Trojan horse Generic10.ABTV and AVG's threat force removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by laurac, Jun 25, 2008.

  1. laurac

    laurac Private E-2

    Greetings,

    This is my first experience with an infection. AVG warned me about this (Trojan horse Generic10.ABTV in system32/winivstr.exe), put it into the vault, then warned that removal could cause system problems or a crash. I'm not sure what to do even after reading through FAQs, manual and googling for the answer. I've downloaded and run RogueRemover (found nothing) and am currently scanning with Spybot. Sony VAIO XP PC, about 5 years old. Any hand holding would be mightily appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    This file is part of an infection that includes a bunch of other files. You need to do the below.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. laurac

    laurac Private E-2

    Trojan horse Generic10.ABTV post 'Read Me" results and logs

    Gone through everything. Search and Destroy found nothing. MGTools gave me 4th error 'Process DLL.EXE - Application Error The application failed to initialize properly (0xc0000135)'. First three logs attached, MGTools logs to follow.

    I really appreciate the help. Note that the Windows warning about infection is no longer occurring, nor is AVG warning me, but I am not sure if that means I am home free...please advise. Thanks so much, Laura
     


  4. laurac

    laurac Private E-2

    Pt. II Trojan horse Generic10.ABTV - MGTools logs

    Here are the MGTools logs!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Pt. II Trojan horse Generic10.ABTV - MGTools logs

    You are in pretty good shape now. We just have a couple of minor things to do.



    Uninstall the below software as requested in step 1 of the READ & RUN ME:
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.




    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
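The triage chaslang does by eye on the HijackThis lines above (an orphaned O3 toolbar with "(no file)", an O4 autorun) can be written down. The block below is an added example of mine, not MajorGeeks' tooling or anything chaslang posted. The sample log is constructed: the O3 and QuickTime O4 lines are the two from the post, the O2 line uses a placeholder CLSID, and the winivstr.exe and nbVj.exe autorun lines are hypothetical, built only from file names the thread mentions, since the real logs were attachments not shown here. The system32 allow-list is an assumption, not a complete list.

```python
"""Triage of HijackThis-style O2/O3/O4 log lines (added example, not MajorGeeks code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log. Only the O3 toolbar and QuickTime O4 lines come from the
# thread; the O2 CLSID is a placeholder and the last two O4 lines are hypothetical.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [winivstr] C:\WINDOWS\system32\winivstr.exe
O4 - HKCU\..\Run: [nbVj] C:\DOCUME~1\LAURAF~1\LOCALS~1\Temp\nbVj.exe
"""

# Locations a legitimate autorun should not live in.
TEMP_MARKERS = ("\\temp\\", "temporary internet files", "content.ie5")
# Tiny illustrative allow-list of system32 autoruns (assumption, not complete).
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "userinit.exe"}

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<value>.*)$')


@dataclass
class Finding:
    line: str
    verdict: str   # "fix", "review" or "ok"
    reason: str


def extract_path(value: str) -> str:
    """Pull the executable path out of an O4 value, quoted or not."""
    m = re.match(r'"([^"]+)"', value)
    if m:
        return m.group(1)
    parts: List[str] = []
    for token in value.split():
        # Stop at the first argument once we have at least one path token.
        if token.startswith(("-", "/")) and parts:
            break
        parts.append(token)
    return " ".join(parts)


def triage_line(line: str) -> Finding:
    line = line.rstrip()
    if line.startswith(("O2 - BHO:", "O3 - Toolbar:")):
        if line.endswith("(no file)"):
            return Finding(line, "fix", "orphaned registration with no backing file")
        return Finding(line, "ok", "has a backing file; verify it by path")
    m = O4_RE.match(line)
    if m:
        path = extract_path(m.group("value")).lower()
        base = path.rsplit("\\", 1)[-1]
        if any(marker in path for marker in TEMP_MARKERS):
            return Finding(line, "fix", f"autorun from a temp location: {path}")
        if "\\system32\\" in path and base not in KNOWN_SYSTEM32_AUTORUNS:
            return Finding(line, "review", f"unrecognised system32 autorun: {base}")
        return Finding(line, "ok", f"autorun from {path}")
    return Finding(line, "ok", "section not handled by this triage")


def triage_log(text: str) -> List[Finding]:
    return [triage_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"{f.verdict:6} {f.reason}")
```

A "review" verdict is the cue to do what chaslang asks for later in the thread: report the exact path, not just the detection name. Note that the script rates the QuickTime entry "ok" on location alone; a helper may still have it fixed simply to trim startup items, as chaslang did here.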
  6. laurac

    laurac Private E-2

    Thanks Mr. Chaslang

    Removed 2 Viewpoint programs and ran regedit successfully. I have attached MGTools logs.

    *But* while I was doing these things I got another AVG Shield warning and when I look in the Virus Vault I see Trojan Horse Agent.XGR dated today. I also had emptied the vault, but see several Trojan Horse Generic10.ABTV entries from yesterday???
    Does this mean I need to go through the whole ReadMe process again? Note that Windows is not warning me that my computer is infected like it was previously. I really do appreciate all your help - MajorGeeks is awesome.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, because it is quite possible that this is not even a problem. It could be just detections within your System Volume Information folder, which is System Restore, and we have not emptied it yet. It is always better to tell us where an infection is being found (i.e., what file names and where on the hard disk it was found). Just giving us an infection name alone is not helpful. Giving us a log that shows the exact info would be much better.

    I suggest you do all of the below and then tell me if you still have any detections. If you do then attach a log or just give me the info I mentioned.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
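The point chaslang makes above, that a detection inside System Volume Information is a restore-point copy and means something different from a file in system32 or Temp, is easy to apply mechanically once the report carries the path. The block below is an added example of mine, not AVG's export format or MajorGeeks' code. The pipe-separated records are constructed from the paths laurac reports later in the thread; the System Volume Information entry and its {GUID}\RP12 path are hypothetical placeholders.

```python
"""Classify where an AV detection was found (added example, not AVG or MajorGeeks code)."""
from typing import List, Tuple

# Constructed records: name | path | date/time. The first and third paths are the
# ones laurac reports; the restore-point entry is a hypothetical placeholder.
SAMPLE_DETECTIONS = r"""
Trojan horse Generic10.ABTV | C:\WINDOWS\system32\winivstr.exe | 6/26 8:30
Trojan horse Generic10.ABTV | C:\System Volume Information\_restore{GUID}\RP12\A0001234.exe | 6/26 9:53
Trojan horse Agent.XGR | C:\DOCUME~1\LAURAF~1\LOCALS~1\Temp\nbVj.exe | 6/27 12:41
"""

RESTORE_POINT = "restore-point copy"
TEMP_DROP = "temp/cache drop"
SYSTEM_FILE = "file in a Windows system directory"
OTHER = "other location"

Detection = Tuple[str, str, str, str]  # name, path, when, category


def classify_location(path: str) -> str:
    p = path.lower()
    if "\\system volume information\\" in p:
        # Old copies kept by System Restore; flushed by disabling/re-enabling it.
        return RESTORE_POINT
    if "\\temp\\" in p or "temporary internet files" in p or "content.ie5" in p:
        return TEMP_DROP
    if "\\windows\\system32\\" in p or "\\windows\\" in p:
        return SYSTEM_FILE
    return OTHER


def parse_detections(text: str) -> List[Detection]:
    out: List[Detection] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, path, when = [field.strip() for field in line.split("|")]
        out.append((name, path, when, classify_location(path)))
    return out


def report(text: str) -> List[str]:
    """One line per detection with the exact path, which is what a helper needs."""
    return [f"{n} at {p} ({w}): {c}" for n, p, w, c in parse_detections(text)]


def active_detections(text: str) -> List[Detection]:
    """Detections that are not merely restore-point copies and need follow-up."""
    return [d for d in parse_detections(text) if d[3] != RESTORE_POINT]


if __name__ == "__main__":
    for line in report(SAMPLE_DETECTIONS):
        print(line)
```

Run it over the vault's own listing and post the `report` lines rather than the detection name alone; `active_detections` is the subset worth asking about after the restore points have been flushed.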
  8. laurac

    laurac Private E-2

    OK, I did all the final steps, including resetting restore points. Note that when I try to remove ComboFix, which I had renamed to cf.exe on my Desktop as instructed, the program complains that it cannot remove ComboFix renamed as cf and does not remove it - should I rename it back and run it again?

    I look in my AVG Virus Vault and still see the same things listed (I had never removed them - do not know if you had intended me to do that as part of the final steps).

    I have three Trojan horse Generic10.ABTV infection notations for
    C:\WINDOWS\system32\winivstr.exe listed for 6/26 from 8:30 to 9:53 a.m., another for C:\DOCUMENTS AND SETTINGS\LAURA FRANK CLIFFORD\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\01234567\INSTALL[1].EXE for 6/26 at 10:38 a.m., and
    the final one I got the threat detection from AVG for yesterday, as I was going through the cleaning procedure, for infection Trojan horse Agent.XGR at
    C:\DOCUME~1\LAURAF~1\LOCALS~1\Temp\nbVj.exe for 6/27 12:41 p.m.

    Please advise on above. And thank you very much.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, try renaming it back to combofix.exe and then enter the below in the Start, Run box.

    "%userprofile%\desktop\combofix.exe" /killall

    This is actually requested in step 1 of the READ ME. You should always be emptying the quarantine yourself once you are sure that you do not need what was quarantined. The quarantine serves as a backup just in case something is removed that should not be removed.
     
  10. laurac

    laurac Private E-2

    I had emptied the Vault before beginning procedure - these things appeared afterwards. However, I emptied and rebooted and they remain gone. So I presume that means success!

    That command reran ComboFix rather than deleting it - I looked farther down in the thread and got what you'd originally given me, but that doesn't work either - it says it can't find cf now that I renamed it back. No big deal.

    Thanks again.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I forgot to edit what I posted to make it uninstall. It should have been the below:

    "%userprofile%\desktop\combofix.exe" /u
     
