Trojan.Gen infecting some files

April 25, 2014 at 06:14:25
Specs: Windows 7
Symantec Endpoint Protection has quarantined files that have been infected by this trojan. I tried using Norton Power Eraser while in Safe Mode and got the following error: "Windows is running in safemode. Norton Power Eraser will restart in safe mode to continue." I cancelled it. What's the best way to remove the trojan?

message edited by KPKris





#1
April 25, 2014 at 08:43:13
Firstly, trojan-infected files cannot be repaired.

To remove the actual trojan, allow NPE to run in safe mode instead of cancelling.



#2
April 25, 2014 at 08:48:37
And another option is to boot with an anti-virus repair disk and let it scan fully etc...

Kaspersky have an ISO you download, burn to a dvd, boot with that. It will update itself (definitions) then run and clean etc...

Sophos and Avast have similar; as does Bitdefender.

They generally run from within a Linux variant, and the disk you make is fully bootable to a working Linux-type OS. It loads itself into RAM only, and thus the hard drive is there as a resource and can be scanned/cleaned.



#3
April 25, 2014 at 09:23:17
Phil 22. Still run NPE in safe mode even though I was already in safe mode?

message edited by KPKris




#4
April 25, 2014 at 09:33:55
trvlr.
BTW - All of this started after I downloaded Adaware from CNET. Any coincidence? I was trying to update their spyware and ended up downloading the antivirus. Once it started scanning, unprovoked by me, I couldn't stop it even by closing it.
I'm going to try Bitdefender now.


#5
April 25, 2014 at 10:04:50
There are 2 options to install. Which one should I choose?

BitDefenderRescueCD_v2.0.0_5_10_2010.iso 28-Mar-2014 16:27 515M
or
bitdefender-rescue-cd.iso 28-Mar-2014 16:27 515M



#6
April 25, 2014 at 12:51:37
AdwCleaner is the one to go for, and it's a safe download here (the site most of us recommend for it):

http://www.bleepingcomputer.com/dow...

Kaspersky rescue disk - info and download:

http://support.kaspersky.com/viruse...

http://www.softpedia.com/get/Antivi... - is the site to use to obtain a Bitdefender rescue disk (It's a freebie).

http://www.sophos.com/en-us/support... - is for the Sophos rescue disk. Read the instructions carefully. I think the disk you create is current at time of creation for the definitions, but each time you run it (at a later date) you need to renew it.

Overall I'd go with the Kaspersky disk, as it auto-updates its definitions once it's booted up the system.

message edited by trvlr



#7
April 25, 2014 at 12:52:52
Re #5

Give us the link you are using - they look the same to me or it is a surprising coincidence that they are both exactly 515M.

Always pop back and let us know the outcome - thanks



#8
April 25, 2014 at 14:05:20


#9
April 25, 2014 at 14:45:34
Thanks. I scoured the internet to find which was the latest or to find any difference - no dice. Downloaded each and checked Properties but the version given was that of the download file name. Their exact sizes were also identical (540,016,640 bytes). So I can only conclude they are one and the same but double posted - use whichever you wish.

Are you familiar with burning an image (ISO)? You don't just burn the download onto the disk but use the "burn an image" feature which is available in most burning software. If not, this little freebie program does it nicely:
http://www.imgburn.com/

EDIT: I overlapped with trvlr by about one minute. If he says another rescue disk is better then, sure, go for it. I quite agree about running AdwCleaner (and Malwarebytes for that matter) but they are not rescue disks, of course.

Always pop back and let us know the outcome - thanks

message edited by Derek


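Two downloads of identical size are not necessarily the same file, so "one and the same" in #9 is a guess until the contents are compared. The following is an added example, not code from any poster, vendor or tool in this thread: it hashes both files with SHA-256 and reads the volume name and creation date from the ISO 9660 Primary Volume Descriptor at sector 16, which real rescue ISOs carry. The field offsets follow ECMA-119; the tiny images it builds, the volume name BD_RESCUE and the dates are constructed for the demonstration only.

```python
"""Check whether two downloaded rescue ISOs are really the same image.

Identical size only suggests it; an identical SHA-256 settles it. The ISO 9660
Primary Volume Descriptor (PVD) at sector 16 also carries the volume name and
creation date, which can be compared with what the vendor publishes."""
import hashlib
import os
import struct
from typing import Dict

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR   # ECMA-119: sectors 0-15 are the system area, the PVD follows


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so a 500 MB ISO is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pvd_info(pvd: bytes) -> Dict[str, object]:
    """Decode the fields of one 2048-byte PVD sector (offsets per ECMA-119 8.4)."""
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("sector 16 is not an ISO 9660 Primary Volume Descriptor")
    volume_id = pvd[40:72].decode("ascii", "replace").rstrip()
    sectors = struct.unpack_from("<I", pvd, 80)[0]      # volume space size, little-endian copy
    d = pvd[813:829].decode("ascii", "replace")          # creation date: YYYYMMDDHHMMSScc
    created = f"{d[0:4]}-{d[4:6]}-{d[6:8]} {d[8:10]}:{d[10:12]}:{d[12:14]}"
    return {"volume_id": volume_id, "created": created,
            "declared_bytes": sectors * SECTOR}


def compare_images(a: bytes, b: bytes) -> Dict[str, object]:
    """In-memory comparison of two complete images."""
    return {"same_size": len(a) == len(b),
            "same_sha256": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "a": pvd_info(a[PVD_OFFSET:PVD_OFFSET + SECTOR]),
            "b": pvd_info(b[PVD_OFFSET:PVD_OFFSET + SECTOR])}


def compare_files(path_a: str, path_b: str) -> Dict[str, object]:
    """Same report for two files on disk: read only the PVD, hash by streaming."""
    infos = []
    for p in (path_a, path_b):
        with open(p, "rb") as f:
            f.seek(PVD_OFFSET)
            infos.append(pvd_info(f.read(SECTOR)))
    return {"same_size": os.path.getsize(path_a) == os.path.getsize(path_b),
            "same_sha256": sha256_file(path_a) == sha256_file(path_b),
            "a": infos[0], "b": infos[1]}


def build_fake_iso(volume_id: str, created: str, payload: bytes) -> bytes:
    """Constructed minimal ISO 9660 image for the demonstration: system area,
    PVD, set terminator, payload. Enough for the checks above; not bootable."""
    if len(created) != 16:
        raise ValueError("created must be 16 digits: YYYYMMDDHHMMSScc")
    payload_sectors = (len(payload) + SECTOR - 1) // SECTOR
    total = 16 + 2 + payload_sectors
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1                 # type 1, "CD001", version 1
    pvd[40:72] = volume_id.encode("ascii")[:32].ljust(32)      # space-padded volume identifier
    struct.pack_into("<I", pvd, 80, total)                    # both-byte-order volume space size
    struct.pack_into(">I", pvd, 84, total)
    pvd[813:829] = created.encode("ascii")                    # 16 digits; byte 829 (GMT offset) stays 0
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1            # volume descriptor set terminator
    return (bytes(PVD_OFFSET) + bytes(pvd) + bytes(term)
            + payload.ljust(payload_sectors * SECTOR, b"\0"))


if __name__ == "__main__":
    import tempfile
    # Two "downloads" of equal size: b is a true copy of a, c differs by one byte in the date.
    a = build_fake_iso("BD_RESCUE", "2014032816270000", b"A" * 5000)
    b = build_fake_iso("BD_RESCUE", "2014032816270000", b"A" * 5000)
    c = build_fake_iso("BD_RESCUE", "2014032916270000", b"A" * 5000)
    print("a vs b:", compare_images(a, b))
    with tempfile.TemporaryDirectory() as d:
        pa, pc = os.path.join(d, "a.iso"), os.path.join(d, "c.iso")
        with open(pa, "wb") as f:
            f.write(a)
        with open(pc, "wb") as f:
            f.write(c)
        print("a vs c:", compare_files(pa, pc))
```

For two real downloads, call compare_files(path_a, path_b). If the vendor publishes a checksum, compare each file's SHA-256 against that rather than against the other download: two copies pulled from the same mirror will match each other even if both were tampered with.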

#10
April 26, 2014 at 08:00:00
#9
I used the link to imgburn you provided and downloaded the file. However, when I try to install it the screen that comes up is "Welcome to the SpeedUpMyComputer Setup" wizard. I cancelled the wizard.


#11
April 26, 2014 at 11:06:44
You've got something you ought not to have. Did you go to the Downloads tab top left and select one of the sources? I have all adverts etc. blocked but I see there is "something" in the centre of the first page. If it is a download button then you might have downloaded some speed-up gimmick instead.

I'm afraid many websites these days push other gimmicks in front of you in the hope you will download them instead of what you are looking for - sick world.

Delete whatever you downloaded. Get ImgBurn from here (green button top right):
http://www.filehippo.com/download_i...
I've always found the filehippo website OK.
Save the file and make sure its name is "SetupimgBurn_2.5.8.0.exe" before you double click it to install.

Always pop back and let us know the outcome - thanks

message edited by Derek



#12
April 26, 2014 at 17:38:29
A lot of programs now give you the choice to install toolbars & other items during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.
I use Softpedia; at the bottom of the page they make you aware of what ad-supported components the author of the program has included.
Sample pages
http://www.softpedia.com/get/CD-DVD...

Users are advised to pay attention while installing this ad-supported application:
· Offers to change the homepage for web browsers installed in the system
· Offers to change the default search engine for web browsers installed in the system
· Offers to install StartNow Toolbar that the program does not require to fully function
SS ( screenshots ) of above
http://i.imgur.com/3eWWoXm.gif

Use Unchecky to help prevent these third-party installs. Nothing is perfect; the baddies are always ahead of the goodies.
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://unchecky.com/
How to download from Softpedia
http://i.imgur.com/iZ3Fzmc.gif
http://i.imgur.com/NNgm1rF.gif
A reliable application that aims to protect your computer against third-party components often offered during software installations.

message edited by Johnw



#13
April 26, 2014 at 17:46:54
Johnw

The way I read it this poster might have hit one of those often too prominent download buttons rather than the one for ImgBurn. As he didn't install "SpeedUpMyComputer Setup" most likely it has done nothing. Because of the ad blocking I use I often can't see them, but I did see a button sized box that said "advertisement".

Always pop back and let us know the outcome - thanks

message edited by Derek



#14
April 26, 2014 at 18:22:03
Hi Derek, I just thought it best to cover all the bases, the OP can then fill in the gaps.

I'm 400 km from home at the moment; our friends have just gone out for a little while to sort out some stuff, and I am using a laptop.

message edited by Johnw



#15
April 27, 2014 at 04:38:15
re: #12.
I did see those options when trying to install imgburn - unfortunately users don't see them unless they choose to Custom install the program instead of Express install so the inexperienced user will most likely choose Express.

message edited by KPKris



#16
April 27, 2014 at 04:53:56
re. #2 trvlr
I'm still working on this as I am not experienced using ImgBurn. I downloaded and ran AdwCleaner. Not sure how to create the anti-virus repair disk. Which files to choose to burn?


#17
April 27, 2014 at 06:12:08
A wee example of how one can get tricked into downloading stuff you don't want...

http://adwcleaner.en.uptodown.com/ - is the homepage for the utility itself...

If you look a little down the page and to centre right you will see a reference to Mac OS - with a Download bar above it... That is (sadly) a typical attempt to get you to click on that bar and download another "homepage" utility... Carefully placed to imply (I suggest) that it's actually to obtain a Mac version of AdwCleaner - which unfortunately doesn't exist... Even allowing for the smaller-type information that it will take you to a download for Geneo, the first instinct is of course to read it as a link to/for a Mac version of AdwCleaner..., which of course it isn't.

The correct bar/link for the Windows version is at the upper left of the page next to the "description, comments, screen shots" buttons, but you can see how cleverly sites try to fob off "other stuff" for which they presumably get a fee (for promoting 'the stuff')?

Anti-virus rescue disk... Kaspersky comes down as a single ISO - which you burn to a CD (or possibly a DVD if it won't fit on a CD). It's just under 400 MB in size. That's the file you select and burn.

I suggest you try it with a CD-RW (or DVD+RW or DVD-RW) first. That way if you get the process wrong - in a learning curve as it were - you can re-use the disk. Using a standard DVD-R or CD-R means you waste a disk if it goes wrong in the burn process. You can always reburn (or copy the RW version) later to an R version disk and thus free the RW disk for re-use later.

As this Kaspersky support item advises, you can burn it to a CD/DVD (or a USB stick - as long as you are able to boot from a USB device too). Whichever you opt for, that is what you boot the system with to run the disk/application and scan etc.

http://support.kaspersky.com/4162



#18
April 27, 2014 at 09:09:40
Re #16.
When you have installed ImgBurn and have run the program you will get a number of choices. The one you want is "Write image file to disc". When asked, point it to the ISO file you downloaded (presumably Kaspersky but the procedure is the same for any). It will ask for a disk, then burn it for you.

AdwCleaner is a little program that removes undesirable toolbars that are easily collected. With this all you do is download and "Save" the file. To run it you just double-click the saved file (it is not "installed" in the usual sense). Select the Scan option and wait until it has finished. After that it is usually safe to run the Clean, although there are options. Best paste the Report (log) on here so that we can see what it found.

EDIT: Johnw Re #14
Sure thing - understood.

Always pop back and let us know the outcome - thanks

message edited by Derek



#19
April 27, 2014 at 09:40:13
I'm no longer getting the runaway Trojan.gen window so I think I've got it solved thanks to all of you. Do you get points for having the Best Answer?


#20
April 27, 2014 at 13:19:51
With Trojans you can never be quite sure without a fair bit of testing. However, if you can make it to Windows now it makes it far easier to do so (without having to mess with disks).

A good start would be to copy/paste any logs on here from programs you have run to get this far, so that we can see what was found.

Yeah, there are points for Best Answer but not many of us worry too much about all that and it can come later. The main thing is to ensure your computer is clean. Johnw might have some ideas if he is available.

Always pop back and let us know the outcome - thanks



#21
April 29, 2014 at 06:27:38
I guess I was wrong. I still have the Trojan.Gen. I've got at least 900 files infected and they are all located at: c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer


#22
April 29, 2014 at 06:58:29
Download OTL, save & run from your Desktop.
http://oldtimer.geekstogo.com/OTL.exe
Double click the OTL icon to start the tool. (Note: If you are running on Vista or Windows 7 accept UAC alert)
1: When the window appears, underneath Output at the top, make sure Standard output is selected.
2: Select Scan all users
3: Change Drivers to All
4: Under the Extra Registry section, check Use SafeList
5: In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
6: Click Run Scan and let the program run uninterrupted.
Screenshots ( SS ) of 1 - 6
http://i.imgur.com/rvTDUlL.gif
When the scan is complete, two text files will be created on your Desktop
OTL.Txt <- this one will be opened
Extras.txt <- this one will be minimized

Upload the logs using this. I upload to Imgur.com for images & load.to for files (neither needs an account). Give us the links please.

Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru
How to use for files.
http://i.imgur.com/FhtnM6c.gif
http://i.imgur.com/yBtjlpb.gif
http://i.imgur.com/txFkgpT.gif
Free file sharing sites come & go, if Imgur.com & load.to are too busy ( or not working ) here are others to try.
free file upload no account needed
http://is.gd/ije9W6
http://www.zippyshare.com/
http://www.speedyshare.com/
http://www.filedropper.com/index.php
http://www.wikisend.com/
https://www.sendspace.com/
http://www.megafileupload.com/



#23
April 29, 2014 at 11:49:55
... ...

message edited by KPKris



#24
April 29, 2014 at 12:30:52
... ...

message edited by KPKris



#25
April 29, 2014 at 12:48:41
Check your links - they didn't open for me.

Always pop back and let us know the outcome - thanks



#26

#27
April 29, 2014 at 13:28:15
I saw some files in the Hosts section that are disturbing and not sure how they got there. I use Spybot S&D. Is that more harmful than helpful?

message edited by KPKris



#28
April 29, 2014 at 16:55:43
" c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer"
They are in Quarantine, open Norton & delete them.

Disable re-scanning of the quarantine folder, please follow these steps:
From the SEP-Manager ( Symantec Endpoint Protection ):
- Edit the Antivirus and Antispyware policy of affected clients.
- In the policy editor click "Quarantine" on the left-hand menu.
- On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

Next, run TFC:
http://www.geekstogo.com/forum/file...
http://www.bleepingcomputer.com/dow...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. Note: If you are running on Vista/Windows 7/8, right-click on the file and choose Run As Administrator.
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



#29
April 29, 2014 at 17:15:35
" Is that more harmful than helpful?"
No harm.

"I saw some files in the Hosts section that are disturbing"
The OTL log shows you have a very large file, maybe you have installed it, perhaps with Spybot, Norton or other, but nothing untoward.

Let me know how you go.


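For anyone reading the Hosts section of an OTL log themselves (the question in #27), here is an added example in Python; it is not from the thread and is not part of OTL, Spybot or any Symantec product. It separates the benign sinkhole lines that a Spybot-style immunisation adds (127.0.0.1 or 0.0.0.0 pointing at ad and tracker names, which is what makes a hosts file "very large") from the entries a trojan would plant: security-vendor or update hosts sinkholed or redirected, and any name pointed at an address outside the machine and its LAN. The vendor watchlist is an assumption chosen for this example, and the sample hosts file, its example domains and the 198.51.100.7 address are constructed, not the poster's log.

```python
"""Audit a Windows hosts file of the kind OTL shows in its Hosts section.

Separates the benign sinkhole entries a Spybot-style immunisation adds
(127.0.0.1 / 0.0.0.0 -> ad and tracker names) from the entries that matter:
security-vendor or update hosts that are sinkholed or redirected, and any
name pointed at an address outside the machine or its LAN."""
import ipaddress
from typing import Dict, List

SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}
STANDARD_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed watchlist for this example: vendors and update services malware
# typically cuts off. Matched by suffix so liveupdate.symantec.com hits symantec.com.
WATCHLIST = ("symantec.com", "norton.com", "kaspersky.com", "bitdefender.com",
             "sophos.com", "malwarebytes.org", "malwarebytes.com",
             "bleepingcomputer.com", "windowsupdate.com", "update.microsoft.com")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def on_watchlist(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == w or n.endswith("." + w) for w in WATCHLIST)


def is_local(ip) -> bool:
    """Loopback, unspecified, link-local or RFC 1918/ULA: a LAN entry, not a redirect."""
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or any(ip in net for net in RFC1918 if net.version == ip.version))


def audit_hosts(text: str) -> Dict[str, object]:
    report: Dict[str, object] = {"entries": 0, "blocklist_entries": 0, "findings": []}
    findings: List[Dict[str, object]] = report["findings"]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append({"line": lineno, "kind": "malformed", "name": parts[0], "ip": None})
            continue
        for name in parts[1:]:                    # one address may map several names
            if name.lower() in STANDARD_NAMES:
                continue
            report["entries"] += 1
            if ip in SINKHOLES and on_watchlist(name):
                kind = "blocked_security_site"    # AV/update host nulled: classic trojan move
            elif ip in SINKHOLES:
                report["blocklist_entries"] += 1  # ad/tracker immunisation entry, benign
                continue
            elif on_watchlist(name):
                kind = "redirected_security_site" # vendor host sent somewhere else
            elif not is_local(ip):
                kind = "redirect_to_public_ip"    # any name hijacked to an external address
            else:
                continue                          # LAN name, normal
            findings.append({"line": lineno, "kind": kind, "name": name, "ip": str(ip)})
    return report


# Constructed sample, not the poster's file. 198.51.100.7 is a documentation
# address standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by a Spybot-style immunisation
127.0.0.1       www.ads.example
127.0.0.1       tracker.example
0.0.0.0         popups.example
# End of entries
0.0.0.0         liveupdate.symantec.com
0.0.0.0         www.malwarebytes.org
198.51.100.7    www.mybank.example
192.168.1.10    nas.home
this is not a hosts line
"""

if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"{r['entries']} entries, {r['blocklist_entries']} benign blocklist entries")
    for f in r["findings"]:
        print(f"line {f['line']:>3}  {f['kind']:<25} {f['name']}  ->  {f['ip']}")
```

On a real machine, pass the contents of C:\Windows\System32\drivers\etc\hosts to audit_hosts; thousands of sinkhole lines with zero findings is the normal outcome after Spybot immunisation, while even one "blocked_security_site" hit means the file was edited by something other than a blocklist tool.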

#30
April 29, 2014 at 18:35:05
It's taking forever to delete the files!


#31
April 30, 2014 at 06:40:24
re: #29

I was unable to delete the quarantined files in temp location.
and
I don't see this. "Edit the Antivirus and Antispyware policy of affected clients."



#32
April 30, 2014 at 07:13:21
"I was unable to delete the quarantined files in temp location"

Did you try this way?

Symantec Endpoint Protection clean out quarantine
http://is.gd/ZfNsC5
http://www.symantec.com/business/su...



#33
April 30, 2014 at 07:29:51
"I don't see this. "Edit the Antivirus and Antispyware policy of affected clients."

Symantec Endpoint Protection quarantine policy editor
http://is.gd/kIdnow
http://www.symantec.com/business/su...



#34

#35
April 30, 2014 at 16:02:35
"http://www.load.to/BFO4S7oDIH/screen1.jpg"
Click on each of the > Configure Settings < until you find something that exempts scanning the quarantine folder.

"http://www.load.to/Z4EWNdUpQ4/screen3.jpg"
Here is another way from googling.
http://bestadmins.ru/articles/43-xfer

message edited by Johnw



#36
May 1, 2014 at 13:44:56
"Click on each of the > Configure Settings < until you find something that exempts scanning the quarantine folder."
Not finding anything.

These are the options on the Configure Settings
http://www.load.to/UAwbtYKcFw/scree... - Scan Frequency refers to TruScan
http://www.load.to/AEPLthKvlI/scree...
http://www.load.to/vNHdxZW7w6/scree...
http://www.load.to/Iv2SI3Oo16/scree...



#37
May 1, 2014 at 15:58:21
This gives all the info on how to add Quarantine into your Exceptions list. The Help file will also have all the info.

http://www.symantec.com/business/su...

