Odd Warnings Involving Trojan.generic3.qtn

5 replies to this topic

#1 AnonArtist

Posted 14 October 2006 - 03:39 AM

Software I have scanned with:
- AVG Free v7.1 (up to date definitions) - Scanned with "Scan Computer" Option
- Panda ActiveScan - Don't remember the exact option - was something like Scan Disks
- AdAware SE Personal 1.06r (up to date definitions) - Perform Full System Scan

I also scanned with GMER rootkit after reading an article here about "Generic2" - I scanned and didn't find anything that drew my attention, and GMER didn't bring up any visible warnings about any of the objects it scanned. I'm not entirely sure if I am reading GMER correctly though (scanned via "rootkit" tab), with all the default options ("show all" was not checked - I will be running it with that checked after posting this).

Every now and then AVG Free will turn up a warning about a .exe file infected with "Trojan.Generic3.QTN" - and then the warning will quickly vanish (the last one I was across the room, noticed it popped up, and it had gone down before I even finished reading it - it repeats this warning in the AVG logs (although it hasn't popped up the warning again, just added it to the list):

Resident Shield Reports Trojan Horse BackDoor.Generic3.QTN on C:\System Volume Information\_restore{99A27477-6940-497F-B583-7CEAC1485970}\RP626\A0090158.exe

That is the only file it has listed on there, yet I can't find the location (restricted, even though my account is an "Administrator" account). (I had to type that out...XML doesn't read right)

I'm curious why on active scans, it returns nothing (not even the file that resident shield warns about in the logs - much less the source of it). All Panda/AdAware return is a list of old cookies (which I went through and deleted - AdAware reported 7, Panda reported something like 90 *about 75-80 of which were in an old user folder that I hadn't removed yet, but hadn't been used for about 3 months*). AVG reports an all-clean (with its usual list of "-OK-"|"Quickchecked", " "|"Scanned", and "Changed"|"Changed")

- Another recent problem: While looking for solutions to this problem, the temperature of my Processor jumped to 70C in the period of a few seconds (according to MBM 5 *a temperature monitoring tool I've had for some time*), and requested a shutoff (which I did, manually, not through MBM 5), came back tonight and it's working fine (44C atm - 42C to 52C is normal for it under standard working conditions)

Where should I start to solve this problem that I can't seem to find the source of?

#2 quietman7

Posted 14 October 2006 - 02:51 PM

I'm not entirely sure if I am reading GMER correctly though

It's not a good idea to be using tools/programs that you do not know how to use.

According to what you posted, AVG is finding this trojan in RP626 located within C:\System Volume Information. This folder is a part of System Restore - the tool that allows you to set points in time to roll back your computer. The System Volume Information folder is where XP stores these System Restore points and other information. By default, it is a hidden folder unless you reconfigured Windows to show it. You can set a new restore point and purge the old ones to include RP626.

If you're running Win XP/2000, download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version, which has a special "clean driver" for removing persistent malware.) Be sure to print out the AVG Anti-Spyware Install-Scan Instructions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
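As an added example (not code from the thread, from AVG, or from BleepingComputer), a small Python triage script that applies the point made above: it parses a Resident Shield log line of the shape quoted in the first post, recognises a path that sits inside a System Restore point (an RP folder under C:\System Volume Information), and separates that case, where the fix is a fresh restore point plus a purge of the old ones, from a detection of a live file. The second log line, its threat name and its path are constructed placeholders.

```python
import re
from typing import NamedTuple, Optional

# Shape of a Windows XP/2000 System Restore path, as quoted in the thread:
#   C:\System Volume Information\_restore{<GUID>}\RP<n>\A<digits>.<ext>
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\(?P<file>[^\\]+)$"
)

# Shape of the AVG 7.x Resident Shield log line quoted in the thread.
AVG_LINE_RE = re.compile(
    r"^Resident Shield Reports (?P<threat>.+?) on (?P<path>[A-Za-z]:\\.+)$"
)

class Detection(NamedTuple):
    threat: str
    path: str
    in_restore_point: bool
    restore_point: Optional[int]  # RP number when the file sits inside System Restore
    advice: str

def classify(line: str) -> Optional[Detection]:
    """Parse one Resident Shield log line and say which cleanup applies."""
    m = AVG_LINE_RE.match(line.strip())
    if not m:
        return None  # not a Resident Shield detection line
    threat, path = m.group("threat"), m.group("path")
    rp = RESTORE_POINT_RE.match(path)
    if rp:
        # An archived copy inside a restore point is not running, and on-demand
        # scans skip the folder, which is why they come back clean. Creating a
        # fresh restore point and purging the old ones removes the copy.
        return Detection(threat, path, True, int(rp.group("rp")),
                         "create a new restore point, then purge the old ones")
    return Detection(threat, path, False, None,
                     "live file: quarantine it and rescan the system")

# First line is the one quoted in the thread; the second is a constructed
# example of a detection outside System Restore (placeholder path and name).
SAMPLE_LOG = [
    r"Resident Shield Reports Trojan Horse BackDoor.Generic3.QTN on "
    r"C:\System Volume Information\_restore{99A27477-6940-497F-B583-7CEAC1485970}\RP626\A0090158.exe",
    r"Resident Shield Reports Trojan Horse Example.Placeholder on C:\Documents and Settings\user\sample.exe",
    "AVG update completed",
]

def triage(lines):
    """Return the classified detections; non-detection lines are skipped."""
    return [d for d in (classify(ln) for ln in lines) if d is not None]
```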

#3 AnonArtist

Posted 15 October 2006 - 12:40 AM

Downloaded and about to install and run in Safe Mode...(temperature problem still exists...stabilized though at a roasty 64C -_- thanks to a huge box fan and an open case, which I know isn't good).

I assume the new restore point should be set AFTER running Ewido - does this automatically purge the old restore point? or do I have to do something special to purge it? (I can see it, but it won't let me access it to manually remove it - even on the owner account, there is no 'security' tab in the "security and sharing" popup, so the instructions on the MS website for accessing it in WinXP aren't working :thumbsup: ).

Anywho...off to scan in safe mode (I'm going to run AVG 7.1 again as well in safe mode).

[Edit] I got it to give me access (view and such) to the folder, scanned it directly with AVG and it spotted the trojan, only in 1 file, in that 1 restore...

Order of Events (notice cool downs due to odd heat problems - more on that in a second):
- Downloaded and set up Ewido, set the computer up to restart in safe mode.
- Turned off computer, let it cool down for about an hour.
- Turned it on in safe mode, scanned in safe mode, Ewido (AVG Anti-Spyware) only returned 1 "Tracking Cookie" (which I removed).
- Turned off computer to let it cool down again (leaving it set to turn on in safe mode) - this due to a heat warning.
- Turned on in safe mode, scanned with AVG 7.1 in safe mode, still only found the 1 trojan.generic3.qtn
- Set it up so I could view the "System Volume Restore" folder on my admin account (didn't give any editing access to this account though, just in case)
- Turned off restore point so it would purge old restores (while in safe mode), set to reboot in normal mode.
- Turned off computer again (to cool down).
- Started computer in normal mode, came to post results.

Temperature still acting interesting, curious if this could be related to this trojan (even though no viruses are showing or anything). At this moment it's hovering at 42C/43C like normal, mind you with the case open and the box fan running...in fact MBM is reporting it flipping between these 2 at this very moment, back and forth. I may run a scan to see if it hits the oddly high temperature during the scan again (prior to this incident it'd reach 55 at the highest, mid-summer, during a virus scan, it's been peaking over 60C now which gives warnings *it's autumn and cooler now which is why it concerns me*)

All the fans on my system are working (Power supply Fan, Processor Fan, Rear outtake fans, and front intake fans), and it kept the system more than cool enough for the past 3+ years. There is very minimal dust (probably gonna blow it out again tomorrow with some compressed air just to make sure, but I don't think this is enough dust to cause this issue). My system isn't overclocked... could the overheating have had anything to do with the virus?

And if it's not likely related to a virus, is there a way to underclock (all I do on here is browse online, check email, and digitally paint - all of which I've done without a problem on slower systems...since most of the art programs are mainly just memory hogs).

I'm also curious as to how this may have gotten on my system - I haven't visited any new sites between my last scan prior to the trojan and the discovery of the trojan (I generally only visit about 15 sites I've visited for years without problems, I never open unsolicited emails *even if I know the sender*, I run Zonelabs firewall, restricting most programs access, and use windows auto-updates, and install immediately after downloaded, as well as auto-updates for AVG 7.1 *checks daily for updates*, I update Adaware regularly, and Zonelabs auto-update is active, I install as soon as it notifies me). In case that provides any hint to how I got it :\...

Only thing I can think of is it came on an advertisement on one of the sites (although only a few have random banner advertising), or maybe a malicious person (I have a few people who wouldn't mind seeing me vanish for a while because of my work on a few sites - and personal quarrels) mind you my IP is dynamic (dialup). Any ideas? Or could there be something that these scanners just aren't picking up that was lying dormant and plunking this into files?

I've had trojans pop up before, and AVG + a little research, usually cleaned them up just fine - but with the exception of this incident, haven't had any issues for several months (last year - one nested in some wolfenstein files I had dl'd from the official site about 6-8 months prior to that).

Anywho...hope that reveals something that can maybe give some insight on how to prevent this in the future (or how to fix the overheating problem when it arises).

Thanks for the help, it is greatly appreciated.

PS - yea, it was a mistake running GMER probably (I was following the information in another person's post about a Trojan.Generic2 where a BC official was helping them and got it resolved), didn't turn up anything though.

Going to scan again after posting this btw (praying it doesn't overheat :flowers:)

Edited by AnonArtist, 15 October 2006 - 04:13 AM.


#4 quietman7

Posted 15 October 2006 - 06:36 AM

After you finish the AVG Anti-Spyware scan do this:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. That should take care of your problem.

And if it's not likely related to a virus, is there a way to underclock...

I'm not a tweaking expert in this area. Temperature problems can be the result of various hardware issues. Probably best to start a new topic in the Hardware forum about this.

#5 AnonArtist

Posted 16 October 2006 - 07:08 PM

Thanks again for all the help :thumbsup: - everything seems to be working ok (albeit a little hot, 47-50C now during normal activity, idles around 42-45C, without the box fan for both :flowers: - warm but workable).

New system restore setup, old restores removed, none of the scans are returning anything (not even tracking cookies :inlove: ).

If the temperature issue returns I'll probably make the new post you suggested - as there is no need to try and fix it if it isn't broken (especially considering I'm only familiar enough with hardware to know what I need to make it work with standard settings and keep it clean :trumpet:).

Thanks again (issue resolved I think, still no other files popping up warnings through AVG).

#6 quietman7

Posted 17 October 2006 - 04:25 AM

You're welcome.