Trojan.Win32.Generic!BT detected by Ad-Aware, help needed!
#1
Posted 12 July 2010 - 11:10 PM
#2
Posted 13 July 2010 - 08:27 AM
Hi, Ad-Aware detects two processes: smss.exe and svchost.exe as Trojan.Win32.Generic!BT. I've tried quarantining and deleting these files, but they still appear after reboot. Sound has disappeared on my computer and I get a login window to sign in as a user on my computer even when I never created any alternative users. So I think I really have a trojan virus. Any help in deleting it is appreciated!
Hi!
This is a forum dedicated to false positive issues. Please use this link for more help:
http://www.lavasofts...hp?showforum=61
Thanks
Albin
Lavasoft Malware Labs
#3
Posted 13 July 2010 - 03:00 PM
Well, if it's a false positive I don't need to delete anything, right? What I mean is that this seems to be the right forum for my issue.
#4
Posted 14 July 2010 - 08:40 AM
You can submit the detected files in this thread. It would be helpful so we could look further into this issue.
Here are instructions on how to post an FP:
http://www.lavasofts...showtopic=18033
Thanks
Albin
Lavasoft Malware Labs
#5
Posted 15 July 2010 - 11:49 PM
Since I don't have access to the suspected files, I copied their paths from the quarantine. I hope that's helpful.
Attached Files
#6
Posted 16 July 2010 - 08:36 AM
Hi!
It would be nice if it was possible to get hold of the actual files.
I don't believe these are FPs; smss.exe and svchost.exe should not be located in: c:\system volume information\_restore{d5fffa500b1b}. I can't tell you for sure until we get hold of the files.
Thanks
Albin
Lavasoft Malware Labs
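Added example, not part of the original thread: the location check described in the post above, as a small Python script that flags files named like core Windows binaries when they sit outside the directories where those binaries normally live. The system root, the expected directories and the sample paths are assumptions constructed for illustration; only the restore directory is taken from the thread.

```python
import ntpath

# Assumption: default install with the system root at C:\Windows.
SYSTEM_ROOT = r"C:\Windows"

# Assumption: directories where these binaries normally live on a stock system.
EXPECTED_SUBDIRS = {
    "smss.exe": ["System32"],
    "svchost.exe": ["System32", "SysWOW64"],
}

def _norm(path):
    # Windows paths are case-insensitive; also collapse "..", "/" and trailing separators.
    return ntpath.normcase(ntpath.normpath(path))

def classify(path, system_root=SYSTEM_ROOT):
    """Return 'expected', 'unexpected-location' or 'untracked' for one file path."""
    full = _norm(path)
    directory, name = ntpath.split(full)
    subdirs = EXPECTED_SUBDIRS.get(name)
    if subdirs is None:
        return "untracked"
    allowed = {_norm(ntpath.join(system_root, s)) for s in subdirs}
    return "expected" if directory in allowed else "unexpected-location"

def flag(paths, system_root=SYSTEM_ROOT):
    """Return the paths whose file name is a tracked system binary in the wrong place."""
    return [p for p in paths if classify(p, system_root) == "unexpected-location"]

# Constructed sample input; only the restore directory is taken from the thread.
SAMPLE = [
    r"c:\system volume information\_restore{d5fffa500b1b}\smss.exe",
    r"c:\system volume information\_restore{d5fffa500b1b}\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Windows\System32\..\Temp\smss.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):20} {p}")
```

A hit from this check only says the file is in an unusual place; as in the thread, the file itself still has to be analysed before it can be called malicious.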
#7
Posted 17 July 2010 - 08:00 AM
Why not restore the files from quarantine? At least temporarily, so you can upload them. Then you can scan/quarantine them again until you find out if they're safe or not.
Lavasoft Support for Plus/Pro paid licenses.
Help fight malware! Upload Suspicious Files to Lavasoft.
Malware removal assistance? Please read this first.
After following the instructions, open a new thread in the HijackThis Forum where you can copy/paste your HJT log.
Note: do not bump HJT threads by replying - volunteer security advisors help the 0 reply threads on a first-come, first-served basis.
#8
Posted 18 July 2010 - 03:24 AM
Attached Files
#9
Posted 19 July 2010 - 07:47 AM
Smss.exe is a malicious file. I couldn't extract the archive for svchost.exe. I guess you typed some wrong letter in the password. The password should be infected. My assumption is that svchost.exe is a malicious file as well.
Thanks for your report
Albin
Lavasoft Malware Labs
#10
Posted 19 July 2010 - 01:24 PM
Thanks for letting me know of that, but do you know how to get rid of these files? I've tried SuperAntiSpyware, MalwareBytes, and Ad-Aware, none of them can delete these files...
#11
Posted 19 July 2010 - 03:14 PM
#12
Posted 19 July 2010 - 07:24 PM
I have posted it there already but the topic was locked by another Lavasoft staff. It's here: http://www.lavasofts...showtopic=29637.
#13
Posted 19 July 2010 - 11:33 PM
That was before you uploaded the files to confirm they're malicious. Now that it's confirmed, you should follow the instructions in my signature for posting in the HijackThis forum. After following the steps, someone can help you diagnose and remove malware.
Edit: now that user has posted in HJT, I'll close this thread. Moved/merged the GMER log posted here to there:
http://www.lavasofts...showtopic=29686
Edited by visitor, 21 July 2010 - 02:35 PM.
This topic is locked