View original (French)

My antivirus detects a Trojan Gen.2

Solved
Anonymous user -  
Fish66 Posted messages 18337 Status Contributeur sécurité -
Hello,

For the past week, my antivirus (Norton Internet Security) has been detecting a "virus" named trojan.gen.2

It is constantly being blocked by Norton approximately every 3-4 minutes, which is becoming increasingly annoying..

Thank you for your help,

<config>Windows 7 (64bits) / Google Chrome</config>

10 réponses

Réponse 1 / 10
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Hi,
I advise you not to renew your Norton antivirus and to replace it (not now) with another free and effective one (Avira, for example)
==========================
* Download and save ZHPDiag
(by Nicolas Coolman) on your PC desktop from one of the two links: Link 1 or Link 2
* Run it, (Right-click "run as administrator" if you are using Vista/7)
* Click on the magnifying glass icon to start the diagnosis
* Host the ZHPDiag.txt report from your desktop on: malekal.com or cjoint.com
* Copy/paste the provided link in your next response
* ZHPDiag Help: <<< HERE >>>

@+

--
_ _ _ Fish66_ _ _ I''"""""I_ _ security contributor member_ _I''"""""I_ _ _
¤¤¤ The best remedy for all problems is patience.... ¤¤¤
0
Anonymous user
 
No, apparently Norton has removed the virus because I no longer have alerts.

But now the icons I have on my desktop are getting mixed up, and when I rearrange them and restart the computer, everything goes back to being mixed up.
0
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
  
Apparently Norton has removed the virus because I no longer have alerts.

Even though Norton is paid, it is not very effective :-)

Then prepare the ZHPDiag report to diagnose your PC..

@+
0
Anonymous user
 
Sorry, but when I run the diagnosis, it works for 5 seconds and then it says "ZHPDiag is not responding"

So I did a scan with HiJackThis:

https://pjjoint.malekal.com/files.php?read=HijackThis_20120602_k11v7l66u12
0
Réponse 2 / 10
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Hello,

The Hijackthis report shows nothing!

Restart ZHPDiag in safe mode with network support:

To do this, repeatedly press the F8 key right at the start of the PC boot without stopping
A window will open where you navigate with the arrow keys to >> start in Safe Mode with Networking
then press enter.
Once on the desktop, if there are no colors and other things, that's normal!
(If F8 doesn't work, use the F5 key)

See you later

--
_ _ _ Fish66_ _ _ I''"""""I_ _ contributor member security_ _I''"""""I_ _ _
¤¤¤ The best remedy for all problems is patience.... ¤¤¤
0
Anonymous user
 
How long does a diagnosis with this software take?
0
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
It's not too much, a maximum of 3 minutes.
0
Anonymous user
 
I had never used safe mode and it works:

https://pjjoint.malekal.com/files.php?read=ZHPDiag_20120602_n8y8d10h10x14
0
Réponse 3 / 10
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Re,

Restart your PC in normal mode then do this please:

Before using ComboFix:

CD emulation software such as Daemon Tools may interfere with disinfection tools. Use Defogger to temporarily disable them:

if you have this kind of tools on your pc, use Defogger to temporarily disable them: otherwise go straight to ComboFix

* Download Defogger (by jpshortstuff) to your Desktop
* Launch it

* A window will appear: click on "Disable"

* Restart the computer if the tool asks you to

Note: When we finish disinfection, you can reactivate these programs by relaunching Defogger and clicking on "Re-enable"

===================================================

Warning, before you start, read the procedure carefully

********************************************************

/!\ Do not use this software outside the context of this disinfection: DANGEROUS /!\

* Right-click on this link, save it to your desktop under a different name example "your username.exe"
Here is Help combofix

* /!\ Disconnect from the internet and TURN OFF YOUR PROTECTION SOFTWARE /!\


*Double-click on ComboFix.exe (or run as administrator for Vista and Seven)

A "pop-up" will appear saying that ComboFix is used at your own risk with no guarantees... Click yes to accept

** BE SURE TO INSTALL THE RECOVERY CONSOLE
(if it offers to install it, reconnect to the internet)

? Do not touch anything (mouse, keyboard) until the scan is complete, as you risk crashing your PC

*At the end of the scan, it is possible that ComboFix will need to restart the PC to finalize the disinfection, let it do so.

