seeking assistance to remove win32.downloader.gen

leroy17

New Member
Thread author
Jul 21, 2013
9
Seeking assistance with the removal of win32.downloader.gen.

Logs provided as requested.

I really am at a loss as I am not sure what else to do.

Thanks in advance for your assistance.
 

Attachments

  • aswMBR.txt
    1.6 KB · Views: 79
  • OTL.Txt
    72.1 KB · Views: 104
  • Extras.Txt
    57.9 KB · Views: 105

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Hi and welcome to the malwaretips.com forums!

I'm Jack and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.


STEP 1 : Run a scan with Combofix
Please read and follow very carefully the below instructions
 
Download ComboFix from one of the following locations: 

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop  
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

How to run the Combofix scan :
  1. Double click on ComboFix.exe & follow the prompts.
  2. Accept the disclaimer and allow to update if it asks
  3. Combofix will now start scanning your computer.
  4. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Additional notes:
  1. DO NOT mouse-click Combofix's window while it is running. That may cause it to stall.
  2. DO NOT "re-run" Combofix. If you have a problem, reply back for further instructions.
  3. IF after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.


What's next?

Add the following logs to your next post (You can find here details on how to use the Attachment System):
1. Combofix log
2. Let me know if you had any problems with the above instructions and also let me know how things are running now!
 

leroy17

Hi Jack,

Thanks for your reply and assistance.

I have followed your instructions, disabled antivirus, downloaded and updated combo fix and run.

Copy of the text document attached.

Do I run a new scan of, say, Spybot to see if win32.downloader.gen is still there yet?

Thanks again in advance for your assistance.

L
 

Attachments

  • combofix.txt
    11.3 KB · Views: 98

leroy17

Hi Jack,

O.K... this is where I am a complete novice. With what you can see, do you have any recommendations or suggestions about cleaning up what I have or which anti-virus to use as well as spyware etc.?

Thanks mate.

L
 

Jack

Hello,
Can you run the below scans, then run a scan with Spybot and post the log here, so that we may take a look at what files are detected as malware by this antivirus?

STEP 1: Run a computer scan with Malwarebytes Anti-Malware Free
  1. You can download Malwarebytes Anti-Malware Free from the below link.
    MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a new web page from where you can download Malwarebytes Anti-Malware Free)
  2. Double-click mbam-setup.exe and follow the prompts to install the program.
  3. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  4. Once the program has loaded, select Perform full scan, then click on the Scan button.
  5. When the scan is complete, click OK, then Show Results to view the results.
  6. Be sure that everything is checked, and click Remove Selected.
  7. When completed, a log will open in Notepad. Post the log back here.




STEP 2: Run a scan with AdwCleaner

  1. Download AdwCleaner from the below link.
    ADWCLEANER DOWNLOAD LINK: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner (This link will automatically download AdwCleaner on your computer)
  2. Close all open programs and internet browsers.
  3. Double click on adwcleaner.exe to run the tool.
  4. Click on Delete, then confirm each time with Ok.
  5. Your computer will be rebooted automatically. A text file will open after the restart.
  6. Please post the contents of that logfile with your next reply.
  7. You can find the logfile at C:\AdwCleaner[S1].txt as well.

STEP 3: Run a scan with Junkware Removal Tool

  1. Please download Junkware Removal Tool to your desktop from the following link:
    JUNKWARE REMOVAL TOOL DOWNLOAD LINK (This link will automatically download Junkware Removal Tool on your computer)
  2. Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  3. The tool will open and start scanning your system
  4. Please be patient as this can take a while to complete depending on your system's specifications
  5. On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  6. Post the contents of JRT.txt into your next reply


What's next?

Add the following logs to your next post (You can find here details on how to use the Attachment System):
1. Malwarebytes Anti-Malware log
2. AdwCleaner log
3. Junkware Removal Tool log
4. Let me know if you had any problems with the above instructions and also let me know how things are running now!
 

leroy17

Hi Jack,

Thanks again for your assistance.

I have completed step 1 and step 2 (logs attached) however have not been able to effect step 3.

I have been able to download JRT and run both as administrator as advised and also just run however the lines of text keep saying as below.

The system cannot find the path specified.

I attempted this a number of times however the exact same response and then the scan stops and the desktop is normal.

Therefore I am unable to get any JRT.txt log.

Hope this makes sense.

L
 

Attachments

  • mbam-log-2013-08-14 (19-01-18).txt
    1.9 KB · Views: 153
  • AdwCleaner[0].txt
    10.1 KB · Views: 157

leroy17

I forgot to mention that I ran spybot and the win32.downloader.gen was not there.

Just in case I ran it again and it was clear.

Thank you for your time and direction on this.

Now with all the different downloads that I have there now, do I clean these up or leave them alone?

Thanks again with your advice.

