
Trojan Generic17.BTH is wreaking havoc with my machine - advice please

2 replies to this topic

#1 Tigo

  • Members
  • 5 posts

Posted 01 June 2010 - 11:08 AM

Hi -
My husband was using his laptop with no virus protection. He now has this trojan virus on it. He has lost the ability to connect wirelessly; it tells him it's acquiring a network address and there is no IP listed. He also can't use his iPhone to access the net through his USB, which is what he usually does.

So what we've done...
Installed AVG - purchased the full version. It notifies us of the virus every time we turn it on but not much else.
Did an ESET online scan - found some stuff, got rid of it, but things have gotten worse since that point.

I then uninstalled and re-installed the wireless network adaptor, but all that has done is delete my key, so I can't get to our wireless network even if the other problems were solved - I can't find the key, but all of the other machines are connected using it.

We can connect if I plug the machine into the modem with the cable.

Oh I also just tried to start in safe mode to run AVG that way, but it won't let me pass the log in prompt - I can't even move the cursor.

Also - when AVG pops up at start up it says it found the virus in explore.exe, and I'm running Windows XP.

Any advice?

Thanks

Edited by Tigo, 01 June 2010 - 02:48 PM.



#2 Tigo

  • Topic Starter
  • Members
  • 5 posts

Posted 01 June 2010 - 10:06 PM

I just ran Malwarebytes and this is the report I got after the scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4162

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

01/06/2010 11:44:15 PM
mbam-log-2010-06-01 (23-44-15).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 182026
Time elapsed: 1 hour(s), 31 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explore (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.

But then I restarted the machine, and AVG opened up and told me it found the virus, and now it can no longer get an IP on the wired LAN - which before the last start up it could with no difficulties. So now I can't access the net when I'm plugged in directly to the modem. I'm not sure what to do next.

thanks

eta: I've also run ATF Cleaner and SuperAntiSpyware in Safe Mode - I thought that had solved the problem, as things seem to be working nicely, but AVG is still picking up the Trojan thread. SuperAntiSpyware is running clean now in regular mode.

Edited by Tigo, 02 June 2010 - 10:12 AM.
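The most telling line in the Malwarebytes log above is the Hijack.UserInit entry: the Winlogon `Userinit` value is a comma-separated list of programs Winlogon launches at every interactive logon, and malware persists by appending its own executable (here `sdra64.exe`) after the legitimate `userinit.exe`. That is why the detection keeps returning at start up even after scanners remove files. The script below is an added example written for this page, not code from BleepingComputer, Malwarebytes or the poster. It parses a `Bad: (...) Good: (...)` line of the kind shown in the log (the sample text is copied from the post above and embedded inline) and audits a raw `Userinit` value against an allow-list of expected basenames. Comparing basenames rather than directories matters: the extra entry here lives in `system32` alongside the real one, so a "must be in system32" check would not flag it. The helper names (`parse_hijack_entries`, `audit_userinit`) are this example's own.

```python
import ntpath
import re

# Sample log text reproduced from the Malwarebytes report quoted in the post above
# (the same content, one entry per line as the tool writes it).
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
"""

# Basenames Winlogon is expected to launch via Userinit on a stock Windows XP install.
EXPECTED_USERINIT = ("userinit.exe",)

# Matches one "<key> (<detection>) -> Bad: (<value>) Good: (<value>)" line.
# The key is matched lazily because it may contain spaces ("Windows NT").
HIJACK_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\)\s*Good: \((?P<good>[^)]*)\)",
    re.MULTILINE,
)


def split_userinit(value):
    """Split a raw Userinit value on commas, dropping empty entries.

    Windows writes the value with a trailing comma, so an empty final element
    is normal and not an indicator on its own.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_userinit(value, expected=EXPECTED_USERINIT):
    """Return the entries of a Userinit value whose basename is not expected.

    An empty result means only the allow-listed programs are launched at logon.
    """
    allowed = {name.lower() for name in expected}
    return [
        entry
        for entry in split_userinit(value)
        if ntpath.basename(entry).lower() not in allowed
    ]


def parse_hijack_entries(log_text):
    """Extract Bad/Good registry data items from Malwarebytes log text.

    Each result carries the registry key, the detection name, the bad and good
    values as lists, and 'extra': the bad entries the good value does not explain.
    """
    entries = []
    for match in HIJACK_RE.finditer(log_text):
        bad = split_userinit(match.group("bad"))
        good = split_userinit(match.group("good"))
        entries.append(
            {
                "key": match.group("key"),
                "detection": match.group("detection"),
                "bad": bad,
                "good": good,
                # Anything in the bad value that is not one of the good basenames
                "extra": audit_userinit(match.group("bad"), expected=good),
            }
        )
    return entries


if __name__ == "__main__":
    for item in parse_hijack_entries(SAMPLE_LOG):
        print(item["detection"], "at", item["key"])
        for extra in item["extra"]:
            print("  unexpected logon program:", extra)
```

Run against the quoted log, the script reports `C:\WINDOWS\system32\sdra64.exe` as the one unexpected logon program; `audit_userinit` on a clean value such as `C:\WINDOWS\system32\userinit.exe,` returns an empty list. The same allow-list check applies to a live `Userinit` value read from the registry, which is how a responder would confirm the persistence is gone after cleanup rather than relying on a scanner's "deleted successfully" message.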


#3 Tigo

  • Topic Starter
  • Members
  • 5 posts

Posted 02 June 2010 - 10:23 AM

I should also add that I've attempted to do a system restore at a couple of different points, and it won't allow a restore. I can connect to the net now, if I'm connected to the modem, since running the last two programs in Safe Mode.
