Trojan.generic 2344630

Hey. My sis received a dubious file via email from her friend and ran it on my machine and now I keep getting persistent Trojan.Generic 2344630 Virus Alert messages. Turns out that the file uploaded itself to her pal's google talk friend list and sent itself to all her contacts.


It seems the trojan is creating a .tmp file in C:\Windows\Temp. Every time the new .tmp file is generated it is deleted by Bitdefender 2009. After a while a new .tmp file is created in the same folder under a different name. Examples of the .tmp files:


UACb1e9.tmp, UAC3588.tmp, UAC263d.tmp, UAC75e2.tmp, UAC81e8.tmp


I have run full system scans and in-depth scans after updating and each time nothing has been detected. The registry scanner also shows that all is in order. I've even run a scan using House Call and it says the system is clean. I have sent the quarantined objects to the Bitdefender labs.


I also have the link to the suspicious file that was downloaded, I can post it here if it is allowed.


Any help solving this will be greatly appreciated. Thanks.

Comments

  • Hello senalsesi,


    Please be so kind to send me the download link through PM. Please do NOT post it on the public forum, as other users might get infected.


    After I take a look at that file I will be able to give you further instructions.


    Cris.

  • Unfortunately Rapidshare deleted the link.

  • Do you still have the original file on your system? If you do, please archive it with a password (details), upload it on rapidshare and send me the link.


    Cris.

  • Hey Cris,


    The file is no longer on my system. It's called setup.exe and I've searched everywhere and I can't find it.

  • OK, let's try something else.


    Go HERE, and download and run Avis and GMER, as explained in that article. Upload the 2 logs HERE and reply in this topic with the download links. I will take a look and give you further advice.


    Cris.

  • Hi,


    I have run the scans as you had told me. I put the logs in one .rar archive for easy downloading. The link is


    Scan_Logs


    GMER found a rootkit, uac... something, and it's really worked its way into about 10 folders. Any advice?

  • alexcrist
    edited September 2009

    Hello,


    Please try this:


    - download the latest version of gmer from HERE


    - unplug your network cable and disable BitDefender Realtime Protection


    - open gmer, wait for the quick startup scan to finish, then click on the "> > >" tab. Multiple tabs will appear.


    - select the Files tab, where you will find an Explorer-like interface (files and folders)


    - find the following files:


    C:\windows\System32\Drivers\spzb.sys
    C:\Windows\system32\drivers\UACxiaxvppfex.sys
    UACd.sys (either in System32, or in system32\drivers)
    C:\windows\system32\drivers\UACxiaxvppfex.sys
    any file named "UAC*.*" in "C:\windows\system32" or "system32\drivers"


    Keep in mind that browsing with gmer is a lot slower than conventional browsing (with Explorer, or any file manager), because it also searches for files hidden by rootkits, which is a slow process.


    For each file you find, select it and click Copy. Save all files in a new, empty folder. Also, it might be a good idea to add a new extension to the files, but also keep the old extension (for instance filename.ext should become filename.ext.old or anything similar).


    - re-enable BitDefender Realtime Protection before re-connecting your network cable.


    Afterwards, put all the files in a password-protected archive (with the password infected; details HERE), upload the archive on a file-sharing service (details in the previous link) and send me the download link by PM.


    Cris.
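    As an added illustration of the file patterns discussed in this thread (not code from the forum or from Bitdefender), the script below matches paths against the indicators named above: UAC-prefixed .tmp droppers in C:\Windows\Temp, UAC-prefixed files in system32 or system32\drivers, and spzb.sys, and proposes the "keep the old extension, add .old" name used when copying samples out. The listing it runs on is constructed here; in practice the paths would come from GMER's Files tab, because a rootkit of this kind hides its files from the normal directory-listing APIs a script like this would otherwise use.

```python
import re
from pathlib import PureWindowsPath

# Indicator patterns taken from the thread. Directories are compared case-insensitively
# and the pattern is applied to the file name only.
INDICATORS = [
    # UACb1e9.tmp, UAC3588.tmp, ...: UAC + 4 hex chars + .tmp, dropped in Windows\Temp
    ("uac-temp-dropper", re.compile(r"^uac[0-9a-f]{4}\.tmp$"),
     {r"c:\windows\temp"}),
    # UACxiaxvppfex.sys, UACd.sys, any "UAC*.*" in system32 or system32\drivers
    ("uac-rootkit-file", re.compile(r"^uac[^\\]*\.[^\\]+$"),
     {r"c:\windows\system32", r"c:\windows\system32\drivers"}),
    # the spzb.sys driver named in the GMER instructions
    ("spzb-driver", re.compile(r"^spzb\.sys$"),
     {r"c:\windows\system32\drivers"}),
]


def classify(path: str):
    """Return the indicator label matching a full Windows path, or None."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    name = p.name.lower()
    for label, name_re, dirs in INDICATORS:
        if parent in dirs and name_re.match(name):
            return label
    return None


def quarantine_name(path: str) -> str:
    """Name for the copied sample: keep the original extension and append .old."""
    return path + ".old"


def triage(listing):
    """Filter a list of paths down to (path, label, copy-as name) for the hits."""
    return [(line, classify(line), quarantine_name(line))
            for line in listing if classify(line) is not None]


# Constructed sample listing (hypothetical, modelled on the names in the thread).
SAMPLE_LISTING = [
    r"C:\Windows\Temp\UACb1e9.tmp",
    r"C:\Windows\System32\Drivers\spzb.sys",
    r"C:\Windows\system32\drivers\UACxiaxvppfex.sys",
    r"C:\Windows\system32\UACd.sys",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\sis\Downloads\setup.exe",
]

if __name__ == "__main__":
    for path, label, copy_as in triage(SAMPLE_LISTING):
        print(f"{label:18} {path}  ->  copy as {copy_as}")
```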