* Once the scan is finished, a report will display: Post its content

** /!\ Reactivate the real-time protection of your antivirus and antispyware before reconnecting to the Internet. /!\

*Note: The report is also located here: C:\ComboFix.txt

@+

--
_ _ _ Fish66_ _ _ I''"""""I_ _ contributing security member_ _I''"""""I_ _ _
¤¤¤ The best remedy for all problems is patience.... ¤¤¤
0
Anonymous user
 
The scan for how long? Like the other one?

I also remind you that my problem is no longer that I have a virus, but that the icons on my desktop all go to the left at startup... Is that what you're looking at?
0
Anonymous user
 
Here is the scan:
https://pjjoint.malekal.com/files.php?read=20120602_o6s10n5h13k7

Apparently my desktop is properly recording the position of the icons after several restarts and I no longer receive alerts from Norton about "Trojan.gen.2"

Thanks again =)

But can I delete "arlextra.exe"?
0
Réponse 4 / 10
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Re,
1/
Download AdwCleaner (thanks to Xplode)
Launch AdwCleaner
Click on the [ Delete ] button
Wait...
Post the report that appears at the end of the scan.
(The report is also saved under C:\ AdwCleaner[SX].Txt)

2/
/!\ WARNING: this scan may take a few hours /!\

* Download MBAM and install it to the default location
https://www.malwarebytes.com/mwb-download/
* Install it and then configure it as indicated: <<< HERE >>>
* if you made no changes, just quit, otherwise save
* Launch Malwarebytes' Anti-Malware

=================================
If MBAM is already installed, go directly to the update and then to the scan.

==> This free software is to be kept.

=================================

* Update it
* Click on the "Scan" tab
* Check the option "Perform a full scan" then click on the "Scan" button
* Choose to scan all your hard drives, then click on 'Start Scan'

At the end of the scan, if MBAM found nothing:

* Click on OK, the report will open automatically

If threats were detected:

* Click on OK then "Show results"
* Check that all lines are checked
* Choose the "Remove selected" option
* If MBAM asks to restart Windows: Click on "Yes"
* The report opens automatically after deletion, it is also found in the “Reports/Logs” tab

* Copy/paste the report in the next message

====================

Note:
- If there is a problem updating MBAM, you can do it manually by downloading this file and then running it.

3/
Do you have a problem with: arlextra.exe

You can analyze it with Virus Total:

To verify that the file below is infected, go to this website
Virus Total

* Click on " choose file "
* Go to your disk to find this file at this location:

path of arlextra.exe


* Then click on the « Scan it » button
* Wait for the scan to complete, which depends on the size of the file
* Once finished, the detection ratio will appear
* Communicate it in your next response on the forum and also share the link to the VirusTotal page by copying it from the address bar and pasting it into your next response

=======================
arlextra is your nickname, how do you want to delete it? lol

@+

_ _ _ Fish66_ _ _ I''"""""I_ _ contributor member security_ _I''"""""I_ _ _
¤¤¤ The best remedy for all problems is patience.... ¤¤¤
0
Anonymous user
 
1)
Here it is:
https://pjjoint.malekal.com/files.php?read=20120602_v10z13o7n14o7

2)
I already did this search yesterday and it took me 2 hours, so I don't really want to do it again :/ (It just found a malware in my FruitNinja game.
Otherwise, here it is:
https://pjjoint.malekal.com/files.php?read=20120602_k5q1314j9m7

3)
The file "arlextra.exe" is actually the program "ComboFix" that you asked me to rename ^^
0
Réponse 5 / 10
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Re,
1/
Launch ZHPDiag from the desktop and please prepare a new ZHPDiag report

2/ 
The file "arlextra.exe" is actually the program "ComboFix" that you asked me to rename ^^

We're going to delete all the disinfection tools used!

See you later

--
_ _ _ Fish66_ _ _ I''"""""I_ _ contributor member security_ _I''"""""I_ _ _
¤¤¤ The best remedy for all problems is patience.... ¤¤¤
0
Réponse 6 / 10
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Re,
1/
Uninstall Software: Plants vs. Zombies

2/
Copy all the text in bold below (select it with your mouse / Right-click on it and choose "copy" or press Ctrl+C)


