Shoutbox

Nasty little trojan horse - Printable Version


Nasty little trojan horse by RebelSean on 12-20-2006 at 05:06 AM

Well, thanks to my brother just now telling me that our office computer has a virus on it I can't do a system restore to get rid of this little bastard. It's called "Generic2.AVS". I have used both AVG Professional and NOD32. Both have healed the virus, but after every reboot the stupid thing comes back. What it does is disconnect my internet and connect to some dodgy place in Australia which I'm being billed for. I've looked on my startup list (msconfig), and I don't see anything out of the norm. I've googled this but nothing has helped.

Solution anyone? Really annoying, especially now that the family computer is down :(.


RE: Nasty little trojan horse by matty on 12-20-2006 at 05:11 AM

quote:
Originally posted by RebelSean
Well, thanks to my brother just now telling me that our office computer has a virus on it I can't do a system restore to get rid of this little bastard. It's called "Generic2.AVS". I have used both AVG Professional and NOD32. Both have healed the virus, but after every reboot the stupid thing comes back. What it does is disconnect my internet and connect to some dodgy place in Australia which I'm being billed for. I've looked on my startup list (msconfig), and I don't see anything out of the norm. I've googled this but nothing has helped.

Solution anyone? Really annoying, especially now that the family computer is down :(.

Download and run Autoruns from http://download.sysinternals.com/Files/Autoruns.zip and run it in Safe Mode then check for anything out of the ordinary.


RE: Nasty little trojan horse by RebelSean on 12-20-2006 at 05:17 AM

Woah, I have no idea what half that stuff is, or if it's supposed to be there or not :-$.


RE: Nasty little trojan horse by matty on 12-20-2006 at 05:20 AM

You should be able to save a text file of all of it then try and post it. (May need to copy it to a key drive to post it here). Or boot in Safe Mode with Networking.


RE: Nasty little trojan horse by RebelSean on 12-20-2006 at 05:23 AM

I think this is it.


RE: Nasty little trojan horse by matty on 12-20-2006 at 05:53 AM

quote:
Originally posted by AutoRuns.txt

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ gwiz            c:\windows\system32\ntsystem.exe

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+             File not found:
+ ????Ta             File not found: ????Ta
+ ?A??2            File not found: ?A??2
+ SsiEfr.e            File not found: SsiEfr.e
+ SsiEfr.e            File not found: SsiEfr.e
+ SsiEfr.e            File not found: SsiEfr.e
+ SsiEfr.exe\            File not found: SsiEfr.exe\
+ stera            File not found: stera
+ t?A(            File not found: t?A(

These are all oddities. However you want to delete the gwiz and as well delete that file. (If you want to zip it up and post it I can open it in a VM and see if it does anything else).

[edit]

ZOMG My Post Counter~ 4666

[/edit]
RE: Nasty little trojan horse by bladeswords on 12-20-2006 at 05:59 AM

Ok, I have had a look through there. First filter out verified Microsoft processes (go to Options then Hide Signed Microsoft....). Second remove all the settings that say "File Not Found" next to them (they are obviously not needed and redundant), that is for general maintenance. Filtering out the Windows verified makes it a lot easier for us looking at your log files. (Damn trojans are annoying!)
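The triage matty and bladeswords describe (read the Autoruns export, ignore nothing in the Run key, and treat every "File not found" and every non-stock BootExecute value as an oddity) can be scripted over the saved text file. The following Python is an added example, not code from the thread or from Sysinternals; the export format it parses is an approximation of the listing posted above (a location line followed by "+ entry   image" lines), and the sample text is constructed from those posted lines plus the stock autochk entry that Autoruns normally hides as a signed Microsoft item.

```python
"""Triage an Autoruns text export for the oddities discussed in the thread.

Added example; the export layout is assumed from the posted listing.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the posted listing. The autochk line is the
# stock Windows BootExecute value; the rest are the entries from the thread.
SAMPLE_EXPORT = """HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
+ gwiz            c:\\windows\\system32\\ntsystem.exe
HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute
+ autocheck autochk *            c:\\windows\\system32\\autochk.exe
+ SsiEfr.e            File not found: SsiEfr.e
+ stera            File not found: stera
"""

# "+ <entry name>  <two or more spaces>  <image path or error text>"
ENTRY_RE = re.compile(r"^\+\s*(.*?)\s{2,}(.*)$")

# The only value a clean BootExecute should carry.
BOOTEXECUTE_DEFAULT = "autocheck autochk *"


def parse_autoruns(text):
    """Return {autostart location: [(entry name, image or error), ...]}."""
    entries = defaultdict(list)
    location = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match and location:
            entries[location].append((match.group(1), match.group(2)))
        elif not line.startswith("+"):
            # Any non-entry line introduces a new autostart location.
            location = line
    return dict(entries)


def triage(entries):
    """Flag what a responder looks at first.

    - "missing-image": Autoruns could not find the referenced file
      (bladeswords' "File Not Found" cleanup targets)
    - "nondefault-bootexecute": a BootExecute value other than autochk
    - "review-run-entry": every Run entry, listed for manual review
      (the gwiz -> ntsystem.exe case matty pointed at)
    """
    findings = []
    for location, items in entries.items():
        for name, image in items:
            if image.startswith("File not found"):
                findings.append(("missing-image", location, name))
            elif location.endswith("\\BootExecute") and name != BOOTEXECUTE_DEFAULT:
                findings.append(("nondefault-bootexecute", location, name))
            elif location.endswith("\\Run"):
                findings.append(("review-run-entry", location, f"{name} -> {image}"))
    return findings


if __name__ == "__main__":
    for kind, location, detail in triage(parse_autoruns(SAMPLE_EXPORT)):
        print(f"{kind:24} {location}\n    {detail}")
```

Run it against a real export by reading the saved file into `parse_autoruns` instead of `SAMPLE_EXPORT`; the "review-run-entry" lines still need a human (or a signature check) to decide which Run entries belong, which is why the thread's advice to hide signed Microsoft items first matters.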


RE: RE: Nasty little trojan horse by RebelSean on 12-20-2006 at 07:02 PM

quote:
Originally posted by Matty
quote:
Originally posted by AutoRuns.txt

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ gwiz            c:\windows\system32\ntsystem.exe

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+             File not found:
+ ????Ta             File not found: ????Ta
+ ?A??2            File not found: ?A??2
+ SsiEfr.e            File not found: SsiEfr.e
+ SsiEfr.e            File not found: SsiEfr.e
+ SsiEfr.e            File not found: SsiEfr.e
+ SsiEfr.exe\            File not found: SsiEfr.exe\
+ stera            File not found: stera
+ t?A(            File not found: t?A(

These are all oddities. However you want to delete the gwiz and as well delete that file. (If you want to zip it up and post it I can open it in a VM and see if it does anything else).

[edit]

ZOMG My Post Counter~ 4666

[/edit]


So I can untick those boxes and then delete the ntsystem file?


RE: Nasty little trojan horse by matty on 12-20-2006 at 08:13 PM

quote:
Originally posted by RebelSean
So I can untick those boxes and then delete the ntsystem file?

Yup.


RE: Nasty little trojan horse by bladeswords on 12-21-2006 at 08:40 PM

Better now RebelSean?  I want to know if our advice worked....


RE: Nasty little trojan horse by RebelSean on 12-22-2006 at 01:15 AM

quote:
Originally posted by bladeswords
Better now RebelSean?  I want to know if our advice worked....


Haven't seen any threat notices yet. So I'm assuming yes.


RE: Nasty little trojan horse by RebelSean on 12-23-2006 at 08:09 PM

Sorry to double post. After not rebooting for about 2 days, I rebooted and it popped up again, but this time it's in my system volume thing, "C:\System Volume Information\_restore{BUNCH OF NUMBERS}\RP265\"


RE: Nasty little trojan horse by Dane on 12-25-2006 at 08:04 PM

quote:
Originally posted by RebelSean
Sorry to double post. After not rebooting for about 2 days, I rebooted and it popped up again, but this time it's in my system volume thing, "C:\System Volume Information\_restore{BUNCH OF NUMBERS}\RP265\"

That's your System Restore backup. Simply disable System Restore, reboot, and re-enable it and you should be fine.


RE: Nasty little trojan horse by Sunshine on 12-25-2006 at 10:51 PM

quote:
Originally posted by RebelSean
Sorry to double post. After not rebooting for about 2 days, I rebooted and it popped up again, but this time it's in my system volume thing, "C:\System Volume Information\_restore{BUNCH OF NUMBERS}\RP265\"
Sean, this tells me you haven't disabled sysrestore before you ran the virus scan (in safe mode I hope) as it would have wiped all the restore points.

Remember when doing an AV scan:
1. Update virus definitions
2. Disable sysrestore
3. Boot into safe mode and perform the scan there
This is the only way to make sure the AV program can get rid of it completely (providing it already knows this virus of course).

I advise you to disable it now, boot into safe mode and do another AV scan. You can turn on sysrestore again afterwards.