L
 

Jack

Great. Let's run these two scans to verify that there are no remaining threats:

STEP 1: Run a scan with ESET Online Scanner
  1. Download ESET Online Scanner utility from the below link
    ESET ONLINE SCANNER DOWNLOAD LINK: http://download.eset.com/special/eos/esetsmartinstaller_enu.exe (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
  3. Check Yes, I accept the Terms of Use
  4. Click the Start button.
  5. Check Scan archives
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push List of found threats
  9. Push Export to Text file and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply. Note - when ESET doesn't find any threats, no report will be created.
  10. Push the back button.
  11. Push Finish

STEP 2: Run a computer scan with HitmanPro
  1. Download the latest official version of HitmanPro.
    HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/ (This link will open a download page in a new window from where you can download HitmanPro)
  2. Start HitmanPro by double clicking on the previously downloaded file and then following the prompts.
    [Image: hitmanproscan4.png]
  3. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below. Click Next.
    [Image: hitmanproscan5.png]
  4. Click Activate free license to start the free 30 days trial and remove the malicious files.
    [Image: hitmanproscan6.png]

What's next?
Attach the following logs to your post (You can find here details on how to use the Attachment System):
1. ESET log
2. HitmanPro Log
3. Let me know if you had any problems with the above instructions and also let me know how things are running now!
 

leroy17

Hi Jack,

Thanks again mate, I appreciate the assistance.

I ran ESET however there were no threats found so no log.

I ran HitmanPro and have the log as attached. I went to reply and could not connect to google. So I restarted laptop and it ran through a slow startup and then HitmanPro ran again and I have a second log as this discovered 41 threats.

Hope that this makes sense.

Overall things appear to be o.k. however I noticed that at times I did not have the small utilities on the desktop (CPU clock, weather, memory etc). Not sure what that was about however it is back now as normal.

Logs attached. Just ran HitmanPro on startup again and all appears clear.

I now have many downloads for this removal, I look forward to any suggestions about what to keep as ongoing protection.

Thank you.
L
 

leroy17

Hi Jack,

For some reason I can't attach the logs from HitmanPro.

The message I am getting is as follows.

The type of file that you attached is not allowed. Please remove the attachment or choose a different type.

It is just a text log, I copied and posted into word and was being advised the same message.

Sorry for such a dumb response.

L
 

Jack

Hello Leroy,
You can just copy/paste the log here. How is everything running, any issues?
 

leroy17

Hi Jack,

I updated and ran the following.

I just ran the ESET and no threats were found and no log created. I also ran Hitman Pro and no threats were found. I saved the log but still not able to attach so I have copied and pasted as below.

All appears to be running correct now, but I am wondering which security and protection I should use as ongoing.

Thanks again and I hope that this log is of assistance.

Regards.

L

Code:
HitmanPro 3.7.7.205
www.hitmanpro.com

   Computer name . . . . : LEIGHANDRACH
   Windows . . . . . . . : 6.0.0.6000.X86/2
   User name . . . . . . : LeighandRach\Leroy & Rach
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (19 days left)

   Scan date . . . . . . : 2013-09-02 05:33:22
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 6m 25s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 280

   Objects scanned . . . : 1,888,232
   Files scanned . . . . : 51,664
   Remnants scanned  . . : 417,514 files / 1,419,054 keys

Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E\ (AskBar)

Cookies _____________________________________________________________________

   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad-apac.doubleclick.net
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.p161.net
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:adserver.adtechus.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:apmebf.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:bs.serving-sys.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:c.atdmt.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:fastclick.net
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:h.atdmt.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:mediaplex.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:overture.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:pool-eu-ie.creative-serving.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:stat.dealtime.com
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:track.adform.net
   C:\Users\Leroy & Rach\AppData\Local\Google\Chrome\User Data\Default\Cookies:www.googleadservices.com
 

Jack

Glad to see that everything is running fine! Let's run these two final scans, then I will give a few tips on how to secure your computer. :)
STEP 1. Run a scan with Kaspersky Virus Removal Tool
Click here to download the Kaspersky Virus Removal Tool: http://www.kaspersky.com/antivirus-removal-tool?form=1
  1. Save it to your desktop.
  2. Double click the setup file to run it.
  3. Follow the onscreen prompts until it is installed
  4. Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
    • System Memory
    • Hidden startup objects
    • Disk boot sectors
    • Local Disk (C:)
    • Also any other drives (Removable that you may have)
  5. Then click on Actions on the left hand side
  6. Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
  7. Click on Automatic Scan
  8. Now click the Start Scanning button, to run the scan
  9. After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side
  10. Click Detected threats on the left
  11. Now click the Save button, and save it as kaslog.txt to your Desktop
  12. Please attach kaslog.txt in your next reply.

STEP 2: Run a scan with Security Check
  1. Download Security Check from the below link:
    SECURITY CHECK DOWNLOAD LINK: http://screen317.spywareinfoforum.org/SecurityCheck.exe (This link will automatically download Security Check on your computer)
  2. Double-click SecurityCheck.exe
  3. Follow the onscreen instructions inside of the black box.
  4. A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What's next?
Attach the following logs to your post (You can find here details on how to use the Attachment System):
1. Kaspersky Virus Removal log
2. Security Check log
3. Let me know if you had any problems with the above instructions and also let me know how things are running now!
 

leroy17

Hi Jack, Thanks again for your assistance with this.

OK, downloaded Kaspersky and it detected 1 threat and I have copied the log as below.

I now have also completed step 2 as you advised and the Notepad document opened however nil information was applied to this document.

The text box for the Administrator: Security Check displays as follows. Note that this is word for word as displayed.


Results have been copied to checkup.txt which should open...now!
The system cannot find the path specified.
The system cannot find the path specified.

I have run this again however received the same result.

I trust that this is of assistance and look forward to your next reply and instruction.

Cheers.
L
 

Attachments

  • kaslog.txt
    256 bytes · Views: 85
