Trojan Horse Generic12.BGEI and infected msconfig

Discussion in 'Malware Help (A Specialist Will Reply)' started by MayBee, Feb 6, 2009.

  1. MayBee

    MayBee Private E-2

    Hello,

    I have never posted here before but read this forum all the time to try and stay up-to-date. However, I think now I have a problem which needs expert advice (and I apologize in advance if this is too long-winded).

    Four days ago (Feb 2), my daily AVG scan reported a Trojan Horse Generic12.BGEI in Nero7 BackItUp and 273 warnings (normally all I ever get is a few tracking cookies, which I remove). I researched the Trojan and could only find one post with a similar problem, on the SpyWareInfo forum dating back to Jan 29, 2009, reporting successful removal (after reading about Mike Healan etc. I lost a little confidence in this forum). This was really bad timing because I just got an external hard drive for major video backup, and was finally ready to make an image of my system on bootable DVD and intended to use Nero for that. Naturally I did not proceed.

    Anyway, I started to work through your malware removal procedures, removed old Java versions, set msconfig to normal (it was on custom, I think), ran CCleaner but as I use this program regularly, I cleaned the registry as well. At this point I had to go out (medical issues unfortunately!) and lost the thread of what I was doing. Continued the next day downloading and running Malwarebytes. The quick scan found 62 problems, so I then ran a deep scan and Malwarebytes quarantined msconfig and deleted 62 issues again (this should have rung a bell but I was in a hurry and had to leave it). It also found problems in my recent backup on the external drive and on my MP3 music. I deleted the backup, cleaned everything and left. Spent the next 2 days researching and downloading updates to my programs which was difficult as my internet connection kept dropping but since we have just suffered a major wind storm, I put it down to that. Also Orange (we are in France) is never super-reliable.

    My pc was running normally, except for the drop-outs, and maybe a little slow but suddenly AVG is finding tons of tracking cookies. Ran Malwarebytes and again got 62 problems (some needing a reboot) but on a second scan, the same 62 issues keep coming back.

    I have just gone back to your malware removal post, but when I tried the msconfig step, I found it was not there … duh! Also re-read the bit about hidden files (I always have it set to show them) and remembered something … I think I may have clicked on a file ending in Ink to see what it might be. Would that have caused the infection? Also I had recently removed Ad-Aware (intending to reinstall it) as it had stopped working. So adding it all together, I think I'm in trouble and am not sure what to do next. Can anyone please help me? Thanks in advance!

    MayBee


    Maxdata 1.87 GHz Intel Core 2 Duo 6300
    1024 MB memory
    250 GB HD
    HL-DT-ST DVDRAM GSA-H42N ATA Device [CD/DVD drive]
    Vista Home Premium build 6000 - IE 7
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to finish the instructions for cleaning your system and attach the requested logs:
    SAS
    MBAM
    ComboFix
    C:\MGLogs.zip --> from running the C:\MGTools.exe
     
  3. MayBee

    MayBee Private E-2

    Hello Tim, and thank you very much for responding. I can see how busy you are and truly appreciate your time! I have since read in another thread that I should continue with the cleaning, even if some steps cannot be done, so I will try to do what I can but we have another wind-storm coming tonight and may lose power again (last time we went 4 days and nights without electricity).

    I did run some other scans (Exterminator and the daily AVG Free, and Avast on my Flash Drive plugged into a laptop offline) and my system appears clean, so am wondering if the Nero trojan was a false positive; I have had this version of Nero7 on my system since Oct. 2007.

    To be honest, I am very nervous of using ComboFix as I simply cannot afford to lose my internet connection (we have no TV and depend on the internet for news). The line dropouts have been minimal yesterday and only at peak times. My main problem now is that I lost msconfig.exe after deleting all quarantined items and don't even know if I need it (for Vista Home Premium), or how to best get it back “clean”. I have attached the latest MBAM log but realize it is not enough to go on. In fairness to you, I would say to take me off your list of critical requests, as my system seems stable, and I will continue to educate myself, run scans as I am able, and get back to you when I have the logs you require. Thank you again for your time, I think you guys are unbelievably kind to do all you do to help us clueless ones!

    MayBee

    Maxdata 1.87 GHz Intel Core 2 Duo 6300
    1024 MB memory
    250 GB HD
    HL-DT-ST DVDRAM GSA-H42N ATA Device [CD/DVD drive]
    Vista Home Premium Service Pack 1 (build 6001)
    Mozilla Firefox
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MBAM is showing a lot of infections. You really need to attach the SAS log and the MGLogs.zip. You cannot count on just MBAM to clean everything. You can skip Combo.
    There is no need to "take you off my list" as we need to finish this to be sure you are clean. :)
     
  5. MayBee

    MayBee Private E-2

    Hello Tim,

    I have just finished the Vista cleaning procedures exactly as laid out (but skipping Combofix, as you suggested).

    SUPERAntiSpyware found nothing. Spybot ditto, but I had already run it the other day when it did find one problem, the hijacker QHosts. Both times the scan stopped at about 20% with an error message (I copied today's one) but resumed after I clicked <Try again>. Malwarebytes found 65 issues, some requiring a restart to remove completely. I have not checked to see if they are back, but previously they would show up on a subsequent scan. MGTools ran without any problems (in fact it did everything automatically from the initial double-click).

    I am attaching: SAS log, MBAM new log and the MGlogs zip file. I'll send you the Spybot error separately in case I did something wrong.

    Thank you for your time!

    MayBee
     


  6. MayBee

    MayBee Private E-2

    ... and here is the error message from Spybot.

    MayBee :wave
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\DEF.exe

    Tell me what issues you still have. You should be safe to run ComboFix now and attach the log.
     
  8. MayBee

    MayBee Private E-2

    Well, first the good news: I removed the 2 entries from HJT and did the registry fix. Got this message: “The keys and values contained in C:\Users\...\fixME.reg have been successfully added to the registry.” Then deleted C:\DEF.exe which (as you probably know) was the name I had given to Mgtools.

    However, I could not get ComboFix to finish the scan. The first time my computer rebooted after ComboFix had changed the clock and it happened so fast that I didn't even see if anything had been scanned. The last entry in the txt file was: Created a new restore point. The second time it seemed to get a little farther, then an error message popped up (I enclose a snip of it). It seems to be the same issue that hung Spybot but in this case nothing worked. I tried all 3 options <Try again> <Continue> and <Cancel> without success. Could not close ComboFix either until I used Task Manager to kill both processes.

    After this, my pc rebooted normally, I re-enabled all the security settings (anti-virus, firewall, anti-spyware) and reconnected to the internet without any problem. Two things I should mention: (1) in both attempts ComboFix detected an AVG component still active, so I had to disable that before continuing (AVG has become very difficult to disable, even the fix from their website does not quite work as stated). (2) both times I ran ComboFix with my pc physically disconnected from the internet. I was pretty sure that I had the Recovery Console installed and did not want to risk being online without any security protection.

    I'm sorry I could not run ComboFix, I'll send you the text log but there's hardly anything in it. Apart from that, everything seems fine. Thanks for all your help!

    MayBee
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I apologize.....too many things on my mind as I forgot that the C:\DEF was your creation.

    AVG 8 does not play well with Combo......what problems are you still having?
     
  10. MayBee

    MayBee Private E-2

    Hello Tim,

    No operating problems, as far as I can tell, and I never did have any. The internet was cutting out but, as I mentioned, we had just been hit by windstorm Klaus ... this past Monday we had tempest Quentin, almost as violent as the first one, but this time we did not lose power or telephone, thank goodness! The only thing is this NO DISK error during Spybot's scan and today also. Apart from that, my pc is behaving normally, but how do I know for sure that it's clean? Should I run MBAM again? Also if my system is clean, how do I make sure it won't get re-infected from my flash drive or when I re-use a back-up DVD +RW disk? Should I toggle System Restore? The earliest point is from Feb. 9.

    I have some other questions, but perhaps I should go to the software forum for those. For example, there are many old desktop.ini files all over the place. Can I delete them? There are 47 ntuser.dat files in my user root directory, all dating back to 2007 when I was having trouble updating to my current version of Nero7. Can they go?

    I will re-read Chaslang's sticky on How to Protect Yourself and for sure create a standard user account for everyday use. What do you personally think of AVG? I had Avast! before and liked it but when I bought the new pc, it had AVG already loaded so I kept it.

    Anyway, the main thing is to know that my system is clean, as I need to update Nero and a bunch of drivers and burn a bootable DVD, and I couldn't do any of these under the threat of infection. I am truly grateful for all your help! And now I must get some sleep.

    MayBee
     
  11. MayBee

    MayBee Private E-2

    Hi Tim,

    A short update. Today's AVG scan found and quarantined the following: Virus identified EICAR_Test. Would that be left over from running ComboFix? It was in C:\Users\...\AppData\Local\Temp\Av-test.txt.
    Also the daily warnings for tracking cookies are down to 2 from the recent 60-70. I suspect they were coming from the Excite news site which we have avoided for a couple of days now. I know cookies are not a biggie but still it's an improvement!

    I would like to resume my routine of periodic scans with CCleaner, Advanced System Care, Spybot (and now SAS) but I will wait for your go-ahead. Something I'm not clear about (among many things!): was the original trojan detection by AVG8 a red herring? And is it possible that by resetting msconfig to normal (while doing the READ & RUN protocol), some hidden infection surfaced, which was then detected by MBAM? In other words, was my system infected and, if so, what with? Knowing that would help me stay safer in the future.

    Having read through the How to Protect Yourself from Malware post again, I am inclined to remove AVG and install Avast! as my antivirus. By the way, you may want to pass along to Chaslang that in editing his excellent post (to change the firewalls' order of preference), he has Jetico Personal Firewall – shareware version in both 2nd and 6th place. I think he intended to move it up to 2nd from 6th and somehow forgot to remove the old placing (unless I'm missing something...) :confused

    Thank you, as always, for your precious time and invaluable assistance. You people are amazing!

    MayBee
     
    Last edited: Feb 14, 2009
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should continue to run the cleaning scans on a regular basis (depending on your surfing habits). I would suggest that Avira or Avast may serve you better as an AV program.

    I do not know where you got infected, but look at the MBAM log you first attached and you will see a rogue program.

    Doing the following should help with your other questions:
    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  13. MayBee

    MayBee Private E-2

    Hello again Tim,

    I'm sorry if I am taxing your patience but I am confused. Perhaps I asked too many questions, so I will make this shorter. Your last response seemed to imply that my system is clean, but I ran a new MBAM scan yesterday and it reported 65 issues, all infected files. Rogue.InternetAntivirus is listed among other nasty things. After cleaning and rebooting, I ran the scan again and it seems that the same 65 problems showed up again (log attached). I thought perhaps MBAM was finding these files in the Quarantine area but there is nothing listed as quarantined. I tried to find some of these files with Win Explorer and these folders are not accessible to me.

    I have removed AVG8 and installed Avast! The scan from Avast! is clean except for not being able to access a quarantine file containing Qhosts (which Spybot had found). So today I will only ask one question: given that MBAM continues to show the (same?) 65 issues, is my system clean, or not?

    Thanks as usual for your time.

    MayBee
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well......whatever you are doing, you have managed to get reinfected. Please run and attach the logs for:
    SAS
    Combo
    MGLogs.zip
     
  15. MayBee

    MayBee Private E-2

    I'm not doing it on purpose, I promise! Obviously you are the expert here, but it seems to me that re-infection occurs on reboot, as I have never had a clean log out of MBAM. Two adults use this computer, both exercise extreme caution while online and the wildest we get is YouTube! Clearly nobody is safe nowadays.

    I attach the logs you requested. ComboFix stopped 3 times (with the Windows – No Disk error that I mentioned previously) before starting to scan, after Stage 4 and after Stage 50. Hitting <cancel> several times got it going again. This time I had a blank disk in the DVD drive but it made no difference. Please let me know if there is anything else I can do. Thanks!

    MayBee
     


  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is the default user account that is showing the infections. Do you or someone use this account? Please log into that account and run SAS and run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from SAS.
     
  17. MayBee

    MayBee Private E-2

    It's the only account I had until the other day when I created a standard account but haven't finished customizing the new one, or figured out what to do about the e-mail program, so it's pretty useless. I have run all the scans from there as it is my admin account. However, I will go and do as you say.

    MayBee
     
  18. MayBee

    MayBee Private E-2

    Hi Tim,

    Enclosing the latest logs. Sorry, I did not follow what you were saying. I can see the “default” user in Win Explorer c:\Users but not in the Control Panel Users area so I could not log in there. Most of the default folders date back to 2006. I bought this pc in August 2007. I saw somewhere that the Admin account showed as “disabled” but in the Control Panel the main account (me) is Admin. Thanks again for your time (where do you get the energy to keep going, I wonder?).

    MayBee
     


  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    In your user accounts you should have the Admin account and it should not be disabled.

    Run MBAM again and lets see if it shows anything new.

    Under the default user, there should be nothing in cookies, desktop, and under local settings nothing in history, temp and temp internet files.
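The check TimW describes, done from a script instead of by clicking through Explorer, as an added example that is not part of the original post. It assumes the standard Vista layout of C:\Users\Default: the entries named Cookies, Local Settings and similar are junctions kept for XP-era paths, their real targets live under AppData, and their ACL denies directory listing, so Explorer's "Access is denied" on them is by design rather than a sign of malware. Run elevated with PowerShell 2.0 or later.

```powershell
# Added example, not from the MajorGeeks thread. Read-only look at the Default
# (template) profile. Assumes the standard Vista layout of C:\Users\Default.
# Run elevated; PowerShell 2.0+ syntax only.

function Get-DefaultProfileReport {
    param([string]$ProfilePath = 'C:\Users\Default')   # location assumed, as named in the thread

    if (-not (Test-Path -LiteralPath $ProfilePath)) { throw "Profile folder not found: $ProfilePath" }
    $report = @()

    # 1. What each top-level entry really is. A junction (ReparsePoint attribute) is the
    #    XP-compatibility alias; "Access is denied" on it is the ACL doing its job.
    foreach ($item in Get-ChildItem -LiteralPath $ProfilePath -Force -ErrorAction SilentlyContinue) {
        $isJunction = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        $kind = if ($isJunction) { 'junction' } elseif ($item.PSIsContainer) { 'directory' } else { 'file' }
        $files = $null
        if ($kind -eq 'directory') {
            $files = @(Get-ChildItem -LiteralPath $item.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer }).Count
        }
        $report += New-Object PSObject -Property @{
            Path   = $item.Name
            Kind   = $kind
            Hidden = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            Files  = $files
            Note   = ''
        }
    }

    # 2. The places the reply says should be empty, translated from the XP-style junction
    #    names to the real Vista folders they point at. desktop.ini is a normal Windows
    #    folder-customisation file and is ignored.
    $expectEmpty = @{
        'Desktop'                  = 'Desktop'
        'Cookies'                  = 'AppData\Roaming\Microsoft\Windows\Cookies'
        'History'                  = 'AppData\Local\Microsoft\Windows\History'
        'Temp'                     = 'AppData\Local\Temp'
        'Temporary Internet Files' = 'AppData\Local\Microsoft\Windows\Temporary Internet Files'
    }
    foreach ($name in $expectEmpty.Keys) {
        $full = Join-Path $ProfilePath $expectEmpty[$name]
        if (-not (Test-Path -LiteralPath $full)) { continue }
        $unexpected = @(Get-ChildItem -LiteralPath $full -Recurse -Force -ErrorAction SilentlyContinue |
                        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' })
        $report += New-Object PSObject -Property @{
            Path   = "$name -> $($expectEmpty[$name])"
            Kind   = 'expected-empty'
            Hidden = $null
            Files  = $unexpected.Count
            Note   = ($unexpected | ForEach-Object { $_.FullName }) -join '; '
        }
    }
    $report
}

Get-DefaultProfileReport | Format-Table -Property Path, Kind, Hidden, Files, Note -AutoSize -Wrap
```

Two things to read from the output: an expected-empty row with Files greater than zero lists exactly which files are sitting where nothing should be, and a top-level entry such as Cookies or Local Settings reported as a plain directory rather than a junction would be unusual for a Vista template profile and worth a closer look. The Hidden column also shows why the whole folder disappears from Explorer once hidden files are no longer displayed.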
     
  20. MayBee

    MayBee Private E-2

    Correct, in User Accounts (reached through Control Panel) my account is the Admin one. Until recently there was nothing else there, just a guest account disabled.

    Under the default user, desktop is empty. Cookies, Local Settings and some other folders look like shortcuts and give me an error “Location is not available – Access is denied” but they appear empty. Under AppData there is some stuff and in the Default folder itself is today's NTUSER.DAT and ntuser.dat.LOG1 (as well as some older ones).

    Latest MBAM log enclosed … same old, I think. “No action taken” means nothing got cleaned, right? … although I told MBAM to remove everything.
     


  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Boot into safe mode and run MBAM again and have it fix the items. Are you sure that all the check boxes are checked for all the items when you tell it to fix the selected?
     
  22. MayBee

    MayBee Private E-2

    Yes, all boxes ticked. Should I run MBAM with Avast and firewall disabled? So far I have only disabled User Account Control, as per instructions.
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Avast, yes...firewall should make no difference. And any other AS program you have running should be disabled.
     
  24. MayBee

    MayBee Private E-2

    Ran MBAM as Admin in safe mode, Avast and all AM disabled … it found NOTHING to fix! Ran again by double-clicking, same result. Logs attached. Good night!

    MayBee :confused :)
     


  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sure..make me do it the hard way...:)

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Attach the log from Avenger and run a new MBAM scan.
     
  26. MayBee

    MayBee Private E-2

    Sorry, Tim … I had problems with Avenger. Downloaded and extracted OK, pasted the commands, executed, and yes to reboot. But on first reboot, Windows could not restart (Computer unable to restart), so I deployed the Startup Repair and selected the Restore Point offered. I'm back in and I see the Avenger folder on my desktop (still zipped) so the Restore didn't take me back too far. I had disabled UAC, Avast and all antispyware but left the Win firewall and also Defender as I never get the admin option to turn if off. Did I do something wrong?

    On reboot the firewall was turned off and also Automated Updating. I guess Avenger did that?

    I then ran MBAM, it found the usual 65 suspects and marked all “delete on reboot”. A second MBAM scan did exactly the same thing. I have updated all my anti-malware and Avast, all went OK. The only difference is that now the Default folder is gone (or hidden?) from the C:\ path. This is getting depressing.:cry
     


  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please see this thread on stopping Defender.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * Then click on the All Files button (or on the Folders option).
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from running a new MBAM scan.
     
  28. MayBee

    MayBee Private E-2

    Will do. Just to clarify, should I always disable UAC, anti-virus, anti-malware, firewall and unplug from the internet even if you don't specifically say so? Sorry, I don't want to waste your time doing something incorrectly. Thanks, I really am grateful for all your help so far!
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes to all except the firewall and unplugging from the internet unless specifically told to. :)
     
  30. MayBee

    MayBee Private E-2

    Disabled Win Defender, but Pocket KillBox will not run. I have tried all the download locations, they are all the same KillBox-Beta 91.5 KB. I get this error message (attached).
     


  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I just downloaded it and had no problems......delete it off your desktop ( that is where you downloaded it to?) .....then try again.

    In the meantime, start looking for the files that are listed to be removed, and start deleting them one by one.
     
  32. MayBee

    MayBee Private E-2

    No good … tried again 3 times, same result. I gave it a different name, put it in different places, desktop, folder, etc.

    As for deleting files, wish I could. As I mentioned earlier, there is no Default folder under c:\ now, it doesn't show in Win Explorer. How else can I get to them?
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, now I am totally confused. There is no C:\users\default\ ... if that is the case, where is MBAM finding this stuff? Nothing else sees it. Have you done a windows search for any of those files such as:
    sytetuf.sys
    spcffwl.dll
    anesuzenyp.bin

    Other than this issue with MBAM, are you having any other issues? (I may send you to the software forum to try to figure out where or what happened to the default user).
     
  34. MayBee

    MayBee Private E-2

    Oh no! If you are confused, what hope have I got??? I have just tried searching for a few of those files. They only show up in the logs, your e-mails, lists of fixes but nothing in non-indexed, system and hidden places. The C:\Users\Default folder disappeared after I had that problem with Avenger. Windows could not start and I had to do a Startup Repair and roll back to a Restore Point from earlier the same day. I was happy until I did the next MBAM scan and everything showed up again.

    The No Disk error, and KillBox not registering properly. Other than that, my pc is running normally (touch wood!), internet connection is solid, better than ever before in fact, and all AM programs will update and run as they should.

    I do have some questions that belong on the Software forum, I think, so that would be fine with me. I can always come back if needs be.
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    LOL...then go back to post #12 and do the final clean and let me know if you have issues later with this. :)
     
  36. MayBee

    MayBee Private E-2

    Well, I'm glad you can laugh about it! This last week has put 10 years on me … and a fine mess you've left me to clean up!! ;) No, I'm joking. I'm delighted that you consider my pc healed. A big thank you for all the thought, care and time you put into answering my plea for help.

    I re-enabled Win Defender and let CCleaner clean the registry (it found only one item) but I still cannot run KillBox. It's bugging me. Anyway I learnt a lot more than I ever wanted to about running scans and reading registry entries. If anything interesting crops up, I'll be back to tell you. All the best!

    MayBee :wave
     
  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are very welcome......do hang around and visit the software forum where you can learn quite a lot.....and do not hesitate to ask questions. :)
     
  38. MayBee

    MayBee Private E-2

    Guess what … the Default folder is still THERE, it was hidden. rolleyes One of the tools (ComboFix?) must have changed my settings and I didn't notice until yesterday. :-o The Recycle Bin was also different. Instead of emptying, it asked if I wanted to permanently delete the file (the bin icon) instead. I have now fixed it.

    I was just remembering all the problems I had when I first got this pc. Perhaps this Default user was part of the vendor's original installation and somehow got corrupted without him noticing (he went out of business 8 weeks thereafter). Another option is that the Default account was created when I migrated my old pc's contents onto the new one. Either way, since the whole Default folder is hidden and some of the subfolders are shortcuts or not accessible to explore, perhaps MBAM reads this as malware.

    Now the good news: I successfully deleted most of the Default subfolders that I thought would be OK to delete (Cookies, Documents, Downloads, Links, Local Settings, My Documents, Music, Recent, Saved Games, Sent To, Templates and Videos) and just got a clean MBAM scan!!! :celebrate I thought you might want to see it!

    I also sent you a screenshot of what's left. I'm not sure about the NTUSER.DAT files, they are all dated 18 Feb 2009 (except Log 2 and the last one which are dated 02 Nov 2006). Inside AppData there are Local and Roaming folders that lead eventually to shortcuts for major applications like E-Mail, Control Panel, Notepad, System Tools, etc. The other user folders also have these items. Do you think it's safe to delete what is left, including Default and see what happens?

    MayBee
     


  39. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We have another person who is having a very similar issue....but we are still a little lost as to what is going on with this. The fact that it allowed you to remove folders is interesting...what is left is ok to leave.

    I am gladdened that you have a clean log and were able to remove those folders that contained the mysterious malware files.

    Let me know if you have any other issues with this. :)
     
