Infected with Trojan.Win32.Generic!BT & Win32.Trojan.Agent


15 replies to this topic

#1 pleasehelp81

Posted 13 March 2012 - 03:08 PM

Hello,

I am on a laptop running Windows 7 and a couple of days ago, Ad-aware found two viruses: Trojan.Win32.Generic!BT & Win32.Trojan.Agent - see details on quarantined items pasted at the bottom of this note. I've tried numerous times to remove the viruses by rebooting, as recommended, and rescanning, but it's only gotten worse. I can now no longer access most of my programs, including any virus scan programs (Adaware, Malwarebytes). I was able to download RKill but when I try to run any of the different versions nothing happens - have tried renaming with no success. When using Internet Explorer, Google search is redirected to other sites. I've tried using safe mode with the same results.

Please let me know if you can help? Here's the virus scan log from a few days ago, when I was actually able to run Adaware.

Thanks in advance!!

Scan Log:

Quarantined items:
Description: c:\programdata\f4d55f3b0001577a000a86a2b4eb2367\f4d55f3b0001577a000a86a2b4eb2367.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 7f544794965c873108012225055eafd6
Description: c:\windows\assembly\gac_32\desktop.ini Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Reboot required Item ID: 1 Family ID: 0 MD5: 878F9B6DA85CB98FCBDF6ABD1730A32F
Description: c:\windows\assembly\temp\u\00000002.@ Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 423301116b6212572c18cacb6b2cdcc1
Description: c:\windows\assembly\temp\u\80000004.@ Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: cad5f92045b581a877ec5cb1b738233d
Description: c:\users\brian\appdata\local\temp\~!#3f23.tmp Family Name: Win32.TrojanDropper.Injector Engine: 1 Clean status: Success Item ID: 0 Family ID: 6048712 MD5: 93cca20de1f597ae69110d908542ff48
Description: c:\users\brian\appdata\locallow\sun\java\deployment\cache\6.0\60\54f8fbfc-6bfd8131 Family Name: Trojan.Win32.Generic.pak!cobra Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5: 670393a01b820293dd2f125faf2e2dd6
Description: c:\windows\assembly\gac_64\desktop.ini Family Name: Win32.Trojan.Agent Engine: 1 Clean status: Reboot required Item ID: 0 Family ID: 936 MD5: 9D7EC1E355AC35CBE6991721EF5AE3B8

#2 boopme


Posted 13 March 2012 - 06:35 PM

Hello, let's see if we can do these.

If RKill still fails, move on.


Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.


Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.




Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.


Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now reboot to Normal and run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#3 pleasehelp81


Posted 13 March 2012 - 07:45 PM

Thanks for the quick reply. "Use a proxy" was not checked so that was okay. I downloaded MiniToolBox to my desktop and tried to run it but when I click "run" the hourglass appears for a few seconds and then nothing happens. Tried it a couple of times. This is the same thing that happens when I try to run RKill, Ad-Aware, etc. Do you have another suggestion? Thanks again.

#4 boopme


Posted 13 March 2012 - 08:00 PM

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Now try again,

#5 pleasehelp81


Posted 13 March 2012 - 08:23 PM

Hello, I downloaded exehelper and double clicked it to run. A black box appeared for maybe 1/10th of a second and then disappeared, and I can't find a log file - I don't think one was created. I tried this a few times with no luck.

Any ideas? Thanks again.

#6 boopme


Posted 13 March 2012 - 08:51 PM

Can you do a system restore to a date before this all started? Then try scanning.
Windows 7 - System Restore


OR
FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
For when you can't launch anything

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

FixNCR.reg

Insert the removable device into the infected computer and open the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.
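As an added example (not the FixNCR.reg file itself, whose contents the thread does not show), here is a Python check of the kind of setting that post describes: it parses a registry export of the .exe association keys and reports whether the open command has been redirected away from the Windows default. The sample exports and the loader path are constructed for illustration.

```python
import re

# Well-known healthy defaults: ".exe" maps to the "exefile" class, whose open
# command runs the program itself with its arguments.
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}} (REG_SZ only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not val:
            continue
        name = "@" if val.group(1) == "@" else val.group(1)[1:-1]  # "@" = default value
        data = val.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape quotes and backslashes inside string data
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys

def check_exe_association(keys):
    """Return (key, expected, actual) for each deviation from the healthy defaults.
    A per-user copy of .exe/exefile under HKEY_CURRENT_USER\\Software\\Classes
    overrides the machine-wide entry, so its presence is reported as well."""
    findings = []
    for path, expected in EXPECTED_DEFAULTS.items():
        actual = keys.get(path, {}).get("@")
        if actual != expected:
            findings.append((path, expected, actual))
    for path in keys:
        low = path.lower()
        if low.startswith(r"hkey_current_user\software\classes") and (
            low.endswith(r"\.exe") or r"\exefile" in low
        ):
            findings.append((path, "<absent>", "user-level override present"))
    return findings

# Constructed sample exports (not from the thread). In the hijacked one every .exe
# launch would run a placeholder loader first, the symptom FixNCR.reg is meant to fix.
HEALTHY_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

HIJACKED_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\ProgramData\\EXAMPLE-placeholder\\loader.exe\" -a \"%1\" %*"
"""
```

On a real machine the export would come from `reg export HKCR\exefile` (and `HKCR\.exe`) run from a clean account or offline, and any finding means the machine launches something other than the requested program.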

#7 pleasehelp81


Posted 14 March 2012 - 08:32 PM

Hello again. I tried System Restore and it worked but it restored my system to Fri, 3/9 which is after I picked up the virus - this was the earliest available restore point. In any case, I tried the suggestions again that you made earlier, but they didn't work.

I also uploaded FixNCR.reg to a USB from a clean computer and ran it on the infected computer. This also appeared to work. I then uploaded and tried to run MiniToolBox but when I clicked "run" nothing happened. I also tried RKill again with no success. Do you have another idea I can try? Thank you - really appreciate your help.

#8 boopme


Posted 14 March 2012 - 08:34 PM

Did you try right-clicking on the desktop icon and selecting Run as Administrator?

#9 pleasehelp81


Posted 14 March 2012 - 10:07 PM

Thanks. Yes, I tried running as an administrator but it didn't work.

#10 boopme


Posted 14 March 2012 - 10:28 PM

Can you possibly create a DDS log? This can be run from a CD or Flash Drive.

We need a deeper look. Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9 which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run skip it and move on.

Let me know if that went well.

#11 pleasehelp81


Posted 15 March 2012 - 01:00 PM

Hi, I am not able to create a DDS log. Tried to run DeFogger and a black box appeared and stayed open for maybe 10 seconds but then closed. It was blank - there wasn't a disable button.

I tried to run DDS anyway and that didn't work either - the hourglass appeared for a couple of seconds and that was it.

I tried both DeFogger and DDS in regular mode and safe mode a few times, and tried just running, and also opening as an administrator, but no luck....

Thank you.

#12 boopme


Posted 15 March 2012 - 10:23 PM

If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open.
  • Double-click on the OTL icon on your desktop.

    Vista/Windows 7 users right-click and select Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Under Output, ensure that Minimal Output is selected.
  • Click the "Scan All Users" checkbox.
    Leave the remaining selections to the default settings.
  • Click the Run Scan button.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTListIt.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
    If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

#13 pleasehelp81


Posted 16 March 2012 - 07:52 AM

Good morning. I downloaded OTL, closed all applications and attempted to run OTL as administrator but it wouldn't execute. I tried this in both regular and safe modes. Would appreciate any other suggestions you might have. Thanks for your help.

#14 boopme


Posted 16 March 2012 - 08:23 PM

OK, we are going to just repost your 1st post in the new topic.
Copy this link to this topic and state we tried DDS and OTL and neither will run.

http://www.bleepingcomputer.com/forums/topic446129.html/page__pid__2633214#top

#15 pleasehelp81


Posted 17 March 2012 - 07:30 AM

Sorry but I'm not following. Are you asking that I create a new post in this same topic (forum) or in a different one? Thanks for all of your help.