Trojan.Gen.2 80000000.@ Security Risk

I keep getting security alerts from Norton about Trojan.Gen.2:

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Users\MyUserName\AppData\Local\{50a6c3a4-694c-557b-b769-90cc6b56eea6}\U\80000000.@

Location: Quarantine
Computer: MyComputer
User: MyUserName
Action taken: Quarantine succeeded : Access denied
Date found: ....

I've tried lots of programs since these alerts started popping up about a week ago but none seem to have helped. Here's a list of scans performed on my PC so far:

1. Norton Antivirus full system scan
2. Malwarebytes Anti-Malware smart and full scans
3. Trojan Hunter full scan
4. Spybot full scan
5. Repeated above scans in Safe Mode

None of these scans reported issues.

NPE (Norton Power Eraser) identified a problem with HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe\"Debugger" but was unable to delete it.

I'm running Windows 7 (64 bit). Any help would be greatly appreciated!

Thanks!

Replies

Re: Trojan.Gen.2 80000000.@ Security Risk

Please do not run any tools unless instructed to do so. 

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything. 

  • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).

  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

A 64-bit system, so I am just thinking for a bit.

Quads

Re: Trojan.Gen.2 80000000.@ Security Risk

Download OTL   hxxp://oldtimer.geekstogo.com/OTL.exe   (change the hxxp to http) save it to your Desktop.

Double-click OTL.exe to run it. On Vista and Win 7, right-click OTL.exe and select Run as administrator.

Disable Norton for say 30 minutes

Start OTL,  

Click the Scan All Users checkbox.

Change file age to 60 days

under  Copy and paste what is below between the lines

msconfig
activex
drivers32
netsvcs
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
services.exe
tdx.sys
afd.sys
cdrom.sys
i8042prt.sys
netbt.sys
redbook.sys
mrxsmb.sys
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Press the 

An OTL.txt will be created.

Quads

Re: Trojan.Gen.2 80000000.@ Security Risk

Merged with original for better exposure.

Re: Trojan.Gen.2 80000000.@ Security Risk

Quads, Thank you for your help!

File Attachment: 

Re: Trojan.Gen.2 80000000.@ Security Risk

That just makes it harder

a) What did TDSSkiller find???

b) Uninstall Malwarebytes and Spybot S&D

Quads

Re: Trojan.Gen.2 80000000.@ Security Risk

TDSSKiller found 0 threats

Malwarebytes and Spybot S&D have been uninstalled.

Would you have me run OTL again?

Thanks

Re: Trojan.Gen.2 80000000.@ Security Risk

Let's break the first line of infection first.

a) Is your username really called C:\Users\MyUserName\AppData\Local\{50a6c3a4-694c-557b-b769-90cc6b56eea6}

Quads

Re: Trojan.Gen.2 80000000.@ Security Risk

kd12345

Symantec Alert:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Users\kd12345.MYDOMAIN\AppData\Local\{50a6c3a4-694c-557b-b769-90cc6b56eea6}\U\80000000.@

Location: C:\Users\kd12345.MYDOMAIN\AppData\Local\{50a6c3a4-694c-557b-b769-90cc6b56eea6}\U
Computer: KDCOMPUTER
User: kd12345
Action taken: Pending Side Effects Analysis : Access denied

Re: Trojan.Gen.2 80000000.@ Security Risk

and .MYDOMAIN is actually part of the username for the path??

Quads

Re: Trojan.Gen.2 80000000.@ Security Risk

For others also.

When it comes to logs, scripting and finding the locations of objects, don't change information like the username, as then the tools and I won't be able to correctly find or remove objects.

I don't care if your username on the system is FBI, AdolfHitler or Isuck,  the name has to stay.

Quads

Re: Trojan.Gen.2 80000000.@ Security Risk

I log in to my system as MYDOMAIN\kd12345 as part of a workgroup.

FYI, I'm not going to post my system internals for all the world to see without knowing if I'm going to receive help. Now that I'm being helped, the very first message that I posted on here had the user/computer name changed (and that was corrected in my previous post). Everything else is good.

I'm not sure if this would help you but the last time I rebooted, I got a 'The User Profile Service failed the logon' page so I had to log in to safe mode and make changes to the registry - http://support.microsoft.com/kb/947215

The changes worked fine but I'm wondering if this could have been caused by the trojan residing under my user profile.

Thanks

Re: Trojan.Gen.2 80000000.@ Security Risk

I believe these are the two infected files under my App Data folder:

AppData\Local\{50a6c3a4-694c-557b-b769-90cc6b56eea6}\@

AppData\Local\{50a6c3a4-694c-557b-b769-90cc6b56eea6}\n

I can't make changes or delete these files in safe mode either.

Thanks

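As an added example, not code from the thread or from any of the tools named in it, the following Python script checks a user profile for the file-system layout quoted in the alerts above (a GUID-named folder directly under AppData\Local holding `@`, `n` and `U\*.@` files) and, on Windows, reports any IFEO Debugger value set for ehshell.exe, the registry entry NPE flagged in the first post. The GUID and file names come from the posts; the sample profile tree the script builds is constructed test data.

```python
import re
import tempfile
from pathlib import Path

# GUID-named folder under AppData\Local, e.g. {50a6c3a4-694c-557b-b769-90cc6b56eea6}
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def find_suspect_artifacts(profile_root):
    """Sorted paths to '@', 'n' and 'U\\*.@' files inside GUID folders under AppData\\Local."""
    local = Path(profile_root) / "AppData" / "Local"
    hits = []
    if not local.is_dir():
        return hits
    for entry in local.iterdir():
        if not (entry.is_dir() and GUID_DIR.match(entry.name)):
            continue
        hits += [str(entry / n) for n in ("@", "n") if (entry / n).is_file()]
        u_dir = entry / "U"
        if u_dir.is_dir():
            hits += [str(p) for p in u_dir.iterdir() if p.is_file() and p.suffix == ".@"]
    return sorted(hits)

def ifeo_debugger(image="ehshell.exe"):
    """Windows only: the IFEO 'Debugger' value for image (the entry NPE flagged);
    None when the value is absent or the host is not Windows."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key + "\\" + image) as k:
            return winreg.QueryValueEx(k, "Debugger")[0]
    except OSError:
        return None

def build_sample_profile():
    """Constructed test data only: a fake profile with the quoted paths plus a clean GUID folder."""
    root = Path(tempfile.mkdtemp())
    bad = root / "AppData" / "Local" / "{50a6c3a4-694c-557b-b769-90cc6b56eea6}"
    (bad / "U").mkdir(parents=True)
    for rel in ("@", "n", "U/80000000.@"):
        (bad / rel).write_text("constructed sample, not malware")
    # a GUID folder without the marker files must not be reported
    (root / "AppData" / "Local" / "{11111111-2222-3333-4444-555555555555}").mkdir()
    return str(root)
```

Call `find_suspect_artifacts(r"C:\Users\<name>")` against the profile to examine, or `build_sample_profile()` to get the constructed tree; a file reported here should be submitted from quarantine rather than opened.
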
Re: Trojan.Gen.2 80000000.@ Security Risk

Hi kd12345,

Please go to the quarantine folder and submit the detected file to Symantec. That will help the team to analyze the file.

-Vineeth

Re: Trojan.Gen.2 80000000.@ Security Risk


Vineeth wrote:

Hi kd12345,

Please go to the quarantine folder and submit the detected file to Symantec. That will help the team to analyze the file.

-Vineeth

Please stay out of the thread as I am pulling it out.

The Submit will still be there at the finish, and I have the droppers anyway. Tools like NPE, FixZeroaccess etc won't deal with it.

Quads  

Re: Trojan.Gen.2 80000000.@ Security Risk

First layer to break and shift

Disable Norton for say 30 minutes

Start OTL, under   copy and paste the custom script attached, which you open in for instance Notepad (include the : at the start of :OTL and all the way to the end / bottom), and run the script (red Run Fix button).

The output log should be placed in the C:\_OTL folder afterwards.

Quads

File Attachment: 

Re: Trojan.Gen.2 80000000.@ Security Risk

Thanks and Regards
Mithun Sanghavi, TSE, Symantec Corporation

Replies are locked for this thread.