[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1004336348-879983540-725345543-500\] > ->
YN -> HKEY_USERS\S-1-5-21-1004336348-879983540-725345543-500\: SearchURL\\"provider" -> gogl
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rundll32.exe" -> []
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rundll32.exe" -> []
[Files/Folders - Modified Within 30 Days]
NY -> leocfucb.job -> C:\WINDOWS.0\tasks\leocfucb.job
NY -> sdfinacs.dll -> C:\WINDOWS.0\sdfinacs.dll
[File - Lop Check]
NY -> com.gog.downloader.87F90EC6C28C7E479115BE2E026DB87A08BC420D.1 -> C:\Documents and Settings\Administrator\Application Data\com.gog.downloader.87F90EC6C28C7E479115BE2E026DB87A08BC420D.1
[Custom Scans]
YY -> setuplog.exe -> C:\setuplog.exe
YY -> WHAT.EXE -> C:\WHAT.EXE
NY -> 1 C:\*.tmp files -> C:\*.tmp
[Empty Temp Folders]
Under File name it says
'C:\System Volume Information\_restore{615D86ED-B9C8-A1EC-A6CFCAD89AF3}\RP27\A0004670.rbf'
It says severity is high =/ At one point my computer said my video driver crashed but was back on, and I don't know what else it might do (if that was from it), so I don't know if I should stop everything I'm doing to get rid of it now or not. Thanks
I have the same Win32-Malware-gen that my Avast! home is reporting. I ran OTS, thinking that the report I would get would enable me--by looking at what Essexboy did on December 08, 2009, 08:18:00 PM--to do that same thing. But I can't figure out what to do. Might someone help me as well? I would be most grateful.
You should have started a new topic and not asked for help inside this.
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF742B780]
This states you have the TDSS rootkit.
TDL::
c:\windows\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\mrxsmb.sys
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No CLSID value found.
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
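The indicator quoted above (atapi.sys whose entry point lies inside the ".rsrc" section) can be verified on a copy of a driver with a small PE header parser. The Python script below is an added example written for this page, not OTS's or the forum's own code: it reads only the headers it needs and reports which section contains AddressOfEntryPoint. The ".rsrc" name check is the thread's indicator; the extra test that the section carries the IMAGE_SCN_MEM_EXECUTE flag is a heuristic added here, and `build_test_image` produces a constructed, headers-only image so the check can be demonstrated offline.

```python
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag from the PE spec


def parse_sections(data: bytes):
    """Return (entry_rva, [(name, vaddr, size, characteristics), ...]) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    table = opt + size_opt  # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, vaddr, raw_size = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, max(vsize, raw_size), chars))
    return entry_rva, sections


def check_entry_point(data: bytes) -> dict:
    """Locate the section holding the entry point and flag the TDSS-style layout."""
    entry_rva, sections = parse_sections(data)
    for name, vaddr, size, chars in sections:
        if vaddr <= entry_rva < vaddr + size:
            executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
            return {"entry_rva": entry_rva, "section": name, "executable": executable,
                    # ".rsrc" is the indicator from the thread; a non-executable
                    # section is an added heuristic (assumption, not from the page)
                    "suspicious": name == ".rsrc" or not executable}
    # Entry point outside every section is never legitimate for a driver
    return {"entry_rva": entry_rva, "section": None, "executable": False, "suspicious": True}


def build_test_image(entry_rva: int, sections) -> bytes:
    """Constructed minimal PE32 image (headers only); sections = [(name, vaddr, vsize, chars)]."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
        for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layout: a normal code section and a resource section
SAMPLE_SECTIONS = [(".text", 0x1000, 0x1000, 0x60000020),
                   (".rsrc", 0x2000, 0x1000, 0x40000040)]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_entry_point(open(sys.argv[1], "rb").read()))
    else:
        print(check_entry_point(build_test_image(0x1200, SAMPLE_SECTIONS)))
        print(check_entry_point(build_test_image(0x2780, SAMPLE_SECTIONS)))
```

Run it as `python check_entry.py atapi.sys` on a copy of the driver. Because TDSS intercepts disk reads on the infected system, a copy taken from a clean boot environment gives a more trustworthy answer than one read while the rootkit is active.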
I put it in as an exclusion and that doesn't work. I know this is false positive and I want to play my game.
What is the file name and location?
This morning I also got a notification that I had Win32: Malware-gen...
I used Malwarebytes Antimalware as suggested in this thread and will upload the log file.
I can't tell from the log--was Win32: Malware-gen removed??
Hi Guys,
I have had real problems with my laptop today...been sorting it for almost 13 hours now..started with Win32:Patched-RP[Trj]. Which with the help of this forum I successfully got rid of by using Dr.Web CureIt. THANKS!
Thought I would run Windows OneCare on the pc just to make sure..now this opened up a whole new can of worms!! My main worry is a TrojanDownloader:Java\Rexec.B!! I have only found info on this on Microsoft and it is severe! But they only posted it yesterday so not much info is known..Avast doesn't seem to even realize it is there, but when I Google a page Avast comes up with a malicious malware warning and stops me entering the site...or it directs me to a completely different web site..often an offensive one.
I followed the path to where the TrojanDownloader is C:\users\name\appdata\locallow\sun\java\deployment\cashe\6.0\
When I went there the folder 6.0 had numbers from 1 to 13, now an hour later it's up to 63!! Also files named Host, Muffin, Tmp, LastAccessed..When I hold my cursor over the file/s (NOT CLICK) they all claim to be empty. I also just checked my REG EDIT and it looks like something is different from yesterday!!
Please Help Me!!
msqpdxserv.sys
This is a member of the TDSS family so it may be worth doing a deeper scan if you want.
Hi Essexboy, I have the same problem as richdebc. I've sent you my log after scanning with OTS. Kindly help please. Thanks in advance.
If you want a deeper scan
To ensure that I get all the information, this log will need to be uploaded to Mediafire (http://www.mediafire.com/); then post the sharing link.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
- Reg - Shell Spawning
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
- Under custom scans copy and paste the following
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
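The /md5start ... /md5stop block in the custom scan above tells OTS to hash the listed drivers and system DLLs so a patched copy (such as the atapi.sys infection discussed earlier in the thread) stands out against a known-good hash. As an added example that is not OTS's or the forum's code, the Python script below performs the same comparison for the same file list against a baseline of expected MD5 values, searching a directory tree recursively like the scan's `/s` switch and reporting every copy it finds. The `demo` function, its baseline dictionary and the sample files are constructed for the demonstration and are not real Windows hashes or paths.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# File list copied from the thread's /md5start ... /md5stop block
MD5_TARGETS = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
]


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large drivers do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_all(root: Path, name: str):
    """Every copy of `name` below root, case-insensitively (dllcache, drivers, ...)."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower() == name.lower())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Classify every target as ok / mismatch / unknown / missing / unreadable.

    baseline maps a lower-case file name to the set of acceptable MD5 hex digests
    (several, because different service packs ship different builds).
    """
    result = {"ok": [], "mismatch": [], "unknown": [], "missing": [], "unreadable": []}
    for name in MD5_TARGETS:
        copies = find_all(root, name)
        if not copies:
            result["missing"].append(name)
            continue
        expected = baseline.get(name.lower())
        for p in copies:
            try:
                digest = md5_of(p)
            except OSError:
                # A file that exists but cannot be read deserves a closer look
                result["unreadable"].append(str(p))
                continue
            if expected is None:
                result["unknown"].append((str(p), digest))
            elif digest in expected:
                result["ok"].append(str(p))
            else:
                result["mismatch"].append((str(p), digest))
    return result


def demo() -> dict:
    """Constructed sample tree: one clean atapi.sys, one altered copy, all else absent."""
    tmp = Path(tempfile.mkdtemp())
    clean = b"clean driver bytes (constructed)"
    (tmp / "drivers").mkdir()
    (tmp / "drivers" / "atapi.sys").write_bytes(clean)
    (tmp / "dllcache").mkdir()
    (tmp / "dllcache" / "atapi.sys").write_bytes(b"patched driver bytes (constructed)")
    baseline = {"atapi.sys": {hashlib.md5(clean).hexdigest()}}  # constructed, not a real hash
    result = compare_to_baseline(tmp, baseline)
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

On a real machine the baseline has to come from a trusted source (an installation medium or a known-clean system at the same service pack level); the script only tells you that a file differs from what you expected, which is exactly the question the OTS hash list is asked to answer.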
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (NAV) Norton AntiVirus [Unknown | Stopped] ->
[Driver Services - Safe List]
YY -> (EraserUtilRebootDrv) EraserUtilRebootDrv [Kernel | On_Demand | Running] -> C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
YY -> (eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
YY -> (SymEvent) SymEvent [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\SYMEVENT.SYS
YY -> (IDSxpx86) IDSxpx86 [Kernel | On_Demand | Stopped] -> C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20101026.001\IDSXpx86.sys
YY -> (BHDrvx86) BHDrvx86 [Kernel | System | Running] -> C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys
YY -> (SymIRON) Symantec Iron Driver [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\Ironx86.SYS
YY -> (SymEFA) Symantec Extended File Attributes [File_System | Boot | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\SYMEFA.SYS
YY -> (SRTSPX) Symantec Real Time Storage Protection (PEL) [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\SRTSPX.SYS
YY -> (ccHP) Symantec Hash Provider [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\ccHPx86.sys
YY -> (SymDS) Symantec Data Store [Kernel | Boot | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\SYMDS.SYS
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} [HKLM] -> [Symantec Intrusion Prevention]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "System Startup Registry" -> [C:\WINDOWS\system\smss.exe]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1275210071-796845957-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1275210071-796845957-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}" [HKLM] -> [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\myrose\Desktop\PortForward.exe" -> [C:\Documents and Settings\myrose\Desktop\PortForward.exe:*:Enabled:PortForward]
YN -> "I:\CDS\Nero\Installation\SetupX.exe" -> [I:\CDS\Nero\Installation\SetupX.exe:*:Enabled:Nero ProductSetup]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{3a224cb2-4f74-11df-b78c-00e04d6f59fa} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\AutoRun\command ->
YN -> \{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\AutoRun\command\\"" -> [driver\S-1-4-89-654352344-54323413-6452342-4545\service.exe]
YN -> \{3a224cb2-4f74-11df-b78c-00e04d6f59fa} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\open\command ->
YN -> \{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\open\command\\"" -> [driver\S-1-4-89-654352344-54323413-6452342-4545\service.exe]
[Files - No Company Name]
NY -> mgxoschk.ini -> C:\WINDOWS\mgxoschk.ini
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: myrose
->Temp folder emptied: 1702167 bytes
->Temporary Internet Files folder emptied: 210378897 bytes
->Google Chrome cache emptied: 430004082 bytes
->Apple Safari cache emptied: 19246080 bytes
->Flash cache emptied: 96891 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 240459051 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 3116561 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 57247805 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 62261712 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2467780657 bytes
Total Files Cleaned = 3,333.00 mb
[EMPTYFLASH]
User: All Users
User: Default User
User: LocalService
User: myrose
->Flash cache emptied: 0 bytes
User: NetworkService
Total Flash Files Cleaned = 0.00 mb
Restore point Set: OTS Restore Point (0)
The reason is that OTS had to clear 3,333.00 mb of temporary files before it could create the restore point. What problems are you experiencing?
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
That looks good
Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.
Why were you unable to remove it?
It is only in the Temporary Internet Files folder and you can clear that location from your IE browser settings.
Hi there, let me see what you have.
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
THEN
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.