trojan.gen.2 keeps coming back

BLM91 · ‎06-09-2012

So yesterday I somehow got the trojan.gen.2 virus and it keeps attacking me every 4 mins or so by that and a trojan horse. Norton 360 keeps blocking and quarantining but it keeps coming back.

I've done a full system scan and used Norton Eraser tool and it hasn't solved the problem!
Please please help!

The trojan.gen.2 keeps creating the following: c:\windows\installer\{cea0a3ad-2ed8-03e7-6196-0fd2a981fd4e}\u\80000000.@

PS. If this should have been posted in the Norton 360 forum, I could always restart it there.

Quads · ‎07-21-2008

Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes )
Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

Download OTL hxxp://oldtimer.geekstogo.com/OTL.exe (change the hxxp to http) save it to your Desktop.

Double click on OTL.exe to run it. Right click OTL.exe and select run as administator for Vista and Win 7.

Disable Norton for say 30 minutes

Start OTL,

Click the Scan All Users checkbox.

Change file age to 60 days

under Copy and paste what is below between the lines

msconfig
activex
drivers32
netsvcs
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe

mswsock.dll
wininit.exe
services.exe

svchost.exe
tdx.sys
afd.sys
cdrom.sys
i8042prt.sys
netbt.sys
redbook.sys

mrxsmb.sys

/md5stop

hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Press the

An OTL.txt will be created.

Quads

BLM91 · ‎06-09-2012

The scan is still running but norton came back on after 15 mins (think I might have clicked the wrong time to disable by mistake), i turned it back off again but will it affect the OTL at the end of the scan?
If so, would it be worth re-starting the scan?

BLM91 · ‎06-09-2012

Okay so I've got the OTL txt file (and also one called Extras) from the scan that's just finished.

Quads · ‎07-21-2008

Ok firstly we will break and move the CLSID, But you also have the bad services.exe and other items to deal with we will get them later

Remember to carefully read the instructions.

Disable Norton for say 30 minutes

Start OTL, under Copy and paste the custom script attached which you open in for instance Notepad,(include the : at the start of :OTL and all the way to the end / bottom) and run the script. (Click the Red Run Fix Button)

The output log, should be placed in the C:\ _OTL folder after.

Quads

BLM91 · ‎06-09-2012

I've just done exactly as you said but OTL crashed and closed.
I cant see the windows startbar or any of my desktop icons now either....

Quads · ‎07-21-2008

Use Task manager and in the file menu select new task.

Then type explorer.exe

Quads

BLM91 · ‎06-09-2012

Do I need to do the scan again or will it have done?

Also I have 3 new icons on my desktop (but they are clear/see through). 2 are called desktop.ini and one is called ~$dia Performance Essay

Quads · ‎07-21-2008

You Still have zeroaccess rootkit on your system (bad services.exe) , now some CLSID variants block OTL at some stage.

At least 2 of the files on your desktop is due to the folder options to show hidden files and folders or OTL managed to break the CLSID even though it crashed.

Lets try this way around to see if we might have to use FRST, FRST has been updated to show the CLSID for malware removers.

Now we will scan the PC of everything to see if there are any leftover files anywhere it uses up to date databases back at the servers

Please read carefully and Slowly

Please scan with ESET next

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check and DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
Attach the resulting log in your next reply

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

Quads

BLM91 · ‎06-09-2012

Just letting you know it's 11:20 PM where I am and the scan is at 46% after 2hrs46mins so if by some chance it finished soon, I'll post what you need, if not it'll be tomorrow