Problem removing Win32.downloader.gen

HWM Fear

New Member
Thread author
Aug 29, 2013
13
I hope that a solution can be acquired for this particular problem of mine. I thank the community for their support and time, in helping me with this issue.
 

Attachments

  • OTL.Txt
    90.9 KB · Views: 116
  • aswMBR.txt
    1.5 KB · Views: 84
  • Combofixlog.txt
    19.6 KB · Views: 113
  • AdwCleaner[S0].txt
    2.4 KB · Views: 110
  • JRT.txt
    626 bytes · Views: 93
  • ESET Scan.txt
    237 bytes · Views: 92
  • Spybot report.txt
    205 KB · Views: 153
  • OTL2.Txt
    122.2 KB · Views: 112

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Hi and welcome to the malwaretips.com forums!

I'm Jack and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.


STEP 1 : Run a scan with Combofix
Please read and follow very carefully the below instructions
 
Download ComboFix from one of the following locations: 

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop  
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

How to run the Combofix scan :
  1. Double click on ComboFix.exe & follow the prompts.
  2. Accept the disclaimer and allow to update if it asks
  3. Combofix will now start scanning your computer.
  4. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Additional notes:
  1. DO NOT mouse-click Combofix's window while it is running. That may cause it to stall.
  2. DO NOT "re-run" Combofix. If you have a problem, reply back for further instructions.
  3. IF after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.




What's next?

Add the following logs to your next post (You can find here details on how to use the Attachment System):
1. Combofix log
2. Let me know if you had any problems with the above instructions and also let me know how things are running now!
 

HWM Fear

New Member
Thread author
Aug 29, 2013
13
I have finished running combo fix and now have the log attached to this post. So far the computer is running the same as it was before with no noticeable changes.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Let's run these three scans:
STEP 1: Run a scan with AdwCleaner

  1. Download AdwCleaner from the below link.
    ADWCLEANER DOWNLOAD LINK: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner (This link will automatically download AdwCleaner on your computer)
  2. Close all open programs and internet browsers.
  3. Double click on adwcleaner.exe to run the tool.
  4. Click on Delete, then confirm each time with Ok.
  5. Your computer will be rebooted automatically. A text file will open after the restart.
  6. Please post the contents of that logfile with your next reply.
  7. You can find the logfile at C:\AdwCleaner[S1].txt as well.

STEP 2: Run a scan with Junkware Removal Tool

  1. Please download Junkware Removal Tool to your desktop from the following link:
    JUNKWARE REMOVAL TOOL DOWNLOAD LINK (This link will automatically download Junkware Removal Tool on your computer)
  2. Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  3. The tool will open and start scanning your system
  4. Please be patient as this can take a while to complete depending on your system's specifications
  5. On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  6. Post the contents of JRT.txt into your next reply


STEP 2: Run a scan with ESET Online Scanner
  1. Download ESET Online Scanner utility from the below link
    ESET ONLINE SCANNER DOWNLOAD LINK: http://download.eset.com/special/eos/esetsmartinstaller_enu.exe (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
  3. Check Yes, I accept the Terms of Use
  4. Click the Start button.
  5. Check Scan archives
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push List of found threats
  9. Push Export to Text file and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply. Note - when ESET doesn't find any threats, no report will be created.
  10. Push the back button.
  11. Push Finish

What's next?

Add the following logs to your next post (You can find here details on how to use the Attachment System):
1. AdwCleaner log
2. Junkware Removal Tool log
3. ESET log
4. Let me know if you had any problems with the above instructions and also let me know how things are running now!
 

HWM Fear

New Member
Thread author
Aug 29, 2013
13
Thanks again, for the ongoing assistance Jack. I haven't noticed any significant changes in the running of the computer. I have uploaded the aforementioned text logs, again to the original post. During the Eset scan, it detected two Win32/Bagle.gen.zip worms; one of which it deleted and the other no action was taken for. The location of the left one had spybot search and destroy in its location. Does that mean that it has been corrupted?
 

HWM Fear

New Member
Thread author
Aug 29, 2013
13
Update: For some reason the browsers are now faster but my computer has been acting strangely; automatic updates were turned off, avast anti virus was off and for some I have seen the tool bar turn white momentarily. I am also having some difficulty turning the anti virus back on it seems, it launches manually but windows informs that it is turned off the contrary. When I attempt to turn it back on from the action centre, nothing comes of it... Update: Everything seems to be running fine now, after I restarted my computer perhaps just a temporary scare.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Hello HWM Fear,
Is spybot still saying that you are infected with Win32.downloader.gen? Which file is this program detecting as malware?
What other issues are you experiencing with your computer?
 

HWM Fear

New Member
Thread author
Aug 29, 2013
13
Hello Jack, spybot is still detecting an infection though I am not sure how to depict the file being flagged as malware. Is there a way to export a log or distinguish it, like with the other programs? Also as for my computer the only suspicious thing that I have noticed, is that as it was being shutdown it flagged a non-responsive program as a contact name found in Skype; however Skype was turned off at the time. According to windows action centre the only two known issues are the fact that I haven't set a backup and that the graphics driver has malfunctioned several times. I don't know of any other problems, thanks again for your help on this issue. Update: I think I figured out how to depict it, and have uploaded the log. It should be noted that spybot detected additional malware indicating the downloader is still active. Update: I ran a scan with hitman pro which resulted in it finding some malware. As a result I activated the free trial and have uploaded the log; I hope that this action is not inhibiting the removal processes. Update: For some reason I can't upload the file, as it's a .log. Thanks, Fear
 

HWM Fear

New Member
Thread author
Aug 29, 2013
13
I don't mean to spam but is there a next course of action or would you recommend bringing my pc into a shop?
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

I think Jack is busy at the moment, I will assist you until Jack gets back :)

Download Farbar Recovery Scan Tool from the below link:
  • For 64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a USB/flash drive.
  • Plug the flashdrive into the infected PC.
  • Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

  1. Select Command Prompt
  2. In the command window type in notepad and press Enter.
  3. The notepad opens. Under File menu select Open.
  4. Select "Computer" and find your flash drive letter and close the notepad.
  5. In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  6. The tool will start to run.
  7. When the tool opens click Yes to disclaimer.
  8. Press Scan button.
  9. FRST will let you know when the scan is complete and has written the FRST.txt to file, close the message.
  10. Type exit
  11. Please copy and paste FRST.txt in your next reply
 

HWM Fear

New Member
Thread author
Aug 29, 2013
13
Hey, Fiery I am encountering difficulty with the launching of the frst64 program when under advanced boot state. After figuring out that my flashdrive is f, and then typing f:/frst64 into the command prompt; I get "device is not ready" as a response. Thanks,
Fear
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Ok, we will use OTL again for now to get a fresh look at your PC's current state and move on from there.

  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, one Notepad file will open.
  • Please attach the contents of the file in your next reply.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Please attach future logs onto your new replies rather than your first one.

Firstly, please uninstall all Anvisoft products by going to Start > Control Panel > Uninstall program. Anvisoft isn't recommended.

Next, open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O3 - HKLM\..\Toolbar: (no name) - {650598e1-b35a-45d3-b607-896d7acb64c3} - No CLSID value found.

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
*SearchProtect*

:folderfind
*SearchProtect*

:Regfind
SearchProtect
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
 

HWM Fear

New Member
Thread author
Aug 29, 2013
13
Hey Fiery,

I got rid of the anvisoft program and had the logs uploaded as you requested. No problems this time with the process.

Thanks again,

Fear
 

Attachments

  • SystemLook.txt
    842 bytes · Views: 68
  • OTL3.txt
    1 KB · Views: 78

HWM Fear

New Member
Thread author
Aug 29, 2013
13
Hi,

My computer seems to be running at its usual speed. I ran another scan with spybot search and destroy, where it picked up on the downloader again but this time without any rightmedia or double click threats. I saved a log of it right before hitting the fix problem option, perhaps it will be of some use?

Thanks again,

Fear
 

Attachments

  • Spybot2.txt
    2.1 KB · Views: 84

Fiery

Level 1
Jan 11, 2011
2,007
Please download ERUNT from here to your USB and transfer it to your infected PC.
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the part that asks you to add ERUNT to the start-up folder.)
  • Start ERUNT by double clicking on the desktop icon or choosing to
  • Choose a location for the backup
    (The default location is C:\WINDOWS\ERDNT)
  • Make sure that boxes beside System Registry and Current User Registry are checked
  • Press OK
  • Press YES to create the folder.

Open OTL. Under custom scan/fixes, copy and paste the following:

:reg
[-HKEY_USERS\S-1-5-21-2374682991-646272929-460161045-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchProtect]

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Then run another spybot scan and see if it still detects that entry. This isn't a big threat, just an adware registry entry.
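
A read-only way to confirm whether the SearchProtect Run value targeted by the OTL fix above is still present, as an added example that is not part of the original post. It goes beyond the single SID in the fix and checks every user hive currently loaded under HKEY_USERS; it assumes Windows PowerShell started from an elevated prompt, and the variable names are illustrative.

```powershell
# Added example (not from the thread): read-only check of per-user Run keys.
# $Pattern is the value name from the OTL fix above; nothing is modified.
$Pattern   = 'SearchProtect'
$RunSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Users     = [Microsoft.Win32.Registry]::Users
$NoExpand  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

# HKEY_USERS only contains hives that are currently loaded, so an account
# that is not logged on will not appear here.
$hits = foreach ($sid in $Users.GetSubKeyNames()) {
    if ($sid -like '*_Classes') { continue }      # per-user COM classes, no Run key
    $key = $null
    try {
        $key = $Users.OpenSubKey("$sid\$RunSubKey")   # opened read-only
    } catch {
        continue                                   # no access to this hive
    }
    if ($null -eq $key) { continue }               # hive has no Run key
    try {
        foreach ($name in $key.GetValueNames()) {
            if ($name -like "*$Pattern*") {
                New-Object PSObject -Property @{
                    Sid     = $sid
                    Name    = $name
                    # Stored command line, without expanding %VARIABLES%
                    Command = $key.GetValue($name, $null, $NoExpand)
                }
            }
        }
    } finally {
        $key.Close()
    }
}

if ($hits) {
    $hits | Format-List Sid, Name, Command
} else {
    "No Run value matching '$Pattern' in any loaded user hive."
}
```

If the value is listed again after the fix and a reboot, the Command field shows which program the entry launches at logon.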
 

HWM Fear

New Member
Thread author
Aug 29, 2013
13
Hi, I uploaded the logs as requested. Spybot search and destroy picked up on that persistent entry again. My computer speed is normal and I had hitman pro delete a couple of adware/cookie traces.

Thanks again, for your continued guidance.

Fear
 

Attachments

  • OTL4.txt
    4.7 KB · Views: 96
  • Spybot3.txt
    2.1 KB · Views: 94

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Your spybot version seems to be extremely outdated. It seems like it's from 2009 as the newest version is 2.1 (you have 1.6). Please uninstall your spybot version and if you wish, install the newest version from here: http://www.filehippo.com/download_spybot_search_destroy/

After installation, do a scan and let me know the results.
 
