Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan horse Generic17.BICQ


  • Please log in to reply
7 replies to this topic

#1 CJ32

CJ32

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 12 May 2010 - 09:54 AM

I fell asleep last night and woke up to see AVG ran a scan and found an infection titled 'Trojan horse Generic17.BICQ'. It has it 3 times in the list too, all from the same file. I try to remove them but it won't let me. I put together my own computer not long ago and have Windows 7 64-bit currently running on it. I've had several minor problems in the past(or present, as I haven't exactly got around fixing those either). Please, any help would suffice. I appreciate the time and concern for it all too.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,099 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:24 PM

Posted 12 May 2010 - 02:28 PM

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • Follow these instructions: How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 CJ32

CJ32
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 12 May 2010 - 04:14 PM

Thank you very much for giving me options and some hope in this.

Before your reply, I did a little looking and did some stuff on me own. I used CCleaner and used all of it's cleaning ability, not sure if that's similar to TFC in any way. But after that I used the full scan of the Malwarebyte's Anti-Malware. I actually used it the exact way you explained to use it before your post (besides the quick scan, I did full). Here's the log from that in red.

------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4093

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/12/2010 10:23:14 AM
mbam-log-2010-05-12 (10-23-14).txt

Scan type: Full scan (C:\|)
Objects scanned: 248259
Time elapsed: 24 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\3ba493e399df23647b4968681e4173c8 (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8bcb5337-ec01-4e38-840c-a964f174255b} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\$Recycle.Bin\S-1-5-21-1925726785-2166078532-367145404-1000\$RDE6A73.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\CJ\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0007b3 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\CJ\Documents\Downloads\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\CJtest\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6HFCQJ1J\PerfectOptimizer[1].exe (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.
C:\Users\CJtest\Desktop\PerfectOptimizer.exe (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot\AdwareBot.exe (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot\AdwareBot.url (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot\DataBase.ref (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot\vistaCPtasks.xml (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AdwareBot\AdwareBot on the Web.lnk (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AdwareBot\AdwareBot.lnk (Rogue.AdwareBot) -> Quarantined and deleted successfully.


------------------------------------------------------------------------------------------------------------------------------------

Now that I got that through, I looked here and saw your post. So I here's what I did to your instructions. I ran TFC immediately after downloading. It rebooted shortly after opening and starting it. Got out Malwarebytes Anti-Malware again and checked for updates, but already had latest due to earlier. Ran the quick scan and if not mistaken, everything seemed fine. Here's the log in blue.

------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4093

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/12/2010 3:36:49 PM
mbam-log-2010-05-12 (15-36-49).txt

Scan type: Quick scan
Objects scanned: 130296
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


------------------------------------------------------------------------------------------------------------------------------------

I rebooted after that just for assurance. Logged back in, and luckily already had SUPERAntispyware downloaded from earlier today as well. Just never used it. I followed your instructions given to me and after the scan, this is what was logged in green.

------------------------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/12/2010 at 03:59 PM

Application Version : 4.37.1000

Core Rules Database Version : 4925
Trace Rules Database Version: 2737

Scan type : Complete Scan
Total Scan Time : 00:11:52

Memory items scanned : 341
Memory threats detected : 0
Registry items scanned : 4820
Registry threats detected : 0
File items scanned : 23760
File threats detected : 7

Adware.Tracking Cookie
C:\Users\CJtest\AppData\Roaming\Microsoft\Windows\Cookies\cjtest@clickbank[1].txt
C:\Users\CJtest\AppData\Roaming\Microsoft\Windows\Cookies\Low\cjtest@www.googleadservices[1].txt
C:\Users\CJtest\AppData\Roaming\Microsoft\Windows\Cookies\Low\cjtest@windowsexpert[2].txt
C:\Users\CJtest\AppData\Roaming\Microsoft\Windows\Cookies\Low\cjtest@serving-sys[1].txt
C:\Users\CJtest\AppData\Roaming\Microsoft\Windows\Cookies\Low\cjtest@atdmt[2].txt
C:\Users\CJtest\AppData\Roaming\Microsoft\Windows\Cookies\Low\cjtest@media6degrees[2].txt
C:\Users\CJtest\AppData\Roaming\Microsoft\Windows\Cookies\Low\cjtest@bs.serving-sys[2].txt



------------------------------------------------------------------------------------------------------------------------------------

With that, I thank you again for your time!

Edited by CJ32, 12 May 2010 - 04:16 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,099 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:24 PM

Posted 12 May 2010 - 06:15 PM

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 CJ32

CJ32
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:24 PM

Posted 13 May 2010 - 07:40 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 13, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 13, 2010 10:36:49
Records in database: 4105732
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 126061
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:16:54

Edited by CJ32, 13 May 2010 - 07:41 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,099 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:24 PM

Posted 13 May 2010 - 09:35 PM

IMPORTANT NOTE: Your scan log results in the email notification I received before you edited it indicate you are using keygens/crack tools.

Scan statistics:
	Objects scanned: 126061
	Threats found: 1
	Infected objects found: 1
	Suspicious objects found: 0
	Scan duration: 01:16:54

C:\Users\CJ\Documents\Photoshop\Adobe Photoshop CS4 Extended v.11 + 
Activation\Adobe_Keygen.exe Infected: Trojan.Win32.Buzus.dseo
The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

I strongly recommend that you remove all cracks and keygens immediately to reduce the risk of infection or we are just wasting time trying to clean your system.

Using these types of programs or the websites you visited to get them is very likely how your computer got infected!!

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. (If using Windows Vista, be sure to Run As Administrator)
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Services

:Reg

:Files
C:\Users\CJ\Documents\Photoshop\Adobe Photoshop CS4 Extended v.11 + 
Activation\Adobe_Keygen.exe

:Commands
[emptytemp]
[start explorer]
[reboot]
  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles \mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTM is a powerful program, designed to move highly persistent files and folders and is intended by the developer to be used under the guidance and supervision of a trained malware removal expert.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 jenga420

jenga420

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 18 May 2010 - 07:12 PM

I had a similar issue.

This is the complete log from the MBAM scan of my computer.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4113

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/18/2010 8:07:15 PM
mbam-log-2010-05-18 (20-07-15).txt

Scan type: Quick scan
Objects scanned: 137440
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.49,93.188.161.197 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4d1ae69f-9f6f-4bae-baed-e8fa76b007cf}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.49,93.188.161.197 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,099 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:24 PM

Posted 19 May 2010 - 08:30 AM

Welcome to BC jenga420

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users