Spyware, Viruses, & Security forum

General discussion

Trojan

by shelbud / March 16, 2009 8:13 AM PDT

I recently ran a scan with my BitDefender anti-virus and it came up with the following and said it could not be deleted.

Gen.Trojan.Heur 2015 EAF 2F2. It also said Microsoft anti-spyware.

So, my question is what the heck is it, do I need to remove it and if yes, how do I do it?

I'm running Windows XP Home on a Dell desktop. Recently I installed recommended updates, among which was a tool to run a virus scan. Could that be it?

Sheldon

Gen.Trojan.Heur
by Marianna Schmudlach / March 16, 2009 8:21 AM PDT
In reply to: Trojan

According to Sunbelt:

Name Gen-Trojan.Heur
Type Malware
Type Description Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category Trojan
Category Description Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.


http://research.sunbelt-software.com/threatdisplay.aspx?name=Gen-Trojan.Heur&threatid=4080923

Try the following:


Please download Malwarebytes Anti-Malware (v1.33) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Notes: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.



Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

Still working on the issue
by shelbud / March 16, 2009 10:32 AM PDT
In reply to: Gen.Trojan.Heur

Thank you for your suggestions. I downloaded both programs you recommended. Here is the log.

Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 5.1.2600 Service Pack 2

3/16/2009 3:40:59 PM
mbam-log-2009-03-16 (15-40-59).txt

Scan type: Quick Scan
Objects scanned: 65365
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Quarantine (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Registry Backups (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AdwareAlert\ErrorLog.txt (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Launcher.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\SpyLog.txt (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\CustomScan.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\IgnoreList.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\ScanInfo.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\SelectedFolders.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\Settings.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\Spywares.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

I don't see the Trojan, do you?

Is it any coincidence that while working on my desktop, I lost use of the internet? I also have a Linksys wireless router for my wife's laptop. Apparently the drivers have disappeared and the router no longer works. I had to unplug it and plug my cable modem directly into the desktop. Does that make sense?

I am going to run Bitdefender again and see if the Trojan is still there.

Sheldon

o.k.
by Marianna Schmudlach / March 16, 2009 11:12 AM PDT

Trojan
A trojan (or Trojan horse) is a small malicious program that pretends to have a particular function, but that only shows its real purpose after execution and that purpose is often destructive. Trojans cannot multiply themselves, which differentiates them from viruses and worms.

Did you run Bitdefender again and it is now clean?

Did SAS find anything?

Strange that you lost your internet connection... could it be because of:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I just found a threat at DLSR ....

If you have the Security Center set to not notify when those things are not checked, then Malwarebytes as well as Spybot S&D and probably others will report this, because malware of sorts also does this so it can do the dirty work that it does.

More here:

http://www.dslreports.com/forum/r22070204-Stuck-at-a-screen-as-we-speak-with-Malwarebytes-help
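For readers who want to make sense of an MBAM log like the one posted above without reading it line by line, here is a small Python parser, added as an example; it is not code from either poster, from Malwarebytes, or from the DSLR thread. It pulls each quarantined item with its detection name and the action MBAM took, checks that the declared per-section counts match the items actually listed (a truncated paste is the usual reason they don't), and singles out the Security Center DisableNotify values discussed here, because a value of 1 there silences the Windows XP warning that antivirus or the firewall is off, which is why MBAM labels it Hijack.SecurityCenter. The log embedded in the block is a constructed, trimmed sample in the same layout as Sheldon's, and the function names are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log (constructed example)."""
import re
from collections import Counter

# Constructed sample in the same layout as the log posted in the thread,
# trimmed to a few entries; declared counts match the listed items.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 65365
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AdwareAlert\Launcher.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Settings\Settings.stg (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")      # summary block
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")               # detail header
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()\s]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)")
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"


def parse_mbam_log(text):
    """Return {'meta': {...}, 'declared': {section: count}, 'items': [...]}."""
    report = {"meta": {}, "declared": {}, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = COUNT_RE.match(line)
        if m:
            report["declared"][m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line) if section else None
        if m:
            # "Bad: (1) Good: (0)" is only present for registry data items;
            # the last "->" segment is always the action MBAM took.
            bg = BADGOOD_RE.search(m["rest"])
            report["items"].append({
                "section": section,
                "path": m["path"],
                "detection": m["detection"],
                "action": m["rest"].split(" -> ")[-1].rstrip("."),
                "bad": int(bg["bad"]) if bg else None,
                "good": int(bg["good"]) if bg else None,
            })
            continue
        if section is None and ": " in line:   # header metadata such as "Scan type"
            key, _, value = line.partition(": ")
            report["meta"][key] = value
    return report


def count_mismatches(report):
    """Sections whose declared count differs from the items actually listed."""
    listed = Counter(item["section"] for item in report["items"])
    return {s: (n, listed.get(s, 0)) for s, n in report["declared"].items()
            if n != listed.get(s, 0)}


def detections_by_name(report):
    """How many items were attributed to each detection name."""
    return Counter(item["detection"] for item in report["items"])


def security_center_hijacks(report):
    """Security Center ...DisableNotify values MBAM found set to 1.
    1 suppresses the XP 'antivirus/firewall is off' warning; 0 is the default."""
    hits = []
    for item in report["items"]:
        key, _, value_name = item["path"].rpartition("\\")
        if key == SECURITY_CENTER_KEY and value_name.endswith("DisableNotify") and item["bad"] == 1:
            hits.append(value_name)
    return sorted(hits)


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print("scan:", r["meta"].get("Scan type"), "| mismatches:", count_mismatches(r))
    print("detections:", dict(detections_by_name(r)))
    print("notifications silenced:", security_center_hijacks(r))
```

Point the parser at a real saved log with `parse_mbam_log(open(path).read())`; the log posted in the thread would report two silenced notification values and thirteen Rogue.AdwareAlert items, with no count mismatches.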

Trojan
by shelbud / March 16, 2009 11:39 AM PDT
In reply to: o.k.

I ran BitDefender again and it appeared. When I clicked on remove, it said the threat was no longer there. But the same thing happened earlier and it re-appeared. Here is the full notation for Gen.Trojan.Heur.2015EAF2F2.

infected:C:\Windows\Downloaded Installations\{0F5BF410-4D79-4DBE-AF54-C3271D47D4BD}MicrosoftAntiSpyware.msi=>(Embedded CAB)=>gcIPtoHostQueue.exe

SAS just found 5 tracking cookies.

I'm confused by your comment "I just found a threat at DLSR" and by everything that follows. I also ran Registry Mechanic and it cleaned up a few things but I did not see anything like you report.

Sheldon

Gen.Trojan.Heur
by Marianna Schmudlach / March 16, 2009 11:54 AM PDT
In reply to: Trojan

Hi Sheldon,


I gave the link to DSLR because the topic in there was:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

which is what MBAM found on your computer, and that's why my observation was:

If you have the Security Center set to not notify when those things are not checked, then Malwarebytes as well as Spybot S&D and probably others will report this.

Now I am in doubt "what" Bitdefender found is a "trojan" at all.

Here is a thread in French about the same:

C:\WINDOWS\Downloaded Installations\{0F5BF410-4D79-4DBE-AF54-C3271D47D4BD}\Microsoft AntiSpyware.msi=>(Embedded CAB)=>gcIPtoHostQueue.exe Infect

Trojan
by shelbud / March 16, 2009 2:01 PM PDT
In reply to: Gen.Trojan.Heur

I've submitted the information to BitDefender.

thanks.

(NT) Excellent - You Are Welcome !
by Marianna Schmudlach / March 16, 2009 3:05 PM PDT
In reply to: Trojan
Trojan
by shelbud / March 17, 2009 8:31 AM PDT

Well, I don't think it was a malicious trojan after all.

I think I had written that the MS Spyware tool was recently installed along with some recommended updates. I went into my C drive>windows>download installations and I found the MS Spyware tool with the exact code that I had earlier given you. I deleted it and re-ran BitDefender and it came back clean.

Interesting that BitDefender treated the MS Spyware tool as a trojan.

Thanks for your help.

Sheldon

Meaning, it was a F/P ...
by Marianna Schmudlach / March 17, 2009 8:35 AM PDT
In reply to: Trojan

After I read that French thread, I also had the impression it was a F/P.

Glad to hear you figured it out Happy

You Are Very Welcome !

I have 10 of these critters
by Sattamander / August 26, 2009 10:51 AM PDT
In reply to: Gen.Trojan.Heur

Thought I would drop in here since you seem to be rather familiar with these types of "viruses". I also am running Bit Defender 2009 version and it shows 10 Gen:Trojan.Heur "viruses", also giving error messages saying C:\WINDOWS\explorer.exe is infected along with a file called herss.exe.

I have repeatedly cleaned these files up only to have them reappear after rebooting. Well, today I had even more fun. After cleaning them all out with Bit Defender and it telling me there were no issues, about two hours later, without turning the laptop off, I decided to run another scan just on a whim. Bang! There they all were again. So much for no issues.

So why does Bit Defender keep having these problems? Another strange thing is when I ran CCleaner it said Bit Defender was missing 40 .dlls. I just loaded it 3 days ago and I haven't moved a thing or deleted any .dlls. Do you think someone is hacking their software? After four days of this I am getting pretty sick of "cleaning" up, especially when it isn't staying clean.

Here is a list of the infections:

Gen:Trojan.Heur.Nsanti.qq7@bCrMX1o Gen:Trojan.Heur.PT.5eZ@b0dvRWn
Gen:Trojan.Heur.PT.KeZ@b0dvRWn Gen:Trojan.Heur.PT.bey@b0dvRWn
Gen:Trojan.Heur.PT.ceZ@b0dvRWn Gen:Trojan.Heur.PT.eeZ@b0dvRWn
Gen:Trojan.Heur.PT.feZ@b0dvRWn Gen:Trojan.Heur.PT.ieZ@b0dvRWn
Gen:Trojan.Heur.PT.leZ@b0dvRWn Gen:Trojan.Heur.PT.zeZ@b0dvRWn

I can't find any documentation on the internet on these specific "viruses". Any help would be greatly appreciated.

Thanks!

Bitdefender......
by Marianna Schmudlach / August 26, 2009 11:07 AM PDT

Hi,

I would suggest going for an on-line scan.

F-Secure on-line scan:

http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/index.html


I also would suggest:

Please download Malwarebytes Anti-Malware (v1.33) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
o Update Malwarebytes' Anti-Malware
o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Notes: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.


Do both scans come up CLEAN ?

Still cleaning up
by Sattamander / August 26, 2009 6:10 PM PDT
In reply to: Bitdefender......

I read your other post and ran the Malwarebytes' Anti-Malware and it found a lot of adware, I think 14. Then I ran SuperAntiSpyware and it caught and cleaned something else. Finally I am just finishing an online scan with Trend Micro's Housecall and it just found a worm_gamethi.fnv and it is in the process of deleting it. One thing is for sure: I will think twice about working on other people's PCs.

I haven't removed Bitdefender yet and now it is saying it blocked Java. I think BD has gone nuts.

As if all this wasn't enough fun now Microsoft is saying this guy's XP Pro didn't pass the validation process. I hate dealing with Microsoft!

It is 1 am and I am going to bed. I will run one or two more scans with other software tomorrow including the F-Secure and then write back.

Thanks for your time! Much appreciated.

You Are Doing A Great Job !
by Marianna Schmudlach / August 27, 2009 1:13 AM PDT
In reply to: Still cleaning up

Take it easy and do not get "frustrated" Wink

Keep up the great work !

Got it!
by Sattamander / August 27, 2009 5:28 AM PDT

Well, for some reason Trend seemed to hang up, so I changed all the folder attributes so that I could see the infamous C:\g8k.exe and then wiped it out with a great little toy I found called Unlocker. As of this morning everything came back clean; even the dreaded BitDefender thought so.

I removed BitDefender from my friend's laptop because he sent them a request for his money back. Needless to say he was not happy not having his laptop for 4 days. I also told him he had better stay off the internet until he buys and installs some other antivirus, though I did tell him that an Internet Suite would probably be better for him.

As for his problems with Microsoft that's for him to fix. You use someone else's disk you pay the price.

Thanks again for your time it was most helpful. After about 40 hours of fighting that mess I am glad to be rid of it.

Excellent Job !
by Marianna Schmudlach / August 27, 2009 8:57 AM PDT
In reply to: Got it!

You Are Very Welcome Happy

You try this
by osra76 / August 27, 2009 8:19 PM PDT
In reply to: Trojan

You try ESET Smart Security, which will remove trojans instantly. You may download this from http://www.eset.com/
