Generic8.tsa - Got rid of most - 3 lingering


48 replies to this topic

#1 TiredofThis

TiredofThis

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 02 February 2009 - 02:40 AM

The trojan seemed to have the name: generic8.tsa (I see there are many versions people are experiencing). I followed the thread for one of them where the advice was to download Malwarebytes' Anti-Malware. I had the hardest time getting it done for popups kept closing my browser and sending me to more spyware ads and downloads. I installed and ran the program and it found 68 affected things. They were all checked for removal and then to restart the pc. It wasn't able to remove them all at that point but instructed me to restart the pc. That's when more problems occurred. I restarted my pc and tried to load my user account only to find a blank blue screen - it remained there for over ten minutes with nothing happening - just my cursor sitting on the screen. So I restarted the pc again by turning it off. This time it let me see my desktop but with popups about programs that were unable to run including my taskbar to close them. I had to restart a couple of times in order to get those closed before I could do anything. I have run the Malwarebytes four times now and it remains with three trojans - even though it says it has removed them. Then I reboot, run the program again - and there they are again.
Also, AVG 7.5 was completely shot after all this - I couldn't get it to work at all. I uninstalled it and will install ver 8. The two errors on my desktop with the first couple of reboots show errors with avg, yahoo messenger and the taskbar (alt control delete trying to manually shut programs and it said the option to run it was shut off by the administrator)
I read some other suggestions for others on here - but just not sure which one would be best for me to download and do at this point. I read the thread where someone else mentioned avg and yahoo being a problem.
Here is what my log shows it removed and healed but they are there with each reboot:

Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 5.1.2600 Service Pack 2

2/2/2009 12:13:03 AM
mbam-log-2009-02-02 (00-13-03).txt

Scan type: Quick Scan
Objects scanned: 60535
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\winnt\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


I see on another thread that someone suggested to do the following:

Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Is this what I should be doing? Or is there something else I need to do instead?

Thanks!


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:30 AM

Posted 02 February 2009 - 03:41 AM

http://www.bleepingcomputer.com/forums/ind...t&p=1116533

Follow QM7's guide for running SAS after ATFCleaner
Chewy

No. Try not. Do... or do not. There is no try.

#3 TiredofThis

TiredofThis
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 02 February 2009 - 11:51 AM

So I ran the scan again with the Malwarebytes so to see if that might correct why the other site is giving me problems since I was getting popups again. It thinks it's all cleaned up now so I have them off for the time being but I know as soon as I reboot, they'll be back. I tried to download the SuperAntispy and got the same error saying that windows explorer can't download for the site is not there or has moved, etc... Anything else I can try to download it?
Thanks!

#4 TiredofThis

TiredofThis
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 02 February 2009 - 11:52 AM

forgot to check the option to receive emails when a reply... so adding one more message so I can check that option.

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:30 AM

Posted 02 February 2009 - 12:22 PM

http://www.atribune.org/ccount/click.php?id=1

http://www.superantispyware.com/

http://www.superantispyware.com/definitions.html

try copying and pasting into the address bar

or

Use an uninfected computer to download to
Chewy

No. Try not. Do... or do not. There is no try.

#6 TiredofThis

TiredofThis
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 02 February 2009 - 05:23 PM

This is definitely the worst one I've encountered. I was able to get it downloaded. In safe mode, it ran a scan and then overrode me and wanted to shut it down and did without correcting anything. The second time, I was able to catch when it did it. So the third time, I was able to stop it after the 13 infected were showing and I was able to remove them - so it said. However, I also ran Spybot in safe mode, same problem - but I wasn't able to tell it to remove them before it overrode me and shut it down. My browser works sporadically now.
I don't think this is working to remove this.
What about a System Restore two days back? Is that possible?

#7 TiredofThis

TiredofThis
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 02 February 2009 - 05:26 PM

I removed my hijacklog - just saw I wasn't supposed to post it here.

