Trojan Win32 Generic 2 instances

[WFWS]

I have Kaspersky that detects but cannot remove two instances of a hueristic trojan Win32 Generic. Also, something is hijacking my Firefox browser search function and redirecting my searches and toolbar links to other sites, or to dead ends.

The files are attached.

Thanks for your help!

[Rene-gad]

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

-Fix with Hijackthis

Код:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZRxdm805YYUS&ptb=IOsGzohD7Ln0qgeNHtvuLg
O20 - Winlogon Notify: __c0095910 - C:\WINDOWS\system32\__c0095910.dat
O20 - Winlogon Notify: __c00AF685 - C:\WINDOWS\

- Execute following script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\Documents and Settings\Wayne Cordrey\Application Data\Ableton\Live Recordings\Decoding Cache\Squared_46.wav','');
 QuarantineFile('C:\Documents and Settings\Wayne Cordrey\Local Settings\Temp\WinCnc.exe','');
 QuarantineFile('C:\WINDOWS\System32\davclnt(2)32.dll','');
 QuarantineFile('C:\Documents and Settings\All Users\DRM\Cache\Indiv01.key','');
 QuarantineFile('C:\WINDOWS\system32\__c0095910.dat','');
 QuarantineFile('C:\WINDOWS\System32\davclnt(2)32.dll','');
 QuarantineFile('C:\Documents and Settings\Wayne Cordrey\Application Data\Systweak\ASO 2\smstartUp manager.exe','');
 QuarantineFile('C:\DOCUME~1\WAYNEC~1\LOCALS~1\Temp\_A00F526648B.exe','');
 QuarantineFile('C:\WINDOWS\System32\cryptui(3)(2)32.dll','');
 DeleteFile('C:\DOCUME~1\WAYNEC~1\LOCALS~1\Temp\_A00F526648B.exe');
 DeleteFile('C:\WINDOWS\system32\__c0095910.dat');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

After reboot execute following script

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Remove Bonjour
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Make 3 new log files.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Attach 3 log to your new post..

[WFWS]

I ran Kaspersky full scan and it found no active threats, but some vulnerabilities. But when I ran the AVZ scan it found suspicious files and two other trojan files. The log files are attached.

Thanks for your help.

[Rene-gad]

In each case check your system with CureIt from Dr. Web from any write-protected drive (CD or SDCard).

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

- Execute following script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\Documents and Settings\Wayne Cordrey\Application Data\Ableton\Live Recordings\Decoding Cache\Squared_46.wav','');
 QuarantineFile('C:\Documents and Settings\Wayne Cordrey\Local Settings\Temp\WinCnc.exe','');
 QuarantineFile('C:\WINDOWS\System32\cryptui(3)(2)32.dll','');
 QuarantineFile('C:\WINDOWS\system32\__c002709D.dat','');
 QuarantineFile('C:\DOCUME~1\WAYNEC~1\LOCALS~1\Temp\_A00F29E2A.exe','');
 QuarantineFile('C:\DOCUME~1\WAYNEC~1\LOCALS~1\Temp\_A00FB824A.exe','');
 QuarantineFile('C:\WINDOWS\System32\davclnt(2)32.dll','');
 QuarantineFile('C:\WINDOWS\system32\f3PSSavr.scr','');
 DeleteFile('C:\WINDOWS\system32\f3PSSavr.scr');
 DeleteFile('C:\WINDOWS\System32\davclnt(2)32.dll');
 DeleteFile('C:\DOCUME~1\WAYNEC~1\LOCALS~1\Temp\_A00FB824A.exe');
 DeleteFile('C:\DOCUME~1\WAYNEC~1\LOCALS~1\Temp\_A00F29E2A.exe');
 DeleteFile('C:\WINDOWS\system32\__c002709D.dat');
 DeleteFile('C:\WINDOWS\System32\cryptui(3)(2)32.dll');
 DeleteFileMask('C:\WINDOWS\System32','cryptui*.dll', false);
 DeleteFileMask('C:\WINDOWS\system32', '__*.dat', false);
 DeleteFileMask('C:\DOCUME~1\WAYNEC~1\LOCALS~1\Temp', '_*.exe', false);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

After reboot execute following script

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- After that make new logs (2 x avz +Hijackthis) + gmer - log file (www.gmer.net) Pls. don't rename any log file!!!
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.

[WFWS]

I finally got the scans done, and when I tried to run the first script in your post from 12:45 today. It said "expecting a ")" at 18:38. I reviewed the script looking for an obvious close quote missing, and didn't find one.

Thanks for your help.

WFWS

[Rene-gad]

Sorry, it was my mistake. The script is correct now .

[WFWS]

Here are the log files. Kaspersky now reads no threats, only vulnerabilities.

Thanks

[Rene-gad]

-Fix with Hijackthis

Код:

O20 - AppInit_DLLs: C:\WINDOWS\System32\davclnt(2)32.dll,C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~2\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll,C:\WINDOWS\System32\cryptui(3)(2)32.dll
O20 - Winlogon Notify: 46b788f609 - C:\WINDOWS\System32\davclnt(2)32.dll (file missing)
O20 - Winlogon Notify: 46b788f648 - C:\WINDOWS\System32\cryptui(3)(2)32.dll
O20 - Winlogon Notify: __c002709D - C:\WINDOWS\
O20 - Winlogon Notify: __c0095910 - C:\WINDOWS\

Any problem more?

[WFWS]

I think its fixed. No more detections, no more browser hijacks.

Many thanks. I'll do a system restore point and do some overdue data backup now.

Thanks so much for your help.

WFWS

[Rene-gad]

I think its fixed.

Why are you so unsure? Make a HJT log once more and look at it yourself
- Install Internet Explorer 8
- Install Kaspersky 2010
- Install Adobe Reader 9.1.2