Trojan.win32.Generic!BT removal help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ben1976, Jul 18, 2012.

  1. Ben1976

    Ben1976 Private E-2

    My AV (Vipre) has detected Trojan.win32.Generic!BT, but seems to fail when quarantine / remove options are used at the end of the scan.

    The active protection is constantly throwing up notifications of "A known bad file was blocked from opening" with file names like "00000004.@" trying to modify C:\windows\installer {lots of numbers and letters here}\U . It seems to be attacking the desktop.ini file as Vipre constantly wants to reboot and attempt to clean the .ini file. I have run scans a couple of times now, even in safe mode.

    About a week ago a RunDLL error appeared on startup and the other symptoms only started yesterday. I have worked my way through the readme and will attach the required logs and screen shots in the following post.

    Please advise what I can do to remedy this.
     

    Attached Files:

  2. Ben1976

    Ben1976 Private E-2

    Remaining log files and two screen dumps of errors I got running MGtools

    Thanks
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:
    • [BLACKLIST DLL] HKLM\[...]\Run : usmong (rundll32.exe "C:\Users\Ben\AppData\Roaming\usmong.dll",CleanupGlobalTempFiles) -> FOUND
    • [BLACKLIST DLL] HKLM\[...]\Run : svcasw ("C:\Windows\System32\rundll32.exe" "C:\Users\Ben\AppData\Roaming\svcasw.dll",TypeToAdsTypeDNWithString) -> FOUND
    • [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Ben\AppData\Local\{5ecb092d-3f90-f199-254e-75d1456c20e6}\n.) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.


    Do the same with the files/folder tab and locate these: Checkmark them and fix them.
    • [ZeroAccess][FILE] @ : c:\windows\installer\{5ecb092d-3f90-f199-254e-75d1456c20e6}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : c:\windows\installer\{5ecb092d-3f90-f199-254e-75d1456c20e6}\U --> FOUND
    • [ZeroAccess][FOLDER] L : c:\windows\installer\{5ecb092d-3f90-f199-254e-75d1456c20e6}\L --> FOUND
    • [ZeroAccess][FILE] @ : c:\users\ben\appdata\local\{5ecb092d-3f90-f199-254e-75d1456c20e6}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : c:\users\ben\appdata\local\{5ecb092d-3f90-f199-254e-75d1456c20e6}\U --> FOUND
    • [ZeroAccess][FOLDER] L : c:\users\ben\appdata\local\{5ecb092d-3f90-f199-254e-75d1456c20e6}\L --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

    • When it is finished, there will be a log on your desktop called: RKreport[2].txt
    • Attach RKreport[2].txt to your next message. (How to attach)
    • Rerun RogueKiller and attach the new log so I can see those items got dealt with.
    • Do not reboot your computer yet.



    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  4. Ben1976

    Ben1976 Private E-2

    Hi Kestrel13!,

    Firstly, thanks for the reply. Things didn't go quite to plan following your instructions - I will elaborate....

    I ran RK, and selected the 3 reg entries and hit delete, this created a RKreport[3].txt - attached - simple:confused. Then proceeded with the files tab, but there isn't a check box or anything to check (from what I can see - screen dump attached). So I thought the "fix shortcuts" was related to the files (I know now this isn't) this created another RKreport[5].txt - attached. Then I thought if in the files tab, I just hit delete to fix the files (wrong again) this has replaced 4 registry entries see RKreport[7].txt attached. So I ran a final scan and attached RKreport[8].txt - you can see the folders / files with the ZeroAccess infection are still present.

    The last part of your instructions was easy to follow and I have attached the FRST.txt. Looks like ZeroAccess is showing in:

    C:\Windows\Installer\{5ecb092d-3f90-f199-254e-75d1456c20e6}
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

    Sorry if I messed things up a little, hope I haven't done too much damage???:-o

    Out of curiosity, any Idea where / how ZeroAccess could have been infected from?
     

    Attached Files:
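    A read-only triage script for the indicators named in posts #3 and #4, added here as an example; it is not code from the thread, RogueKiller or FRST. It assumes an elevated PowerShell 4.0 or later session (for Get-FileHash), and the MD5 it compares against is the one Ben quoted for services.exe, so it is only meaningful for this case; everything else flagged is reported for inspection, nothing is deleted.

```powershell
# Added example, not from the thread or its tools. Reports the ZeroAccess artefacts
# discussed in posts #3 and #4 without changing anything. Assumes PowerShell 4.0+, elevated.
$findings = @()
$servicesMd5FromThread = '014A9CB92514E27C0107614DF764BC06'   # value quoted in post #4 only

# 1. Run-key values that start rundll32 with a DLL from AppData\Roaming (post #3, first two items)
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        if ($p.Value -match 'rundll32' -and $p.Value -match 'AppData\\Roaming') {
            $findings += "Run value $hive\$($p.Name) loads a DLL from Roaming: $($p.Value)"
        }
    }
}

# 2. {GUID} folders holding an '@' file plus 'U' and 'L' subfolders, the layout seen in
#    C:\Windows\Installer and Local AppData. Installer legitimately holds {GUID} folders for
#    MSI caches, so only the @/U/L combination is reported. Only the current user's profile is checked.
foreach ($root in @("$env:SystemRoot\Installer", $env:LOCALAPPDATA)) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' } |
        ForEach-Object {
            $hasAt = Test-Path (Join-Path $_.FullName '@')
            $hasU  = Test-Path (Join-Path $_.FullName 'U')
            $hasL  = Test-Path (Join-Path $_.FullName 'L')
            if ($hasAt -and $hasU -and $hasL) { $findings += "ZeroAccess-style folder layout: $($_.FullName)" }
        }
}

# 3. desktop.ini inside the GAC folders, which both RogueKiller and FRST flagged in this thread
foreach ($gac in 'GAC_32', 'GAC_64') {
    $ini = "$env:SystemRoot\assembly\$gac\desktop.ini"
    if (Test-Path $ini) {
        $size = (Get-Item -Path $ini -Force).Length
        $findings += "desktop.ini present in $gac ($size bytes): inspect before trusting it"
    }
}

# 4. services.exe compared with the hash FRST reported for the patched copy
$svc = "$env:SystemRoot\System32\services.exe"
if ((Get-FileHash -Path $svc -Algorithm MD5).Hash -eq $servicesMd5FromThread) {
    $findings += "services.exe matches the MD5 quoted in post #4"
}

if ($findings.Count -eq 0) { 'No indicators from this thread were found.' } else { $findings }
```

    The script only confirms whether the artefacts this thread dealt with are present; a clean result here is not a general clean bill of health, and any hit still needs the logs the helpers asked for.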

  5. Ben1976

    Ben1976 Private E-2

    Remaining logs

    Thanks in advance.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
    • Now run FRST like you did the very first time and attach that log too please.
    • Run RogueKiller again without attempting fixes and attach that log.
     

    Attached Files:

  7. Ben1976

    Ben1976 Private E-2

    Followed instructions, everything went well this time.

    I looked at the logs, and it seems to have almost cleaned it all. Still infection present in

    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.

    AV is only reporting now on the desktop.ini file, and still wants to reboot to clean the infection. Every time I have rebooted to run the FRST scan / fix, the desktop.ini files are being "cleaned" (unsuccessfully) by Vipre.

    Thought that info might help, logs attached.

    Thanks
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Disable Vipre and then repeat everything in my post #6. Something is blocking my fix; it could be your AV.
     
  9. Ben1976

    Ben1976 Private E-2

    I can disable in windows, but when booting into system recovery options to run the fixlist I have no control over AV?

    Should I temp uninstall?

    I just repeated everything in step 6 and got the same result. If you think the AV is still blocking your fixlist, uninstalling is the only thing I can think of :confused
     
  10. Ben1976

    Ben1976 Private E-2

    Okay, so I uninstalled AV and repeated everything in post #6

    Logs attached, to me they still look the same.

    Please advise next course of action.

    Thanks
     
  11. Ben1976

    Ben1976 Private E-2

    Logs didn't attach?
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If this fix doesn't work, I'll seek advice from colleagues. :)

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    ---------------------------

    Now run FRST like you did the very first time. Attach the log.
     

    Attached Files:

  13. Ben1976

    Ben1976 Private E-2

    I used the new fixlist.txt, the results are attached. Still the same result :(

    Are there any other scans you would like me to re-run?

    I will wait for further instructions.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Seeking advice Ben, hang in there.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Here we go Ben, I made a simple error with my script again, I do apologise. Having a stressful week. :-D

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    -------------------------------

    Now run FRST like you did the very first time and attach that log too.
     

    Attached Files:

  16. Ben1976

    Ben1976 Private E-2

    No worries Kestrel, we all have stressful weeks. I have faith ;) you personally helped clean an infection on my laptop almost 2 years ago.....At the end of the day you guys on here offering Malware removal advice - do this for free in your spare time and for that I am very grateful. I hope whatever has you stressed passes...:)

    Back to my PC infection... I ran FRST64 as instructed and have attached the two logs. It all looks well, so I re-installed AV and did a quick scan. It found a trojan (screen dump attached) and was cleaned successfully so I am thinking I should run a full deep scan, but it's getting late for me so I won't have time to post the results (will let it run overnight) and will post in the morning (AUS time). At least since re-installing AV it's not throwing up messages and wanting to reboot....

    Thanks again Kestrel, will let you know how the deep scan goes. Let me know if you would like me to run any additional scans.

    Ben
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks for your patience, Ben. That last log looks great now. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  18. Ben1976

    Ben1976 Private E-2

    Scans were all good, just found the quarantined files from FRST. All back to normal, once again thanks. Let's hope I am not back here soon...;)
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Glad you're all sorted, Ben! :)
     
