I am having issues with Avast blocking Win32:Malware-gen and Win32:Downloader-PKU[Trj] threats every five minutes or so. I have downloaded and tried all of the free malware scanners I could find. Emsisoft Malware Guard was the best one at finding the threats, but when you tried to delete them it crashed the computer, and now I have followed the directions in the forum and run Malwarebytes Anti-Malware, OTL, and aswMBR. I have attached all logs in ANSI format as described in the posting. Any help would be greatly appreciated. Thanks in advance. Rick
You seem to be running Avast and Norton/Symantec.
Running multiple AVs can result in mysterious Windows errors and false positive detections, so one must go.
It is also recommended that you run the vendor's removal tool to clear any leftover files that may conflict.
Run and reboot - Uninstallers – Security Software http://singularlabs.com/uninstallers/security-software/
There also seem to be some other programs in there.
I would remove everything but Avast and Malwarebytes.
Anyway, you seem to have a Sirefef rootkit infection…
Malware removers are notified. It may take several hours before one arrives, so be patient.
Hello @shaggy27
Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read these instructions.
Step 1
Re-run OTL.exe.
Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.
:OTL
IE - HKU\S-1-5-21-1304161200-2304127156-581296910-1001\..\SearchScopes\{4F4B75E9-B324-49DB-B41D-7C414B55EBA6}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=AVR-3&o=APN10400&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^ABY&apn_dtid=^YYYYYY^YY^US&apn_uid=3f963861-374f-4c1c-83cf-a458950a9168&apn_sauid=D3052367-C57B-4410-BF8E-08A19D2B73C8
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10400&locale=en_US&apn_uid=3f963861-374f-4c1c-83cf-a458950a9168&apn_ptnrs=%5EABY&apn_sauid=D3052367-C57B-4410-BF8E-08A19D2B73C8&apn_dtid=%5EYYYYYY%5EYY%5EUS&&q="
O3 - HKU\S-1-5-21-1304161200-2304127156-581296910-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1304161200-2304127156-581296910-1001\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1304161200-2304127156-581296910-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-1304161200-2304127156-581296910-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O33 - MountPoints2\{7835628d-2382-11e0-9bf0-00266ca1b62c}\Shell - "" = AutoRun
O33 - MountPoints2\{7835628d-2382-11e0-9bf0-00266ca1b62c}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
:files
ipconfig /flushdns /c
C:\windows\Installer\{e51ccf42-bba8-6d61-ba71-955d2dd9bc00}
C:\Users\Rick\AppData\Local\{e51ccf42-bba8-6d61-ba71-955d2dd9bc00}
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22
:services
PCCUJobMgr
:Commands
[purity]
[emptytemp]
[Reboot]
Then click the Run Fix button at the top.
Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
Step 2
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program as before.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.
I have followed all of the directions in your post. I am attaching the OTL and ComboFix log reports. After the computer restarted following the ComboFix run, I received a registry error dialog box. Then, when I clicked on IE, it also gave me a registry error: this file has been deleted. I then downloaded IE 9 on another computer and reinstalled it. So far so good. No more malware errors being blocked by Avast. Thanks so much for your help. I really appreciate it. Thanks, Rick.
He is not finished, so don't go away before he says so.
OK
It is necessary to uninstall ComboFix:
Start (Windows logo key) >> Run
Combofix /Uninstall
Enter
Re-run OTL and click the CleanUp! button.
This will also remove the other tools that we used.
Open Notepad and copy/paste the text inside the code box below:
REGEDIT4

; Restores the default LSA "Security Packages" list:
; kerberos, msv1_0, schannel, wdigest, tspkg, pku2u
; (REGEDIT4 header: the hex(7) data below is single-byte ANSI, not UTF-16LE)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,74,73,70,6b,67,00,70,6b,75,\
32,75,00,00
Save this as Fix.reg.
Double-click Fix.reg > Yes > OK
Reboot.
That would be all.
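The Fix.reg in the post above rewrites the LSA "Security Packages" value, the REG_MULTI_SZ list of DLLs that lsass.exe loads as security support providers at boot; an extra, non-default entry there is a persistence mechanism, and a .reg file restores the known-good list. The following is an added example, not code from the forum, the helper or any of the tools used in the thread: it parses the hex(7) payload of a .reg file (single-byte ANSI under a REGEDIT4 header, UTF-16LE under "Windows Registry Editor Version 5.00"), decodes it into the list of package names, and flags entries that are not in the baseline. The .reg text is embedded as a constructed string built from the fix in the post, the function names are my own, and the "constructed_extra_package" entry in the demo is a made-up placeholder, not a real malware identifier.

```python
import re

# The LSA key the fix targets, taken from the post above.
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Default list the fix writes back (decoded from its hex(7) payload).
BASELINE = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"]

# Constructed copy of the Fix.reg from the post, embedded so this runs offline.
# REGEDIT4 is the header matching its single-byte (ANSI) hex(7) encoding.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
  63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,74,73,70,6b,67,00,70,6b,75,\
  32,75,00,00
"""


def _join_continuations(text):
    """Join lines that end in a backslash, the .reg line-continuation marker."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    return lines


def parse_reg_multi_sz(text):
    """Return {(key, value_name): [strings]} for every hex(7) value in a .reg text.

    REGEDIT4 files store hex(7) data as single-byte ANSI; version 5.00 files
    store it as UTF-16LE. The header line decides which decoding is used.
    """
    lines = _join_continuations(text)
    version5 = bool(lines) and lines[0].startswith("Windows Registry Editor")
    encoding = "utf-16-le" if version5 else "latin-1"
    result = {}
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"(.*)"=hex\(7\):(.*)$', line)
        if not m or key is None:
            continue
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        data = raw.decode(encoding)
        # REG_MULTI_SZ is NUL-separated and terminated by a double NUL.
        result[(key, m.group(1))] = [s for s in data.split("\x00") if s]
    return result


def encode_multi_sz(strings, version5=False):
    """Inverse of the parser: the hex(7) payload for a list of strings."""
    data = "\x00".join(strings) + "\x00\x00"
    raw = data.encode("utf-16-le" if version5 else "latin-1")
    return ",".join(f"{b:02x}" for b in raw)


def build_reg(key, name, strings, version5=False):
    """Produce a minimal .reg text that sets one REG_MULTI_SZ value."""
    header = "Windows Registry Editor Version 5.00" if version5 else "REGEDIT4"
    return f'{header}\n\n[{key}]\n"{name}"=hex(7):{encode_multi_sz(strings, version5)}\n'


def unexpected_packages(packages, baseline=BASELINE):
    """Entries absent from the baseline: the sign of an injected security package."""
    return [p for p in packages if p.lower() not in baseline]


if __name__ == "__main__":
    for (key, name), strings in parse_reg_multi_sz(FIX_REG).items():
        print(f"{key}\\{name} -> {strings}")
    # Constructed example of a tampered list: one extra, non-default entry.
    sample = BASELINE + ["constructed_extra_package"]
    print("unexpected entries:", unexpected_packages(sample))
```

To audit a live machine the same check applies to the output of `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages"`; the list above is the one the fix restores, so anything else in that value deserves a look before rebooting.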