Trojan horse Injector.GT removal help

Sony Vaio VGN-SZ2HP, Windows XP Pro 2002 Service Pack 3, AVG 9.0.733, ZoneAlarm version:8.0.298.000

On Sunday, I installed the latest version of Logitech Harmony Remote Software 7 (it installed a USB driver for the remote as well).

Later on, Wireless problems with Intel ProSet Wireless, AVG wouldn't update (even when I fixed the wireless connection by using windows to manage it), pdfs were not opening and Adobe Reader 7 re-installed when I launched it.

AVG Scan found 50 or so references to Trojan horse Injector.GT (I can't find a log of that scan, so I have attached the log of a scan I did at the end of the process below.) AVG claimed to have removed and healed them all.

After re-boot, problems persisted. So I did an AVG scan in safe mode. Same references to Trojan horse Injector.GT, same claims by AVG to have removed and healed them all, still there after re-boot.

So I found MajorGeeks and did the READ & RUN ME FIRST to the letter:

SuperAntiSpyware - Ran OK - Found nothing - Log attached.

Malwarebytes - Launched ok but disappeared in four seconds (even after I tried renaming the mbam.exe)

I shut down ZoneAlarm, Disabled AVG Resident Shield (I could not find an option to shut down AVG or to disable other components: Anti-virus, Anti-spyware. I left E-mail Acanner set to scan incoming messages because I figured that was not relevant.)

Combofix - Launched, got security warning and then small progress bar filling up and then nothing. Tried a few times.

RootRepeal - Ran OK - Found something - Log attached.

MGtools - Extracted the files to C:\MGtools but then nothing - no sign of it running batch files - no command prompt window - no error message.

This trojan seems to be guarding his rear very well!!

Any help would be greatly appreciated. Thank you.

 

Sorry, I forgot to add that one of the other problems is that google searching is crashing Firefox 3.6 for me.

 

Welcome to MajorGeeks!

Try this please. Right click on ComboFix and rename it to Combobatch.bat

Copy the below red text.

"%userprofile%\desktop\Combobatch.bat"

Go to Start > Run > then paste in the the text you copied into the run box then click OK

ComboFix should now run. Please post the log it creates.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

 

Thanks for the welcome and the help!

I did that.

I shut down ZoneAlarm, Disabled AVG Resident Shield (I could not find an option to shut down AVG or to disable other components: Anti-virus, Anti-spyware. I left E-mail Acanner set to scan incoming messages because I figured that was not relevant.)

combofix was on my desktop, so I renamed it, moved it to C:\Combofix\ and ran %systemdrive%\Combofix\Combobatch.bat.

Combofix - Launched, got security warning and then small progress bar filling up and then nothing. Same as before.

I did not touch the laptop at all after clicking ok to the security warning (i.e. I did not cause it to stall by mouseclicking).

By the way, I noticed that you quoted my comment on MGtools, but your comment was about combofix. Did you have an MGtools comment as well?

Thanks!

 

Actually yes and I forgot. rolleyes

<edited>


Try restarting the computer in Safe Mode and running ComboFix.

 

Thanks. I'll give that a go.

By the way, I had followed these instructions:

"It is critical that you save this file to the root folder of the drive where you have installed Windows (Typically this would be C:\ and thus you would have a C:\MGtools.exe file after downloading)"

from Step 1 here: http://forums.majorgeeks.com/showthread.php?t=139313

 

OkayI was giving bad advice. Yes you need to save it to the C drive.

Try running ComboFix in Safe Mode.

 

No problem. Thanks.

I'll try combofix in safe mode now.

I guess I'll try the standard combofix.exe approach first and if that doesn't work I'll try the Combobatch.bat approach?

 

If you have already renamed it to Combobatch.bat then that would be best.

 

Thanks. Here goes......

 

Combofix has started to work in safe mode but it warned me that AVG should be disabled. But I cannot find any way to disable AVG 9 in safe mode.

Can I run combofix in spite of the warning?

Or could you advise on disabling AVG 9 in safe mode?

Thanks.

 

Yes just continue on. ComboFix will still run.

 

It did run. Thanks.

I have attached the log.

In safe mode, it could not download the recovery console, but it continued anyway.

 

That actually looks a lot better then I thought it would.

See if you can get the MGtools log now.

 

That sounds promising. Thanks.

