Steve928

Guidance on removing Trojan.Win32.Generic!BT please

Hi there.

I have an Acer laptop running 64 bit Windows 7 Pro.

 

I use Microsoft Security Essentials as my main virus protection and scan every few days with Ad-Aware and Malwarebytes to catch anything MSE misses. I believe that running a downloaded software update from a fingerprint reader site yesterday has infected the laptop with Trojan.Win32.Generic!BT - as reported by Ad-Aware.

 

I have tried my very best to remove it since then but, as I'm sure you are aware, it hides itself and returns after re-boot.

I've followed the instructions, scanned with DDS and attached the two log files.

This is the first virus that has completely beaten me ! Your help in removing it would be greatly appreciated !

 

Thanks

Steve

Attach.txt

DDS.txt


Hi Steve,

 

Trojan.Win32.Generic!BT is a very generic name and sometimes it's an infection that is hard to remove, sometimes it's very easy to remove and sometimes it isn't an infection at all.

 

Please, go to the Quarantine tab in Ad-Aware. Double-click the file in the list and write, in your answer, the path and file name after "Traces".

 

Please, check that UAC is on a high level for best protection: http://windows.microsoft.com/en-US/windows7/What-are-User-Account-Control-settings

 

This folder belongs to SpyHunter that you have uninstalled. You can delete the folder if you want.

2013-08-30 06:11:32 -------- d-----w- C:\Program Files\Enigma Software Group

Hi Cecilia - many thanks for the quick reply !
There are three entries in the Quarantine list now, all with the same path and filename:
c:\Windows\SysWOW64\Macromed\Flash\flashplayerupdateservice.exe
I have reset UAC to the highest level - it was on the lowest (!!), but I had not done that !
Enigma folder removed.

Best regards
Steve


Hi Steve,

 

You are welcome :)

 

Maybe it's a false positive. Do you know if you have updated Flash recently and did you do that on Adobe's web site?

 

Save SystemLook on the desktop: http://jpshortstuff.247fixes.com/SystemLook_x64.exe

Double-click on SystemLook file to run it.

Copy both lines in the box

:file
c:\Windows\SysWOW64\Macromed\Flash\flashplayerupdateservice.exe
and paste in the big text field in SystemLook.
Click on the Look button to start the search.
When finished Notepad will pop-up with the log. Copy the log and paste into your answer. If Notepad doesn't pop-up you can find the log as SystemLook.txt on the Desktop.


Hi again

 

Most definitely have not updated flash for, probably, months.

 

SystemLook 30.07.11 by jpshortstuff
Log created at 14:50 on 30/08/2013 by Steve
Administrator - Elevation successful

========== file ==========

c:\Windows\SysWOW64\Macromed\Flash\flashplayerupdateservice.exe - File found and opened.
MD5: 249A44DCFA2500EB1C020E33A3E9F25B
Created at 08:04 on 30/08/2013
Modified at 13:05 on 28/05/2013
Size: 163328 bytes
Attributes: -------
FileDescription: Adobe® Flash® Player Update Service 11.6 r602
FileVersion: 11,6,602,180
ProductVersion: 11,6,602,180
ProductName: Adobe® Flash® Player Update Service
CompanyName: Adobe Systems Incorporated
LegalCopyright: Copyright © 1996 Adobe Systems Incorporated

-= EOF =-

 

Regards

Steve


Hi again,


Please, locate c:\Windows\SysWOW64\Macromed\Flash\flashplayerupdateservice.exe in Windows Explorer.

Right-click it and select "Send to" - "Compressed folder".

A new file with extension .zip will be created.

Please, upload this new file to the forum. Click on the "More Reply Options" button to see how you can upload a file.

 

I'll move this topic to the forum for false positives.


Hi Steve928,

 

Thanks for uploading the file. We'll re-investigate and report back here.

 

Regards,

 

Andy

Lavasoft Malware Lab


Hi Andy

 

I don't know if it helps, but I believe that the infected file(s) may have come from here - http://support.authentec.com/Downloads/Windows/TrueSuite.aspx .

 

It was the 64 bit version and pdf I downloaded and ran, just before the problems were noticed and virus detected. I did run Malwarebytes against the files before using them.

 

Best regards

Steve


Hi Steve928,

 

In the re-analysis, FlashPlayerUpdateService.exe[249a44dcfa2500eb1c020e33a3e9f25b] is different from what is distributed from the official Adobe website.
Although the sample given and the file from Adobe have the same version (11.6.602.180), copyright, and product name, they differ in the following characteristics:

(malicious file vs legit file)
size: 160K vs 248K
Digital certificate: None vs. Has Certificate

The malicious file [249a44dcfa2500eb1c020e33a3e9f25b] also has a decryption routine. It was able to decrypt the following malicious URLs:

srvupd.net
svcupd.net
updsvc.com
updsrv.net

The file also decrypted suspicious strings such as: f L A S H p L A Y E R u P D A T E s E R V I C E

 

Beyond that, the sample contains other suspicious features, such as anti-debugging routines.

 

I hope this helps!

 

Regards,

 

Andy

Lavasoft Malware Labs

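As an added example (not code posted by anyone in this thread, and not a Lavasoft tool), here is a Python check for the two properties the lab used to tell the sample apart from Adobe's own binary: file size/MD5 as SystemLook reports them, and whether the PE carries an embedded Authenticode certificate table at all. It only reports presence of a signature blob, not its validity (Windows' signtool or PowerShell's Get-AuthenticodeSignature does chain validation); the stub-PE builder is constructed test input, not a real executable.

```python
import hashlib
import struct

def pe_certificate_table(data):
    """Return (file_offset, size) of the Attribute Certificate Table (data
    directory entry 4, where Authenticode signatures live), or None if the
    image carries none. Presence only: the signature is not validated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 24                      # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32 (32-bit image)
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+ (64-bit image)
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, ndirs_off)[0] <= 4:
        return None                          # image declares no security directory
    offset, size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    return (offset, size) if size else None

def triage(data):
    """The properties compared in the thread: size, MD5, signature presence."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "has_certificate": pe_certificate_table(data) is not None,
    }

def build_stub_pe(pe32plus, cert_size):
    """Constructed minimal PE header (not runnable code) for offline tests."""
    magic, opt_len, machine = (0x20B, 240, 0x8664) if pe32plus else (0x10B, 224, 0x14C)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_len, 0)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, magic)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)               # NumberOfRvaAndSizes
    cert_off = len(dos) + len(coff) + opt_len                # cert blob appended at end
    struct.pack_into("<II", opt, ndirs_off + 4 + 4 * 8, cert_off, cert_size)
    return bytes(dos) + coff + bytes(opt) + b"\0" * cert_size

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # e.g. the quarantined flashplayerupdateservice.exe
        print(triage(fh.read()))
```

A file whose version resource claims to be Adobe's but reports `has_certificate: False` is worth escalating exactly as was done here; a signed file still needs chain validation before it is trusted.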

Hi Steve,

 

1. Please, follow the instructions on http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.
If ComboFix displays a message, for example that a rootkit was found, write it down as detailed as possible.

 

2. Double-click on SystemLook file to run it.

Copy all lines in the box

:dir
C:\Windows\SysWow64\dfrg
and paste in the big text field in SystemLook.
Click on the Look button to start the search.
When finished Notepad will pop-up with the log. Copy the log and paste into your answer. If Notepad doesn't pop-up you can find the log as SystemLook.txt on the Desktop.


Hi Andy/Cecilia

Thanks for all this information, especially on FlashPlayerUpdateService.exe.

 

Unfortunately I have had further problems on the network, including a corrupt MBR on the main server - clearly not quick enough isolating the infected laptop.

 

This has meant that, so that I can remain operational, I have had to take immediate actions to rectify. I eventually found a Web site with very detailed and comprehensive step-by-step instructions on completely removing Trojan.Win32.Generic!BT. Basically running a whole sequence of scans with other actions. Some of the scans took ages, and the complete process over 24 hours - but far better than an XP and software re-install !!

 

It seems to have worked 100%. AdAware is no longer finding Trojan.Win32.Generic!BT (or anything else), and the system is running like it hasn't done in ages.

 

ComboFix was just one of the many scans used in the above process, but happy to run it again if that will help ?

 

What I don't quite understand is how I downloaded a corrupt version of FlashPlayerUpdateService.exe ? I wasn't sure if you were saying that this was part of the fingerprint id software I loaded ! If so, I'd better let the people running that Web site know.

 

And I ran two scans on that software before I opened it.

 

If I got it from a 'normal' download - how did it get past the virus checkers ?

 

As I say, happy to run ComboFix again (I assume that there is minimal risk in just running a scan) - I was about to tidy up all the scanning apps, so it's still available.

 

Best regards and thanks again

Steve


Hi Steve,

 

It's impossible to give a correct description of how to remove Trojan.Win32.Generic!BT, since it is a very generic name used for many different infections and they need to be removed in different ways. In the http://www.lavasoftsupport.com/index.php?/topic/33215-another-victim-of-trojanwin32genericbt-needing-help-to-remove-thanks/ topic it was bad browser add-ons, very different from your infection.

 

Since I don't know which page you found, I can only guess that it was either one of the sites that have a standard list of approx. 10 programs/actions that they say can remove everything or that you followed a topic in a forum for another person with Trojan.Win32.Generic!BT and it's impossible to know if those instructions should be applied to your type of Trojan.Win32.Generic!BT infection. Note that you should never use ComboFix without personal guidance of a person with good knowledge of it, since ComboFix is very powerful and can destroy Windows if used in the wrong way.

 

I checked premium64_5-2-2-62.exe from http://support.authentec.com/Downloads/Windows/TrueSuite.aspx with approx. 40 antivirus programs and none found it malicious. I think the computer got infected in another way.

https://www.virustotal.com/en/file/b25fedf4007e258296de8bbb211ac9b5599e78b16748359555660aa6bb2f2240/analysis/1378253347/

 

It's up to you to decide if you want me to investigate whether there are more malicious files on your computer. If you want that, I need to see new DDS logs first and know which web page you followed.


Hi Cecilia

Thanks for all the sage advice and comments about this matter from you and Andy.

 

I had reached the point where, quite honestly, to keep operational I had no option but to reinstall the OS and software. It was a case of one last go at beating 'them' before I did that. The advice I found was clear, concise and, action by action, exactly the commands/keystrokes used - http://malwaretips.com/Thread-How-to-completely-remove-ZeroAccess-Sirefef-rootkit-Removal-Guide .

 

It contained many warnings, including not running ComboFix twice - so probably best if I don't try that again ! It could be that this was a sledgehammer to crack a nut, but it was still easier than the reinstall route.

 

From what you and Andy have said, I was lucky that the cure I found seems to have fixed the specific problem, or maybe it was simply fixed as a side-effect of what I did. I have completed multiple scans now with various software, and nothing is being detected.......although I'm less convinced that means anything than I was before the weekend !

 

I'll leave you to help other people now, and can only thank you both once again. Topic closed from my side.

 

Best regards

Steve


Hi Steve,

 

Next time, please, ask for help with cleaning the computer (and be patient) here or in another forum specializing in malware removal, instead of following a web page written for another infection than the one you had. That web page lists a lot of programs that may or may not help, just to earn money if you buy one of the programs they said you should download.

 

It is normal to run ComboFix several times while cleaning a computer, and the damage can happen already the first time, if ComboFix is used in the wrong way.

 

You are welcome :)

 

Best regards,

Cecilia


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

 

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

 

Everyone else please begin a New Topic.

 

Thank you !