[HKLM\Software\PopCap]
O43 - CFD: 29/01/2012 - 17:48:26 - [50,601] ----D C:\Program Files (x86)\PopCap Games
O43 - CFD: 28/01/2012 - 11:17:10 - [49,487] ----D C:\ProgramData\PopCap Games
O43 - CFD: 28/01/2012 - 10:49:45 - [0,000] ----D C:\ProgramData\Trymedia
O43 - CFD: 29/01/2012 - 17:48:26 - [50,601] ----D C:\Program Files (x86)\PopCap Games
[HKCU\Software\PopCap]
[HKLM\Software\WOW6432Node\PopCap]
C:\Program Files (x86)\PopCap Games
C:\ProgramData\PopCap Games
C:\ProgramData\Trymedia
O43 - CFD: 28/05/2012 - 10:37:54 - [0] ----D C:\Users\Arnaud\AppData\Local\BorisFX
O43 - CFD: 12/03/2012 - 20:13:19 - [0] --HAD C:\Users\Arnaud\AppData\Local\NheF9a67wDln
O43 - CFD: 28/05/2012 - 12:07:22 - [0] ----D C:\Users\Arnaud\AppData\Local\{05EA84C5-2E1C-4E00-8F7F-6C27805108B9}
O43 - CFD: 25/05/2012 - 19:34:15 - [0] ----D C:\Users\Arnaud\AppData\Local\{088561E5-B934-4F8A-BF20-E2577AA38536}
O43 - CFD: 27/05/2012 - 21:04:44 - [0] ----D C:\Users\Arnaud\AppData\Local\{1ED24E5C-EB41-4C3A-A21C-D595787B756F}
O43 - CFD: 28/05/2012 - 12:07:11 - [0] ----D C:\Users\Arnaud\AppData\Local\{2C94DA83-1566-46D9-9EF0-E0C252B79606}
O43 - CFD: 01/06/2012 - 19:23:36 - [0] ----D C:\Users\Arnaud\AppData\Local\{4470DBE1-C2F6-498C-A2DA-9240D8FE579B}
O43 - CFD: 27/05/2012 - 21:04:55 - [0] ----D C:\Users\Arnaud\AppData\Local\{4C8788EB-A436-47DE-A223-34C907CAEC65}
O43 - CFD: 02/06/2012 - 12:58:25 - [0] ----D C:\Users\Arnaud\AppData\Local\{5EB55125-6748-4593-8E15-E2EBA4596418}
O43 - CFD: 30/05/2012 - 13:19:55 - [0] ----D C:\Users\Arnaud\AppData\Local\{68F54EC0-5C3C-4947-84B1-3503A7EAA05F}
O43 - CFD: 26/05/2012 - 10:18:10 - [0] ----D C:\Users\Arnaud\AppData\Local\{71DC0C46-663C-4C62-97C8-D6F1706158FE}
O43 - CFD: 25/05/2012 - 19:34:03 - [0] ----D C:\Users\Arnaud\AppData\Local\{7BCB3D44-618F-4047-8973-7CDF6DC4D2C2}
O43 - CFD: 26/05/2012 - 10:18:21 - [0] ----D C:\Users\Arnaud\AppData\Local\{7C7A1840-CE68-419B-A37B-B854E113E415}
O43 - CFD: 30/05/2012 - 13:20:11 - [0] ----D C:\Users\Arnaud\AppData\Local\{8EF1E5DF-0D26-4E8B-A10A-1CA1D423AC22}
O43 - CFD: 01/06/2012 - 19:23:24 - [0] ----D C:\Users\Arnaud\AppData\Local\{9BCA6DBB-FE39-4DFC-8CAE-E705BE86C203}
O43 - CFD: 02/06/2012 - 12:58:37 - [0] ----D C:\Users\Arnaud\AppData\Local\{9BD0F539-194F-4DEB-86AE-40D16101D19F}
O43 - CFD: 31/05/2012 - 19:25:39 - [0] ----D C:\Users\Arnaud\AppData\Local\{AF03C111-DCA4-44B1-BBA6-58AF76985E27}
O43 - CFD: 31/05/2012 - 19:25:28 - [0] ----D C:\Users\Arnaud\AppData\Local\{E3604090-14AB-4613-ACD4-7656F7BB8F80}
[HKCU\Software\AppDataLow\7c7a3a05]
FirewallRAZ
EmptyTemp
EmptyFlash


Then Run ZHPFix from the desktop shortcut.

* Once the ZHPFix tool is open, click on the [ H ] button ( "paste Helper lines" ).

* In the main box, you will see the lines you copied earlier appear.

Check that all the lines I asked you to copy (and only those) are in the window.

