Detection of Win32, etc.

Scanned with Avast this morning. Came up with some infections.

Win32:Dropper-gen
Win32:Malware-gen

I did a Malwarebytes scan a few minutes ago. Attached.

I also did a boot scan which did come up with some related problems. First, how do I get that report?

hello, where did Avast detect that?

attach an OTL diagnostic log: http://forum.avast.com/index.php?topic=53253.0

Here is the OTL Log.

Download and save ADWCleaner to your Desktop (direct link): http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner

Launch it (for Vista / 7 / 8 => right click, “run as administrator”), then click on “Scan”.

When done, click on “Clean” and post C:\AdwCleaner[Sx].txt

How long does this scan take? It has been going for quite a while.

It is saying:

Pending. Please uncheck elements you don’t want to remove.

Here is the ADWCleaner log.

hello

If you have XP => double click
If you have Vista or Windows 7 / 8 => right click, “run as administrator”

on OTL.exe to launch it.

Click here to configure it : http://www.archive-host.com/files/1897388/ecd939269bcc7cdfed2d2e726c22709a32db3067/OTL.PNG

Copy and paste the contents of what follows (in bold) into the box at the bottom of OTL, “Customization” (“Personalization”):

HKCU\Software
HKLM\Software
HKCU\Software\Microsoft\Command Processor /s
HKLM\Software\Microsoft\Command Processor /s
%Homedrive%\*
%Homedrive%\*.
%Userprofile%\*
%Userprofile%\*.
%Allusersprofile%\*
%Allusersprofile%\*.
%LocalAppData%\*
%LocalAppData%\*.
%Userprofile%\Local Settings\Application Data\*
%Userprofile%\Local Settings\Application Data\*.
%programFiles%\*
%programfiles%\Google\Desktop\Install /s
%programFiles%\*.
%Systemroot%\Installer\*.
%Systemroot%\Temp\*.exe /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\system32\*.in*
%systemroot%\Tasks\*
%systemroot%\Tasks\*.
%systemroot%\system32\Tasks\*
%systemroot%\system32\Tasks\*.
%systemroot%\system32\drivers\*.sy* /lockedfiles
%systemroot%\system32\config\*.exe /s
%Systemroot%\ServiceProfiles\*.exe /s
%systemroot%\system32\*.sys
dir %Homedrive%\* /S /A:L /C
msconfig
activex
/md5start
explorer.exe
winlogon.exe
wininit.exe
volsnap.sys
atapi.sys
ndis.sys
cdrom.sys
i8042prt.sys
iastor.sys
tdx.sys
netbt.sys
afd.sys
/md5stop
netsvcs
safebootminimal
safebootnetwork
CREATERESTOREPOINT

Click on “Analyse”

At the end of the scan, Notepad is going to open with the reports (OTL.txt) and (Extras.txt).

These files are on your Desktop.

Give the links to both files.

Sending each report individually. Error message: too large. Hope this works.

Second report

ok

select all this blue text, and CTRL + C:

explorer.exe
iexplore.exe
firefox.exe
msnmsgr.exe
Teatimer.exe

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\NAVEX15.SYS -- (NAVEX15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\NAVENG.SYS -- (NAVENG)
IE - HKLM\..\SearchScopes\{57A0A9D6-7B3C-4CCC-9F38-CBDA0DF2DD6E}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd103&cd=2XzuyEtN2Y1L1Qzu0DtDyDyBzzyDyBtAtB0EtD0A0B0D0BtBtN0D0Tzu0CyCzztCtN1L2XzutBtFtBtFzztFtCtByEyBtN1L1Czu1L1C1H1B1QtCtDtA&cr=98619568&ir=
IE - HKLM\..\SearchScopes\{D7D7E51C-4790-489C-BF78-9B7CA5C3183E}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{57A0A9D6-7B3C-4CCC-9F38-CBDA0DF2DD6E}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd103&cd=2XzuyEtN2Y1L1Qzu0DtDyDyBzzyDyBtAtB0EtD0A0B0D0BtBtN0D0Tzu0CyCzztCtN1L2XzutBtFtBtFzztFtCtByEyBtN1L1Czu1L1C1H1B1QtCtDtA&cr=98619568&ir=
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{6D27FD24-A93D-4FE9-82BD-1630F0045217}: "URL" = http://search.avg.com/route/?d=4cb3188c&v=6.10.6.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{864AD560-E997-43CA-B640-EF7A76453AA3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN38554777102902915&UM=2
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{D7D7E51C-4790-489C-BF78-9B7CA5C3183E}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
FF - user.js - File not found
[2013/11/11 14:57:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Carole\AppData\Roaming\Mozilla\Firefox\Profiles\8bnq2e1v.default\extensions\staged
[2013/11/11 14:57:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Carole\AppData\Roaming\Mozilla\Firefox\Profiles\znyna0n8.default\extensions\staged
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\Software\Policies\Microsoft\Internet Explorer\restrictions present
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - File not found
O33 - MountPoints2\{359f69c8-271d-11e1-aa4b-0026187b353f}\Shell - "" = AutoRun
O33 - MountPoints2\{359f69c8-271d-11e1-aa4b-0026187b353f}\Shell\AutoRun\command - "" = J:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\{359f69f6-271d-11e1-aa4b-0026187b353f}\Shell - "" = AutoRun
O33 - MountPoints2\{359f69f6-271d-11e1-aa4b-0026187b353f}\Shell\AutoRun\command - "" = K:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\{473d4606-1d07-11e1-bfd3-0026187b353f}\Shell - "" = AutoRun
O33 - MountPoints2\{473d4606-1d07-11e1-bfd3-0026187b353f}\Shell\AutoRun\command - "" = J:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\VZAccess_Manager.exe /z detect
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- Reg Error: Key error. File not found
O37 - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - File not found
MsConfig - StartUpReg: DriverScanner - hkey= - key= - File not found
MsConfig - StartUpReg: Google Update - hkey= - key= - File not found
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
[2012/12/04 12:00:45 | 000,027,520 | ---- | C] () -- C:\Users\Carole\AppData\Local\dt.dat
[2012/01/02 09:55:43 | 000,001,290 | -HS- | C] () -- C:\Users\Carole\AppData\Local\702ao54ws08b66585568wakmrl1l858mpw2qq24801e
[2012/01/02 09:55:43 | 000,001,290 | -HS- | C] () -- C:\ProgramData\702ao54ws08b66585568wakmrl1l858mpw2qq24801e
[2007/10/12 13:56:51 | 004,194,441 | ---- | C] () -- C:\Users\Carole\AppData\Roaming\sdi.db
[2012/06/22 11:08:58 | 000,000,000 | ---D | M] -- C:\ProgramData\blekkotb_031
[2013/09/06 13:34:10 | 000,000,000 | ---D | M] -- C:\ProgramData\Spybot - Search & Destroy
[2012/06/22 10:35:21 | 000,000,000 | ---D | M] -- C:\Users\Carole\AppData\Local\blekkotb_031
[2013/09/06 13:34:10 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy

:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""=-
[-HKEY_LOCAL_MACHINE\Software\SUPERAntiSpyware.com]
[-HKEY_LOCAL_MACHINE\Software\Symantec]
[-HKEY_LOCAL_MACHINE\Software\Safer Networking Limited]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0

:commands
[emptytemp]

open OTL with right click “run as administrator”, paste the text where you pasted before, under “personalization”, and click “RUN FIX”

after the reboot, attach C:\_OTL\Moved Files\<date_and_hour>.txt
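The fix above was put together by reading the OTL log by hand: orphaned entries that point at files or CLSIDs that no longer exist, search scopes redirected to third-party providers, AutoRun commands registered for removable drives, and a proxy setting worth double-checking. As an added example (not OTL's code and not part of this thread), the Python script below does that first triage pass automatically on OTL-style lines. The sample log is built from lines quoted earlier in this thread, with the backslashes the forum extraction dropped restored, plus one constructed, healthy O4 entry for contrast; the bucket names and the report layout are this example's own.

```python
"""Triage OTL-style log lines into the buckets a helper reviews by hand.

Added example, not OTL's own code.  The sample lines are copied from the
thread above (with the lost backslashes restored); the final O4 line is a
constructed, healthy entry included for contrast.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20081126.003\NAVEX15.SYS -- (NAVEX15)
IE - HKLM\..\SearchScopes\{D7D7E51C-4790-489C-BF78-9B7CA5C3183E}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\..\SearchScopes\{864AD560-E997-43CA-B640-EF7A76453AA3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN38554777102902915&UM=2
IE - HKU\S-1-5-21-2496689375-1795694736-1448263659-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - File not found
O33 - MountPoints2\{359f69c8-271d-11e1-aa4b-0026187b353f}\Shell\AutoRun\command - "" = J:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\VZAccess_Manager.exe /z detect
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Corp)
"""

# Markers OTL prints for registry entries whose target no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")

SEARCHSCOPE_RE = re.compile(
    r'SearchScopes\\\{(?P<clsid>[0-9A-Fa-f-]+)\}: "URL" = (?P<url>\S+)')
AUTORUN_RE = re.compile(
    r'MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
PROXY_RE = re.compile(r'"ProxyEnable" = (?P<val>\d+)')


def triage(log_text):
    """Sort each log line into one bucket; keep enough to find the line again."""
    report = {
        "orphans": [],        # (section, line) for entries pointing at missing files/CLSIDs
        "search_scopes": [],  # (CLSID, hostname) for each IE search provider
        "autoruns": [],       # (MountPoints2 key, command) for removable-media AutoRun
        "proxy_enabled": False,
        "other": 0,           # lines that matched none of the buckets
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]   # "DRV", "IE", "O2", "O33", ...

        m = SEARCHSCOPE_RE.search(line)
        if m:
            # The hostname is what matters; the long query string is noise.
            host = urlparse(m.group("url")).hostname
            report["search_scopes"].append((m.group("clsid").upper(), host))
            continue
        m = AUTORUN_RE.search(line)
        if m:
            report["autoruns"].append((m.group("key"), m.group("cmd")))
            continue
        m = PROXY_RE.search(line)
        if m:
            report["proxy_enabled"] = m.group("val") != "0"
            continue
        if any(marker in line for marker in ORPHAN_MARKERS):
            report["orphans"].append((section, line))
            continue
        report["other"] += 1
    return report


def summarize(report):
    """Render the buckets as the short checklist read before writing a fix."""
    out = [f"{len(report['orphans'])} orphaned entries: "
           + ", ".join(sec for sec, _ in report["orphans"])]
    for clsid, host in report["search_scopes"]:
        out.append(f"search scope {clsid} -> {host}")
    for key, cmd in report["autoruns"]:
        out.append(f"AutoRun on {key}: {cmd}")
    out.append("proxy enabled: "
               + ("yes (confirm it is expected)" if report["proxy_enabled"] else "no"))
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

The buckets map one-to-one onto the groups of lines the helper copied into the :OTL section above, and reducing each search scope to its hostname (ask.com, conduit.com) makes the redirected providers visible without decoding the query strings. Lines that match no bucket are only counted, so a healthy entry like the constructed O4 line is left alone.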

OTL stopped working about the time that it was ready to reboot. I had to shut down and reboot manually. What should I do? Should I redo the RUN FIX or should I send the report as is? Will wait for your reply.

just send this report: C:\_OTL\Moved Files\<date_and_hour>.log

Okay, attempted to find this:
C:\_OTL\Moved Files\<date_and_hour>.log

Am not able to get past the Moved Files. I get the _OTL\Moved Files and when I click the Moved Files here is what I get: 12042013_084422

If I click that I get: C_Program Files and C_Program Data and C_Users

If I click either of them I get: C_Program Files Spybot - Search & Destroy

If I go beyond that it still does not give any log.

redo the RUN FIX in safemode

Finally got it. Thanks for the safe mode suggestion.

ok, it had already worked in normal mode, I don’t understand why it didn’t give a log.

look whether Avast still detects what it did at the beginning of the topic

Avast clear

Malwarebytes detected one. Attached.

delete this folder

C:\temp

that’s all

if you understand this Google Translate page: http://translate.google.fr/translate?sl=fr&tl=en&js=n&prev=_t&hl=fr&ie=UTF-8&u=http%3A%2F%2Fwww.security-helpzone.com%2Fgen-hackman%2Fnettoyage-en-fin-de-desinfection%2F , sorry but it’s in French.

links for FlashPlayer don’t appear in the translation:

Not Internet Explorer:
http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe

Internet Explorer:
http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe

Okay, deleted the Temp folder.

About the other things that you posted about, are these things that I should be doing? A different PDF reader, etc. I guess I don’t understand that part. Also, about the FlashPlayer: is this something that you think I need? Or are you suggesting that I get away from Adobe? Just wondering.

Thank you so much for all of your help.