Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Trojan infection

  • Please log in to reply
1 reply to this topic

#1 Appleflap


  • Members
  • 3 posts
  • Local time:04:54 PM

Posted 29 December 2009 - 03:33 AM

Dear BC community,

I hope I'm posting this in the right place, and that those in the know are able and willing to help me.

Last week i received an expected e-mail attachment from a trusted source with an unexpected surprise included in the .rar archive, which I in my infinite stupidity doubleclicked.
Since then, every time I connect a removable storage device, McAfee (Enterprise 8.7i) pops up with a warning that Generic!atr attempted to multiply itself, or at least an autorun.inf file.

The infection creates the files "install.exe" and "autorun.inf" in the root directory of each connected disk. These files both have the "hidden" attribute enabled. Neither can be removed by regular means, because they are always "in use by another user or application". McAfee manages to remove the autorun.inf file, because it is recognised as mentioned above.

When I right-click on the "install.exe" file and choose "properties", a shortcut appears in the same dir, with MS-DOS icon, it can be removed normally.

If I connect a digital camera, both files proliferate to its memory stick, whereupon it has to be removed "unsafely" because its constantly "in use".
When it is reconnected after doing so, the copy of "install.exe" on the memory stick shows "ewbkb2l0zjw" in the space where software publisher and/or document type are usually displayed in gray text, below the file name.

So far, I have run both McAfee and MBAM in and out of safe mode with system restore turned off (both full scan). As well as a stinger app the system admin sent me, based on my report of Generic!atr.
This morning, i discovered that the measures so far haven't helped, neither McAfee nor MBAM have managed to clean the infection.
The solution system admins have come up with now, is to use system restore to revert to a backup from before i opened the accursed e-mail.
And now, since I am so reluctant to do this, I come here seeking wisdom. Can anyone help?

The PC runs on Windows XP SP3.

Thank you for your time anyway.
If additional information is required, I will of course be happy to provide it.

Edited by Appleflap, 29 December 2009 - 03:45 AM.

BC AdBot (Login to Remove)


#2 Appleflap

  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:54 PM

Posted 29 December 2009 - 08:13 AM

Problem has been fixed by the latest version of Spybot - Search & Destroy. Thank you for your time, and good luck.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users