please help to remove Trojan.Win32.Generic!BT

Discussion in 'Malware Help (A Specialist Will Reply)' started by girevik, Jul 24, 2012.

  1. girevik

    girevik Private E-2

    Here are logs of what was done.
    Also I ran HitmanPro but am not sure how to get its log. I can see/read its history.
    I still have my AV popup messages about finding the same Trojan and wanting to reboot.
    Done it, but it does not help.

    Thank you in advance
     

    Attached Files:

  2. girevik

    girevik Private E-2

    I should say... my AV is VIPRE.
    It is finding the above-mentioned Trojan in 2 locations:
    C:\windows\assembly\GAC\Desktop.ini
    C:\windows\System32\services.exe
     
  3. thisisu

    thisisu Malware Consultant

    Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  4. girevik

    girevik Private E-2

    Dear Thisisu,

    Thank you for the reply and instructions. I had reported my problem to VIPRE last week and their specialist finally got back to me this morning. He remotely connected to my PC and cleaned it up.
    So I am good for now and hopefully won't have this problem!

    Again, Thanks a lot for your help ~
     
  5. thisisu

    thisisu Malware Consultant

    No problem.
    Glad to hear all is well.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  6. girevik

    girevik Private E-2

    Hello again,
    Not even a week passed by and I got the same crap again!
    I am not sure how it passed the gates of VIPRE. I did a deep scan with VIPRE and it found 9 risks; all except one are like the one I had before, and one is named
    Virus.Win32.Serefef.r(v)

    I ran the tool you asked me to run in the first place; log attached.
    Your help is greatly appreciated!
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now reboot.
     

    Attached Files:

  8. girevik

    girevik Private E-2

    Dear Thisisu,

    First of all thanks a lot for very quick reply!

    Attached is the log you asked me to attach. BTW I ran the fix tool as you advised me. After reboot I immediately got a popup from VIPRE; see screenshot attached also. Please advise.

    Best regards,
    Slava
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Click Show Details

    Let me know what the details are (or screenshot)
     
  10. girevik

    girevik Private E-2

    Looks like it lives in the quarantine folder of the program I ran to fix the problem.
    I assume it's not a big deal, right?

    What can I do to prevent getting this kind of virus? Seems I got it a second time and I am not even sure how.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Right. In fact, we can delete the C:\FRST folder at this time.

    Here is a helpful guide: How to Protect yourself from malware!
     
  12. girevik

    girevik Private E-2

    Just noticed... if I go to YouTube and click to login it first pops up an advertisement.
    Yesterday it was a survey and I think I clicked on a link on it, then closed the window.
    Maybe it's the reason I got the virus?
    After cleaning today I went to YouTube again. Before that I cleaned history and cookies with CCleaner. Clicked on login and it pops up an advertising screen again in full screen mode. I just closed it and logged in to YouTube.

    I don't remember it being like this before with YouTube.
    Is it YouTube or does my PC still have some sort of infection?
     
  13. thisisu

    thisisu Malware Consultant

    Please try to use proper spelling and punctuation when you type. It is very hard to understand what you are trying to say. Try again, this time with a bit more clarity and also attach the logs from RogueKiller and HitmanPro as was requested earlier so I can review them.
     
  14. girevik

    girevik Private E-2

    Sorry... here it is again :) I have attached logs before, I think in the very first post of this thread...

    Just noticed... if I go to YouTube and click "login" it pops up an advertisement.
    Yesterday it was a survey and I think I clicked on the link in it, then closed a window.
    Maybe it's the reason I got the virus?
    After cleaning today I went to YouTube again. First I cleaned history and cookies with CCleaner. Clicked on login and it pops up advertising again in full screen mode. I just closed it and logged in to YouTube.

    I don't remember it being like this before when I go to YouTube.
    Is it YouTube or does my PC still have some sort of infection?
     
  15. thisisu

    thisisu Malware Consultant

    Hi,

    There could still be an infection present.
    Go ahead and redo the RogueKiller and HitmanPro instructions outlined in the Malware Removal Guide once more and attach the latest logs from each.
     
  16. girevik

    girevik Private E-2

    Hello,

    Ran these programs today, logs attached.

    Thank you in advance,
    Slava
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark this item ONLY:
    • [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Slava\AppData\Local\{f3165a7d-1f52-0e48-f652-14344c40ab2d}\n.) -> FOUND
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  18. girevik

    girevik Private E-2

    Here they are..
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    FF - prefs.js..extensions.enabledItems: {FBF6D7FB-F305-4445-BB3D-FEF66579A033}:5.0
    FF - prefs.js..extensions.enabledItems: toolbar@alexa.com:2.11
    FF - prefs.js..extensions.enabledItems: {4D144BC3-23FB-47de-90C5-63CCB0139CCF}:1.0
    FF - prefs.js..extensions.enabledItems: web2pdfextension@web2pdf.adobedotcom:1.0
    FF - prefs.js..keyword.URL: "http://search.toolbars.alexa.com/?ver=alxf-2.15&src=ab&aid=AQYKb17hNy00Ww&q="
    [2011/02/17 14:30:58 | 000,000,000 | ---D | M] (TradeManager-Plugin) -- C:\Users\Slava\AppData\Roaming\Mozilla\Firefox\Profiles\i0l54466.default\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
    [2012/06/24 22:45:05 | 000,000,000 | ---D | M] (VideoFileDownload - Download YouTube Videos) -- C:\Users\Slava\AppData\Roaming\Mozilla\Firefox\Profiles\i0l54466.default\extensions\plugin@videofiledownload.com
    [2010/04/12 10:21:15 | 000,002,332 | ---- | M] () -- C:\Users\Slava\AppData\Roaming\Mozilla\Firefox\Profiles\i0l54466.default\searchplugins\bigseekpro.xml
    [2011/03/29 10:26:57 | 000,001,490 | ---- | M] () -- C:\Users\Slava\AppData\Roaming\Mozilla\Firefox\Profiles\i0l54466.default\searchplugins\web-search-powered-by-google.xml
    [2012/03/28 17:19:31 | 000,049,303 | ---- | M] () (No name found) -- C:\USERS\SLAVA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I0L54466.DEFAULT\EXTENSIONS\{4C7097F7-08F2-4EF2-9B9F-F95FA4CBB064}.XPI
    [2012/05/01 12:25:48 | 000,344,887 | ---- | M] () (No name found) -- C:\USERS\SLAVA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I0L54466.DEFAULT\EXTENSIONS\TOOLBAR@ALEXA.COM.XPI
    [2012/07/24 11:36:49 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\SBRC.dat
    :services
    elxstor
    :files
    c:\windows\system32\drivers\elxstor.sys
    xcacls.exe C:\Windows\SysWow64\%APPDATA% /p Administrators:f SYSTEM:f /y /c
    fsutil reparsepoint delete C:\Windows\SysWow64\%APPDATA% /c
    C:\Windows\SysWow64\%APPDATA%
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
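The two ZeroAccess footholds the consultant targets above (the CLSID InprocServer32 value pointing into a per-user {GUID} folder with a file named `n.` in post 17, and the literal `C:\Windows\SysWow64\%APPDATA%` reparse point in post 19) can be triaged from collected registry values and paths with a small script. This is an added example, not part of the thread or of RogueKiller/OTL; its sample input is constructed, with the AppData GUID path and the SysWow64 entry taken from the thread and the CLSIDs as placeholders.

```python
import ntpath
import re

# Heuristics for the two ZeroAccess/Sirefef footholds remediated in this thread:
#  1. An InprocServer32 path into a per-user {GUID} folder ending in "n." (Win32
#     path normalisation strips a trailing dot, so the file resists ordinary tools).
#  2. A directory literally named "%APPDATA%" (an unexpanded token) under the
#     Windows directory, i.e. the reparse point the OTL script above deletes.
GUID_RE = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
INPROC_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\" + GUID_RE + r"\\n\.$", re.I)
LITERAL_TOKEN_RE = re.compile(r"^%[a-z]+%$", re.I)

def suspicious_inproc_server(path):
    """True when an InprocServer32 default value matches the ZeroAccess pattern."""
    return bool(INPROC_RE.match(path.strip()))

def suspicious_system_dir(path):
    """True when a component below \\Windows\\ is a literal %TOKEN% name."""
    parts = ntpath.normpath(path).split("\\")
    lowered = [p.lower() for p in parts]
    if "windows" not in lowered:
        return False
    below_windows = parts[lowered.index("windows") + 1:]
    return any(LITERAL_TOKEN_RE.match(p) for p in below_windows)

def triage(registry_values, paths):
    """Return (kind, where, detail) findings for collected values and paths."""
    findings = []
    for clsid, value in registry_values:
        if suspicious_inproc_server(value):
            findings.append(("inprocserver32", clsid, value))
    for p in paths:
        if suspicious_system_dir(p):
            findings.append(("literal-env-dir", p, None))
    return findings

# Constructed sample input: the AppData\Local\{GUID}\n. value and the
# SysWow64\%APPDATA% path are quoted in this thread; CLSIDs are placeholders.
SAMPLE_REGISTRY = [
    ("{CLSID-PLACEHOLDER-1}", r"C:\Windows\System32\shell32.dll"),
    ("{CLSID-PLACEHOLDER-2}",
     r"C:\Users\Slava\AppData\Local\{f3165a7d-1f52-0e48-f652-14344c40ab2d}\n."),
]
SAMPLE_PATHS = [
    r"C:\Windows\SysWow64\%APPDATA%",
    r"C:\Windows\SysWow64\SBRC.dat",
    r"C:\Users\Slava\AppData\Roaming\Mozilla",
]
```

Calling `triage(SAMPLE_REGISTRY, SAMPLE_PATHS)` flags exactly the two entries the thread's fixes remove and leaves the benign paths alone.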
  20. girevik

    girevik Private E-2

    Thisisu,

    I REALLY appreciate all your help and the time you spent to help me out.
    Logs attached.
    All the best,
    Slava
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    No problem.

    Are you still experiencing the issue with YouTube?
     
  22. girevik

    girevik Private E-2

    Nope, just checked login and logout several times at YouTube, all back to normal!
    Again, thanks a lot!
    ... I really value time because I know how important it is... Is there any way I could reimburse you for your time?
    Do you have a PayPal account I could make a donation to, maybe?

    What would you recommend to keep my system healthy from malware and viruses? What is the best AV and malware protection software, in your opinion?

    I assume VIPRE is worthless since it did not protect my system from all that malware I had.
     
  23. girevik

    girevik Private E-2

    Also noticed that on Facebook I don't have the ads that I had between news feeds before! And the pop-up ads that appear if I point the mouse at any link on any website are gone too!
    that is awesome !
     
  24. thisisu

    thisisu Malware Consultant

    You're welcome
    I'm happy to help and this is a volunteer service. You can like MajorGeeks on Facebook / Follow us on Twitter. Check my signature for the links.

    I use MSE. Check out the How to Protect yourself from malware! link.
    I wouldn't say VIPRE is worthless, just that nothing is 100% versus every type of infection.

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
