
Trojan.Win32.Generic!BT detected by Ad-Aware, help needed!



#1 Un1man


Posted 12 July 2010 - 11:10 PM

Hi, Ad-Aware detects two processes: smss.exe and svchost.exe as Trojan.Win32.Generic!BT. I've tried quarantining and deleting these files, but they still appear after reboot. Sound has disappeared on my computer and I get a login window to sign in as a user on my computer even when I never created any alternative users. So I think I really have a trojan virus. Any help in deleting it is appreciated!


#2 LS Albin (former Lavasoft employee)


Posted 13 July 2010 - 08:27 AM

> Hi, Ad-Aware detects two processes: smss.exe and svchost.exe as Trojan.Win32.Generic!BT. I've tried quarantining and deleting these files, but they still appear after reboot. Sound has disappeared on my computer and I get a login window to sign in as a user on my computer even when I never created any alternative users. So I think I really have a trojan virus. Any help in deleting it is appreciated!



Hi!

This is a forum dedicated to false positive issues. Please use this link for more help:

http://www.lavasofts...hp?showforum=61

Thanks :unsure:

Albin

Lavasoft Malware Labs

#3 Un1man


Posted 13 July 2010 - 03:00 PM

> Hi!
>
> This is a forum dedicated to false positive issues. Please use this link for more help:
>
> http://www.lavasofts...hp?showforum=61
>
> Thanks :unsure:
>
> Albin
>
> Lavasoft Malware Labs


Well, if it's a false positive I don't need to delete anything, right? What I mean is that this seems to be the right forum for my issue.

#4 LS Albin (former Lavasoft employee)


Posted 14 July 2010 - 08:40 AM

Hi!

You can submit the detected files in this thread. It would be helpful so we could look further into this issue.

Here are instructions on how to post an FP:

http://www.lavasofts...showtopic=18033

Thanks

Albin

Lavasoft Malware Labs

#5 Un1man


Posted 15 July 2010 - 11:49 PM

Hi,

Since I don't have access to the suspected files, I copied their paths from the quarantine. I hope that's helpful.


#6 LS Albin (former Lavasoft employee)


Posted 16 July 2010 - 08:36 AM

> Hi,
>
> Since I don't have access to the suspected files, I copied their paths from the quarantine. I hope that's helpful.



Hi!

It would be nice if it was possible to get hold of the actual files.

I don't believe these are FPs; smss.exe and svchost.exe should not be located in: c:\system volume information\_restore{d5fffa500b1b}. I can't tell you for sure until we get hold of the files.

Thanks

Albin

Lavasoft Malware Labs
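
Added example, not part of the thread and not Lavasoft code: the location check described in the reply above, written as a small script that flags well-known system binary names found outside their expected directory. `SYSTEM_ROOT`, the `EXPECTED_DIRS` table and the sample paths are assumptions constructed for illustration; only the restore directory is taken from the thread.

```python
import ntpath

SYSTEM_ROOT = r"c:\windows"  # assumption: default SystemRoot on the scanned host

# Assumed allow-list: directories where these binaries normally live.
EXPECTED_DIRS = {
    "smss.exe": {SYSTEM_ROOT + r"\system32"},
    "svchost.exe": {SYSTEM_ROOT + r"\system32", SYSTEM_ROOT + r"\syswow64"},
}

def normalize(path):
    """Lower-case, strip quotes and NT prefixes, expand SystemRoot, collapse '..'."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    # Process listings often report smss.exe as \SystemRoot\System32\smss.exe.
    for alias in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(alias):
            p = SYSTEM_ROOT + "\\" + p[len(alias):]
    return ntpath.normpath(p)

def check_image_path(path):
    """Return 'expected', 'unexpected-location' or 'not-tracked' for one image path."""
    directory, name = ntpath.split(normalize(path))
    if name not in EXPECTED_DIRS:
        return "not-tracked"
    return "expected" if directory in EXPECTED_DIRS[name] else "unexpected-location"

def flag_unexpected(paths):
    """Keep only the paths where a tracked name sits outside its expected directory."""
    return [p for p in paths if check_image_path(p) == "unexpected-location"]

# Constructed sample input; the restore directory is the one quoted in the thread.
SAMPLE_PATHS = [
    r"\SystemRoot\System32\smss.exe",
    '"C:\\WINDOWS\\system32\\svchost.exe"',
    r"c:\system volume information\_restore{d5fffa500b1b}\smss.exe",
    r"c:\system volume information\_restore{d5fffa500b1b}\svchost.exe",
    r"C:\Windows\System32\..\Temp\svchost.exe",
    r"C:\Windows\notepad.exe",
]

if __name__ == "__main__":
    for hit in flag_unexpected(SAMPLE_PATHS):
        print("review:", hit)
```

A hit here is a reason to collect and analyse the file, as the reply says, not a verdict on its own.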

#7 visitor


Posted 17 July 2010 - 08:00 AM

> Since I don't have access to the suspected files, I copied their paths from the quarantine.

Why not restore the files from quarantine? At least temporarily, so you can upload them. Then you can scan/quarantine them again until you find out if they're safe or not.
Before posting, please read the pinned topics atop the forums or check the Lavasoft searchable FAQs.

Lavasoft Support for Plus/Pro paid licenses.

Help fight malware! Upload Suspicious Files to Lavasoft.

Malware removal assistance? Please read this first.
After following the instructions, open a new thread in the HijackThis Forum where you can copy/paste your HJT log.
Note: do not bump HJT threads by replying - volunteer security advisors help the 0 reply threads on a first-come, first-served basis.

#8 Un1man


Posted 18 July 2010 - 03:24 AM

Thanks for your help guys, I'm not too experienced with this, had some trouble zipping the files. Here they are.


#9 LS Albin (former Lavasoft employee)


Posted 19 July 2010 - 07:47 AM

Hi!

Smss.exe is a malicious file. I couldn't extract the archive for svchost.exe. I guess you typed some wrong letter in the password. The password should be "infected". My assumption is that svchost.exe is a malicious file as well.

Thanks for your report

Albin

Lavasoft Malware Labs

#10 Un1man


Posted 19 July 2010 - 01:24 PM

Hello,
Thanks for letting me know of that, but do you know how to get rid of these files? I've tried SuperAntiSpyware, MalwareBytes, and Ad-Aware, none of them can delete these files...

#11 LS Anders


Posted 19 July 2010 - 03:14 PM

Hello

Try posting your problem in this forum:
http://www.lavasofts...hp?showforum=61

Regards
LS Anders

#12 Un1man


Posted 19 July 2010 - 07:24 PM

Hi Anders,

I have posted it there already but the topic was locked by another Lavasoft staff. It's here: http://www.lavasofts...showtopic=29637 .

#13 visitor


Posted 19 July 2010 - 11:33 PM

> Hi Anders,
>
> I have posted it there already but the topic was locked by another Lavasoft staff. It's here: http://www.lavasofts...showtopic=29637 .

That was before you uploaded the files to confirm they're malicious. Now that it's confirmed, you should follow the instructions in my signature for posting in the HijackThis forum. After following the steps, someone can help you diagnose and remove malware.

Edit: now that user has posted in HJT, I'll close this thread. Moved/merged the GMER log posted here to there:

http://www.lavasofts...showtopic=29686

Edited by visitor, 21 July 2010 - 02:35 PM.
