Hi,

Has anyone heard of this one before. "Trojan horse Generic27.SLL"
I can't seem to get rid of it or find any info on it!

Help please! Im ready to throw the computer in the bin.

Cheers

I have the same problem

And I'm still using it for work.. even if I don't know how safe it is.. now..

I'm running Windows Vista Home Basic
AVG ver. 2012.0.1913
DB ver. 2114/4840

"";"C:\Windows\System32\rundll32.exe (3560):\memory_00ca0000";"Trojan horse Generic27.SLL";"Object is inaccessible."
"Detection name";"Trojan horse Generic27.SLL"
"Object type";"file"
"SDK Type";"Core"
"Result";"Infected"

"Object name";"C:\Windows\System32\rundll32.exe (3560)"
"Detection name";"Trojan horse Generic27.SLL"
"Object type";"process"
"SDK Type";"Core"
"Result";"Deleted"

Even if it says it was deleted it's not... whenever I do the scan it's still there and after I rebooted my laptop I still have the same problems with that Trojan Horse cloning explorer and other system or user files and AVG doesn't find them anymore...

in 10 hours I need to access my secure accounts to work I would really need some help

is it at least safe to access my accounts?

P.S. whenever I open my laptop I have to close down from task manager rundll32.exe for me to be able to even go on the internet.

@ vd233

Memory.. This type of infection can be usually removed by running a scan using updated AVG Rescue CD. Should the infection persist, please provide both Gmer scan results Msinfo output and AVG Anti-Virus scan results for further analysis.

---

AVG Free Volunteer ModeratorAVG Free Forum member since - Nov. 27, 2004My total posts on the Old AVG Free Forum - 27,063
Alan

---

How-To Articles | FAQ | Free Support

Can you let me know if it is safe for me to access my accounts? I think I can live with closing down the programs from task manager if we can't solve it in 24h.

And thanks for the quick reply, really appreciate it.

Error trying to put it on the USB.

Can you let me know if it is safe for me to access my accounts?

And thanks for the quick reply !!!

Hello vd233,

It is definitely not safe to use your accounts when your computer is infected.

Please follow steps mentioned by BigAl so we can analyse the issue further.

Thank you.
___________________AVG TeamHow-To articles | FAQ | Free SupportWe Protect Us

Hi Big Al,

Im having similar problems to vd233.
I am running XP Professional on my pc. When I encountered this problem and realised it was a virus, I disconnected from the internet. Every time I start up the pc it opens 2 explorer windows with the ip address http://195.189.227.147/.

When I start up it also seems to clone my desktop, so that some of the system files i try to open, open behind the the cloned desktop. You see them briefly when shutting down. e.g. Task manager or if I push windows key + R.....

I am working off my laptop at the moment, so not sure how to get the required info through to you!
Worried about connecting my pc to the internet.
Can I take a photo? (sorry if its a silly question)

I'm lucky I have Windows XP installed on it too but without internet, only a few basic drivers, so I was able to make the bootable USB from there and I left the scan run all night long, when I woke up in the morning he found 3 worms and the scan was frozen.. so I rebooted the laptop.. and when I went back on the bootable usb I chose to see the last result and what I remember is that one was in system32 and one in explorer, I chose the healing option and it said he healed all 3 files, then I scanned it again just to be sure and he found 3 Trojan Horses into Java, I chose the healing option again and the program said he healed only 1 file, when I went back to check the last result it said all the files were healed.

I opened windows vista and the same things happen, when the processes are loading at one point explorer disappears and this other "fake", "cloned" explorer comes into place.. I took a screenshot too so you can see how weird my task manager looks like. ( http://www4.zippyshare.com/i/96108801/22577/task%20manager.jpg )

Whenever I try to use gmer rootscan it freezes (while scanning) and at one point rebooted my laptop too, I tried the older version but I can't even open it up because it instantly freezes. (yes they were renamed into vd233roo.exe)

The normal gmer scan worked.. even if the first time I tried it rebooted my laptop.. and the msinfo was done on the "fake" "cloned" explorer so I hope is still some good.

What I also noticed is that whenever explorer starts and I quickly access task manager and I close rundll32.exe and everything that looks suspicious to me the "cloned", "fake" explorer and invisible notepads don't appear anymore, is that safe for me to work on? Without the "fake", "cloned" explorer?!?

Thanks again for the effort and the help, really appreciate it.

P.S: I had to access my accounts this morning to work a bit I hope they're not compromised... and after I'll post this I'll run the rescue CD again if it finds anything I'll choose renaming this time.

Cheers.

not working....

I did another scan with the bootable usb... and he didn't find anything... but I still get the issues with "fake", "cloned" explorer and the rest...



I just want to be able to work again on my laptop, I'm currently on a friends laptop..

Hello vd233,

Please also provide us with Gmer anti-rootkit scan results.

If you will not be able to run anti-rootkit scan, you may try to restore master boot record in offline mode.
Right after the MBR is restored, please scan your computer with updated AVG Rescue CD to kill all remains of infection.

Thank you.

___________________AVG TeamHow-To articles | FAQ | Free SupportWe Protect Us