How to Prevent and Remove the Trojan-GameThief.Win32.Magania.edbe.edbe


 

1. What is the Trojan-GameThief.Win32.Magania.edbe.edbe

 Trojan-GameThief.Win32.Magania.edbe, also referred to as GameThief.Win32.Magania, is a hazardous trojan horse infection that attacks Windows system processes and obstructs access to msconfig and regedit. Once inside the PC, GameThief automatically downloads and injects infected 601.exe, f3c74e3fa248.exe and 6f2.exe files without the user's knowledge. Trojan-GameThief.Win32.Magania.edbe generally sneaks into the system while the user downloads dubious tools or corrupt ActiveX updates, or while visiting porn-related web sites. Trojan-GameThief.Win32.Magania.edbe is a dangerous trojan horse that can seriously harm computer files; it is important to remove all of its parts!

Alias: Trojan.Gen.2 [Symantec], Generic.dx!vaf [McAfee], Trojan-GameThief.Win32.Magania [Ikarus]  

 

2. Technical Details:

 

a. The following files were created in the system:

#  Filename(s)                              File Size
1  %UserProfile%\Microsoft\EV3smx4pnp.dll   64,000 bytes
2  %UserProfile%\Microsoft\EV3smx4pnp.log   14 bytes
3  %System%\AEV3szxc10.dll                  87,040 bytes
   %System%\AEV3szxc11.dll
   %System%\AEV3szxc12.dll
4  %System%\AEV3szxc20.dll                  84,992 bytes
5  %System%\AEV3zxc.exe                     202,752 bytes
6  %System%\nvsvc.exe                       74,752 bytes
7  [file and pathname of the sample #1]     101,888 bytes
  • Notes:
    • %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • The following file was modified:
    • %System%\drivers\npf.sys
  • The following directory was created:
    • %UserProfile%\Microsoft

b. Memory Modifications

  • There was a new process created in the system:

Process Name   Process Filename     Main Module Size
nvsvc.exe      %System%\nvsvc.exe   372,736 bytes
  • The following modules were loaded into the address space of other process(es):

Module Name      Module Filename           Address Space Details
AEV3szxc12.dll   %System%\AEV3szxc12.dll   Process name: explorer.exe
                                           Process filename: %Windir%\explorer.exe
                                           Address space: 0x1EE0000 - 0x1F40000
AEV3szxc12.dll   %System%\AEV3szxc12.dll   Process name: sdnsmain.exe
                                           Process filename: %Windir%\dns\sdnsmain.exe
                                           Address space: 0x1620000 - 0x1680000
AEV3szxc10.dll   %System%\AEV3szxc10.dll   Process name: nvsvc.exe
                                           Process filename: %System%\nvsvc.exe
                                           Address space: 0x9F0000 - 0xA50000
  • Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\InprocServer32
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\ProgID
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\Programmable
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\VersionIndependentProgID
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid32
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\TypeLib
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\0
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\0\win32
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\FLAGS
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\HELPDIR
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\VersionIndependentProgID]
        • (Default) = "IEHlprObj.IEHlprObj"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\ProgID]
        • (Default) = "IEHlprObj.IEHlprObj.1"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\InprocServer32]
        • (Default) = "%System%\AEV3szxc20.dll"
        • ThreadingModel = "Apartment"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}]
        • (Default) = "IEHlprObj Class"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\TypeLib]
        • (Default) = "{94AC7948-7BE1-4FB9-A7CA-67CD88362758}"
        • Version = "1.0"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid32]
        • (Default) = "{00020424-0000-0000-C000-000000000046}"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid]
        • (Default) = "{00020424-0000-0000-C000-000000000046}"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}]
        • (Default) = "IIEHlprObj"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\0\win32]
        • (Default) = "%System%\AEV3szxc20.dll"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\HELPDIR]
        • (Default) = "%System%\"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\FLAGS]
        • (Default) = "0"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0]
        • (Default) = "IEHelper 1.0 Type Library"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer]
        • (Default) = "IEHlprObj.IEHlprObj.1"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj]
        • (Default) = "IEHlprObj Class"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID]
        • (Default) = "{94AC7942-7BE1-4FB9-A7CA-67CD88362758}"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1]
        • (Default) = "IEHlprObj Class"
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • EV3smx4pnp = "rundll32.exe "%UserProfile%\Microsoft\EV3smx4pnp.dll", Launch"
        • AEV3sos = "%System%\AEV3zxc.exe"
        • nvsvc = "%System%\nvsvc.exe"

    d. Other details

    • There were registered attempts to establish connection with the remote hosts. The connection details are:

    Remote Host      Port Number
    67.159.45.128    61688
    • The data identified by the following URLs was then requested from the remote web server:

      • http://67.159.45.128:61688/img/img.txt
      • http://67.159.45.128:61688/img/masdlfslsiowlsj1.exe
      • http://67.159.45.128:61688/img/ZadsgedyfGk2.exe

     

    3. How-to's

    a. How to prevent the Trojan-GameThief.Win32.Magania.edbe.edbe?

    Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and ensure your network and business security.

    b. How to Remove the GameThief.Win32.Magania.edbe.edbe Manually?

    Step 1 : Use Windows Task Manager to Remove GameThief.Win32.Magania.edbe.edbe Processes

    %System%\nvsvc.exe

    Step 2 : Use Registry Editor to Remove GameThief.Win32.Magania.edbe.edbe Registry Values

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\InprocServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\ProgID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\Programmable
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\VersionIndependentProgID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\TypeLib
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\0
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\0\win32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\FLAGS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\HELPDIR
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\VersionIndependentProgID]
    (Default) = "IEHlprObj.IEHlprObj"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\ProgID]
    (Default) = "IEHlprObj.IEHlprObj.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\InprocServer32]
    (Default) = "%System%\AEV3szxc20.dll"
    ThreadingModel = "Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}]
    (Default) = "IEHlprObj Class"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\TypeLib]
    (Default) = "{94AC7948-7BE1-4FB9-A7CA-67CD88362758}"
    Version = "1.0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid32]
    (Default) = "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid]
    (Default) = "{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}]
    (Default) = "IIEHlprObj"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\0\win32]
    (Default) = "%System%\AEV3szxc20.dll"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\HELPDIR]
    (Default) = "%System%\"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\FLAGS]
    (Default) = "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0]
    (Default) = "IEHelper 1.0 Type Library"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer]
    (Default) = "IEHlprObj.IEHlprObj.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj]
    (Default) = "IEHlprObj Class"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID]
    (Default) = "{94AC7942-7BE1-4FB9-A7CA-67CD88362758}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1]
    (Default) = "IEHlprObj Class"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    EV3smx4pnp = "rundll32.exe "%UserProfile%\Microsoft\EV3smx4pnp.dll", Launch"
    AEV3sos = "%System%\AEV3zxc.exe"
    nvsvc = "%System%\nvsvc.exe"

    Step 3: Detect and Delete Other GameThief.Win32.Magania.edbe.edbe Files

    %UserProfile%\Microsoft\EV3smx4pnp.dll
    %UserProfile%\Microsoft\EV3smx4pnp.log
    %System%\AEV3szxc10.dll
    %System%\AEV3szxc11.dll
    %System%\AEV3szxc12.dll
    %System%\AEV3szxc20.dll
    %System%\AEV3zxc.exe
    %System%\nvsvc.exe
    [file and pathname of the sample #1]
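    The following PowerShell script is an added example, not part of the original page or of any Sax2 product: it audits a host for the indicators listed in sections 2.a through 2.d and in Steps 1 to 3 above (files, registry keys, Run values, the nvsvc.exe process, the AEV3szxc*.dll modules loaded into other processes, and a live connection to the listed remote host and port) and reports what it finds without deleting anything, so the result can be checked before manual removal. It assumes %System% maps to $env:SystemRoot\System32 and %UserProfile% to $env:USERPROFILE, that it runs from an elevated prompt (HKLM and other processes' module lists need it), and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later; the network check is skipped otherwise). The sample's own path ("[file and pathname of the sample #1]") is unknown and is not checked.

```powershell
# Added example (not from the original report): audit-only check for the
# indicators the report lists. Reports findings; removes nothing.
# Assumptions: %System% = $env:SystemRoot\System32, %UserProfile% = $env:USERPROFILE,
# elevated session; Get-NetTCPConnection may be absent on older Windows.

$System      = Join-Path $env:SystemRoot 'System32'
$UserProfile = $env:USERPROFILE
$Clsid       = '{94AC7942-7BE1-4FB9-A7CA-67CD88362758}'
$RemoteHost  = '67.159.45.128'
$RemotePort  = 61688

# Files from section 2.a / Step 3 (the unnamed sample path is omitted).
$Files = @(
    (Join-Path $UserProfile 'Microsoft\EV3smx4pnp.dll'),
    (Join-Path $UserProfile 'Microsoft\EV3smx4pnp.log'),
    (Join-Path $System 'AEV3szxc10.dll'),
    (Join-Path $System 'AEV3szxc11.dll'),
    (Join-Path $System 'AEV3szxc12.dll'),
    (Join-Path $System 'AEV3szxc20.dll'),
    (Join-Path $System 'AEV3zxc.exe'),
    (Join-Path $System 'nvsvc.exe')
)

# Top-level registry keys from section 2.c / Step 2; their subkeys live under them.
$Keys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    'HKLM:\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}',
    'HKLM:\SOFTWARE\Classes\IEHlprObj.IEHlprObj',
    'HKLM:\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)

# Autostart value names the report lists under HKCU\...\Run.
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValues = 'EV3smx4pnp', 'AEV3sos', 'nvsvc'

$findings = [System.Collections.Generic.List[string]]::new()

foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $len = (Get-Item -LiteralPath $f).Length
        $findings.Add("FILE     $f ($len bytes)")
    }
}

foreach ($k in $Keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("REGKEY   $k") }
}

if (Test-Path -LiteralPath $RunKey) {
    $run = Get-ItemProperty -LiteralPath $RunKey
    foreach ($v in $RunValues) {
        if ($null -ne $run.$v) { $findings.Add("RUNVALUE $RunKey\$v = $($run.$v)") }
    }
}

# Section 2.b: the nvsvc.exe process and the report's DLLs inside other processes.
Get-Process -Name nvsvc -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("PROCESS  nvsvc.exe PID $($_.Id) path $($_.Path)")
}
foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.ModuleName -like 'AEV3szxc*.dll') {
                $base = '0x' + $m.BaseAddress.ToInt64().ToString('X')
                $findings.Add("MODULE   $($m.ModuleName) in $($p.ProcessName) (PID $($p.Id)) at $base")
            }
        }
    } catch { }  # access denied on protected processes is expected; keep going
}

# Section 2.d: an established or pending connection to the listed host and port.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemoteAddress $RemoteHost -RemotePort $RemotePort -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("NETCONN  $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State) PID $($_.OwningProcess)")
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the report were found on this host.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

    Run it before and after the manual steps: a clean "after" run confirms that the process is gone, the keys and Run values are removed and no AEV3szxc*.dll remains mapped into explorer.exe or any other process. The module scan lists the base address so it can be compared with the address ranges in section 2.b.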

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan for spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
