Possible Generic Trojan Help Needed

I was using another virus software (ahem) when I happened to notice the last 2 scans showed a trojan that could not be removed. It was a Generic 8? Anyway, I called them and they said the only way to get rid of it was for me to pay them $129 or to reformat my hard drive. I just do not have that money at all, plus I do know something about computers, since I have been dealing with them since the early 90s. I will reformat if need be, however I am convinced that if the tech can fix the problem through remote access then I can do it locally. I just need to know what to do. I uninstalled their service and installed Avast after seeing your reviews. I ran Malwarebytes (full) and Avast (full), deleted temp files and cookies, checked my regedit and program files and didn’t see anything obvious that stood out. Nothing was found on any scan, except Avast showed Error: the system cannot find the path specified (3). The files were all windows/WER/reportque/noncritical. It still seems like I am blocked from certain files, like my rights have been messed with. So…I found the tutorial thread on virus troubles here and ran OTL, ADWCleaner, ASWmbr. I have the attachments here. Any help would be appreciated!

It was a Generic 8?
What file was detected and where was it located? Full file path, please.
except Avast showed Error: the system cannot find the path specified (3).
A "file not found" error is usually gone if you reboot and scan again.

The malware removers are notified; they are usually here after work hours, European time.

I recommend running a removal tool for the AV you uninstalled so that any leftover files that may conflict are gone.
Tools found here: http://singularlabs.com/uninstallers/security-software/

OK running removal tool. As for the path, the stupid software wouldn’t show it! >:( Anyway, it was listed in 2 ways: 20dl8da.msi & generic8_ceyj. They wouldn’t even tell me where to look for it :frowning:

Hi requiemdream,

Wait for a qualified removal expert to appear in this thread. He will help you to evaluate the logs you provided. The first flag is for malware in your graphic card driver. What you describe could also be an FP finding for MSI Afterburner. Do you have that installed, by the way? The second one is a generic backdoor trojan found by AVG. Read about this one here: http://www.securelist.com/en/descriptions/5241746/Trojan.Win32.Buzus.ceyj?print_mode=1

polonus

Hi,
Are you using the “LastPass” and “DuckDuckGo” software and add-ons?
I do not see anything relevant in the logs, but we will go to a deeper scan.

Re-run OTL.exe.

[list]
[*]Copy and paste the following text, written inside the code box, into the Custom Scans/Fixes box.

[code]
:OTL
IE - HKU\S-1-5-21-3296849334-2917844610-2569990012-1000\..\SearchScopes\{655D0B3A-393C-48EB-B458-87C3AB71BEBF}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2260173&CUI=UN40255209102375684
FF - prefs.js..browser.search.selectedEngine: "Searchalot"

:Files
C:\Users\requiemdream\AppData\Roaming\Mozilla\Firefox\Profiles\9pzbhlw2.default\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}.xpi
C:\Users\requiemdream\AppData\Roaming\Mozilla\Firefox\Profiles\9pzbhlw2.default\searchplugins\searchalot.xml

:files
C:\Users\requiemdream\dir /S
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]
[/code]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.[/list]


Please download zoek.exe and save it to your desktop.

[list]
[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:

[code]
standardsearch;
silentrunners;
[/code]

[*] Click on the Run Script button (image: http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png)
Please wait until a log report opens (this can be after a reboot).

[*] Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”.


Let’s run a powerful AntiRootkit check:

Download GMER, an AntiRootkit tool, from the link below and save it to your Desktop:

Download GMER

Double-click to run GMER.

[list]
[*] Wait for the initial scan to finish - if there is any query, click No;

[*] Click Scan and wait until the full scan is complete;
[*] Click Save… - save the report to the Desktop (called Gmer1);
// note: the scan for the Gmer1 log may take some time

[*] Right-click in the GMER window and select Options > Only non MS files - click Scan;
[*] after a fast scan, click Save… - save the report to the Desktop (called Gmer2);

[*] Click the >>> and select the Autostart tab;
[*] after a fast scan, click Copy;
[*] open Notepad and paste the copied text - save the report to the Desktop (called Gmer3)
[/list]

Attach the Gmer1, Gmer2 and Gmer3 log reports here.
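The OTL fix above removes a Conduit search scope from the IE registry hive and a "Searchalot" engine from the Firefox profile. As an added example (not from the thread or from OTL), this PowerShell script audits those two locations on the current user's profile and flags entries matching the hijacker names quoted in the logs. It assumes a 2013-era Firefox that stores the selected engine in prefs.js (newer builds use search.json.mozlz4 instead) and the standard SearchScopes path under HKCU.

```powershell
# Added example, not part of the thread: audit IE SearchScopes and Firefox prefs.js/searchplugins
# for the hijacker entries named in the OTL log (conduit, Searchalot).
$SuspectPatterns = @('conduit', 'searchalot')   # names taken from the log lines quoted in this thread

function Get-IESearchScopeFindings {
    # OTL abbreviates this path as HKU\<SID>\..\SearchScopes; under the current user it is:
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
        if ($url -and ($SuspectPatterns | Where-Object { $url -match $_ })) {
            [pscustomobject]@{ Location = "SearchScopes\$($_.PSChildName)"; Value = $url }
        }
    }
}

function Get-FirefoxSearchFindings {
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return @() }
    Get-ChildItem $profiles -Directory | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            # prefs.js lines look like: user_pref("browser.search.selectedEngine", "Searchalot");
            Select-String -Path $prefs -Pattern 'browser\.search\.(selectedEngine|defaultenginename)' |
                ForEach-Object {
                    $line = $_.Line
                    if ($SuspectPatterns | Where-Object { $line -match $_ }) {
                        [pscustomobject]@{ Location = $prefs; Value = $line.Trim() }
                    }
                }
        }
        # Engine definitions dropped into the profile (bundled engines live in the install dir, not here)
        $plugins = Join-Path $_.FullName 'searchplugins'
        if (Test-Path $plugins) {
            Get-ChildItem $plugins -Filter *.xml | ForEach-Object {
                [pscustomobject]@{ Location = $_.FullName; Value = 'user-profile search plugin (review)' }
            }
        }
    }
}

$findings = @(Get-IESearchScopeFindings) + @(Get-FirefoxSearchFindings)
if ($findings.Count -eq 0) { 'No hijacked search entries found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in a normal (non-elevated) PowerShell session as the affected user, since HKCU and %APPDATA% are per-user; it only reports and changes nothing.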

Woke up this morning and there are ini files on my desktop and an unknown user with full admin rights that I cannot remove! (see screencap) GULP! I do have LastPass & DuckDuckGo, but I removed DuckDuckGo. Should I get rid of LastPass? I am leery of it anyway. Just a quick update:

  1. I downloaded MSI Afterburner, as mentioned
  2. I am running the OTL as directed, will attach log
  3. Downloaded zoek, will attach log
  4. GMER running, will attach scan
    Wish me luck!

Ooops…When I ran the OTL fix I was offline. Can you give me the code for the network portion only? Attached is what it did fix. I have been shutting off my wifi when I log off since this all started. Need to run the network part again. Thanks SO MUCH!!! You are AWESOME!

:smiley:

These files you see are legitimate and system-related. OTL has temporarily displayed them.

Wish me luck!
Good luck. ;D

Attach zoek and Gmer logs just in case. :wink:

Hi requiemdream,

Do not worry, and don’t panic, as you’re in the best of hands; magna86 will get you through this. He, like essexboy, has proven himself here in grand style…

polonus

OK, well I was able to run the other things, except like I said I need to probably run the wireless portion of OTL, since I was offline. However - GMER keeps crashing in the middle of the scan. What could be causing that? Here are the logs I have today. What to do about GMER??

Try running it from safe mode.

OK - ran GMER in safe mode fine. I have scans 1 & 3, however, I can’t seem to find the option of “scan only MS files”. I have attached a screen cap so you can see what I am looking at under options. Maybe I am looking in the wrong screen? Here are GMER 1, 3 and the screen cap.

Also, here is a screen cap of the permissions showing on my pc. Never seen these account unknowns before??

I am hanging in there! You are all awesome for helping! Can’t thank you enough!

Hi requiemdream.

Well, relax a bit and lean back. Now the first issue, explained just to set your mind at rest a bit more, is the SID account-unknowns (see image in reply #13). Read here why there is no threat meant at all there: http://www.sevenforums.com/general-discussion/217773-account-unknown.html
Know you feel better now. Hope magna86 can add more to the good news, as apart from some search page hijacker I could not envision enormous threats lurking in the background,

polonus

Yeah, about the Gmer3 log, I didn’t update the Gmer instructions for the 3rd party scan. ;D
Doesn’t matter.

GMER keeps crashing in the middle of the scan. What could be causing that?
Gmer is extremely powerful; it goes so deeply into the system core (kernel) that the occasional BSOD does happen. It's called driver hooking, no big deal ;) A scan in safe mode will do the trick.

Please ignore this line in the OTL fix log; OTL just reports that it has failed to do some, let’s say, automated fix, that’s all. Zoek does show Internet access, so it’s OK.
No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
You do have internet, right?

BTW, all logs are fully clean. I see no traces of malware.
Feel free to remove all used tools with DelFix.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below:

[list]
[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore
[/list]

Now click on the “Run” button. Wait until the programme completes its work.

The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

About the new user account: yes, it exists and it is active, as I see in the zoek reports.
This account could not have been created by malware (at least these symptoms are not yet known to us), so it must have been done manually.
Who has access to your computer?

Hi magna86,

These SID-unknown accounts could also be produced, for instance, by importing/exporting files from another computer, which then needs them to be able to handle these files; i.m.o. a probable scenario and not necessarily malicious in nature…

pol

So this is good news! :smiley:

I was panicking, but when things get weird on my computer I get a tad OCD and dig too deep, I think, looking for problems. The unknown user is not there now, so I am not bothered by it. I had been transferring files from my home network pc, could that have caused it? Running DelFix now. Should be good to go then, right? I’ll check back in if troubles persist.

Thank you both SO MUCH! :slight_smile:

Just as you say, transferring files and for that you needed these temp SID accounts. You answered that one yourself then…

pol
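The "Account Unknown" entries polonus explains above are ACL entries whose SID belongs to a user on another machine, so the local system cannot translate them to a name. As an added example (not from the thread), this PowerShell function lists such entries under a folder and says whether each orphaned SID shares this machine's SID prefix or came from elsewhere, which is the case after copying files from another PC. The default path (the user's Documents folder) is an assumption; pass any folder you want audited.

```powershell
# Added example, not part of the thread: find ACL entries whose SID cannot be resolved to an account.
# Explorer shows these as "Account Unknown (S-1-5-21-...)". Default path is an assumed starting point.
function Get-OrphanedSidEntries {
    param([string]$Path = [Environment]::GetFolderPath('MyDocuments'))

    # SIDs created on this machine share the current user's machine/domain prefix
    $localDomainSid = ([System.Security.Principal.WindowsIdentity]::GetCurrent().User).AccountDomainSid

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            # A resolvable identity is shown as DOMAIN\Name; an orphaned one stays as a raw S-1-... string
            $idValue = $ace.IdentityReference.Value
            if ($idValue -notlike 'S-1-*') { continue }
            $sid = New-Object System.Security.Principal.SecurityIdentifier($idValue)
            $origin = 'another machine or domain'
            if ($sid.AccountDomainSid -and $sid.AccountDomainSid -eq $localDomainSid) {
                $origin = 'this machine (deleted account)'
            }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $idValue
                Origin    = $origin
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-OrphanedSidEntries | Format-Table -AutoSize
```

Entries marked as coming from another machine on files you copied over the home network match the explanation given in the thread; orphaned SIDs with this machine's prefix belong to accounts that once existed locally and were deleted, which is the case that deserves a closer look.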