Struggling with malware-gen

[NedTheSnake]

Hello,

I am afraid I am another victim of Malware-gen, as Avast likes to remind me (
I have followed all instructions found on other people's posts but I guess each infection is specific so the removal parameters have to be as well...

So, instead I have followed the "Malwarebytes Anti-Malware" then "OTS" scan approach and I now hope someone can help me eradicate my unwanted visitor.

Could you guys please help my desperate self? 

More specifically, I have:

1. Malwarebytes' Anti-Malware
  * Installed mbam and downloaded the update
  * Performed a quick scan
  * Restarted my PC
  * Pasted the log file contents at the end of this post

2. OTS
  * Downloaded OTS
  * Close all other programs (but Avast)
  * Started OTS
  * Checked the box that says Scan All Users
  * Under Additional Scans checked the following:
    - Reg - Shell Spawning
    - File - Lop Check
    - File - Purity Scan
    - Evnt - EvtViewer (last 10)
  * Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
  * Clicked "Run Scan"
  * Uploaded the resulting log file here: http://www.mediafire.com/?b9y0vhdhh83bby3

===============================

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4610

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

14/09/2010 21:50:18
mbam-log-2010-09-14 (21-50-18).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 311839
Time elapsed: 1 hour(s), 30 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\z\keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

===========================================================

Again, thanks in advance!

[polonus]

Hi NedTheSnake,

Concerning this malware,
 %SysDir%\keygen.exe

Name    %SysDir%\keygen.exe

Description
   keygen.exe is a worm W32.Delf-LY.
keygen.exe spreads via file sharing on P2P networks.
Related files:
%System%\keygen.exe
%System%\svchost.exe
More info: http://www.sophos.com/security/analyses/viruses-and-spyware/w32delfly.html
Removal:
Kill keygen.exe process and remove keygen.exe from Windows startup.

polonus

[essexboy]

Once this run is complete can you let me know what problems remain

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {BB902710-259F-4FA2-9A5B-12F1E8E0B8A7} [HKLM] -> C:\Windows\System32\dlo5fae.dll []
[Files/Folders - Created Within 30 Days]
NY ->  z -> C:\z
NY ->  tmp1 -> C:\tmp1
[Files/Folders - Modified Within 30 Days]
NY ->  T8O1x6Vak.dat -> C:\ProgramData\T8O1x6Vak.dat
NY ->  z -> C:\Users\God\z
NY ->  ÐøÃ -> C:\Windows\ÐøÃ
[Files - No Company Name]
NY ->  z -> C:\Users\God\z
NY ->  T8O1x6Vak.dat -> C:\ProgramData\T8O1x6Vak.dat
[Custom Items]
:files
C:\Windows\tasks\At*.job
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

[NedTheSnake]

EssexBoy,

Thanks so much for your help.  
After following your instructions, OTS said it had to reboot. After rebooting, here is the log I got: http://www.mediafire.com/?b9qa9x4xle90bli

Do I need to do anything more?

Thanks a bunch!
Ned

[essexboy]

Lets have a quick look for orphans - what problems are apparent now ?

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

[NedTheSnake]

Hi EssexBoy,

Following your instructions, the results look encouraging... Are they really?
I do not notice anything wrong now but the virus was not that visible before (sometimes several hours without anything wrong)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4623

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15/09/2010 22:21:54
mbam-log-2010-09-15 (22-21-54).txt

Scan type: Quick scan
Objects scanned: 136095
Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[essexboy]

Leave it run for 24 hours and if there are no further problems I will remove my tools and tidy you up 

[NedTheSnake]

Great! Is it ok if I run a deep scan of Avast, Windows Defender and MalwareBytes AntiMalware?

Is there a risk that my external hard drive, which I disconnected since the virus showed up, has been infected as well? If so, should I run a scan for it too?

Many many thanks,
Ned

[NedTheSnake]

Hello,
I went ahead and ran full scans on the various tools I have. Results are:
* Malware Bytes Anti Malware - Full scan: nothing found
* Windows Defender - Full scan: nothing found
* OTS - Scan All Users + "All" options selected for processes, modules, etc. + all additional scans checkboxes ticked: nothing found
* Avast Full scan: 3 Trojan-gen threats detected, as shown in screenshot http://www.mediafire.com/?7jahw2j7ha2337m

I have not selected the action to perform in Avast yet.
What should I do here and then?

Many thanks,
Ned

[essexboy]

Let Avast remove them as they are temporary files

Any further re-currence ?

[NedTheSnake]

Hi EssexBoy,
This worked great - thanks soooooo much! 
Cheers,
Ned

[NedTheSnake]

Actually, while all scans are negative, I have a new issue, which is that Windows Update does not work anymore and gives me an error code 88072EFE. Googling that, I see that this can be affected by viruses.
Do you think this could be related here? :s
Thx,
Ned

[essexboy]

Try the MS fixit from here http://support.microsoft.com/kb/971058 as that is an unusual error