Avast WEBforum

Other => Viruses and worms => Topic started by: Sarpton on August 09, 2013, 05:00:26 PM

Title: Win32.Dowloader.gen Completely lost on how to remove this.
Post by: Sarpton on August 09, 2013, 05:00:26 PM
I've tried MBAM, Spybot SnD, Avast, and no joy so far.  I've downloaded the OTL and have my results but they mean nothing to me.  I've also done the safe mode restart and no luck either.  Any help would be delightful.
Title: Re: Win32.Dowloader.gen Completely lost on how to remove this.
Post by: magna86 on August 09, 2013, 05:35:19 PM
Hi Sarpton,

I don't see anything "essential" in the logs except the various crap files. Why do you think you're infected?

Re-run OTL.exe.

Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\URLSearchHook: {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..\URLSearchHook: {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..\SearchScopes\{8F8DB2D7-105D-4502-AF30-B587CD9A3D7E}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3299568&CUI=UN40301065426403261&UM=2
CHR - default_search_provider: Conduit (Enabled)
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN25951711121565173&ctid=CT3299568&UM=2
CHR - default_search_provider: suggest_url = http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=UN25951711121565173&UM=2
CHR - homepage: http://search.conduit.com/?ctid=CT3299568&SearchSource=48&CUI=UN25951711121565173&UM=2
O2 - BHO: (entrusted11 Toolbar) - {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (entrusted11 Toolbar) - {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
 
:Files
C:\Program Files (x86)\SearchProtect
C:\Program Files (x86)\entrusted11
ipconfig /flushdns /c

:Commands
[emptytemp]

If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

========= then ==========


Follow these instructions from here:
http://forum.avast.com/index.php?topic=53253.0

Run AdwCleaner, Malwarebytes and aswMBR, and attach the logs here.
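As an added triage example (not code from OTL, Avast or anyone in this thread): a small Python parser for OTL-style log entries like the ones in the fix script above, which flags only the Conduit indicators that script names (the CLSID, the entrusted11/SearchProtect paths and the conduit.com search domain). The sample lines are constructed, and the "Example" CLSID, vendor and file names are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed OTL-style sample lines; the SearchProtect and Example entries are made up.
SAMPLE_LINES = [
    r"IE - HKLM\..\URLSearchHook: {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)",
    r'IE - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..\SearchScopes\{8F8DB2D7-105D-4502-AF30-B587CD9A3D7E}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&ctid=CT3299568',
    r"CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}",
    r"O2 - BHO: (entrusted11 Toolbar) - {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)",
    r"O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.",
    r"O4 - HKLM\..\Run: [SearchProtect] C:\Program Files (x86)\SearchProtect\example.exe (placeholder)",
    r"O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll (Example Vendor)",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

PREFIX_RE = re.compile(r"^(IE|CHR|FF|O\d+)(?::64bit:)?\s*-\s*")  # entry type, optional 64bit tag
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r"[A-Z]:\\.*?\.(?:dll|exe)\b", re.I)  # first Windows path ending in a binary

# Indicators taken from the fix script above (CLSID, directories, search domain).
CONDUIT_CLSIDS = {"{77beece6-3997-403a-92fa-0055bfcf88e5}"}
CONDUIT_PATH_FRAGMENTS = ("\\entrusted11\\", "\\searchprotect\\")
CONDUIT_DOMAIN = "conduit.com"

def parse_otl_line(line):
    """Return the entry type plus any CLSIDs, URL host and file path, or None if not an OTL entry."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    url = URL_RE.search(line)
    path = PATH_RE.search(line)
    return {"kind": m.group(1), "clsids": [c.lower() for c in CLSID_RE.findall(line)],
            "host": urlparse(url.group(0)).hostname if url else None,
            "path": path.group(0) if path else None}

def flag_entries(log_text):
    """Return (line_no, reason) for each entry that matches a Conduit indicator; benign lines are skipped."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse_otl_line(line)
        if e is None:
            continue
        if any(c in CONDUIT_CLSIDS for c in e["clsids"]):
            hits.append((n, "clsid"))
        elif e["path"] and any(f in e["path"].lower() for f in CONDUIT_PATH_FRAGMENTS):
            hits.append((n, "path"))
        elif e["host"] and (e["host"] == CONDUIT_DOMAIN or e["host"].endswith("." + CONDUIT_DOMAIN)):
            hits.append((n, "domain"))
    return hits
```

The O15 trusted-domain lines from the script are left unflagged on purpose: they are not Conduit artefacts, so whether to remove them is a separate judgement call.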