Author Topic: I have problem with win32:malware-gen  (Read 58775 times)

0 Members and 1 Guest are viewing this topic.

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #75 on: March 23, 2012, 02:34:41 PM »
Hi QNtas,

Yes but I need to see a couple of things first.  You had an infection with a specific worm and it went crazy in your system. 

Was there a log created after you ran this last OTL fix showing what was removed?  If so post that please. 
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = lt
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 93 29 6A E5 03 08 CD 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
[2 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
--------------

Open Malwarebytes, update it and then run a new Quick Scan and save the log for your next reply.
-------------

Run a new scan with ESET online scanner and save that log for your next reply.
------------

In your next reply I need the logs created by OTL, Malwarebytes and ESET online scanner


QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #76 on: March 23, 2012, 06:12:00 PM »
no log was created

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #77 on: March 23, 2012, 06:26:07 PM »
Do you mean with ESET

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #78 on: March 23, 2012, 06:28:45 PM »
you asked that (Was there a log created after you ran this last OTL fix showing what was removed?  If so post that please. ) so there wont be created any log after i run OTL fix

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #79 on: March 23, 2012, 06:39:44 PM »
Oh ok....

When you get the new OTL, Malwarebytes and ESET logs post those please. 

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #80 on: March 26, 2012, 07:56:19 PM »

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #81 on: March 26, 2012, 08:40:26 PM »
Hi,

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:Files
C:\Users\Admin\Documents\Documents.exe
C:\Users\Admin\Documents\CAPCOM\DEVILMAYCRY4\DEVILMAYCRY4.exe
C:\Users\Admin\Documents\FIFA 12\FIFA 12.exe
C:\Users\Admin\Documents\FIFA 12\instance0\instance0.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Age of Empires 3.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\AI\AI.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\campaign\campaign.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\RM\RM.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Savegame\Savegame.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Trigger\Trigger.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Users\Users.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Rise Of Legends.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Mantas.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\AutoSaves\AutoSaves.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\Game Setup Files.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\CTW\CTW.exe
C:\Users\Admin\Documents\My Games\Skyrim\Skyrim.exe
C:\Users\Admin\Documents\My Games\Skyrim\Saves\Saves.exe
C:\Users\Admin\Documents\NFS Most Wanted\Mantas\Mantas.exe
C:\Users\Admin\Documents\OneNote Notebooks\Personal\Personal.exe
C:\Users\Admin\Documents\Outlook Files\Outlook Files.exe
C:\Users\Admin\Downloads\SoftonicDownloader_for_teamspeak.exe
C:\Users\Admin\Pictures\about.Brontok.A.html
C:\Users\Public\Public.exe
C:\Users\Public\trz3CE5.tmp
C:\Users\Public\Documents\Documents.exe
C:\Users\Public\Documents\trz46A6.tmp
C:\Users\Public\Documents\trz4753.tmp
C:\Users\Public\Downloads\Downloads.exe
C:\Users\Public\Downloads\trz4773.tmp
C:\Users\Public\Libraries\Libraries.exe
del C:\Users\Public\Libraries\trz*.tmp /f /q /c
del C:\Users\Public\Pictures\trz*.tmp /f /q /c
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\3D Vision preview pack 1.exe
del "C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\trz*.tmp" /f /q /c
C:\Users\Public\Pictures\Sample Pictures\Sample Pictures.exe
del "C:\Users\Public\Pictures\Sample Pictures\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Recorded TV.exe
del "C:\Users\Public\Recorded TV\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Sample Media\Sample Media.exe
del "C:\Users\Public\Recorded TV\Sample Media\trz*.tmp" /f /q /c
C:\Users\Public\Videos\Sample Videos\Sample Videos.exe
C:\Windows\AutoKMS.exe
del C:\Windows\ShellNew\trz*.tmp /f /q /c
C:\Windows\SoftwareDistribution\DataStore\Logs\trzB77C.tmp
C:\Windows\SoftwareDistribution\DataStore\Logs\trzC716.tmp
del C:\Windows\temp\_avast_\unp*.tmp /f /q /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
After OTL has run the fix there should be a log automatically created.  Please post that and the OTL log that is made with your new scan. 

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #82 on: March 26, 2012, 09:42:40 PM »
After OTL has run the fix there no log  created.

