
I can't remove trojan.win32.generic!bt

January 14, 2010 at 05:27:17
Specs: Windows XP

My virus scanner (full version of VIPRE from Sunbelt) always shows me:
trojan.win32.generic!bt

Five of them. Then I remove them. When I scan again they are back. I did that a few times now. Sometimes it finds one trojan, but while scanning it disappears again from the list. Then I have to cancel and scan again, and it finds the 5 trojans again and they stay.

In the beginning I had a rogue security system ("windows security centre") on my PC (got it through some untrusted Firefox app; I'll never use that Firefox again, it was an experiment), which crashed nearly everything and I couldn't boot at all. I took my hard drive to a Mac and tried to access it, but access was denied because I had encrypted it with TrueCrypt, and putting in the rescue disc didn't help, so I put the hard drive back into my PC together with the rescue disc and decrypted it. After decrypting, the computer magically worked again. But it's still finding those trojans, and I can't delete them.

Meanwhile, for the last few starts, it tells me after booting that explorer.exe has a problem and must be terminated, and asks if I want to send a report. If I click "no" or "yes", explorer terminates and starts again, and again this message comes. So I always put it to the side and the computer works all well.

Also I found a strange folder on my C drive (I also have a D partition for data). Usually there's only "all users" and "uli", which is my username. But suddenly I find another folder called "wolgang" next to it. Its content is some "ntuser.dat" and another folder "Temp", which is empty.

Reminds me of the German Bundestrojaner; the government developed it for spying on terrorists, its founder is called Wolfgang Schäuble, and the trojan my scanner found has BT at the end of its name. Maybe a joke some freako wrote for bothering people?

HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:11:18, on 14.1.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dwwin.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Logitech\QuickCam\Quickcam.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TrueCrypt\TrueCrypt.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\RALINK\Common\RaUI.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Programme\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Programme\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Programme\SRWare Iron\iron.exe
C:\Programme\SRWare Iron\iron.exe
C:\Programme\SRWare Iron\iron.exe
C:\Programme\SRWare Iron\iron.exe
C:\Programme\SRWare Iron\iron.exe
C:\Programme\SRWare Iron\iron.exe
C:\Programme\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Programme\SRWare Iron\iron.exe
C:\Programme\SRWare Iron\iron.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Programme\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Programme\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Programme\RALINK\Common\RaUI.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?Lin...
O17 - HKLM\System\CCS\Services\Tcpip\..\{7408AE6E-266B-430B-AB11-EA4645C510A6}: NameServer = 192.168.3.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{963CBE2E-E589-417D-847A-B16BE7CC7F36}: NameServer = 62.109.123.197 213.191.74.19
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Programme\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Programme\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Programme\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Programme\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8139 bytes
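A log like the one above is read by section code: R lines are browser start/search pages, O4 lines are autostart entries, O17 lines are the DNS servers each adapter uses, O20 is the AppInit_DLLs value (a DLL listed there is loaded into most user-mode processes), and O23 lines are services. The short script below is an added example, not part of the post or of HijackThis itself: it parses that line format and lists the entry types a responder normally verifies first, without judging any of them malicious. The embedded sample log is constructed from a few of the post's own lines; the `triage` rules and their wording are this example's assumptions.

```python
"""Triage helper for a Trend Micro HijackThis 2.0 text log.

Added example, not the forum poster's or HijackThis's own code. It parses
section-coded lines such as "O4 - HKLM\\..\\Run: [Name] command" and returns
entries a responder should verify by hand: AppInit_DLLs values, public DNS
servers, services whose binary is missing, and autostart entries that name
an executable without a path (so it is resolved through the search path).
"""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the post's log format.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:11:18, on 14.1.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{7408AE6E-266B-430B-AB11-EA4645C510A6}: NameServer = 192.168.3.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{963CBE2E-E589-417D-847A-B16BE7CC7F36}: NameServer = 62.109.123.197 213.191.74.19
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A section-coded line: a letter, one or two digits, then " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Return (code, body) tuples for every section-coded line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return (code, reason, detail) findings that deserve manual verification.

    The rules only say what to check; they do not declare anything malicious.
    """
    findings = []
    for code, body in parse_entries(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # Split on the first colon only, so the drive letter's colon survives.
            dll = body.split(":", 1)[1].strip()
            if dll:
                findings.append((code, "AppInit_DLLs entry is loaded into most processes; "
                                       "verify publisher and hash", dll))
        elif code == "O17" and "NameServer =" in body:
            for server in body.split("NameServer =", 1)[1].split():
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append((code, "unparseable NameServer value", server))
                    continue
                if not ip.is_private:
                    findings.append((code, "public DNS server; confirm it belongs to the ISP "
                                           "or a resolver you chose", server))
        elif code == "O23" and body.endswith("(file missing)"):
            findings.append((code, "service points at a missing binary; stale or tampered", body))
        elif code == "O4":
            # Command is everything after the "[Name]" label; first token is the executable.
            cmd = body.split("]", 1)[1].strip() if "]" in body else body
            exe = cmd.split()[0].strip('"') if cmd else ""
            if exe and "\\" not in exe and not exe.startswith("%"):
                findings.append((code, "executable named without a path; resolved via "
                                       "search order, so confirm which file actually runs", exe))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {detail}")
```

On the sample, `triage` returns five items: the path-less `SkyTel.EXE` autostart, the two public NameServer addresses, the AppInit_DLLs entry, and the service whose file is missing; the private 192.168.3.3 resolver and the fully qualified entries are not reported. Run it against a real log by replacing `SAMPLE_LOG` with the file's contents, then check each listed item against its publisher and file hash rather than acting on the list alone.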



#1
January 17, 2010 at 12:45:29


#2
January 18, 2010 at 14:05:54

I tried to install SUPERAntiSpyware, but it tells me SUPERAntiSpyware has located a problem and gotta be shut down.
I tried to install Malwarebytes, but the setup won't even start.
Help me please. I would be so thankful. I'm desperate.
The computer has booting problems every other time I try. Gotta restart then. Restart. Ah, finally. It's terrible. I'm always scared this might have been it.
