Trojan Generic33.CIKO - Mtool_new.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Billdoe, Sep 23, 2013.

  1. Billdoe

    Billdoe Private E-2

    I have reason to believe I have been infected with Trojan horse (Generic33.CIKO) and/or a root kit.
    AVG detects them and moves them to the virus vault; but I cannot empty or delete any of the quarantined listings.
    They would never disappear from the screen as AVG highlighted them while “Removing” them.

    Now AVG is updated to 2014 version, and now all the Virus Vault listings say “Access Denied” when I try to delete.
    Furthermore, the Trojan detections by AVG have continued after quarantine, and they continue to infect.

    The detections occurred while scanning with AVG Anti-Virus program and while online using Mozilla Firefox and IE as follows:
    //-------------------------------------------
    THREAT:
    Trojan horse Generic33.CIKO

    OBJECT NAME:
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    Found registry key with reference to infected file:
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    Registry Key:
    HKU\S-1-5-21-3940834483-2450762797-250082717-1000\Software\Microsoft\Windows\CurrentVersion\Run\\MTool
    //-------------------------------------------
    I found a similar thread on your forum where chaslang responded to a post regarding the infected file (MTool_New.exe) by a forum member: (MAVE) at this link:
    Very good reason to believe I've been infected with a rootkit/remote control 'hack'
    http://forums.majorgeeks.com/showthread.php?p=1788073
    //-------------------------------------------
    I also found another thread at Bleeping Computer referring to a Trojan horse with a different extension, named: Generic33.PMB instead of: Generic33.CIKO
    http://www.bleepingcomputer.com/forums/t/500497/trojan-horse-generic33-pmb/?hl=generic33
    //-------------------------------------------
    I believe it is an uninstalled downloader file referenced in the registry that keeps calling the Trojan.
    FreeNew.Net has a downloader utility that is supposed to download all the best freeware.
    I don’t know the name of the file downloader, but I believe it has “One Click” and/or “All” in the URL link, as below:

    FreeNew.Net/downloader
    files.freenew.net/downloader

    FreeNew.net/One Click Install All
    FreeNew.Net/FreeAppInstaller.exe

    PATHS on my computer:
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe
    C:\Users\B\Downloads\Software _Archives\FreeWare\FreeNew.net\Freenew One Click Install All\FreeAppInstaller.exe
    //-------------------------------------------
    1. I have read the: READ & RUN ME FIRST. Malware Removal Guide
    2. I was wondering if there are any concerns regarding program conflicts, because I am using AVG for my anti-virus program,
    - While also using – Iobit Malware Fighter v2.1 – for my malware program.
    3. I have a 32 bit system and set the folder options view to see hidden files, and turned off User Account Control
    4. I have run CCleaner on each user account
    5. I have downloaded the tools, but could not download MGtools to the root of C:\ - so I downloaded it to my user desktop: C:\Users\B\Downloads\Desktop\MGtools.exe
    and then moved it to C:\MGtools.exe
    6. I have disabled the User Account Control
    7. The Malwarebytes utility did find a file that I accidentally restored from the Virus Vault while I was trying to clear out the AVG listings: MTool_new.exe.old
    8. The AVG Virus vault still shows many detections and registry entries. I can attach a screen shot (.jpg picture) of the Vault listings if need be. I don’t know how to export just the menu items listings of each occasion they were detected.
     


    Last edited by a moderator: Sep 23, 2013
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    AVG is wrong. MGTools is not a virus.
     
  3. Billdoe

    Billdoe Private E-2

    Yes, MGTools was detected as a virus, by AVG, but I allowed it to run when prompted. It ran fine.

    I just had another current AVG detection with the same specifics (Trojan generic33.CIKO, from my appdata\roaming\Mtool_New.exe) while I am writing this reply.

    It was removed by AVG.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    A lot of AV software will flag MGTools due to the nature of the scan that it performs.
     
  5. Billdoe

    Billdoe Private E-2

    I don't think we are talking about the same *.exe file.

    They have different file names.
    MGtools = has the letter "G" in its filename
    Mtools = does not

    They have different paths
    MGtools.exe path is: C:\MGtools.exe
    Mtools.exe path is: C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    MGtools.exe is not running when my AVG detects Mtools.exe
    Mtools.exe is detected by AVG just after Mozilla Firefox loads

    AVG allows MGtools to run during program execution - (virus scans)
    AVG has detected MGtools, only once during program installation - (Install)
    AVG has detected Mtools, numerous times - while loading Firefox - (Internet)
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the misunderstanding. Some days are better.......


    Use windows explorer to find and delete:
    c:\users\b\appdata\roaming\mcommon\mtool_new.exe

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Tell me if that fixed it.
     
  7. Billdoe

    Billdoe Private E-2

    The registry was updated, but I had detections since rebooting.
     
  8. Billdoe

    Billdoe Private E-2

    ANSWER - OR WORK AROUND FOUND:

    The source of the problem appears to be the website: YTIMG.BIZ
    Ytimg.biz downloads the infected file MTool_New.exe when you open the browsers: IE or Firefox
    The directory \mcommon is rebuilt if you delete it, and triggered by opening the IE browser.
    I cannot stop "mtool_new.exe" from appearing in Startup in msconfig, but I can stop its effect.
    //------------------------------------------------------------------------

    In MS INTERNET EXPLORER I decided to BLOCK all access to variations of the URL website address: YTIMG.BIZ

    To do so use the following PATHS:
    - CONTROL PANEL - INTERNET OPTIONS - SECURITY TAB - SELECT A ZONE - RESTRICTED SITES - SITES - ADD THIS WEBSITE TO THE ZONE -
    Type in the following variations of Ytimg.biz website address:

    http://ytimg.biz
    http://www.ytimg.biz
    www.ytimg.biz
    *.ytimg.biz

    Also I blocked cookies for ytimg.biz.
    To do so use the following PATHS:
    - CONTROL PANEL - INTERNET OPTIONS - PRIVACY tab - SETTINGS - SITES - ADDRESS OF WEBSITE -
    Type in the following variations of Ytimg.biz website address:

    *ytimg.biz

    - BLOCK

    //------------------------------------------------------------------------

    In FIREFOX I had to download an "Add On" to BLOCK a website, as this option does not exist in the default Firefox browser.
    I used: BLOCK SITE 1.0.9 and once again I blocked accessing the URL address: YTIMG.BIZ

    It would appear that blocking website "ytimg.biz" is helping.

    I would like to remove the registry entries causing the browsers to call for the download, but I don't know where they reside. Any suggestions?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    To check the registry, I need you to run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGLogs.zip.
     
  10. Billdoe

    Billdoe Private E-2

    I have had more detections since my last post regarding blocking the website.

    I have attached the new C:\MGlogs.zip file you've requested.

    Thanks for your help - you provide a great service to the personal computer community.
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding it anywhere in your logs. What is detecting it? And do you have a log?
     
  12. Billdoe

    Billdoe Private E-2

    The detections by AVG occur while online using Mozilla Firefox and/or IE, and also while running a complete scan, as follows:
    //-------------------------------------------
    THREAT:
    Trojan horse Generic33.CIKO

    OBJECT NAME:
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    Found registry key with reference to infected file:
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    Registry Key:
    HKU\S-1-5-21-3940834483-2450762797-250082717-1000\Software\Microsoft\Windows\CurrentVersion\Run\\MTool

    I do not have a log - but I believe there is a registry entry (or some other code) that is calling to the website: *ytimg.biz
    to download the infected file: MTool_new.exe

    I have seen the file in the MCommon directory but I am afraid to click it, so I then have AVG remove it.

    I am not sure if it is a Trojan or an old removed program that is trying to "Update" itself.
     
  13. Billdoe

    Billdoe Private E-2

    I do not have a log, but I have attached the AVG program log files.

    The AVG detections occurred while online using Mozilla Firefox and/or IE, and sometimes when AVG anti-virus is scanning the hard drive; the AVG info is as follows:

    //-------------------------------------------
    THREAT:
    Trojan horse Generic33.CIKO

    OBJECT NAME:
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    Found registry key with reference to infected file:
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    Registry Key:
    HKU\S-1-5-21-3940834483-2450762797-250082717-1000\Software\Microsoft\Windows\CurrentVersion\Run\\MTool

    //-------------------------------------------
    I believe there is a registry entry or code somewhere that is calling the corrupt file named: MTool_new.exe
    and it is being downloaded from the website: *.ytimg.biz
    And AVG captures and quarantines it most of the time before it is copied to the MCommon directory. C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    I'm not sure this is a Trojan, perhaps it is an old update program for an application that's been uninstalled.
    I would like to find the registry entry or hidden code that is calling the download, and remove it.
    Is there some way we could determine the programs that are requesting any downloading, and also what file names are downloaded, during the times I get these infections?

    /////////////////////////////////////////////////

    I found a similar thread on your forum where chaslang responded to a post regarding the infected file (MTool_New.exe) by a forum member: (MAVE) at this link:

    Very good reason to believe I've been infected with a rootkit/remote control 'hack'
    http://forums.majorgeeks.com/showthread.php?p=1788073
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTM by Old Timer and save it to your Desktop.


    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the [IMG] area. Do not include the word Code.


    Code:
    :Processes
    explorer.exe
    :Files
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe
    
    :Reg
    [-HKU\S-1-5-21-3940834483-2450762797-250082717-1000\Software\Microsoft\Windows\CurrentVersion\Run\\MTool]
    
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Reboot and rescan with AVG and see if you still are having issues.
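    Added example (not TimW's instructions and not part of OTM): a read-only PowerShell audit of the per-user Run/RunOnce keys that the OTM :Reg line above removes from and that Billdoe asked how to locate. It lists every autostart value whose target sits under a profile's AppData folder, as MTool_new.exe does, and hashes the file if it is still present. The function name and the AppData pattern are my own; run it elevated so hives of other logged-on users are readable.

```powershell
# Added audit script (assumption: Windows PowerShell 5.1+, run elevated).
# Lists per-user Run/RunOnce values whose target lives under AppData, the
# location where AVG reported MTool_new.exe, and hashes the target if present.
$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Constructed pattern for this example: any path inside AppData\Roaming or AppData\Local
$AppDataPattern = '\\AppData\\(Roaming|Local)\\'

function Get-AppDataAutostarts {
    # Walk every loaded per-user hive (names like S-1-5-21-...-1000) rather than
    # only HKCU, so an entry reported under HKU\<SID>\...\Run is covered from any account.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $hives) {
        foreach ($sub in $RunKeys) {
            $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$sub"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $key = Get-Item -LiteralPath $keyPath
            foreach ($name in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($name)
                if ($cmd -notmatch $AppDataPattern) { continue }
                # Reduce '"C:\dir with spaces\x.exe" args' or 'C:\dir\x.exe args' to the executable path
                $exe = $cmd -replace '^"([^"]+)".*$', '$1'
                $exe = $exe -replace '^(\S+\.exe)\b.*$', '$1'
                $exists = Test-Path -LiteralPath $exe -PathType Leaf
                # SHA-256 of the dropped file is what you compare with a vendor or sandbox report
                $sha256 = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
                          else { '(file not present)' }
                [pscustomobject]@{
                    Sid        = $hive.PSChildName
                    Key        = $sub.Split('\')[-1]
                    ValueName  = $name
                    Command    = $cmd
                    FileExists = $exists
                    Sha256     = $sha256
                }
            }
        }
    }
}

Get-AppDataAutostarts | Format-List
```

    An entry that keeps coming back after the file and the value are deleted points to a second persistence mechanism (a scheduled task, a service or a browser-triggered download such as the one suspected in this thread) rather than to the Run key itself.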
     
  15. Billdoe

    Billdoe Private E-2

    I have found some additional information regarding: MTool_New.exe
    It seems this is included in Windows Vista Home Premium operating system.
    I have a dual boot system with Windows7 (primary OS) & Vista Home Premium.

    I have not run OTM by Old Timer as you have requested, in case this new info is relevant. I will wait until your next post and you can tell me to continue or give new instructions.

    The additional info regarding MTool_New.exe is as follows:

    //////////////////
    The new info regarding mtool_new.exe was found with a Bing search at:

    http://www.shouldiblockit.com/mtool_new.exe-8ad4c9b2e83d2341476ed1bf75abdc9c.aspx

    //////////////////
    Overview
    //////////////////

    mtool_new.exe is set to be run when the PC boots and the user logs into Windows (added to the Run registry key for the current user).
    The assembly utilizes the .NET run-time framework (which is required to be installed on the PC).
    This particular version is usually found on Windows Vista (TM) Home Premium (6.0.6002.131072).

    I have a dual boot system with Windows7 Ultimate and Windows Vista Home Premium
    --------------------------------------------------------------------------------
    //////////////////
    Details
    //////////////////

    File name:
    mtool_new.exe

    Publisher:
    MCompany

    Product name:
    MApp

    Typical file path:
    C:\users\user\appdata\roaming\mcommon\mtool_new.exe

    Original name:
    MTool.exe

    File version:
    1.0.0.0

    Size:
    305.5 KB (312,832 bytes)

    Build date:
    5/23/2013 4:40 AM


    //////////////////
    Digital DNA
    //////////////////

    File packed:
    No

    Code language:
    Microsoft Visual C# / Basic .NET

    .NET CLR:
    Yes

    .NET NGENed:
    No


    //////////////////
    Behaviors
    //////////////////

    Startup files (user) run:
    Runs under the registry key 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'MTool' → C:\users\user\appdata\Roaming\MCommon\MTool_new.exe


    //////////////////
    Distribution by Windows OS
    //////////////////

    OS version:
    Windows Vista Home Premium
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    AVG may be giving you a false positive. Go into msconfig and see if it is in your start up list.
     
  17. Billdoe

    Billdoe Private E-2

    It's not in MSconfig. So should I follow the previous Old Timer instructions?
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you can run Old Timer as the files are not critical for your machine.
     
  19. Billdoe

    Billdoe Private E-2

    I tried to run the OT program but it hung after it had moved the pasted files.
    I had to use the power button to shut down, task manager didn't work to resolve or reboot.

    I now have detections in the paths as mentioned previously:
    C:\Users\B\AppData\Roaming\MCommon\MTool_new.exe

    and also when opening a new window or a new tab, in Firefox, as follows:
    C:\Users\B\AppData\Local\Mozilla\Firefox\Profiles\fb215x1o.default\Cache\7\EA\38799d01
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you manually remove them?
     
  21. Billdoe

    Billdoe Private E-2

    Yes, I can remove the Generic33.CIKO Trojan Horse virus, by using AVG's empty virus vault, where the trojans are in quarantine.

    I have attached the AVG resident shield history. Notice that Firefox profiles default cache, has a new detection in a different default directory.
     


  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you still having malware issues?
     
  23. Billdoe

    Billdoe Private E-2

    Yes, I can remove them by using AVG "Empty Virus Vault" option in AVG history.

    It seems as though the infection notifications have stopped - it's been 11-15-2013 since the last detection.
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. :)
     
