Author Topic: Win32.Dowloader.gen Completely lost on how to remove this.  (Read 1950 times)

Sarpton

  • Guest
Win32.Dowloader.gen Completely lost on how to remove this.
« on: August 09, 2013, 05:00:26 PM »
I've tried MBAM, Spybot SnD, Avast, and no joy so far.  I've downloaded OTL and have my results, but they mean nothing to me.  I've also done the safe mode restart and no luck either.  Any help would be delightful.

magna86
Re: Win32.Dowloader.gen Completely lost on how to remove this.
« Reply #1 on: August 09, 2013, 05:35:19 PM »
Hi Sarpton,

I don't see anything "essential" in the logs except the various crap files. Why do you think you're infected?

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\..\URLSearchHook: {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..\URLSearchHook: {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..\SearchScopes\{8F8DB2D7-105D-4502-AF30-B587CD9A3D7E}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3299568&CUI=UN40301065426403261&UM=2
CHR - default_search_provider: Conduit (Enabled)
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN25951711121565173&ctid=CT3299568&UM=2
CHR - default_search_provider: suggest_url = http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=UN25951711121565173&UM=2
CHR - homepage: http://search.conduit.com/?ctid=CT3299568&SearchSource=48&CUI=UN25951711121565173&UM=2
O2 - BHO: (entrusted11 Toolbar) - {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (entrusted11 Toolbar) - {77beece6-3997-403a-92fa-0055bfcf88e5} - C:\Program Files (x86)\entrusted11\prxtbentr.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3936099400-2982841587-4011832546-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
 
:Files
C:\Program Files (x86)\SearchProtect
C:\Program Files (x86)\entrusted11
ipconfig /flushdns /c

:Commands
[emptytemp]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

========= then ==========


Follow these instructions from here:
http://forum.avast.com/index.php?topic=53253.0

Run AdwCleaner, Malwarebytes and aswMBR, and attach their logs here.
« Last Edit: August 09, 2013, 05:38:44 PM by magna86 »