Author Topic: Win32:Maleware-gen Help?  (Read 13727 times)


Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Win32:Maleware-gen Help?
« Reply #15 on: July 09, 2010, 07:31:01 PM »
deleted

« Last Edit: July 10, 2010, 02:34:52 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Bandaids

  • Guest
Re: Win32:Maleware-gen Help?
« Reply #16 on: July 09, 2010, 07:32:31 PM »
I believe the file has regenerated.
I have attached the report OTM produced in this post.

mkis
Re: Win32:Maleware-gen Help?
« Reply #17 on: July 09, 2010, 07:45:07 PM »
Okay.

Is it still regenerating?
Does everything seem to be running okay?

Use CCleaner to clear the temporary internet cache: http://www.piriform.com/ccleaner

Also make sure that Windows is always kept up to date - you may have a necessary security update missing.

Microsoft report
- http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Renos.KF

Bandaids
Re: Win32:Maleware-gen Help?
« Reply #18 on: July 09, 2010, 07:56:51 PM »
I believe the file is still regenerating, as the value is still appearing in HijackThis.
I have fix-checked it again, just to make sure.
But after I immediately redo the scan, the file shows up again.

Also, it seems that 'gpr.exe' cannot be found in my Temp folder.

mkis
Re: Win32:Maleware-gen Help?
« Reply #19 on: July 09, 2010, 08:04:26 PM »
Make sure that you are disconnected from the internet.

Boot into Safe Mode:
- turn the computer off
- lightly tap the F8 key as the computer is turned on
- this should take you to a page with the Safe Mode option (you may first be asked what to boot - choose your hard drive)

Run HijackThis in Safe Mode and you should be able to remove the entry.

Then see how it's doing.

Offline superhacker

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 979
  • superhacker != super mario
Re: Win32:Maleware-gen Help?
« Reply #20 on: July 09, 2010, 08:19:27 PM »
Use HijackFree to kill the process: http://www.hijackfree.de/en/hijackfree/
Then boot into Safe Mode and open a command prompt (Run -> cmd):

    rem end the running process so the file is no longer locked
    taskkill /f /im gpr.exe
    rem clear the hidden, system and read-only attributes, then delete the file
    attrib -h -s -r c:\windows\temp\gpr.exe
    del c:\windows\temp\gpr.exe

Then disable the malware entry in the registry with regedit, or via msconfig.exe -> Startup.
Dreams don't die, they just fall asleep.

Bandaids
Re: Win32:Maleware-gen Help?
« Reply #21 on: July 09, 2010, 08:25:45 PM »
As mkis suggested,

I booted into Safe Mode and fix-checked the gpr.exe processes using HijackThis.
It seems like they did not respawn after this.

Right now I'm doing a scan with MalwareBytes.

And is it better if I also do what superhacker said, just to make sure?

superhacker
Re: Win32:Maleware-gen Help?
« Reply #22 on: July 09, 2010, 08:36:49 PM »
Yes, it is better, to ensure the malware is removed completely.

mkis
Re: Win32:Maleware-gen Help?
« Reply #23 on: July 09, 2010, 09:09:25 PM »
It is okay; in this case it seems a good procedure to run - especially if the malware did re-appear.

I am not familiar with the procedure, but I can't see anything untoward.
Another forum member may provide a second opinion.

Bandaids
Re: Win32:Maleware-gen Help?
« Reply #24 on: July 09, 2010, 09:31:55 PM »
@superhacker

Sorry, I'm kind of new to all of this.
So can you please elaborate on how I can disable the malware entry via regedit?

mkis
Re: Win32:Maleware-gen Help?
« Reply #25 on: July 10, 2010, 12:26:25 AM »
Are you still having problems, Bandaids?

I meant I was unfamiliar with superhacker's procedure, but it all read well.

This is how you disable the malware entry via regedit:
- you go to the registry via regedit by clicking Start, going to Run, typing regedit and clicking OK
- you search in the registry by opening Edit on the toolbar and choosing Find from the dropdown menu - type gpr.exe in the box, and press Enter

If you find an entry which is obviously the malware, then delete it - and press F3 to search for the next instance of the malware.

And be CAREFUL when editing the Registry - post a reply here before you do it, if you want.
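The two removal recipes above (superhacker's taskkill/attrib/del sequence and mkis's regedit Find for gpr.exe) can be done in one pass from an elevated PowerShell prompt. The script below is an added example for this thread, not code posted by either member or by Avast; it assumes the binary is called gpr.exe and that its autostart is an ordinary Run/RunOnce value (the kind HijackThis lists as an O4 entry), which the thread suggests but never confirms. It is report-only by default; add -Remove to kill, delete and clean up, ideally in Safe Mode with the network cable pulled, as advised above.

```powershell
# Added example, not from the thread: triage and removal of a temp-folder
# binary plus its Run-key autostart, as discussed above for gpr.exe.
# Assumptions (not confirmed in the thread): name is gpr.exe, persistence is
# a plain Run/RunOnce value. Run as Administrator; PowerShell 4+ for Get-FileHash.
param(
    [string]$Name = 'gpr.exe',
    [switch]$Remove   # default is report-only; pass -Remove to actually act
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Running processes whose image name matches (taskkill /f /im equivalent).
#    Some system processes expose no Path; those are skipped.
$procs = Get-Process | Where-Object { $_.Path -and ($_.Path -like "*\$Name") }
foreach ($p in $procs) {
    Write-Host "Process $($p.Id): $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Autostart values referencing the name. Each is printed with its key so it
#    can be checked before deletion; the thread's registry warning still applies.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($prop.Value)" -like "*$Name*") {
            Write-Host "Autostart: $key\$($prop.Name) = $($prop.Value)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# 3. Copies in the usual temp folders, hidden/system ones included (-Force does
#    what 'attrib -h -s -r' did by hand). Hash before deleting so the sample can
#    be looked up later even though the file is gone.
$dirs = @("$env:SystemRoot\Temp", $env:TEMP, "$env:LOCALAPPDATA\Temp") | Select-Object -Unique
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter $Name -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Write-Host "File: $($_.FullName) SHA256=$hash"
            if ($Remove) {
                $_.Attributes = 'Normal'                 # clear hidden/system/read-only
                Remove-Item -LiteralPath $_.FullName -Force
            }
        }
}
```

Run it once without -Remove and compare the listed autostart values against what HijackThis showed; a value that points at a temp folder is the kind of entry mkis describes as "obviously the malware". Step 1 runs before step 3 because a running process keeps its image file locked, which is also why the original recipe used taskkill before del.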

Bandaids
Re: Win32:Maleware-gen Help?
« Reply #26 on: July 10, 2010, 07:46:03 AM »
Thank you mkis.

When I was searching the registry for gpr.exe, nothing was found.
Does that mean it does not exist in the registry?

And since I have removed the virus,
is there a way to make sure it's gone, and should I remove it from the Avast virus chest?

mkis
Re: Win32:Maleware-gen Help?
« Reply #27 on: July 10, 2010, 08:09:07 AM »
Well, normal running is the test - how are you doing?

You seemed adequately computer-competent to carry out the tasks needed to deal with any common problems.
Keep an eye on things - and this page directs you towards how to ensure your system is kept clean of this malware:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Renos.KF#prevention_link

If files are in the chest, you are protected from them.
If you can provide a screenshot of what is in the chest, I can give you a further reply on that.

Bandaids
Re: Win32:Maleware-gen Help?
« Reply #28 on: July 10, 2010, 08:23:06 AM »
I have attached the screenshot to this post.

These files were all found before I posted on this forum for help.

mkis
Re: Win32:Maleware-gen Help?
« Reply #29 on: July 10, 2010, 10:05:14 AM »
They look genuine enough to delete.

But you can leave them for a couple of weeks in case there is more malware work to do.
Concentrate now on making sure you tune your system back to good running and keep an eye out for any problem areas, and if it is running satisfactorily, come back in a few weeks and clear out your chest.