Click on the GO button

Copy/Paste the report on the screen into your next message.

3/
Perform an online antivirus scan using BitDefender online with Internet Explorer
Let yourself be guided. Paste the report here.

4/
How is your PC behaving now?

See you tomorrow

Good night

_ _ _ Fish66_ _ _ I''"""""I_ _ contributor security member_ _I''"""""I_ _ _
¤¤¤ The best remedy for all problems is patience.... ¤¤¤
0
Anonymous user
 
1) ok


2) Here it is:
https://pjjoint.malekal.com/files.php?read=20120603_o9g11j8y15f14


3) I completed the analysis but in the end, it didn't provide a report, it just said:

"No active infection was detected on your PC"

And it offers me to download bitdefender


4) It behaves very normally, I no longer receive blocking alerts from the Trojan and my icons are correctly back in place after a restart.

However, I still need to uninstall ZHP and combofix, right?
0
Réponse 7 / 10
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Hello, 

All that’s left is to uninstall ZHP and combofix, right?


Yes, we will uninstall them by running Delfix!

To finish: 

Updatechecker:

Download updatechecker to indicate the software that is out of date and also allows you to perform these updates
You can use it once a week
===========================================
**Cleaning 
 Removing disinfection tools: * Download Delfix to your desktop. * Run it, type removal and then validate * Wait for the scan to finish until the report opens. * Copy/Paste the content of the report into your next reply. Note: The report can also be found under C:\DelFix.txt * You can uninstall it =========================================== <code>Defragmentation:

Defragment your hard drives using defraggler
You can use it once a quarter
=========================================== 

Cleaning files and registry keys:

* Download and install CCleaner Slim version
* Run it. (right-click "run as administrator" for Vista and Seven) Go to Options then
* Advanced and uncheck the box Clear only files etc....
* Go to Cleaner, choose Analyze. Once finished, run the cleaning.
* Then, choose Registry, then Search for errors. Once completed, fix all errors as many times as they are found in the scan.
** Help here: https://www.malekal.com/tutoriel-ccleaner/
You can use CCleaner once a week

=========================================== 
Purge system restore points:


* Disable and then re-enable system restore by following the procedures indicated in these links:

Windows XP

Windows Vista

Windows 7

* After emptying the system restore, it is necessary to create a new restore point ...

===========================================
Tips:
1/ I recommend using the Firefox browser and installing the add-ons
WOT WOT to indicate suspicious files and Adblock plus to block ads...

2/ You can also keep Malwarebytes and use it once a week.

3/ A bit of reading:
* The dangers of Peer-To-Peer, Emule etc..
* How to Secure your computer...
* Why and how do I get infected
* why keep your browser up to date

@+

--
_ _ _ Fish66_ _ _ I''"""""I_ _ contributor security member_ _I''"""""I_ _ _
¤¤¤ The best remedy for all problems is patience.... ¤¤¤
0
Anonymous user
 
For defragmentation, do you recommend Defraggler over Windows Disk Defragmenter?
0
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Personally, I use Defraggler :-)
0
Anonymous user
 
Cleaning:
Here it is: https://pjjoint.malekal.com/files.php?read=20120603_q6j11b15f5u12


Defragmentation:
I looked it up on Google, apparently it would be better :p


Cleaning:
Here it is

Clearing system restore points:
It's good =)

Tips:
ok
0
Réponse 8 / 10
Fish66 Posted messages 18337 Status Contributeur sécurité 1 318
 
Hi again,

With that said, be careful and have a good surf...

--
_ _ _ Fish66_ _ _ I''"""""I_ _ contributing member safety_ _I''"""""I_ _ _
¤¤¤ The best remedy for all problems is patience.... ¤¤¤
0
Réponse 9 / 10
bart5 Posted messages 446 Status Membre 104
 
I'm telling you already to change your antivirus because Norton is the worst antivirus in the world.

Some good antivirus options:
- free: Avira Antivirus
- paid: Kaspersky Pure

But for your virus, check where it is
and let us know.
-2
Anonymous user
 
Alright, I'll check for my antivirus... Otherwise, the virus is located in:

"C:\windows\installer\{bd760e55-2575-62d3-5e6f-2eaeacb45ffe}\u\80000000.@"
0
Réponse 10 / 10
bart5 Posted messages 446 Status Membre 104
 
Uninstall Norton completely and the virus will disappear because it is due to your antivirus.
-3