JoDeeAnne
Posted April 20, 2013 (edited)

I ran "Adware" and found the Trojan.win32.generic!bt was on my computer. Ran the DNS as instructed and attached the text as instructed. Now.... what to do is my question. Thanks so much!

I can use Chrome explorer, but not IE. I keep receiving a 'pop up' box saying my windows is not valid. With a link to go and purchase a valid copy. I play "Pangya" (NTreev online golf game) but this virus will not allow me to pull up the game. Just about ready to throw this computer in the trash..... arrghhh!

Hugs & Thanks
Jo Dee
Carolina Girl from North Carolina with a little "TarHeel" goin on!

oops 4got to attach the 2nd one! Sorry

Attach 4-20-13.txt
DDS 4-20-13.txt

Edited April 20, 2013 by JoDeeAnne

CeciliaB
Posted April 21, 2013

Hi Jo Dee,

Please, start with uninstalling the following programs:

- DefaultTab due to http://www.systemlookup.com/CLSID/75777-DefaultTabBHO_dll.html
- IObit Toolbar v7.0 http://www.systemlookup.com/CLSID/72063-iobitToolbarIE_dll.html
- Yahoo! Toolbar http://www.systemlookup.com/CLSID/241-Ycomp_dll_yt_dll.html
- Java 7 Update 17 since it's an old version with known vulnerabilities that make it easy to infect the computer from a web site.

Please, save AdwCleaner by Xplode on the desktop: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner

- Turn off all programs, including browsers.
- Double-click on AdwCleaner to start the program.
- Click on the Search button.
- Wait until the search has finished.
- A report will be displayed, copy its content and paste into your answer.
- If the report isn't displayed, it exists as C:\AdwCleaner[R1].txt.

JoDeeAnne
Posted April 21, 2013

Thanks Cecilia,

Couldn't find c:\adwcleaner[r1].txt

This was the 'log' Not sure if this is what you need to see.

CeciliaB
Posted April 21, 2013

You are welcome

Sorry, that isn't the correct text file. Did you download AdwCleaner and save it to the desktop before running the program? Didn't a log file pop up when AdwCleaner had finished? Is the log file located on the desktop?

JoDeeAnne
Posted April 21, 2013 (edited)

Sorry Cecilia! I didn't download the "AdwCleaner". Got it now! Here is the report after doing the search! Thanks!

*I am able to play the 'pangya' game now, after following your instructions. But I continue to get a 'pop up' window saying I do not have 'valid' windows. It gives me a link to go and purchase the 'windows'.

Also when I open Google Chrome, I get 4 tabs reading

1. Lavasoft Secure Search
2. start.sweetpacks.com/? (http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={FDABD91C-A516-11E2-B5EC-1C6F65973872} )
3. Google
4. Yahoo! Search

Edited April 21, 2013 by JoDeeAnne

CeciliaB
Posted April 21, 2013

You are welcome

Good that the computer behaves better now! And it will be even better after the next step. Tell me how the activation is after that.

1. Please, turn off all programs, including browsers.
   - Double-click on AdwCleaner to start the program.
   - Click on the Delete button.
   - Click on OK.
   - The computer will be restarted.
   - A report will be displayed, copy its content and paste into your answer.
   - If the report isn't displayed, it exists as C:\AdwCleaner[s1].txt

2. Scan the computer with Avast and Ad-Aware. Do they find anything?

3. Run DDS again and paste the content of DDS.txt into your answer.

JoDeeAnne
Posted April 21, 2013

Sweet Cecilia....

The 'Trojan.win32.Generic!bt' is in quarantine per AdAware. Avast picked up 'dnsbasic.exe' (Win32.basicScan.c.adw) which I assumed is the adaware running.

Here is the log from the AdwCleaner after 'search', 'delete' then a reboot of the computer. (I attached the 2 logs from the dds run)

Everything seems to be running back to normal.

*I am waiting to see if I get the 'pop up' window saying my windows is not a valid version. We will see.

Thanks for all your help & Patience! Hugs!

# AdwCleaner v2.201 - Logfile created 04/21/2013 at 18:34:19
# Updated 21/04/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Jo Anne - JOANNE-PC
# Boot Mode : Normal
# Running from : C:\Users\Jo Anne\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V075ZMDO\adwcleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537
[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64
File : C:\Users\Jo Anne\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5438 octets] - [21/04/2013 13:08:30]
AdwCleaner[R2].txt - [5498 octets] - [21/04/2013 13:10:10]
AdwCleaner[R3].txt - [5558 octets] - [21/04/2013 13:30:59]
AdwCleaner[R4].txt - [5614 octets] - [21/04/2013 13:41:00]
AdwCleaner[R5].txt - [1158 octets] - [21/04/2013 18:05:14]
AdwCleaner[R6].txt - [1279 octets] - [21/04/2013 18:34:03]
AdwCleaner[s1].txt - [5658 octets] - [21/04/2013 13:41:12]
AdwCleaner[s2].txt - [1219 octets] - [21/04/2013 18:08:10]
AdwCleaner[s3].txt - [1210 octets] - [21/04/2013 18:34:19]

########## EOF - C:\AdwCleaner[s3].txt - [1270 octets] ##########

attach.txt
dds.txt

CeciliaB
Posted April 21, 2013

You are welcome, Jo Dee

Ad-Aware doesn't have a file called dnsbasic.exe. But it seems to be installed shortly before Ad-Aware:

2013-04-14 18:44:58 -------- d-----w- C:\Users\Jo Anne\AppData\Roaming\Ad-Aware Antivirus
2013-04-14 17:54:27 -------- d-----w- C:\ProgramData\DnsBasic
2013-04-14 17:54:27 -------- d-----w- C:\Program Files (x86)\DnsBasic

From the list of installed programs:

DnsBasic 1.0 build 111

Do you know what it is? If not, please uninstall it.

Any more questions or issues before I give you the instruction of how to uninstall DDS and AdwCleaner?
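
The timestamp comparison made in the reply above, as an added example that is not part of the original post: it parses the three DDS lines quoted there and lists folders created within a window before a reference program's folder. The column meanings in the regex, the function names and the two-hour window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# The three DDS lines quoted in the reply above.
DDS_LINES = r"""
2013-04-14 18:44:58 -------- d-----w- C:\Users\Jo Anne\AppData\Roaming\Ad-Aware Antivirus
2013-04-14 17:54:27 -------- d-----w- C:\ProgramData\DnsBasic
2013-04-14 17:54:27 -------- d-----w- C:\Program Files (x86)\DnsBasic
"""

# Assumed layout: creation timestamp, size (dashes for a folder),
# attribute flags, then the full path (which may contain spaces).
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_dds(text):
    """Return a list of {'created', 'attrs', 'path'} dicts, skipping other lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append({"created": created, "attrs": m.group(3), "path": m.group(4)})
    return entries


def created_shortly_before(entries, reference, window=timedelta(hours=2)):
    """List (path, gap) for entries created at most `window` before the
    earliest entry whose path contains `reference` (case-insensitive)."""
    ref_times = [e["created"] for e in entries if reference.lower() in e["path"].lower()]
    if not ref_times:
        return []  # reference program not present in the listing
    ref_time = min(ref_times)
    hits = []
    for e in entries:
        if reference.lower() in e["path"].lower():
            continue
        gap = ref_time - e["created"]
        if timedelta(0) <= gap <= window:
            hits.append((e["path"], gap))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for path, gap in created_shortly_before(parse_dds(DDS_LINES), "Ad-Aware"):
        print(f"{path} created {gap} before the Ad-Aware folder")
```
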

JoDeeAnne
Posted April 21, 2013

I did uninstall. Would it hurt if I kept the 'adwcleaner'?

I think you have finished with me! You did a great job! Thanks again so much!

CeciliaB
Posted April 22, 2013

You are welcome

Time for final clean-up.

1. Removal of AdwCleaner
   - Please, turn off all programs, including browsers.
   - Double-click on AdwCleaner to start the program.
   - Click on the Uninstall button.

2. Removal of DDS
   - Download OTC http://oldtimer.geekstogo.com/OTC.exe
   - Close all programs.
   - Start OTC program.
   - Click the CleanUp! button.
   - Select Yes when asked "Begin cleanup process".
   - If you are asked to reboot, select Yes.
   - If any logs remain on the computer you can remove them.

3. Improve the security in the computer
   It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that make it easy to infect the computer from a web page. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.

P.S. AdwCleaner is frequently updated, so it's better to always download the latest version when you want to run it.

CeciliaB
Posted June 25, 2013

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you!