Trojan.Win32.Generic!BT


This topic is locked
2 replies to this topic

#1 fujidave

fujidave

  • Members
  • 25 posts

Posted 20 September 2010 - 12:38 AM

I am working on my sister-in-law's computer. She had Windows Live Essential Family Safety running and wanted to have it uninstalled. When I was working on it, I noticed how sluggish it was and that there was a Windows Update that would not install. I felt that it had some Malware on it as well as some, what I call "Crapware" on it. Crapware refers to toolbars and other stuff that runs in the background that she might have installed by not reading all the check boxes when she installed some stuff. I could not get the Windows Live Essential (WLE) to uninstall. The uninstall routine did not even load up. I had to use Revo Uninstaller to make a futile attempt at uninstalling it, then install WLE again, and then uninstall would work. This removed WLE.

Next I wanted to look at the malware issue. After I get that taken care of, I will look at the Crapware and try to remove some of that later in a rough attempt to speed up her laptop.

The system used AVG Free for an antivirus software and Windows Firewall as a firewall. I deleted AVG and installed Microsoft Security Essentials because MSSE seems not to be as much of a resource hound.

In searching for and removing malware, I use four programs: Malwarebytes Anti-Malware, Adaware, SpyBot S&D, and MS Security Essentials. I make sure I have the latest copies of these programs and that they are updated. I run these one at a time until I have a clean scan on all four. I run them in the order listed above. The first three found some stuff, mostly adware cookies, and it was removed. MSSE did not find anything, though it might have had I run it first.

Now three of them find nothing but Adaware still finds something. I saved the Adaware report log and can upload it if needed. Below is the part of the log of the stuff that it found.

Description: c:\system volume information\_restore{e50a3772-adc6-42f8-b62f-feba80092159}\rp386\a0383715.dll Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 5e58968f209a4e038d42905699e145d5
Description: c:\system volume information\_restore{e50a3772-adc6-42f8-b62f-feba80092159}\rp386\a0383716.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 1f0d051ff55fd2d354c4f6c04bac3d34

After the scan, I have Adaware remove the problems and then I run another scan. It still finds this.

Please help me in trying to get this removed permanently.

Thanks,

Below is the DDS.txt log. I have also attached copies of the attach.txt and Ark.txt files.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Sandy at 23:18:53.35 on Sun 09/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.105 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Documents and Settings\Sandy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Bar = hxxp://www.toshiba.com/search
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Walgreens PhotoShow Media Manager] c:\progra~1\walgre~1\walgre~1\data\xtras\mssysmgr.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238764347859
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-3 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\atmfbus.sys --> c:\windows\system32\drivers\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\atmfcvsp.sys --> c:\windows\system32\drivers\ATMFCVsp.sys [?]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\atmfflt.sys --> c:\windows\system32\drivers\ATMFFLT.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\atmfmdm.sys --> c:\windows\system32\drivers\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\atmfnet.sys --> c:\windows\system32\drivers\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\atmfnvsp.sys --> c:\windows\system32\drivers\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\atmfvsp.sys --> c:\windows\system32\drivers\ATMFVsp.sys [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-09-19 16:05:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-19 15:58:02 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-18 16:42:22 0 d-----w- c:\program files\VS Revo Group
2010-09-18 13:11:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-18 13:11:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 05:10:31 0 d-----w- c:\windows\system32\XPSViewer
2010-09-18 04:20:44 0 d-----w- c:\windows\system32\URTTemp
2010-09-18 01:39:29 4448 ----a-w- c:\windows\wininit.ini
2010-09-18 00:37:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-17 16:18:21 0 d-----w- c:\windows\SxsCaPendDel
2010-09-17 12:44:13 0 d-----w- c:\windows\system32\winrm
2010-09-17 12:44:00 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-09-13 04:15:34 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 04:01:45 0 d-----w- c:\program files\Microsoft Security Essentials
2010-09-13 02:27:56 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 12:15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-06 19:16:12 94384 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-07-06 19:16:06 2319536 ----a-w- c:\windows\system32\Incinerator.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 23:20:59.96 ===============

I meant to also include that the Windows Update that did not install was for Microsoft .NET Framework. I was successful in getting it to update by deleting all versions of MS .NET Framework and then reinstalling them. Not sure if it helps but there it is.

Fujidave

EDIT: Posts merged ~BP

Edited by Budapest, 20 September 2010 - 01:43 AM.
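The two Ad-Aware lines and the DDS "Pseudo HJT Report" quoted in the post above are both one-entry-per-line formats that a helper reads by eye. The following Python, an added example that is not part of the original thread and not Ad-Aware's or DDS's own code, parses both and flags the two things worth checking first: Ad-Aware detections whose path lies under `\System Volume Information\_restore{GUID}\RPnnn\` (System Restore snapshot copies rather than files that are running or loaded, which typically keep reappearing on each scan until the restore points themselves are cleared) and Pseudo-HJT entries that resolve to `No File` (registry entries whose target is gone). The field names follow the log lines exactly as quoted; the first two Ad-Aware sample lines and the DDS sample lines are copied from the post, and the third Ad-Aware line is constructed with a placeholder MD5.

```python
import re
from dataclasses import dataclass

# One-line Ad-Aware report entry, field order exactly as quoted in the post.
ADAWARE_RE = re.compile(
    r"Description:\s*(?P<path>.+?)\s+Family Name:\s*(?P<family>\S+)\s+"
    r"Engine:\s*(?P<engine>\d+)\s+Clean status:\s*(?P<status>\S+)\s+"
    r"Item ID:\s*(?P<item_id>\d+)\s+Family ID:\s*(?P<family_id>\d+)\s+"
    r"MD5:\s*(?P<md5>[0-9a-fA-F]{32})\s*$"
)

# Anything under \System Volume Information\_restore{GUID}\RPnnn\ is a
# System Restore snapshot copy, not a file that is running or loaded.
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]{36}\}\\rp\d+\\", re.I
)

# DDS "Pseudo HJT Report" entry whose target is missing: "<kind>: <name> - No File".
DDS_ORPHAN_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|mURLSearchHooks|uRun|mRun): (?P<name>.+?) - No File$"
)


@dataclass
class Detection:
    path: str
    family: str
    status: str
    md5: str
    in_restore_point: bool


def parse_adaware(lines):
    """Parse Ad-Aware detection lines; lines that are not detection entries are skipped."""
    found = []
    for line in lines:
        m = ADAWARE_RE.search(line)
        if m is None:
            continue
        found.append(Detection(
            path=m["path"], family=m["family"], status=m["status"],
            md5=m["md5"].lower(),
            in_restore_point=RESTORE_POINT_RE.search(m["path"]) is not None,
        ))
    return found


def dds_orphans(lines):
    """Return (kind, name) for Pseudo-HJT entries that point at 'No File'."""
    return [(m["kind"], m["name"]) for m in map(DDS_ORPHAN_RE.match, lines) if m]


def summarize(detections):
    """Count restore-point snapshot detections separately from everything else."""
    snapshots = sum(1 for d in detections if d.in_restore_point)
    return {"restore_point": snapshots, "active": len(detections) - snapshots}


# Sample input. First two lines copied from the post; third line is constructed
# (placeholder path and all-zero MD5) to show a detection outside a restore point.
SAMPLE_ADAWARE = [
    r"Description: c:\system volume information\_restore{e50a3772-adc6-42f8-b62f-feba80092159}\rp386\a0383715.dll Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 5e58968f209a4e038d42905699e145d5",
    r"Description: c:\system volume information\_restore{e50a3772-adc6-42f8-b62f-feba80092159}\rp386\a0383716.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 1f0d051ff55fd2d354c4f6c04bac3d34",
    r"Description: c:\docume~1\user\locals~1\temp\constructed_sample.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 00000000000000000000000000000000",
]

# Sample DDS Pseudo-HJT lines, copied from the log in the post.
SAMPLE_DDS = [
    r"mURLSearchHooks: H - No File",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r"BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File",
    r"TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
]

if __name__ == "__main__":
    dets = parse_adaware(SAMPLE_ADAWARE)
    for d in dets:
        where = "restore point" if d.in_restore_point else "live path"
        print(f"{d.family:<24} {d.md5}  [{where}]  {d.path}")
    print(summarize(dets))
    for kind, name in dds_orphans(SAMPLE_DDS):
        print(f"orphaned {kind} entry: {name}")
```

Run on a full Ad-Aware report and DDS log, the two regexes only ever match the quoted line shapes, so any line the tools emit in a different layout is simply ignored rather than misparsed; that is deliberate, since a false "clean" verdict from a sloppy parser is worse than a skipped line.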



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 52,423 posts
  • Gender:Female
  • Location:Romania

Posted 27 September 2010 - 08:14 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 52,423 posts
  • Gender:Female
  • Location:Romania

Posted 04 October 2010 - 05:09 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.
regards, Elise
