
User Folder "generic" Corrupted


9 replies to this topic

#1 RockMaster

RockMaster

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 08 September 2008 - 11:27 AM

Alright, I'm not entirely sure how or why, but for some reason C:\Users\generic is corrupt. Until now, that hasn't been a problem. However, when I tried to install the XPS/PDF plugin for Word, I got the error that my copy wasn't able to be validated. The fix specified that I delete a file in generic. So, I went to go see how to repair it. I found this: How to Fix Corrupted User Accounts in Vista

I could not complete the fix, no files would copy. So, my next idea was to use the latest Ubuntu build as a Live CD to go in and see if I could get around it. However, I've heard that messing with the NTFS partition from Linux was not exactly safe, and who knows with this corrupted folder, so I don't want to do that just yet. Is there anything else I can do? This computer is very new, so I find it odd that I'm already getting errors like this. As per school mandate, we can only have Sophos Antivirus on here, but I ran Malware-Byte's Antimalware anyway, with no results.

Pertinent System Info:

Vista Business SP1

EDIT: Wait a sec, now it's picking up on a massive trojan infection, and on a Quick Scan no less. Last time I ran it, a Full Scan found nothing. Let's see if this solves the problem.

EDIT2: It came back on the reboot full force. Looks like this is now an infection; could a mod move this to the appropriate section? By the way, here's the log.

Malwarebytes' Anti-Malware 1.27
Database version: 1130
Windows 6.0.6001 Service Pack 1

9/8/2008 1:33:58 PM
mbam-log-2008-09-08 (13-33-57).txt

Scan type: Quick Scan
Objects scanned: 58302
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\generic\svchosts.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\setup.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\runmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\sccs.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\ppxcs.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\xfya.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\oghpd.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\schosst.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\r3.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\xxy_kjvw.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\tfm.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\win.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\smss.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\services.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\ntuser.com (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\nww.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\tmp.exe (Trojan.Dropper) -> Delete on reboot.
C:\Users\generic\result.txt (Malware.Trace) -> Delete on reboot.
C:\Users\generic\nax.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\generic\results.txt (Malware.Trace) -> Delete on reboot.
C:\Users\generic\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\generic\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\generic\win32.exe (Trojan.Dropper) -> Delete on reboot.
C:\Users\generic\win321.exe (Trojan.Dropper) -> Delete on reboot.
C:\Users\generic\wr-1-863 (Trojan.Dropper) -> Delete on reboot.
C:\Users\generic\xXx.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\generic\win.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\generic\ntuser.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\generic\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\Users\generic\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\Users\generic\userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\Users\generic\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.

EDIT3: Well, ran it again (both times in a domain based account with admin rights). Same thing. Ran a full scan from the local admin account, and it picked up nothing until the end, the "Performing Heuristics and Extra Scans" part. Found the exact same infections again. What's up with this? I'm going to try disconnecting my ethernet and giving it another run, with another quick scan this time, since that picks it up just the same.

EDIT4: Ran it at least six times, and it comes back the same every time. I have a feeling that it has something to do with permissions in Vista. Any idea how to fix it? It hasn't done anything beyond making generic inaccessible and slowing my computer down if I let it run for a while, but last time I had a latent infection, it struck months later with an attack that almost ended the life of my computer, so an expedient reply would be appreciated.

Edited by RockMaster, 08 September 2008 - 06:27 PM.

Yes, I am addicted to Orson Scott Card. Can't...stop...reading...
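Two things in the log above are worth pulling out mechanically rather than by eye: the files in C:\Users\generic that carry the names of Windows system binaries (svchost.exe, smss.exe, winlogon.exe and so on, which belong in %SystemRoot%\System32), their one- or two-letter lookalikes (svchosts.exe, schosst.exe, sccs.exe), and the .scr file-type handler that had been changed from the stock "%1" /S to "%1" %*. The script below is an added example, not part of the original post and not Malwarebytes' own code; it parses MBAM-style log lines, applies those path and registry heuristics, and reports what tripped them. The sample log is an excerpt of the one posted above plus one constructed C:\Windows\System32 line as a negative control; the reserved-name list and the edit-distance threshold of 2 are the author's choices, not something MBAM documents.

```python
"""Triage an MBAM-style scan log (added example, not the original post's code).

Heuristics applied to each "Files Infected" line:
  masquerade        - exact name of a Windows system binary outside the system dirs
  lookalike         - within edit distance 2 of such a name (svchosts.exe, sccs.exe)
  profile_root_exe  - an executable dropped straight into C:\\Users\\<name>\\
And for "Registry Data Items Infected": whether HKCR\\scrfile\\shell\\open\\command
was changed from its stock value '"%1" /S'.
"""
import ntpath
import re

# Binaries that legitimately live only in %SystemRoot% or System32/SysWOW64 (assumed list).
RESERVED_NAMES = {
    "svchost.exe", "smss.exe", "services.exe", "winlogon.exe", "spoolsv.exe",
    "userinit.exe", "rundll32.exe", "lsass.exe", "csrss.exe", "explorer.exe",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
EXECUTABLE_EXT = {".exe", ".com", ".dll", ".scr", ".pif", ".bat", ".cmd"}
SCRFILE_GOOD = '"%1" /S'  # stock open command for .scr files, as the log itself reports

FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> ")
REG_DATA_LINE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.+?)\) Good: \((?P<good>.+?)\) -> "
)

# Excerpt of the posted log, plus one constructed System32 line as a negative control.
SAMPLE_LOG = r"""
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.
C:\Users\generic\svchosts.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\sccs.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\schosst.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\ntuser.com (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\result.txt (Malware.Trace) -> Delete on reboot.
C:\Users\generic\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\generic\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\smss.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\generic\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\Users\generic\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
C:\Windows\System32\svchost.exe (Constructed.Control) -> No action taken.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names like schosst.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text):
    """Return (file_hits, registry_data_hits) as lists of dicts from an MBAM log."""
    files, regdata = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_DATA_LINE.match(line)
        if m:
            regdata.append(m.groupdict())
            continue
        m = FILE_LINE.match(line)
        if m:
            files.append(m.groupdict())
    return files, regdata


def classify_path(path):
    """Return the list of heuristics a path trips (empty for nothing suspicious)."""
    directory, name = ntpath.split(path)
    low_dir, low_name = directory.lower(), name.lower()
    if low_dir in SYSTEM_DIRS:
        return []  # a system binary in its real home is not a finding
    reasons = []
    if low_name in RESERVED_NAMES:
        reasons.append("masquerade")
    elif any(edit_distance(low_name, r) <= 2 for r in RESERVED_NAMES):
        reasons.append("lookalike")
    parts = [p for p in low_dir.split("\\") if p]  # c:\users\<name> -> 3 parts
    if (len(parts) == 3 and parts[0] == "c:" and parts[1] == "users"
            and ntpath.splitext(low_name)[1] in EXECUTABLE_EXT):
        reasons.append("profile_root_exe")
    return reasons


def triage(log_text):
    """Group file hits by heuristic and flag a tampered .scr open command."""
    files, regdata = parse_log(log_text)
    report = {"masquerade": [], "lookalike": [], "profile_root_exe": [], "scrfile_bad_command": None}
    for f in files:
        for reason in classify_path(f["path"]):
            report[reason].append(f["path"])
    for r in regdata:
        if (r["key"].lower().startswith(r"hkey_classes_root\scrfile\shell\open\command")
                and r["bad"] != SCRFILE_GOOD):
            report["scrfile_bad_command"] = r["bad"]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The masquerade and lookalike checks are purely name-and-location tests, so they would also flag a legitimate copy someone made by hand; they are a triage aid for reading a log like this one, not a verdict. The .scr handler check matters because "%1" %* runs a screensaver file as an ordinary program with arguments, which is the state the log reports MBAM repaired.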


#2 RockMaster

RockMaster
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 10 September 2008 - 10:32 AM

Well, it's been a few days and my computer is becoming increasingly unstable, and I have yet to get a single response. Does anyone have any idea what infection could take control over all these important system files?

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:32 PM

Posted 10 September 2008 - 04:21 PM

Hello, first I need to ask the obvious: did you do the reboot that is required? Please update MBAM, rescan and post a new log.
Let's run this if you can. It is stronger from safe mode.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 RockMaster

RockMaster
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 10 September 2008 - 10:37 PM

Yes, I've run and rebooted at least 6 times, and MBAM is updated. This log is from before the reboot, but it is the exact same log every time. I have yet to try Safe Mode with either program, but I will run this scanner and post the log soon.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:32 PM

Posted 10 September 2008 - 10:43 PM

Ok, good, that will help.

#6 RockMaster

RockMaster
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 13 September 2008 - 10:25 AM

Alright, I ran it and got just tracking cookies. For some reason it didn't save the log though, unless it's only capable of being seen from the Administrator account where I ran the scan. I also noticed this when I was in non-safe mode administrator a while back:

Posted Image

This happened while simply opening a normal Word document. I know that some famous viruses in the past have used Word templates to infect/spread; could this possibly be the case?

Edited by RockMaster, 13 September 2008 - 10:26 AM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:32 PM

Posted 13 September 2008 - 08:37 PM

Do you have QuickBooks by Intuit installed??

Error: "Building Blocks.dotx is locked for editing by <username>"
http://support.quickbooks.intuit.com/suppo...article/1008192

#8 RockMaster

RockMaster
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 13 September 2008 - 10:08 PM

Never heard of it. Still getting periodic slowdown, still can't access the generic folder. It appears as though validation for Word through Word itself can be done, but not from the website, which is odd. Also, slowdown is aggravated most by hibernation or system strain. It doesn't seem to be normal slowdown though, because my computer wasn't this prone to it just a short time ago. Sudden thought though: could using Tune Up Utilities 2008 cause instability? It seems to like to mess with system files without really telling me what it does.

#9 RockMaster

RockMaster
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:32 AM

Posted 18 September 2008 - 09:09 AM

Alright, it's been nearly a week, probably safe to bump this back up to the top. Still having some odd slowdown that really shouldn't exist on a computer less than a month old with the kind of specs it's got.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:32 PM

Posted 18 September 2008 - 04:13 PM

Perhaps it is best to let the HJT Team have a look.

Preparation Guide for use before posting a HijackThis Log

Edited by boopme, 18 September 2008 - 04:13 PM.
