Help removing Trojan Horse Generic32.MRX

March 20, 2013 at 10:34:54
Specs: Windows 13.06.2009
I ran my AVG program today and it told me it located Trojan Horse Generic32.MRX but was unable to remove. I googled this virus and was not able to find anything about it. Can anyone assist me with this? Is it a real virus? If so, how do I remove it? Thanks.



#1
March 20, 2013 at 15:35:36
1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
An introduction as to what this program does.
http://www.bleepingcomputer.com/for...
For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items. With this in mind, I have created some scripts to restore the default Start Menu for specific versions of Windows that I have access to. You can view the available versions below. I will be adding more as time goes on.
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run; it does take some time, so be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt. Let me know if it doesn't produce a log please.

2: Reboot

3: Run Hitman Pro, then Copy & Paste the contents of the log please.
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.surfright.nl/en/HitmanPro
http://www.surfright.nl/en/hitmanpro/
Unlimited free scanning and free 30-day version to remove detected malware.
Download now (32-bit)
http://dl.surfright.nl/HitmanPro35.exe
Download now (64-bit)
http://dl.surfright.nl/HitmanPro35_...
Review
http://www.youtube.com/watch?v=WmPQ...



#2
March 20, 2013 at 16:07:14
Thanks, I will try this. The Unhide program won't delete any of my files, will it?


#3
March 20, 2013 at 16:16:18
"Thanks, I will try this. The Unhide program won't delete any of my files, will it?"

Note: Is your important stuff backed up, including your emails & address book? Anything can happen during the clean-up.



#4
March 22, 2013 at 16:09:33
A trojan is quite easy to remove...try this free fully working trial and run it till it runs clean.
1- Trojan Remover
http://www.simplysup.com/tremover/d...


Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#5
March 22, 2013 at 18:01:45
Is it possible that I am getting a false reading? I ask because when I turn my computer on, I get a notification from AVG that the generic32.mrx has been located and when I click the remove button, it says it cannot be removed... but when I run my AVG scanner (it runs automatically every 3 hours), it says no threats were found.


#6
March 22, 2013 at 18:05:15
"Is it possible that I am getting a false reading?"

Impossible to know, that is why I asked you to do what I have listed.



#7
March 23, 2013 at 10:06:33
Thanks for your help - I am starting it now, had to save all my files first. Will post the reports as soon as I can.


#8
March 23, 2013 at 10:53:19
[code]
HitmanPro 3.7.2.190
www.hitmanpro.com

Computer name . . . . : JESSICA-PC
Windows . . . . . . . : 6.0.1.6001.X86/2
User name . . . . . . : Jessica-PC\Jessica
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free

Scan date . . . . . . : 2013-03-23 13:42:13
Scan mode . . . . . . : Normal
Scan duration . . . . : 3m 53s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 24
Traces . . . . . . . : 27

Objects scanned . . . : 1,527,493
Files scanned . . . . : 17,260
Remnants scanned . . : 235,238 files / 1,274,995 keys

Malware _____________________________________________________________________

C:\$Recycle.Bin\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\n
Size . . . . . . . : 69,120 bytes
Age . . . . . . . : 4.0 days (2013-03-19 12:47:09)
Entropy . . . . . : 6.5
SHA-256 . . . . . : 146BF041F467539D2E4019B69DF4A4EA7D8D19733ADE74F3A5063B522E409620
> G Data . . . . . . : Gen:Variant.Kazy.156055 (Engine A)
> Ikarus . . . . . . : Trojan.Win32.Sirefef!IK
Fuzzy . . . . . . : 124.0
Startup
HKU\S-1-5-21-3668781360-3455941742-2845156026-1000\SOFTWARE\Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32\
Forensic Cluster
-10.0s C:\Users\Jessica\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\3d56d36f-21d99148.idx
-10.0s C:\Users\Jessica\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\3d56d36f-25ff6cbb.idx
-10.0s C:\Users\Jessica\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\3d56d36f-25ff6cbb
-9.3s C:\Users\Jessica\AppData\Local\Temp\jar_cache31898519640467566.tmp
-9.2s C:\Users\Jessica\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\3d56d36f-2b303c30.idx
-9.2s C:\Users\Jessica\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\3d56d36f-2b303c30
-9.1s C:\Users\Jessica\AppData\Local\Temp\jar_cache606965215335465211.tmp
-9.1s C:\Users\Jessica\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\3d56d36f-7a3fbad2.idx
-9.1s C:\Users\Jessica\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\3d56d36f-7a3fbad2
-4.1s C:\Users\Jessica\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\3d56d36f-7362fca1
0.0s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\
0.0s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\@
0.0s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\L\
0.0s C:\$Recycle.Bin\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\n
0.0s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\
0.0s C:\Users\Jessica\AppData\Local\Temp\InstallFlashPlayer.exe

C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\80000000.@
Size . . . . . . . : 11,776 bytes
Age . . . . . . . : 4.0 days (2013-03-19 14:49:43)
Entropy . . . . . : 5.4
SHA-256 . . . . . : 9A9DE323DC2BA4059C3EB10D20E8B93A4CC44C93AC41A5DFC9572FA1C0D5B1A8
> G Data . . . . . . : Trojan.Sirefef.RG (Engine A)
> Ikarus . . . . . . : Backdoor.Win32.ZAccess!IK
Fuzzy . . . . . . : 112.0
Forensic Cluster
-0.9s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\00000001.@
0.0s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\80000000.@
0.0s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\800000cb.@

C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\800000cb.@
Size . . . . . . . : 21,504 bytes
Age . . . . . . . : 4.0 days (2013-03-19 14:49:43)
Entropy . . . . . : 7.4
SHA-256 . . . . . : 87441AA88ED59DC9E3B9A0328A0703E7CD70B69EE13E12734D46059CE8C23312
> Ikarus . . . . . . : Virus.Win32.Vundo!IK
Fuzzy . . . . . . : 116.0
Forensic Cluster
-0.9s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\00000001.@
-0.0s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\80000000.@
0.0s C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\800000cb.@

C:\Users\Jessica\AppData\Local\Temp\nsbC459.tmp\13\StrongVault_352013.exe
Size . . . . . . . : 13,158,147 bytes
Age . . . . . . . : 0.0 days (2013-03-23 13:33:46)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 660F9E59999D850D6450D1E0CD58322097935F8C1A75F43F821D4FBBDD84599B
Product . . . . . : StrongVault
Publisher . . . . : StrongVault
Description . . . : StrongVault Installer
Version . . . . . : 1.0
Copyright . . . . : © StrongVault
> a-Squared . . . . : Trojan.Win32.OutBrowse.AMN!A2
Fuzzy . . . . . . : 105.0


Malware remnants ____________________________________________________________

C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\@ (ZeroAccess)
C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\L\ (ZeroAccess)
C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\ (ZeroAccess)
C:\$RECYCLE.BIN\S-1-5-21-3668781360-3455941742-2845156026-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\00000001.@ (ZeroAccess)
C:\Program Files\PricePeep\ (Adware.ClickPotato)
C:\Program Files\PricePeep\installer.ico (Adware.ClickPotato)
C:\Program Files\PricePeep\pricepeep.dll (Adware.ClickPotato)
Size . . . . . . . : 491,008 bytes
Age . . . . . . . : 0.0 days (2013-03-23 13:33:31)
Entropy . . . . . : 6.2
SHA-256 . . . . . : 01AF1A0ADF68663CF5DEAA3A6071232974C12CA2F552F97E5F276ACFC79AF07B
Product . . . . . : PricePeep
Publisher . . . . : PricePeep
Description . . . : PricePeep
Version . . . . . : 2.0.0.0
Gossip . . . . . . : PricePeep
Fuzzy . . . . . . : 5.0
Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}\
References
HKLM\SOFTWARE\Classes\CLSID\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}\
HKLM\SOFTWARE\Classes\PricePeep.PricePeepBho.1\
HKLM\SOFTWARE\Classes\PricePeep.PricePeepBho\
HKLM\SOFTWARE\Classes\TypeLib\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408}\
HKU\S-1-5-21-3668781360-3455941742-2845156026-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}\

C:\Program Files\PricePeep\uninstall.exe (Adware.ClickPotato)
Size . . . . . . . : 86,845 bytes
Age . . . . . . . : 0.0 days (2013-03-23 13:33:32)
Entropy . . . . . : 7.1
SHA-256 . . . . . : C440231E1E3D85AE73342036C5D8617214715EC0CADEAA486742773FE4AAA4FB
Fuzzy . . . . . . : 0.0

C:\Program Files\PricePeep\unutil.exe (Adware.ClickPotato)
Size . . . . . . . : 206,336 bytes
Age . . . . . . . : 0.0 days (2013-03-23 13:33:30)
Entropy . . . . . : 6.2
SHA-256 . . . . . : DB9CC6A9E27EACDC9E9419FAC4F1EF6AE914A300ECF5C20C8F96025CEF168FB9
Fuzzy . . . . . . : 0.0

HKLM\SOFTWARE\Classes\AppID\{38A066B0-DD5F-4226-AC4F-6A27C1BFB892}\ (Adware.ClickPotato)
HKLM\SOFTWARE\Classes\CLSID\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}\ (Adware.ClickPotato)
HKLM\SOFTWARE\Classes\Interface\{1B97A696-5576-43AC-A73B-E1D2C78F21E8}\ (Adware.ClickPotato)
HKLM\SOFTWARE\Classes\Interface\{75BF416E-4326-45B5-8A2D-AE32D05B930B}\ (Adware.ClickPotato)
HKLM\SOFTWARE\Classes\PricePeep.PricePeepBho.1\ (Adware.ClickPotato)
HKLM\SOFTWARE\Classes\PricePeep.PricePeepBho\ (Adware.ClickPotato)
HKLM\SOFTWARE\Classes\TypeLib\{3BF3DED5-0FC8-4207-AC09-AA7B5AF4E408}\ (Adware.ClickPotato)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}\ (Adware.ClickPotato)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PricePeep\ (Adware.ClickPotato)
HKU\S-1-5-21-3668781360-3455941742-2845156026-1000\Software\AppDataLow\Software\PricePeep\ (Adware.ClickPotato)
HKU\S-1-5-21-3668781360-3455941742-2845156026-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}\ (Adware.ClickPotato)

Potential Unwanted Programs _________________________________________________

HKLM\SOFTWARE\Classes\s\ (Softonic)

Repairs _____________________________________________________________________

Proxy server on this computer (User)
127.0.0.1:5643

[/code]


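The HitmanPro log pasted above has a regular layout: section banners, one path per finding, dotted attribute lines, `>` engine verdicts, Startup/References registry keys and a timestamped Forensic Cluster. A responder can parse that instead of reading it by eye and pull out the persistence keys and the files written just before each drop. This is an added example, not HitmanPro's or the poster's code; the embedded sample log is constructed in the same layout, and its SID, hash and CLSID are placeholders.

```python
import re

SECTION_RE = re.compile(r"^(\w[\w ]*?) _{5,}$")                  # "Malware ______"
ATTR_RE = re.compile(r"^(>?)\s*([A-Za-z][\w\- ]*?)\s*(?:\.\s*)+:\s*(.*)$")  # "Size . . : 1"
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|U)\\)")         # file path or registry key
FAMILY_RE = re.compile(r"^(.*?)\s+\(([^()]+)\)$")                # trailing "(ZeroAccess)"
CLUSTER_RE = re.compile(r"^(-?\d+\.\d+)s\s+(.*)$")                # "-9.3s C:\..." timeline row
SUBLISTS = {"Startup": "keys", "References": "keys", "Forensic Cluster": "cluster"}
# Constructed sample in the pasted log's layout; the SID, hash and CLSID are placeholders.
SAMPLE = r"""Malware _____________________________________________________________________
C:\$Recycle.Bin\S-1-5-21-0-0-0-1000\$ff24deadbeef\n
   SHA-256 . . . . . : 0000000000000000000000000000000000000000000000000000000000000000
   > G Data . . . . . . : Gen:Variant.Kazy.156055 (Engine A)
   > Ikarus . . . . . . : Trojan.Win32.Sirefef!IK
   Startup
      HKU\S-1-5-21-0-0-0-1000\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\
   Forensic Cluster
      -9.3s C:\Users\u\AppData\Local\Temp\jar_cache1.tmp
Malware remnants ____________________________________________________________
C:\$RECYCLE.BIN\S-1-5-21-0-0-0-1000\$ff24deadbeef\U\ (ZeroAccess)
C:\Program Files\PricePeep\pricepeep.dll (Adware.ClickPotato)
"""

def parse_hitmanpro_log(text):
    """One dict per finding: section, path, family, attrs, detections, keys, cluster."""
    entries, entry, section, sublist = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section, entry, sublist = m.group(1), None, None
        elif not line:                          # a blank line closes the current entry
            entry = sublist = None
        elif line in SUBLISTS:
            sublist = SUBLISTS[line]
        elif (m := ATTR_RE.match(line)) and entry:
            flag, key, val = m.groups()         # ">" marks an engine verdict, else metadata
            (entry["detections"] if flag else entry["attrs"])[key] = val
        elif sublist == "cluster" and entry and (m := CLUSTER_RE.match(line)):
            entry["cluster"].append((float(m.group(1)), m.group(2)))
        elif PATH_RE.match(line) and sublist == "keys" and entry:
            entry["keys"].append(line)          # Startup / References registry keys
        elif PATH_RE.match(line):               # a new finding; remnants end in "(Family)"
            m = FAMILY_RE.match(line)
            path, family = (m.group(1), m.group(2)) if m else (line, None)
            sublist, entry = None, {"section": section, "path": path, "family": family,
                                    "attrs": {}, "detections": {}, "keys": [], "cluster": []}
            entries.append(entry)
    return entries
```

Feeding the real log through `parse_hitmanpro_log` gives the same structure; the `keys` lists are the registry locations to re-check after cleanup, and negative `cluster` offsets show what was written in the seconds before each drop.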

#9
March 23, 2013 at 15:10:34
You certainly are infected.

Did you try > Trojan Remover?

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system may cause other parts to stop working, such as your Internet connection or Services. These we then have to repair later.

If any program won't run (due to the infection) let me know.

Copy & Paste the contents of the log/logs after running each program.



#10
March 23, 2013 at 15:15:08
4: Run Defogger
http://majorgeeks.com/Defogger_d708...
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.

5: Run ComboFix & post the contents of the log please. ComboFix's log shall be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
Depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#11
March 23, 2013 at 15:54:55
I did not try Trojan Remover yet, because when I ran Hitman Pro, after it gave me the log, it gave me an option to repair/remove the viruses, so I did. When done, it said I no longer was infected. AVG also shows no infections. Should I still run Trojan Remover?


#12
March 23, 2013 at 16:00:00
"Should I still run Trojan Remover?"
Yes & combofix.

You have been infected with ZeroAccess & others; if we don't get the rest of the remnants lurking, it will come back big time.



#13
March 23, 2013 at 16:02:19
What country/city are you in please?

I'm here.

http://www.timeanddate.com/worldclo...



#14
March 23, 2013 at 17:43:43
New York, USA. I will get on the Trojan Remover & Combofix tonight or tomorrow, thanks!


#15
March 23, 2013 at 17:49:33
Just tried to download Trojan Remover and it would not let me. I tried from your link as well as from CNET. Should I skip ahead to Combofix?


#16
March 23, 2013 at 18:48:59
" Should I skip ahead to Combofix?"
Yes please.
