> How to remove HEUR:Trojan.Win32.Generic?
scat951 (Newbie; Group: Members; Posts: 5; Joined: 17.04.2009)
post 17.04.2009 08:28, Post #1

I'm having trouble removing HEUR:Trojan.Win32.Generic from my computer. I'm using Internet Security 2009 and it has spotted several files that are infected with the trojan. It causes many popup ads to appear while browsing the web and results in lots of malware, etc. KIS isn't able to delete/quarantine it. Can anyone help me? Thank you in advance.

This post has been edited by scat951: 17.04.2009 08:30
richbuff (Oldtimer; Group: Moderators; Posts: 48576; Joined: 14.06.2007)
post 17.04.2009 08:38, Post #2

Welcome. Please attach the zipped virusinfo_syscure.zip; instructions, see: http://forum.kaspersky.com/index.php?s=&am...st&p=678334


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
scat951 (Newbie; Group: Members; Posts: 5; Joined: 17.04.2009)
post 17.04.2009 08:59, Post #3

I have attached the file to this post.
Attached file: sysinfo.zip (34.52K), number of downloads: 5

richbuff (Oldtimer; Group: Moderators; Posts: 48576; Joined: 14.06.2007)
post 17.04.2009 09:04, Post #4

Run this script (instructions are linked in the second Important topic at the top of this forum page); the PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\larirako.dll','');
QuarantineFile('C:\WINDOWS\system32\volitumi.dll','');
QuarantineFile('c:\windows\system32\dinufula.dll','');
DelBHO('{3dc7104d-82d1-43b6-9cc8-477ad772de24}');
QuarantineFile('C:\WINDOWS\system32\lativuyi.dll','');
QuarantineFile('c:\windows\system32\gowisaje.dll','');
QuarantineFile('C:\WINDOWS\system32\wukanute.dll','');
QuarantineFile('C:\autorun.inf','');
QuarantineFile('D:\autorun.inf','');
DeleteFile('D:\autorun.inf');
DeleteFile('C:\autorun.inf');
DeleteFile('C:\WINDOWS\system32\wukanute.dll');
DeleteFile('c:\windows\system32\gowisaje.dll');
DeleteFile('C:\WINDOWS\system32\lativuyi.dll');
DeleteFile('c:\windows\system32\dinufula.dll');
DeleteFile('C:\WINDOWS\system32\volitumi.dll');
DeleteFile('C:\WINDOWS\system32\larirako.dll');
ExecuteRepair(13);
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After running the script, attach a ComboFix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click Pause protection > choose the option "Resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started, please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall.
It may take a while to complete scanning, and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and they will be restored after scanning has completed.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky protection that you paused.


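The two AVZ scripts in this thread go after the same two artefacts: an autorun.inf at the root of each drive, and a set of eight-letter DLLs in system32 with pseudo-random names (larirako, volitumi, wukanute, banoneso ...), some of which later reappear as .bak copies. The following triage script is an added example and is not code from the thread, from AVZ, ComboFix or Kaspersky; it runs offline over a constructed directory snapshot (the paths, the autorun.inf bodies and the RECYCLER\setup.exe target are invented for the demo) and flags both patterns. It generalises what the moderator did by hand: every DLL named in the scripts has exactly eight lowercase letters strictly alternating consonant/vowel, so the check looks for that shape rather than for the specific names, and it pairs a .dll with its .bak twin the way post #7 does.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

VOWELS = set("aeiou")
SYSTEM32 = "c:\\windows\\system32\\"
LAUNCH_KEYS = ("open", "shellexecute")
# The name heuristic also matches this legitimate Windows file. A real
# triage would check the Authenticode signature or a known-good hash set
# rather than keep a handwritten allowlist like this one.
KNOWN_GOOD: Set[str] = {"setupapi.dll"}


def is_pseudo_random_name(stem: str) -> bool:
    """Shape shared by every DLL in the thread's scripts: eight lowercase ASCII
    letters, strictly alternating consonant/vowel, starting with a consonant."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lowercase key -> value. Section and key
    names are case-insensitive on Windows and ';' starts a comment line."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_target(text: str) -> Optional[str]:
    """Command the file would run via open=, shellexecute= or
    shell\\<verb>\\command=, or None when it only sets icon/label."""
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            return value
    return None


def _system32_name(path: str) -> Optional[str]:
    """Lowercase file name if the path is directly under system32, else None."""
    low = path.lower()
    if low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]:
        return low[len(SYSTEM32):]
    return None


def triage(snapshot: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Walk a {path: text-or-None} snapshot and return (path, reason) hits."""
    # Index system32 stems so a .dll can be paired with its .bak copy.
    exts_by_stem: Dict[str, Set[str]] = {}
    for path in snapshot:
        name = _system32_name(path)
        if name:
            stem, _, ext = name.rpartition(".")
            exts_by_stem.setdefault(stem, set()).add(ext)

    findings: List[Tuple[str, str]] = []
    for path, content in snapshot.items():
        # 1. autorun.inf in a drive root that actually launches something
        if re.fullmatch(r"[a-z]:\\autorun\.inf", path.lower()):
            target = autorun_launch_target(content or "")
            if target is not None:
                findings.append((path, f"drive-root autorun.inf launches {target}"))
            continue
        # 2. pseudo-random eight-letter .dll/.bak directly under system32
        name = _system32_name(path)
        if not name or name in KNOWN_GOOD:
            continue
        stem, _, ext = name.rpartition(".")
        if ext not in ("dll", "bak") or not is_pseudo_random_name(stem):
            continue
        reason = f"eight-letter consonant/vowel name {name}"
        if ext == "dll" and "bak" in exts_by_stem[stem]:
            reason += " (has a .bak twin)"
        findings.append((path, reason))
    return findings


# Constructed snapshot: listing and autorun.inf bodies are invented for the demo.
SNAPSHOT: Dict[str, Optional[str]] = {
    "C:\\autorun.inf": ("[AutoRun]\r\nopen=RECYCLER\\setup.exe\r\n"
                        "shell\\open\\Command=RECYCLER\\setup.exe\r\n"
                        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"),
    "D:\\autorun.inf": "[autorun]\r\n; icon and label only\r\nicon=setup.ico\r\nlabel=Backup\r\n",
    "C:\\WINDOWS\\system32\\larirako.dll": None,
    "C:\\WINDOWS\\system32\\wukanute.dll": None,
    "C:\\WINDOWS\\system32\\wukanute.bak": None,
    "C:\\WINDOWS\\system32\\setupapi.dll": None,   # legitimate, same name shape
    "C:\\WINDOWS\\system32\\kernel32.dll": None,
    "C:\\WINDOWS\\system32\\drivers\\ntfs.sys": None,  # subdirectory, not checked
}

if __name__ == "__main__":
    for hit_path, hit_reason in triage(SNAPSHOT):
        print(f"{hit_path}: {hit_reason}")
```

Run as-is it reports C:\autorun.inf (it has an open= launcher; D:\autorun.inf only sets an icon and label and is left alone), larirako.dll, wukanute.dll with its .bak twin, and wukanute.bak. The name heuristic is deliberately loose: setupapi.dll has the same consonant/vowel shape, which is why the allowlist exists and why a real triage should confirm hits by signature or hash before anything is deleted.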
scat951 (Newbie; Group: Members; Posts: 5; Joined: 17.04.2009)
post 17.04.2009 17:43, Post #5

When I attempted to run ComboFix, I received the following error message:

I am running on Windows XP, so I am confused about this. I think I followed all of your instructions up to this point correctly.

After the error message I received (above), a command window opened that was empty.

EDIT: Nevermind this post. ComboFix is now scanning.

This post has been edited by scat951: 17.04.2009 17:59
scat951 (Newbie; Group: Members; Posts: 5; Joined: 17.04.2009)
post 17.04.2009 18:56, Post #6

I have attached the ComboFix logfile to this post.
Attached file: ComboFix.txt (21.02K), number of downloads: 4

richbuff (Oldtimer; Group: Moderators; Posts: 48576; Joined: 14.06.2007)
post 18.04.2009 03:40, Post #7

Run this script; the PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('c:\windows\system32\banoneso.dll','');
QuarantineFile('c:\windows\system32\kisadiko.dll','');
QuarantineFile('c:\windows\system32\wukanute.dll','');
QuarantineFile('c:\windows\system32\larirako.dll','');
QuarantineFile('c:\windows\system32\notonoji.dll','');
QuarantineFile('c:\windows\system32\dokanisu.dll','');
DeleteFile('c:\windows\system32\dokanisu.dll');
DeleteFile('c:\windows\system32\notonoji.dll');
DeleteFile('c:\windows\system32\larirako.dll');
DeleteFile('c:\windows\system32\wukanute.dll');
DeleteFile('c:\windows\system32\kisadiko.dll');
DeleteFile('c:\windows\system32\wukanute.bak');
DeleteFile('c:\windows\system32\larirako.bak');
DeleteFile('c:\windows\system32\reforola.dll');
DeleteFile('c:\windows\system32\kerojade.dll');
DeleteFile('c:\windows\system32\banoneso.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Then, run this one:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/. Then private message me the download link to the uploaded file: click my user name and select Send message. Lastly, uninstall ComboFix by: pause Kaspersky > Start > Run > type combofix /u > OK. Or Start > Run > type 1234567 /u > OK. Restart Kaspersky.

Also, if you use Windows System Restore, turn it off > reboot and do a full scan with Kaspersky. Then turn System Restore back on, if you wish; this is to remove malware from the System Volume Information files. How to turn it off/on: http://support.kaspersky.com/faq/?qid=208279208

Before doing the scan, clear the Detected list: Detected > Active threats > right click > Disinfect all > right click > Clear list > then scan again > then post a screenshot of Detected > Active threats, with the columns widened to show the full name and object details.

Also, scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php and attach its log, but please don't fix anything yet, until the log is reviewed.

How to take and post a screenshot: PrtSc (Print Screen) key (upper right part of the keyboard) > open Paint (Start > All Programs > Accessories) > Edit > Paste, File > Save As (jpeg or png, not bmp). When replying, Browse > click once to select the file > Open > Upload > Add reply.


scat951 (Newbie; Group: Members; Posts: 5; Joined: 17.04.2009)
post 18.04.2009 16:58, Post #8

I am beginning to get many popup ads once again when I use the internet. Also, after doing the scan in KIS, there seem to be files that are still infected with HEUR:Trojan.Win32.Generic. They don't appear in the Detected list which I am about to show below, but I am getting alerts about it. There also seems to be a new trojan that was found, called Trojan.Win32.Stuh.dwv. Ugh, this is frustrating. I have not yet done the Malwarebytes' Anti-Malware scan, but I will soon.

Here is a print screen of the detected list after the KIS scan:

richbuff (Oldtimer; Group: Moderators; Posts: 48576; Joined: 14.06.2007)
post 19.04.2009 02:10, Post #9

We need to wrap up here.

Your log shows
CODE
AbletonLive full\Crack.exe

From the readme pinned topic: http://forum.kaspersky.com/index.php?showtopic=84003
QUOTE
We here don't encourage piracy since it's also a common cause for infections, so if we spot illegal software on the PCs of users asking for help, we will deny further help and close the topic.
Official Technical Support can be found here: http://support.kaspersky.ru/helpdesk.html?LANG=en

