zorran

Gen.Trojan!IK problem


Hello,

Last week I had Gen.Trojan!IK appear on my a-squared Anti-Malware deep scan, and when I attempted to quarantine it the computer screen went blue briefly, and the computer restarted. From that point I have had several problems: half of the time my computer would start normally and the rest of the time it would go into a restart cycle. Also, I noticed that my Firefox and Internet Explorer 8 became disabled, while Opera and Google Chrome are still working. In addition, a couple of days ago I could not start my computer in normal mode anymore (it just keeps restarting after the welcome sign), so I went into safe mode. From there, I ran "msconfig" and disabled some non-Microsoft services and startups, after which I was able to return to normal mode. My Firefox (which I removed from the computer a short time ago) and Internet Explorer 8 are still disabled and the Gen.Trojan!IK (along with some other "infections") is still present.

Therefore, I would truly appreciate your help regarding this issue.

Please note that I'm using Windows Vista Home Premium SP2 and the Opera browser, and that all scans are done in the "msconfig"-modified normal mode.

As per instructions,

I downloaded and installed all the programs other than a-squared Free (I have a-squared Anti-Malware installed).

First, I ran CCleaner.

Second, I performed a deep scan using a-squared Anti-Malware, and after I found suspicious lines in my a-squared log (per instructions) I downloaded and ran Win32kDiag.

Third, I posted this thread in the Malware Removal forum, and attached the following logs to the post:

I'm awaiting further instructions.

Thank you

Open notepad

Copy and Paste the below lines of code to notepad:

@echo off
copy C:\Windows\System32\logevent.dll C:\cngaudit.dll

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your Desktop.

Double-click on fixes.bat to execute it.

-----------------------------------------------------------

Download Avenger from -->> HERE <<-- and unzip to your desktop.

  • Run Avenger
  • Read the prompt that appears, and press OK
  • Copy & paste the following text in Input script Box:
    Files to move:
    C:\cngaudit.dll | C:\Windows\System32\cngaudit.dll

    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

-----------------------------------------------------------

Post fresh logs for:

  • Avenger (C:\avenger.txt)
  • a-squared Free
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Thank you for your prompt response.

I took care of fixes.bat and executed it without any problems.

I downloaded Avenger, copied and pasted the text in the input script box, executed it and rebooted the system (it rebooted only once) without any problems.

Before I restore permissions on locked files and remove mountpoints, I'm posting/pasting the Avenger log below:

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)

Thu Oct 08 14:33:11 2009

14:33:11: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\cngaudit.dll" not found!

File move operation "C:\cngaudit.dll|C:\Windows\System32\cngaudit.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Please note:

After this post I will restore permissions on locked files and remove mountpoints.

Then, I will run:

Avenger (C:\avenger.txt)

a-squared Free

ISeeYouXP

and post fresh logs as soon as possible.

Please advise me on the following:

Am I going to substitute the a-squared Free fresh scan with a-squared Anti-Malware like I did the first time?

Also, since I did not encounter any problems with the above instructions, should I then, after I post these fresh logs from above, go to the system configuration and, instead of selective startup, choose normal startup (with all device drivers and services), restart and report how things are running along with posting these fresh logs?


Please attach all logs.

You should be in Normal startup during all procedures.

Yes use a2 antimalware if that is what you have installed.


Good Morning,

I tried to run my computer in Normal mode three times, but after the welcome logo I get this message every time:

"Windows has encountered a critical problem and will restart automatically in one minute.

Please save your work now."

So I had to go to msconfig again from Safe mode and enter Selective mode and then perform the scans.

I attached the Avenger log and a fresh a-squared Anti-Malware log.

Unfortunately I could not run ISeeYouXP on my Vista (I installed it fine, turned off UAC, rebooted and ran as Administrator). Simply said, after I right-click Run as Administrator nothing happens at all.


Open notepad

Copy and Paste the below lines of code to notepad:

@echo off
copy C:\Windows\System32\logevent.dll C:\logevent.dll

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your Desktop.

Double-click on fixes.bat to execute it.

-----------------------------------------------------------

Download Avenger from -->> HERE <<-- and unzip to your desktop.

Run Avenger

  • Read the prompt that appears, and press OK
  • Copy & paste the following text in Input script Box:
    Files to delete:
    C:\Windows\System32\cngaudit.dll
    
    Files to move:
    C:\logevent.dll | C:\Windows\System32\cngaudit.dll

    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

-----------------------------------------------------------

Post fresh logs for:

  • Avenger (C:\avenger.txt)
  • a-squared Free
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


First, I would like to thank you for your effort.

Things are going much better now. After I applied the codes you sent me yesterday I was able to log in in normal mode. Also, my Internet Explorer 8 finally started, and I installed and ran Firefox 3.5.3. In addition, I did not notice Gen.Trojan!IK during the deep scan with a-squared Anti-Malware. Unfortunately I still could not get ISeeYouXP to run (UAC turned off, reboot, and run as Administrator), so I attached the other two requested fresh logs:


Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Post fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I installed ComboFix, followed all the procedures (Antivirus and Antispyware disabled), and did not move or click with the mouse pointer, but the program stalled right after backing up the Windows registry. I tried to rerun it three times but every time the same thing happens.

In addition, I still cannot run ISeeYouXP. The computer runs better, as I mentioned yesterday. Should I still post a fresh log for a-squared Anti-Malware?


Download RootRepeal.zip and unzip it to your Desktop.

Double click RootRepeal.exe to start the program

Click on the Report tab at the bottom of the program window

Click the Scan button

In the Select Scan dialog, check:

  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services

Click the OK button

In the next dialog, select all drives showing

Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running

When the scan is complete, the Save Report button will become available. Click this and save the report to your Desktop as RootRepeal.txt

Go to File, then Exit to close the program

Attach it to your reply.


I downloaded and installed RootRepeal, followed the instructions, and started the scan.

After about 45-50 minutes, the scan stopped and the following message showed up on the screen:

"Could not initialize driver! Please contact the author."

Then, I clicked on the OK button, after which a-squared Anti-Malware popped up asking me if I wanted to block, quarantine or allow the process. I allowed the process. Immediately after that the scan was finished and I saved the report.

Around the same time another message (RootRepeal Error) popped up. I clicked on OK again. The window closed and I exited the program.

I attached it below using the Snipping Tool.


There doesn't appear to be a RootKit present.

Download OTL to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


Here is the log I was able to download/attach:

The OTL log was made as well, but the file was too big to upload.

Please advise me which alternative you would like me to use (if at all) in order to upload the file.

Zip the OTL file and attach it.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - No CLSID value found.
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {AE40EBA0-2D49-48C9-BA8D-E9F046240F5F} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    
    :Files
    C:\Users\HP_Administrator\AppData\Roaming\*.tmp
    C:\Windows\*.tmp
    C:\Windows\System32\*.tmp
    C:\Windows\System32\CF29448.exe
    C:\Windows\System32\CF8704.exe
    C:\Windows\System32\CF22468.exe
    C:\Windows\System32\CF17094.exe
    C:\Windows\System32\temp.010
    C:\Windows\System32\temp.00C
    C:\Windows\System32\temp.00D
    C:\Windows\System32\temp.00F
    C:\Windows\System32\temp.00E
    C:\Windows\System32\temp.00B
    C:\1.bmp
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )


All done, and here is the log:

And just one thing: after the computer rebooted I can see a couple of "desktop.ini" icons and one "bak" icon on my desktop. Is this related to what was done?


Yes, those files are visible because of what we did.

Run ComboFix; if the scan successfully completes, attach the log.


Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

-----------------------------------------------------------

Download avz4.zip from HERE

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: AVZupdate.jpg
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


All done. Unfortunately, the zip file is 92 k, which is more than the allowed maximum single file size of 40.09 k, and therefore too big to upload. I'm waiting for further instructions.


The AVZ log didn't show anything of concern.

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    C:\Windows\COUPON~1.OCX
    @C:\ProgramData\TEMP:A31FAD21
    @C:\Users\HP_Administrator\AppData\Roaming:iSpring Pro 4 Giveaway
    @C:\ProgramData:iSpring Pro 4 Giveaway
    @C:\ProgramData\TEMP:7204B89D
    @C:\ProgramData\TEMP:98781370
    @C:\ProgramData\TEMP:44807EFA
    @C:\ProgramData\TEMP:56AC8DD1
    @C:\ProgramData\TEMP:78CE0B72
    @C:\ProgramData\TEMP:76C85903
    @C:\ProgramData\TEMP:4E0ADA73
    @C:\ProgramData\TEMP:C265C458
    @C:\ProgramData\TEMP:D00F0074
    @C:\ProgramData\TEMP:867C1254
    @C:\ProgramData\TEMP:335CB24A
    @C:\ProgramData\TEMP:507FBB4F
    @C:\ProgramData\TEMP:DCD39382
    @C:\ProgramData\TEMP:4F0FFA06
    @C:\ProgramData\TEMP:DCE70D73
    @C:\ProgramData\TEMP:044B104C
    @C:\ProgramData\TEMP:87F27901
    @C:\ProgramData\TEMP:C97C8631
    @C:\ProgramData\TEMP:18C289EF
    @C:\ProgramData\DRM:tf4XgsAcXJ9LV5YVUz89hGANSN
    @C:\ProgramData\TEMP:8CE646EE
    @C:\ProgramData\TEMP:5CB1E0D3
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log ( don't check the boxes beside LOP Check or Purity this time )
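The `@C:\ProgramData\TEMP:A31FAD21` entries in the fix above are NTFS alternate data streams (ADS), which ordinary directory listings do not show. As an added example that is not part of this thread or of OTL, the following PowerShell snippet lists the streams attached to files under a directory in the same `@path:stream` notation, so a fix list like the one above can be checked before and after it is run; the starting directory is an assumption, and the `-Stream` parameter needs PowerShell 3.0 or later.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory.
# Not from the thread or from OTL; $Root is an assumed starting point taken
# from the paths in the fix list above. Needs PowerShell 3.0+ for -Stream.
param(
    [string]$Root = 'C:\ProgramData'
)

Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # ':$DATA' is the file's normal content; any other stream is an ADS.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    # Same notation OTL uses in its :Files section
                    OtlLine = '@{0}:{1}' -f $file.FullName, $_.Stream
                    Bytes   = $_.Length
                    # Zone.Identifier is the benign "downloaded from the
                    # Internet" marker; anything else deserves a closer look.
                    Benign  = ($_.Stream -eq 'Zone.Identifier')
                }
            }
    } | Sort-Object Benign, OtlLine | Format-Table -AutoSize
```

Running it again after the OTL fix and comparing the two listings confirms which streams were actually removed.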


Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of ComboFix.)
  • AvoidTDSS /u or combofix /u
    Note: The space before /u must be there.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  • Delete the C:\AvoidTDSS or C:\ComboFix folder from ComboFix.
    Delete everything in C:\!KillBox

Delete the following from your Desktop (If they exist)

Avenger.exe

Avenger.txt

Avenger.zip

DisableAutoRuns.reg

FixMe.reg

FixReg.reg

ISeeYouXP.exe

ISeeYouXP.lnk

ISeeYouXP.txt

Anything else I had you use

Delete the following: (If they exist)

C:\Avenger.txt

C:\Avenger

C:\ComboFix.txt

C:\ComboFix

C:\SDFix

C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run ATF Cleaner

In the ISeeYouXP folder double-click HideIT.bat.

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4. Click Yes when you receive the prompt to turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out of date and in need of updating. Update any program/application detected as being out of date.

That should take care of everything.

Safe Surfing!


I performed all the clean up.

My final question is:

What about those desktop.ini and bak files? How do I clear them from my desktop?

Thanks for everything.


Well, one more thing: after I flushed the System Restore and came back to check it today I found out that there were no System Restore points created by the computer. I tried to create them myself but this is the message I received:

I tried it again, and even rebooted the computer but I have the same message.

I would appreciate your suggestions.


Run the command prompt as administrator: enter "cmd" in Start Search and then use the keyboard combination Ctrl+Shift+Enter.

Type the following command at the prompt, followed by pressing Enter:

chkdsk C: /R

Try enabling System Restore. Getting the same error?


Yes, I'm getting the same error. When I ran the chkdsk C: /R command this is what I got:

"The type of the file system is NTFS.

Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another

process.Would you like to schedule this volume to be

checked the next time the system restarts? <Y/N>"


Bring up the System Properties window by going to your start menu and opening the Control Panel. In Control Panel, click "System and Maintenance". In the window that opens, click "System". On the left panel, look for a line that says "System protection" and click it. The Windows User Account Control, or UAC, will pop up. Click the "Continue" button.

In the dialog box that appears, you should be able to see a list box with all the available drives on your computer. Next to each drive is a check box. If there is a check in the box next to the drive, it means volume shadow copy, along with System Restore, is enabled for that drive. If there is no check in the box next to the drive, then volume shadow copy is turned off for that drive. To enable volume shadow copy, simply check the box.


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to that thread.