Do you mean combofix didn't find much or that it fixed a lot?

By the way, I forgot to mention that before I successfully ran combofix, a scheduled AVG scan ran while I was away from the laptop. I hope that does not confuse things. It claimed to have removed 60 or 70 infections as before. So I rebooted. And then rebooted again into safe mode to run combofix.

Just now I tried MGtools again. Extracted the files to C:\MGtools but then nothing - no sign of it running batch files - no command prompt window - no error message. As before. Then I tried deleting the MGtools folder it had created, disabling AVG resident shield, and running MGtools.exe again. Exact same result.

Should I try MGtools in safe mode?

Thanks again!

 

Yes I meant that it didn't find as much as I would have expected.

Let me check a few things about why MGtools is not running. I'll be back.

 

Let's try this:

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The red is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

Do you now have a C:\MGLogs.zip? Do you have a RunKeys.txt and a Newfiles.txt? Tell me exactly what happens.

 

GetRunKey - nothing happened except that the command prompt window disappeared.

ShowNew - A scan worked and created the attached C:\MGLogs.zip. It did not look as if it had finished though. The attached screenshot shows all of what appeared in the command prompt window.

 

I may have posted too soon.

I came back later and the "All finished with ShowNew" line had been added (see screenshot).

So I was planning to attach MGlogs.zip again in case it is updated from the last one, but the forum won't let me (even if I rename it). Does that mean it is identical and unchanged?

 

Yes it most likely is the same. You can check by opening the zip file and seeing how many files are in it. If there is more then three then it is different. If there is only three then it's the same.


I need to ask also. Besides the issues with getting the scanners to run, how is your computer running?

I'm looking over the other logs now

Please run the ESET scanner and attach the log. Using ESET's Online Scanner

 

Apart from the issues I have mentioned, the audio is acting a bit strange. The volume control does not work properly. Working generally ok but with odd issues.

Thanks for looking at the logs. I am away for a few days and I'll run that scan when I'm back.

 

I went to the ESET's Online Scanner page (http://www.eset.com/onlinescan/) but when I click on "ESET Online Scanner", nothing happens. I have tried both Firefox and IE. No images appear for me on the page in either browser (i.e. no buttons, no proper formatting).

Do you think that this is a problem with the page or with my machine?

Did you find anything interesting in the other logs?

Thanks again for your help.

 

Nothing major but without the MGtools scan logs it's hard to tell if anything is hiding.

Download OTL to your desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
* When the window appears, underneath Output at the top change it to Minimal Output.
* Check the boxes beside LOP Check and Purity Check.
* Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please attach both of these files into your next reply.

 

Here are the OTL logs.

Thanks for your patience on this!

 

I'm really not seeing anything to indicate a malware issue so I'm wondering if the OS itself is not damaged.

Lets clean up a few things first.

* Open OTL
* Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

Code:

:OTL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.

:COMMANDS
[purity]
[emptytemp]
[start  explorer]

* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.

 

That already looks like it may have done some good.

A few programs that normally launch at startup but have not been launching (skype, zonealarm, google talk) launched after that re-boot.

Also, I had a sound issue where sound was working for skype and iTunes but not for any browser and clicking on the volume icon in the system tray gave me an error that no mixer was installed. That is all working ok now.

Below is the OTL report:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 41085 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Maurice
->Temp folder emptied: 1296144 bytes
->Temporary Internet Files folder emptied: 36597722 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 64778060 bytes
->Google Chrome cache emptied: 4788592 bytes
->Flash cache emptied: 49353 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1027 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 437356449 bytes

Total Files Cleaned = 520.00 mb

Error: Unable to interpret <[start explorer]> in the current context!

OTL by OldTimer - Version 3.1.37.3 log created on 03212010_214221

Files\Folders moved on Reboot...
C:\Documents and Settings\Maurice\Local Settings\Temp\~DF325D.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT07f7e.TMP not found!

Registry entries deleted on Reboot...

 

Maybe I spoke too soon!

On the very next boot, those programs (AVG, skype, zonealarm, google talk) again failed to launch on startup.

The audio stuff is still working well though.

If it is not malware and the OS is damaged, what would that mean in terms of how it could be fixed?

Thanks.

 

The audio problem is back too.

When I double-click the volume icon in the system tray, I get:

"There are no active mixer devices available. To install mixer devices... etc"