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #83 on: March 27, 2012, 02:17:47 AM »
Hi QNtas,

When you are running these fixes are you being sure to press the Run Fix button and not the Run Scan button?

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #84 on: March 27, 2012, 08:53:51 AM »
yes, and then i run it it show me cmd console

QNtas

  • Guest

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #86 on: March 28, 2012, 02:15:40 AM »
Hi QNtas,

We need to something a little bit different. 

Please disable your Avast antivirus program for the time being as it seems that it is blocking our fix.

Reboot Your System in Safe Mode

  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:Files
C:\Users\Admin\Documents\Documents.exe
C:\Users\Admin\Documents\CAPCOM\DEVILMAYCRY4\DEVILMAYCRY4.exe
C:\Users\Admin\Documents\FIFA 12\FIFA 12.exe
C:\Users\Admin\Documents\FIFA 12\instance0\instance0.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Age of Empires 3.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\AI\AI.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\campaign\campaign.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\RM\RM.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Savegame\Savegame.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Trigger\Trigger.exe
C:\Users\Admin\Documents\My Games\Age of Empires 3\Users\Users.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Rise Of Legends.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Mantas.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\AutoSaves\AutoSaves.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\Game Setup Files.exe
C:\Users\Admin\Documents\My Games\Rise Of Legends\Mantas\Saves\Game Setup Files\CTW\CTW.exe
C:\Users\Admin\Documents\My Games\Skyrim\Skyrim.exe
C:\Users\Admin\Documents\My Games\Skyrim\Saves\Saves.exe
C:\Users\Admin\Documents\NFS Most Wanted\Mantas\Mantas.exe
C:\Users\Admin\Documents\OneNote Notebooks\Personal\Personal.exe
C:\Users\Admin\Documents\Outlook Files\Outlook Files.exe
C:\Users\Admin\Downloads\SoftonicDownloader_for_teamspeak.exe
C:\Users\Admin\Pictures\about.Brontok.A.html
C:\Users\Public\Public.exe
C:\Users\Public\trz3CE5.tmp
C:\Users\Public\Documents\Documents.exe
C:\Users\Public\Documents\trz46A6.tmp
C:\Users\Public\Documents\trz4753.tmp
C:\Users\Public\Downloads\Downloads.exe
C:\Users\Public\Downloads\trz4773.tmp
C:\Users\Public\Libraries\Libraries.exe
del C:\Users\Public\Libraries\trz*.tmp /f /q /c
del C:\Users\Public\Pictures\trz*.tmp /f /q /c
C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\3D Vision preview pack 1.exe
del "C:\Users\Public\Pictures\NVIDIA Corporation\3D Vision Experience\3D Vision preview pack 1\trz*.tmp" /f /q /c
C:\Users\Public\Pictures\Sample Pictures\Sample Pictures.exe
del "C:\Users\Public\Pictures\Sample Pictures\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Recorded TV.exe
del "C:\Users\Public\Recorded TV\trz*.tmp" /f /q /c
C:\Users\Public\Recorded TV\Sample Media\Sample Media.exe
del "C:\Users\Public\Recorded TV\Sample Media\trz*.tmp" /f /q /c
C:\Users\Public\Videos\Sample Videos\Sample Videos.exe
C:\Windows\AutoKMS.exe
del C:\Windows\ShellNew\trz*.tmp /f /q /c
C:\Windows\SoftwareDistribution\DataStore\Logs\trzB77C.tmp
C:\Windows\SoftwareDistribution\DataStore\Logs\trzC716.tmp
del C:\Windows\temp\_avast_\unp*.tmp /f /q /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

If there is a log created by OTL please post that.  After you have run a new scan with OTL please post that as well.  :)


QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #87 on: March 28, 2012, 07:26:19 AM »
do i need run OTL then my computer be in safe mode?

QNtas

  • Guest
Re: I have problem with win32:malware-gen
« Reply #88 on: March 28, 2012, 08:38:40 AM »
here it is. OLT fix created file

jeffce

  • Guest
Re: I have problem with win32:malware-gen
« Reply #89 on: March 28, 2012, 01:38:19 PM »
Hi QNtas,

I know this may seem like a lot of work and I appreciate your patience, but your system was heavily infected. 
-----------------

Boot back into Safe Mode.

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
[28 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
Now run a new scan with Malwarebytes and ESET online scanner.

In your next reply please post the logs made by OTL, Malwarebytes and ESET online scanner.  :)