Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

YeboYerp

6 Posts

17215

November 16th, 2007 21:00

Generic!atr Trojan

Hello,
 
I am running Windows XP on a Dell Optiplex GX745. I have McAfee Virus Scan Enterprise v8.5i. It{s real time analysis repetedly pops up advising that the trojan, Generic!atr (i.e. autorun.inf) was eliminated. I have downloaded McAfee updates, rebooted in safe mode (with System Restore disactivated) and run a full system scan, without success. I have only rudimentary computer knowledge. Please advise.

Bugbatter

20.5K Posts

November 16th, 2007 23:00

First, ENABLE System Restore! If anything were to happen during the course of cleaning, you would have no System Restore!

According to McAfee:
"This is a generic detection for a configuration text file (autorun.inf) used by many worms. This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed."
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141387

It probably would be good if we could see what else is running around in there, so I'm going to send you for a diagnostic tool. After you run it and post on the HijackThis Board we will know more.
** There is a list of trained analysts at the top of that board in the Announcements. If someone else replies, it will be your decision whether or not you want to take advice from them.

Please download HJT Installer from Here to your desktop.
If not available use this alternate link: Here

Click the Download button.
When the Trend Micro HJT install box appears, double click on the HJTInstall.exe.
Click on Install.

It will be installed by default here: C:\Program Files\Trend Micro\HijackThis
A shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder.
The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Close all open windows except HijackThis.
Click on " Do a system scan and save logfile" When the log pops up in Notepad copy and paste that file as a NEW MESSAGE on the HijackThis Board.

Before closing HJT, please click on the Analyze This button. "Analyze This" is for Trendmicro use, and does not mean "Analyze My Log". You must post on the forum in order to receive an analysis of your log.

Close the web page that appears and then close the program HJT.

Posting Your Log:

1. Just click the New Message button in the HijackThis forum here: http://www.dellcommunity.com/supportforums/board?board.id=si_hijack
to start your own thread requesting assistance.
2. In the Message Body window that opens, simply Right-Click and select Paste.
3. Please add text to describe your symptoms.
4. Include in the message subject line a description of your problem. For example, "Popups warning of infection".
5. Make certain you post the entire log by clicking the Preview Post link at the bottom of the window and comparing it to the log from your scan before you click Submit Post

** Note: "The box next to Automatically convert carriage returns to HTML line breaks" should be checked if that appears at the bottom of your Message Body when composing your post.


* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or required.

YeboYerp

6 Posts

November 19th, 2007 21:00

Here is my HiJackThis log. Please advise on how to get rid of the Generic!atr which keeps poping up every few seconds in McAfee´s Real Tine Analysis (something to do with autorun.inf).
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:49:28 p.m., on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\McAfee\VirusScan Enterprise\Mcshield.exe
C:\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PRISMSVC.EXE
C:\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\RealPopup\RealPopup.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\McAfee\Common Framework\McTray.exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Archivos de programa\Inalámbrica de Dell\PRISMCFG.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.care.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Archivos de programa\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\ARCHIV~1\ARCHIV~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Archivos de programa\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Archivos de programa\Archivos comunes\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ShStatEXE] "C:\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPopup] "C:\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Utilidad de la tarjeta USB 2.0 inalámbrica para WLAN.lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187379426484
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Archivos de programa\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\RealVNC\VNC4\WinVNC4.exe
--
End of file - 7423 bytes

View More

View All

No Events found!

Top