=26179
    (please note, that we no longer do HijackThis review at Wilders, but you can follow up with posting one at the link available in the General Cleaning Instructions thread below)

    A step-by-step cleaning guide that you can follow: General Cleaning Instructions

    ===
    For an anti-trojan, I would recommend you download and install the 30-day free trial of TDS-3

    Before you open and run the program you must bring it up-todate. Download the latest radius database file from here: Radius td3 update. Right-click on the link shown on the updates page, and choose "Save target as" and save it to your TDS install directory (say "yes" to overwriting the one that is there). Reboot your computer after installing.

    Now reboot your computer again, but this time into Safe Mode, by tapping the F8 key just before Windows begins to load.

    Then open TDS-3
    1. Press the "Scan Control" and tick all the boxes in the bottom part of the window.
    2. Press "Save configuration" and then close the window by pressing the red x in the top right corner.
    3. Now select "System Testing" and choose the 'Full system Scan" and scan your local drives.

    Once the scan is finished, TDS3 will display what it finds in the lower screen. It will show "Positive Identification" or "Suspicious File". Right-click on anything found as "Positive Identification" and choose Delete.

    ===

    Further link for cleaning instructions:
    Win32.Reign.R (also known as Win32/PWS.CashSteal.HookDLL.Troj, Win32/PWS.CashSteal.Trojan, PWS-WebMoney.gen (McAfee)

    Please let us know if the above helps.

    Regards,

    snap
     
  17. lostotaku

    lostotaku Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    1
    Hi... new member here. Thought I'd share my experience with module32.

    Well, recently I was struggling to remove various trojans/viruses etc that had found their way onto my computer. They had the nasty habit of doing such things as starting my IRC or ICQ for me, or trying to connect via dialup, opening up the help file, or randomly opening an hta file with babble for text. I'd pretty much eliminated everything, except one thing still lingered behind in my msconfig: module32. Before, when I disabled the programs via msconfig they would just magically reenable themselves, but it seemed that module32 couldn't do this on it's own.

    Unfortunately the trojan had already taken down my network. I was about to do some messy stuff in regedit and I knew that I'd need to be prepared to reformat if I screwed up, so I began moving my files. But just as I moved WinNY, the last of my P2P programs over to an external hard drive, the network came back. Intrigued I went ahead and searched for module32 in the registry... beside several of my P2P programs and ICQ was a message that said "enabled." Beside mcsmss and several other things I'd eliminated was a message that said "disabled."

    Strange huh?
     
    Last edited: Jan 17, 2005
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi lostotaku, and welcome to Wilders.

    I am not familiar with the p2p WinNY, but doing a quick google search on it, the sites listed didn't look too safe to click on to check it out further. But it sounds like either that p2p app was infected, or became infected with something you downloaded, and upon removing the WinNY folder/program, you could have displaced the malware files, which may have prevented them from running and allowing your network to come back.

    It also sounds like you probably had a number of trojans going on there, but I do hope you were able to eliminate them all safely and your computer is clean now. If you are still having problems, please do look through the General Cleaning Instructions link I posted above.

    Not to wander too off topic from this thread, but here are some additional links that you can check through about the mcsmss.exe file for further cleaning:

    Trend Micro - Troj_Agent.EI
    And another that also uses the same file: McAfee - BackDoor-CIP

    Regards,

    snap
     
Loading...
Thread Status:
Not open for further replies.