
Trojan.Multi.GenAutorunReg.a striking again



Hi,

yeah, well -- I guess, now it's my turn to confess I've done something very, very stupid (that I'd normally never do, of course) by downloading a video from a rather dubious site yesterday.

And it didn't take too long, until Kaspersky Internet Security detected the malware during a routine Rootkit search last night -- after shamelessly letting it through in the first place.

Since then, I've run Kaspersky's "de-infect" function, followed by a complete search of my whole system, about 5 times, only to have the "malware found" notification

pop up again, after a couple of hours, each and every time. Luckily, I haven't really noticed any other weird things happening on my computer so far (apart from Thunderbird

refusing to start at a certain point, but that's now working again), and to my knowledge, my system has never been infected with malware before, in the 5+ years of using it.

So, I finally found this wonderful forum, installed MalwareBytes, ran a Threat Scan and followed the instructions in the "I'm infected" thread.

Please find attached all the relevant files. Unfortunately, FRST is running in German on my system -- I hope that isn't too much of a problem.
If it is, please tell me how to change the language to English.

Thank you for your support in advance!

ThreatScan.txt

Addition.txt

FRST.txt

Edited by NoahGrimaldi

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please let me know what problem persists.

fixlist.txt


Hello,

while I was waiting for further instructions, I ran another complete scan with Kaspersky Internet Security and, shockingly, it detected another object - HEUR:Trojan.Win32.Generic - which it classified as malware and told me to delete it, which I did. However, after completing the scan, KIS tells me that "1 object [exactly the one mentioned above] was not processed". Please see the KIS report below.
(Language is German, because I can't change it to English. The standard method Shift+F12 doesn't work, it makes my system shut down and restart. In the report below, "nicht bearbeitet" means "not processed / not handled / done nothing about it" and "zurückgestellt" means "deferred".)

The malware that this thread is actually about doesn't seem to have been found by KIS this time around.

How do we proceed now?

 

KIS_report.txt

Edited by NoahGrimaldi

Hi,

This looks like Kaspersky has detected the attack and has removed it.
What you got is possibly a notification.

You can stop these notifications.

Navigate to this page.
https://www.howtogeek.com/289054/how-to-get-rid-of-kasperskys-notifications-sounds-and-bundled-software/

Follow the instructions under this section.
Disable Most of Kaspersky’s Notifications, Sounds, and Advertisements

===

Keep me posted if you have any issues with this computer.


Thanks for your prompt response.

Actually, what the report says is that the "object found (system memory) was not processed",
and Kaspersky is now showing it as a threat again, giving me the option to "de-infect",
just as it already happened several times before.

(Only that Kaspersky's "de-infection" never fixed anything.)

So, I'm basically exactly where I was when I started this thread again.

What should I do now?

 

Edited by NoahGrimaldi

Additional info:

Kaspersky has also been notifying me that Thunderbird "can't be protected because of an unknown mistake",
and the update function they offer (Thunderbird needs to be updated) is also not working.

I noticed this issue at the same time when the malware was first detected, but don't know if they're interrelated.

 


As I already explained, Kaspersky is still notifying me that the malware Trojan.Multi.GenAutorunReg.a
has been found on my computer (see KIS report #6), i.e. according to KIS it is still there,
and urging me to "de-infect" (see #6 and #8).

Every time I tried to "de-infect" with KIS, though, it didn't work - neither did the fix you suggested in #2,
according to KIS's notifications.

I guess that is a problem (right?), since I should not have malware on my computer,
although there haven't been visible consequences or damages yet.

Any more suggestions how to get rid of Trojan.Multi.GenAutorunReg.a
or be sure that it is a false positive (if that's what you're suggesting)?

However, it's probably not so far-fetched to believe that there might be a connection between the
video download (see post #1) and KIS finding the above-mentioned object only a couple of hours later?
(Never happened before, in 5+ years.)

Thanks a lot for your time and support so far.

Edited by NoahGrimaldi

Hi,

"I guess that is a problem (right?), since I should not have malware on my computer,
although there haven't been visible consequences or damages yet."

KIS uses heuristic means to find malware.
If it is found in a file and in their database, it's removed.
Strings in files can trigger this heuristic detection, but they cannot be removed by KIS because it could cause the loss of some important information/file.

In the KIS_report_2.txt I see this file.

mortgage_information_pamphlet.exe

and an archive file.

C:\Users\RioArp\AppData\Roaming\Thunderbird\Profiles\lusljeob.default\ImapMail\d284.x-mailer.de\Archives

If this file is important submit it to Virus total for a scan at:
https://www.virustotal.com/#/home/upload

Post the link for my review.

===

If possible delete the Thunderbird cache or old files.
===

Run this scan it may help.

This scan may take an hour or two. Execute it when you know you will not need the computer.

Please scan your computer with ESET Online Scanner.

  • Click on this link to open ESET Online Scanner in a new window.
    1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    2. Close all your programs and browsers.
    3. Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    4. Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.



Please re-enable your antivirus program.


3 weeks later...
Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