Edited by TiredofThis, 03 February 2009 - 01:38 AM.


#8 TiredofThis

TiredofThis
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 02 February 2009 - 06:54 PM

I should mention - I have done what has been suggested - downloading malware and SuperAnti - malware lets me finish and reboot with the virus still there. Super didn't let me finish in safe mode, I had to watch for when it popped up the box to shut it down and catch it before then and tell it to manually go ahead and get rid of the list of viruses. They were there again when I rebooted and did Spybot in safe mode - I couldn't tell it to fix or move them to the vault for it also shut me down before it was finished. I'm going to try it again now. But I am reading now that some of these are attached to the System Restore and that's why they keep coming back. I wanted to do a previous restore from two days ago. Can that work? I don't want to shut it off and risk there is no restore but that is one of the suggestions to turn off the system restore (lose all the previous restores) and then go ahead and run the virus scanners. I'm too scared to try that. Is there anything I can do to get it off the system restore or to completely remove it on my own without having to take my pc to someone?

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:30 AM

Posted 02 February 2009 - 07:35 PM

You are not being reinfected from system restore, you have to do that yourself, the malware often sets a restore point after you are infected.

Help is on the way, don't make any changes
Chewy

No. Try not. Do... or do not. There is no try.

#10 TiredofThis

TiredofThis
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 03 February 2009 - 01:35 AM

I have rerun malware, Superanti and spybot - about three times each (super took over 2 hours to complete one). Then it makes me reboot to finish - and every time I reboot... they are back!
Here is the list of them that seem to remain:
fraud xp antivirus
adware.vundo
adware.vundo/variant ms worker fake 2
rogue.msantispyware2009
adware.tracking cookie

there are a few more on spybot that keep returning... I just didn't write them down. I have figured out a way to get my browser to work - I have to load it over and over and over in a row and eventually - one of the loaded browsers works!
I haven't attempted System Restore but I want to if it will take me to a couple days back and no virus will be attached. I had to do it a month ago for the first time ever on this pc and everything went fine - but wasn't for a virus. I have it set to the maximum restore so I can go to the day before all this happened. I'm okay with doing that if that might work.
I'll wait and see what else is advised to try. If it's advised I take it to someone to have it repaired, I'm also open to that. I've never had to do that before - always been able to repair and fix things but this one seems just horrible.
thanks!

#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:30 AM

Posted 03 February 2009 - 07:50 AM

http://www.bleepingcomputer.com/forums/ind...t&p=1116300

Let's give cureit a chance at this
Chewy

No. Try not. Do... or do not. There is no try.

#12 TiredofThis

TiredofThis
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 03 February 2009 - 03:28 PM

well I ran it... Dr Cureit... it found one: userinit.exe in WINT/System32... I told it to cure all and saw the status of it and showed it was deleted. And I rebooted after I made the log. And now I can't use any user accounts and can't log onto my desktop. It starts to, then boots me back off. So whatever this was... is worse now. I have no access on the pc now - this is the laptop. Any more suggestions?

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:30 AM

Posted 03 February 2009 - 03:36 PM

Which options work in safe mode if any?
Chewy

No. Try not. Do... or do not. There is no try.

#14 TiredofThis

TiredofThis
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Local time:06:30 AM

Posted 03 February 2009 - 04:01 PM

I can't load the user account in safe mode, either.
I tried safe mode with command prompt. Same thing - it showed my user accounts, I tried to use mine and it logged me back off immediately. I also tried the other user accounts - they don't work.
Safe mode with networking - same thing
Anything else I should try in safe mode? I did the top three...

#15 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:30 AM

Posted 03 February 2009 - 09:05 PM

Do you know how to burn an iso?

DrWeb makes an anti-virus emergency aid disk that would restore a system that became non-operational due to activities of malware

http://www.freedrweb.com/livecd/
Chewy

No. Try not. Do... or do not. There is no try.



