Need Help with Trojan Generic29.AJGE

gloverjd
New member
Location: Dayton Ohio
I seem to have been invaded by a Trojan. (Name listed above) AVG detected it but cannot remove it. I get access denied when I request that it be removed. I think the affected program is explorer.exe since I get a message from AVG whenever explorer.exe is started. What to do, what to do. Any assistance is appreciated. :(

Thanks,
jdg
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Asus
OS
Windows 7 Ultimate
Download DDS from one of these links:
DDS.com
DDS.pif
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt <--- will be minimized in the task tray
  • Save both reports to your desktop.
Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
gloverjd,

In addition to what Jacee requested, can you tell us what files/location AVG is reporting?

Also, please download RogueKiller:
Télécharger RogueKiller (Site Officiel) (Download RogueKiller, official site)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:

Select the version for your system: 32-bit or 64-bit (See Note below.)
Click the applicable dark-blue button to download.
Save to the Desktop.

Close all windows and browsers.

Right-click and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
(Do not take action to fix anything, please!!)


Note:
You need to know if the infected computer is running a 32-bit or 64-bit system.
To find out, click: Start
Type System in the Start Search box
Click System in the Programs list.

The operating system is displayed as follows under System > System type:
64-bit Operating System
32-bit Operating System
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
I think I have included everything asked for. The Word document contains three screen prints: One shows AVG blocking the threats. The other two are the infected programs - explorer.exe and RogueKiller64.exe. Hope you got the attachments; I did not insert them.

Thanks,
jdg
 

gloverjd,

Thanks for the additional info.

Let's press on with RogueKiller...

• Please quit all programs
• Right-click the RogueKiller file and select: Run as Administrator
• Wait until the Prescan finishes
• Press: Scan
• Once the scan is done, click the Registry tab.
• Make sure only the following entry is checked:

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-1195105727-229723847-1802915304-1002\$77080bb8b6c592054498c15000827081\n) [-] -> FOUND

• Now, click the Files tab.

• Make sure the following four entries are checked:
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-1195105727-229723847-1802915304-1002\$77080bb8b6c592054498c15000827081\n [-] --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1195105727-229723847-1802915304-1002\$77080bb8b6c592054498c15000827081\@ [-] --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1195105727-229723847-1802915304-1002\$77080bb8b6c592054498c15000827081\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1195105727-229723847-1802915304-1002\$77080bb8b6c592054498c15000827081\L --> FOUND

• Now, press the [Delete] button.

Please post the new RKreport (Mode: Remove) in your reply.
The report is created on the Desktop.
 

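The artifacts RogueKiller lists in the post above (a `$`-prefixed folder of 32 hex characters under a user's SID in `$Recycle.Bin`, holding `n`, `@`, `U` and `L`, plus a CLSID whose InprocServer32 points into that folder) can be hunted for directly. The script below is an added example written for this thread, not RogueKiller's or the thread's own code. It assumes Windows 7 with PowerShell 2.0 or later, run from an elevated prompt, and it generalizes the single folder name in the report to every SID folder and every CLSID on the machine; the name pattern (`$` followed by 32 hex characters) is an assumption drawn from that one report line.

```powershell
# Added example for this thread (not RogueKiller's code): hunt for the ZeroAccess
# artifacts named in the RKreport above, generalized to every SID folder in
# $Recycle.Bin and every CLSID in HKCR. Assumptions: Windows 7, PowerShell 2.0+,
# elevated prompt. Run with:
#   powershell -ExecutionPolicy Bypass -File .\Find-ZeroAccessArtifacts.ps1
# The folder-name pattern ('$' + 32 hex chars) is generalized from the single
# folder the report shows; adjust it if your report names something else.

$recycleRoot = Join-Path $env:SystemDrive '$Recycle.Bin'
$markerNames = @('n', '@', 'U', 'L')   # the files/folders RogueKiller listed
$hits = @()

# 1) File-system side: $Recycle.Bin\<user SID>\$<32 hex>\{n,@,U,L}
if (Test-Path -LiteralPath $recycleRoot) {
    $sidDirs = Get-ChildItem -LiteralPath $recycleRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^S-1-5-' }
    foreach ($sidDir in $sidDirs) {
        $suspects = Get-ChildItem -LiteralPath $sidDir.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\$[0-9a-f]{32}$' }
        foreach ($dir in $suspects) {
            # -LiteralPath matters: '$' and '@' are not wildcard-safe.
            $present = @($markerNames | Where-Object { Test-Path -LiteralPath (Join-Path $dir.FullName $_) })
            # ZeroAccess locks its folder with a deny ACL (the "access denied" AVG
            # reported), so a matching name with unreadable contents is still a hit.
            $detail = if ($present.Count -gt 0) {
                'contains ' + ($present -join ',')
            } else {
                'name matches pattern; contents unreadable or empty (check ACL with icacls)'
            }
            $hits += New-Object PSObject -Property @{ Type = 'Folder'; Path = $dir.FullName; Detail = $detail }
        }
    }
}

# 2) Registry side: a COM server registered under $Recycle.Bin is the
#    [HJ INPROC] hijack the report flagged. Registry:: avoids needing an HKCR: drive.
$clsids = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue
foreach ($clsid in $clsids) {
    $inproc = "$($clsid.PSPath)\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($server -and ($server -match '\\\$Recycle\.Bin\\')) {
            $hits += New-Object PSObject -Property @{
                Type   = 'Registry'
                Path   = "HKCR\CLSID\$($clsid.PSChildName)\InprocServer32"
                Detail = $server
            }
        }
    }
}

if ($hits.Count -gt 0) {
    $hits | Select-Object Type, Path, Detail | Format-Table -AutoSize -Wrap
} else {
    'No ZeroAccess-style artifacts found.'
}
```

Two caveats a practitioner will want: on a 64-bit machine run the native 64-bit PowerShell, because a 32-bit host sees the WOW64 view of HKCR and would miss a 64-bit CLSID hijack (the same 32-bit/64-bit distinction the RogueKiller note makes); and the script only reports, it does not delete. Removal is better left to RogueKiller or TDSSKiller as the thread does, since the folder's ACL has to be reset first and the hijacked CLSID restored, not merely cleared. Other ZeroAccess variants used other drop locations, so an empty result here is not proof of a clean machine.
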
cottonball,

The .doc file was just an image of what AVG found, which was the viruses.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
I know...got it opened.
 

The last report is Mode Scan, and nothing happened there, other than showing the entries.

Is there an RKreport (Mode: Remove) or (Mode Delete) somewhere on the Desktop?
It shows what was removed/deleted.
 

Oops, my bad. I didn't close enough. I think the attached is what you are looking for. I've also noticed that AVG has not reported a threat since these entries were removed.

Thanks,
jdg
 

gloverjd,
:thumbsup:

Please go to the TDSSKiller Download
Select the .exe version
Double-click on TDSSKiller.exe to run the program.

When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

• If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
• If malicious objects are found, they show in the Scan results.
Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\
Logs have a name like:
C:\TDSSKiller.X.X.X_30.04.2013_15.31.43_log.txt

Please attach the TDSSKiller log in your reply.
 

Doin' good! :D

Please do a Scan with RogueKiller once again. This time it should be clean.

Now, please download the Farbar Recovery Scan Tool
Select the 64-bit version.
Save it to your Desktop.
  • Double-click the downloaded file to run it.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply. <<---
The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply. <<---
 

cottonball,
The scan with FRST64.exe is completed and both files are attached. :)

jdg
 

Might want to remove the PC tweaking software using Revo Uninstaller.

Please download and install Revo Uninstaller Free
Double-click Revo Uninstaller to run it.
From the list of programs, double-click on the program to remove.
When prompted if you want to uninstall, click Yes.
Be sure the Advanced option is selected, then click Next.
The program will run; if prompted again, click Yes.
When the built-in uninstaller is finished, click on Next.
Once the program has searched for leftovers, click Next.
Check/tick the bolded items only on the list, then click Delete.
When prompted, click on Yes and then on Next.
Put a check on any folders that are found and select Delete.
When prompted, select Yes, then Next.
Once done, click Finish.

SOFTWARE TO REMOVE
SparkTrust PC Cleaner Plus (Version: 3.1.7.0)
Uniblue SystemTweaker
Glary Utilities 2.53.0.1726
 

FRST does not show malware. ;)

Let's make sure there is no damage to certain services targeted...

Please press on with downloading Farbar Service Scanner
Save to the Desktop


Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
Press: Scan

When done, the tool creates a report, FSS.txt, on the Desktop.
Please provide the FSS.txt in your reply.
 

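The FSS categories above map to a handful of Windows 7 services, and the damage the post is worried about shows up as a missing service key, a changed start type, a service the Service Control Manager can no longer see, or a service whose binary has been pointed somewhere it should not be. The script below is an added example written for this thread, not Farbar Service Scanner's code or output. It assumes Windows 7, an elevated PowerShell 2.0 or later, and the default Windows 7 start types listed in it; those expected values and the set of service names per category are assumptions to verify against a known-good Windows 7 machine, and a mismatch is a prompt to look closer rather than a verdict.

```powershell
# Added example for this thread (not Farbar Service Scanner's code): check the
# services behind the FSS options, using the categories from the post above.
# Assumptions: Windows 7, elevated PowerShell 2.0+, and the default Win7 start
# types listed here (2 = Automatic, 3 = Manual). Verify the expected values
# against a known-good Win7 machine; a mismatch is a prompt, not a verdict.

$expected = @(
    # service,    Start, category (as named in the FSS options)
    @('Dhcp',      2, 'Internet Services'),
    @('Dnscache',  2, 'Internet Services'),
    @('nsi',       2, 'Internet Services'),
    @('MpsSvc',    2, 'Windows Firewall'),
    @('BFE',       2, 'Windows Firewall'),
    @('VSS',       3, 'System Restore'),
    @('swprv',     3, 'System Restore'),
    @('wscsvc',    2, 'Security Center/Action Center'),
    @('wuauserv',  2, 'Windows Update'),
    @('BITS',      2, 'Windows Update'),
    @('WinDefend', 2, 'Windows Defender')
)

# Where a genuine copy of these services may live; anything else is a finding.
$allowedRoots = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:ProgramFiles 'Windows Defender')
)

function Test-ServiceHealth {
    param([string]$Name, [int]$ExpectedStart, [string]$Category)
    $r = New-Object PSObject -Property @{ Category = $Category; Service = $Name; Binary = ''; Problems = @() }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -LiteralPath $key)) {
        $r.Problems += 'service key missing'
        return $r
    }
    $props = Get-ItemProperty -LiteralPath $key
    if ([int]$props.Start -ne $ExpectedStart) {
        $r.Problems += "Start=$($props.Start), expected $ExpectedStart"
    }
    # A key the Service Control Manager cannot see is a classic rootkit symptom.
    if (-not (Get-Service -Name $Name -ErrorAction SilentlyContinue)) {
        $r.Problems += 'not visible to the Service Control Manager'
    }
    # svchost-hosted services keep their code in Parameters\ServiceDll; the rest in ImagePath.
    $dll = (Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $image = if ($dll) { [string]$dll } else { [string]$props.ImagePath }
    $image = [Environment]::ExpandEnvironmentVariables($image)
    # Strip quotes and svchost arguments ("... svchost.exe -k netsvcs") to get the file.
    $bin = if ($image -match '^"?([^"]+?\.(exe|dll))') { $Matches[1] } else { $image }
    $r.Binary = $bin

    $inAllowedRoot = $false
    foreach ($root in $allowedRoots) {
        if ($bin.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inAllowedRoot = $true }
    }
    if (-not $inAllowedRoot) {
        $r.Problems += "binary outside expected locations: $bin"
    } elseif (-not (Test-Path -LiteralPath $bin)) {
        $r.Problems += 'binary missing on disk'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $bin
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $r.Problems += "signature $($sig.Status); confirm with: sfc /verifyfile=$bin"
        }
    }
    return $r
}

$expected |
    ForEach-Object { Test-ServiceHealth -Name $_[0] -ExpectedStart $_[1] -Category $_[2] } |
    Select-Object Category, Service, Binary, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

On Windows 7 many System32 binaries are catalog-signed rather than carrying an embedded signature, and `Get-AuthenticodeSignature` on that platform reports them as NotSigned; that is why the output points at `sfc /verifyfile=` as the confirming check instead of treating NotSigned as a finding on its own. A third-party antivirus such as the AVG on this machine may also legitimately leave WinDefend disabled (Start=4), so read that row in context.
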
cottonball,
I have downloaded and executed FSS.exe. The text file is attached.

jdg
 

Attachments

Vista King,
I have used Revo Uninstaller for the last couple of years and like it. You suggested I remove Glary Utilities and two other packages. I have only been using it about a year, so is there something I should know about it? Secondly, will you suggest a replacement for it?

jdg

btw - The other two are history.
 

Could be causing issues to your PC, then fixing them. I don't think any PC tuning software is helpful.
 

gloverjd,

The FSS report looks OK.

Will you run AVG again and see what it reports?

Post back on what it finds.

Thanks!
 
