trojan.gen.2.

Ryan_Black134 · ‎06-12-2012

norton is finding and fixing the problem but every time i start my laptop the same problem is coming up norton is also popping up saying that it is blocking windows defender from accesing internet

below is what it is telling me but i cant seem to get rid of it wha shuld i do?

Quads · ‎07-21-2008

Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes )
Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

Download OTL hxxp://oldtimer.geekstogo.com/OTL.exe (change the hxxp to http) save it to your Desktop.

Double click on OTL.exe to run it. Right click OTL.exe and select run as administator for Vista and Win 7.

Disable Norton for say 30 minutes

Start OTL,

Click the Scan All Users checkbox.

Change file age to 60 days

under Copy and paste what is below between the lines

msconfig
activex
drivers32
netsvcs
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe

mswsock.dll
wininit.exe
services.exe

svchost.exe
tdx.sys
afd.sys
cdrom.sys
i8042prt.sys
netbt.sys
redbook.sys

mrxsmb.sys

/md5stop

hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Press the

An OTL.txt will be created.

Quads

Ryan_Black134 · ‎06-12-2012

ok its running a scan now

Ryan_Black134 · ‎06-12-2012

ok we got 2 files

Quads · ‎07-21-2008

I have found some of it and one file I am trying to work out what it is.

seeing on your screenshot can you instead please click the Copy to Clipbard button, then you can paste the info back in a message.

Quads

Ryan_Black134 · ‎06-12-2012

Full Path: c:\users\michael\appdata\roaming\windowsdefender.exe
Threat: Trojan.Gen.2
____________________________
____________________________
On computers as of 07/06/2012 at 16:51:34
Last Used 12/06/2012 at 19:37:39
Startup Item Yes
Launched Yes
____________________________
____________________________
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
____________________________
Very New
This file was released less than 1 week ago.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________

Source File:
zipper.exe
File Created:
java.exe
File Created:
gpjcpaqu.exe
File Created:
windowsdefender.exe
____________________________
File Actions
File: c:\users\michael\appdata\roaming\local.exe
Removed
Event: Running process: c:\Users\Michael\AppData\Roaming\windowsdefender.exe
No fix attempted
Infected file: c:\Users\Michael\AppData\Roaming\windowsdefender.exe
No fix attempted
____________________________
Registry Actions
Registry change: HKEY_USERS\S-1-5-21-2987770335-1501293673-996271820-1000\Software\Microsoft\Windows\CurrentVersion\Run->local
No fix attempted
____________________________
File Thumbprint - SHA:
8a2064e75ef38ac022dbaacb03bb24e3c2faa8fba69f8dde1f6c0ff5a2d370bc
____________________________
File Thumbprint - MD5:
b185b3888b39105c76f97735c28019fd
____________________________

Ryan_Black134 · ‎06-12-2012

When i click locate it is bringing up roaming windows defender as the infected area

Quads · ‎07-21-2008

Disable Norton for say 30 minutes

Start OTL, under Copy and paste the custom script attached which you open in for instance Notepad,(include the : at the start of :OTL and all the way to the end / bottom) and run the script. (Red Run Fix Button)

The output log, should be placed in the C:\ _OTL folder after.

Quads

Ryan_Black134 · ‎06-12-2012

ok it did that rebooted and i got this when it loaded up

Quads · ‎07-21-2008

Did that stop the detections??

Items involved and OTL moved

Registry value HKEY_USERS\S-1-5-21-2987770335-1501293673-996271820-1000\Software\Microsoft\Windows\CurrentVersion\Run\\dymqxyyv deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2987770335-1501293673-996271820-1000\Software\Microsoft\Windows\CurrentVersion\Run\\winlogon deleted successfully.
C:\Users\Michael\AppData\Roaming\LivestreamerDFLS4d.exe moved successfully.

C:\Users\Michael\AppData\Roaming\keylog moved successfully.
File C:\Users\Michael\AppData\Roaming\LivestreamerDFLS4d.exe not found.
C:\Users\Michael\gpJCpAQu.exe moved successfully.
File\Folder c:\users\michael\appdata\roaming\local.exe not found.
File\Folder c:\Users\Michael\AppData\Roaming\windowsdefender.exe not found.

Quads