Solved

removing Trojan.win32.Generic!bt

Posted on 2011-10-14
Medium Priority
1,064 Views
Last Modified: 2012-06-27
I have a PC infected with Trojan.win32.Generic!bt. I have scanned the PC and it's finding it but not cleaning all of it. I have booted the machine into safe mode and downloaded Malwarebytes. When I try to scan, the virus closes Malwarebytes and I can't scan. Can I remove this manually?
Question by:WellingtonIS
24 Comments
 
LVL 17

Expert Comment

by:James H
ID: 36967947
You can download Combofix and run that in safe mode.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

once that is completed and your PC reboots, download and run TDSS killer as a precaution against rootkits.

http://support.kaspersky.com/faq/?qid=208283363

Reboot and post back if you still have any issues.
0
 
LVL 6

Expert Comment

by:Sid_F
ID: 36967961
Before going down the vast amount of links and removal tools, can you try a simple system restore... Start - Programs - Accessories and select a previous restore point from before the machine was infected. This will not change data, just system files.
0
 
LVL 6

Expert Comment

by:Sid_F
ID: 36967976
Sorry: Start - Programs - Accessories - System Tools - System Restore
0

Author Comment

by:WellingtonIS
ID: 36968014
I tried that too.  Maybe I didn't go back far enough.
0
 
LVL 6

Expert Comment

by:Sid_F
ID: 36968019
Yes, you could be right; you should have the option for more restore points.
0
 

Author Comment

by:WellingtonIS
ID: 36968056
I'll check that out again tonight and see if I can go back further. Thx
0
 
LVL 38

Expert Comment

by:younghv
ID: 36968156
WellingtonIS,
The reason for some Experts posting links to advice is that it saves us from re-typing information that is available with the click of a mouse. It is and always has been an acceptable method of helping other Members here on EE.

The malware variant "Trojan.win32.Generic!bt" is fairly old and should be handled by using a rogue process stopper and Malwarebytes.

I wrote an EE Article that describes the process here:
Rogue-Killer-What-a-great-name

"Safe Mode" scans can create more problems than they cure and a group of us wrote an EE Article about "Best Practices". Please give that a read also.

Malware Fighting – Best Practices
0
 

Author Comment

by:WellingtonIS
ID: 36968217
Thanks for this info. I will try this too and get back to you. This is not my own PC I'm cleaning; it's a client's, who didn't even have virus protection. I can't seem to stress enough to people how important it is to have some sort of protection.
0
 

Author Comment

by:WellingtonIS
ID: 36968232
Lastly, I'm sorry I left this out. I tried running Malwarebytes but the virus closes the program in safe mode and in regular mode.
0
 
LVL 38

Expert Comment

by:younghv
ID: 36968441
The reason for running "RogueKiller" (or RKill) before scanning is that it will stop the rogue processes that are preventing MBAM from running.

It seems that all of the malware variants for the past year or more have been able to identify the most common scanners/cleaners and prevent them from executing.

If you want to try RKill - in addition to RogueKiller - the link is here:
http://www.bleepingcomputer.com/download/anti-virus/rkill

Note that there are about 8 different versions of RKill shown. They are all the same program, but sometimes the malware will recognize the basic name and stop it from running.
0
 

Author Comment

by:WellingtonIS
ID: 36968501
OK, thanks again for the info. I'll be working on this tonight and I'll let you know how I make out.
0
 
LVL 38

Expert Comment

by:younghv
ID: 36968566
Good stuff!
Please post the logs that are generated by RogueKiller and Malwarebytes. It helps us analyze the variant of malware.
Check back with you tomorrow.
0
 

Author Comment

by:WellingtonIS
ID: 36968769
Will do
0
 
LVL 30

Expert Comment

by:flubbster
ID: 36970455
The most likely reason that MBAM is not running (probably along with other A/V programs) is that an entry has been placed in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

If you can get into the registry on the infected system, navigate to this key and look at the entries under it. You will most likely find a great many of them. If you look at each individual entry, you will probably find that each application is being remapped to svchost. What this means is that when you try to launch an application, like MBAM, it will launch svchost instead, and nothing will happen. You may see it open then close immediately, or see nothing at all.

You can safely delete everything under this key, then run the A/V software. MBAM will actually clean the key for you, but the specific entries stopping it from running will first have to be removed. This includes the app itself, the updater, etc.

You can also try downloading it again, but change the name BEFORE you save it. A good idea is to save it as explorer.exe because that application is usually left alone.
 

0
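An added example, written here and not code from flubbster or the thread: an audit of the Image File Execution Options key described above, run from an elevated PowerShell prompt. It lists every subkey that carries a Debugger value, flags the ones redirected to svchost.exe (the hijack the comment describes; treating an svchost.exe target as suspicious is my heuristic, since a genuine entry points at a real debugger), and removes only the flagged values when run with -Remove (-WhatIf previews the removals).

```powershell
# Added example, not from the thread. Read-only unless -Remove is given.
# A Debugger value under an IFEO subkey makes Windows start that "debugger"
# instead of the named program; pointing it at svchost.exe silently
# neutralises scanners such as MBAM, as described in the comment above.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntries {
    # One object per IFEO subkey (one subkey per executable name) that has a Debugger value.
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [PSCustomObject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                # Heuristic from the thread: a "debugger" that is really svchost.exe is a launch hijack.
                Suspicious = ($dbg -match '(?i)svchost\.exe')
                KeyPath    = $_.PSPath
            }
        }
    }
}

$entries = Get-IfeoDebuggerEntries
$entries | Format-Table Image, Debugger, Suspicious -AutoSize

if ($Remove) {
    # Remove only the Debugger value of flagged entries; the subkey itself is left alone.
    foreach ($e in ($entries | Where-Object Suspicious)) {
        if ($PSCmdlet.ShouldProcess($e.Image, "Remove Debugger value '$($e.Debugger)'")) {
            Remove-ItemProperty -Path $e.KeyPath -Name Debugger
        }
    }
}
```

Review any entry the script lists but does not flag before deleting it; tools such as a JIT debugger legitimately register themselves the same way.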
 

Author Comment

by:WellingtonIS
ID: 36971573
The task manager shows 39567873244:3823576596.exe. I can't kill that process no matter what I try to run. I searched the registry and deleted everything and still I can't kill that process. It's a system process.. Help?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36971629
That's a ZeroAccess rootkit. Have you already used ComboFix as suggested? If ComboFix won't run, download and use inherit.exe for ComboFix to run.... or try running ComboFix in safe mode if it still won't run even if you drag it over the inherit.exe.

1. Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

2. Download inherit.exe by sUBs.
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
Drag the program's executable file onto the inherit.exe and wait for it to say OK.
 
LVL 17

Accepted Solution

by:
James H earned 2000 total points
ID: 36971634
That is a virus.... Run tdss killer in safe mode.
I just dealt with that virus recently.
Run combofix in safe mode.
0
 

Author Comment

by:WellingtonIS
ID: 36971668
Where do I find tdss killer?
0
 

Author Comment

by:WellingtonIS
ID: 36971693
wait found it trying it now
0
 
LVL 17

Expert Comment

by:James H
ID: 36971700
Look at my earlier post. I have the link there.
0
 
LVL 38

Expert Comment

by:younghv
ID: 36971704
WellingtonIS,
The additional information you provided about the rogue process "39567873244:3823576596.exe" identifies it as the specific "ZeroAccess" malware.

Please follow the advice posted by 'rpggamergirl' at http:#a36971629
0
 

Author Closing Comment

by:WellingtonIS
ID: 36971718
THANK YOU SO MUCH!  That did the trick
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 36971915
Yes, that ADS is the tripwire process belonging to the ZA rootkit.
This rootkit is usually installed via drive-by downloads but is also installed by TDL droppers or the TDSS rootkit; if so, then TDSSKiller needs to be run first to remove TDSS, followed by ComboFix or other tools to remove ZA files.

Even though the symptoms are gone, I'd suggest you also run ComboFix or other tools to remove the hidden folders/files belonging to ZA so it won't come back.
0
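The colon in a process name like 39567873244:3823576596.exe is the NTFS file:stream notation for an alternate data stream (ADS), which is why the comment above calls it an ADS. As an added example (not code from rpggamergirl or the thread), this PowerShell function lists files under a path that carry a named stream other than the common Zone.Identifier download mark, so a hidden executable stream stands out in a scan; the default root of $env:SystemRoot\System32 is my assumption, not something the thread states.

```powershell
# Added example, not from the thread. Read-only: it reports streams, nothing else.
# Every NTFS file has the unnamed ':$DATA' stream holding its normal content;
# any other stream name is an ADS that Explorer and dir do not show.
param([string]$Root = "$env:SystemRoot\System32", [switch]$Recurse)

function Get-SuspiciousAds {
    param([string]$Path, [switch]$Recurse)
    Get-ChildItem -Path $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * enumerates ':$DATA' plus every named stream on the file.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length   # a multi-kilobyte stream is worth a closer look
                    }
                }
        }
}

Get-SuspiciousAds -Path $Root -Recurse:$Recurse | Format-Table -AutoSize
```

Run it from an elevated prompt so protected system directories can be read; a file with a named stream is not proof of infection on its own, but a stream holding an executable where none is expected is exactly the kind of artifact the removal tools above target.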
 

Author Comment

by:WellingtonIS
ID: 36978987
Thanks for that info. This was a machine belonging to one of my clients, so I'm sure it's possible that's where he picked it up from. Thanks everyone for all your help. I got rid of the virus with your guidance. Thanks again; this site rocks and it's worth every penny!
0
