Avast WEBforum

Other => Viruses and worms => Topic started by: sethuaug08 on December 03, 2009, 08:17:43 AM

Title: Win32-Malware-gen --> Unable to remove this malware
Post by: sethuaug08 on December 03, 2009, 08:17:43 AM

Hi Support Team,

I am using Avast Home Edition , My Virus database has been updated till date, but am keep getting the message that avast has detected a "Win32-Malware-gen" Virus/worm , it says recommended option to " Move to Chest " ,i tried to move it, but i keep getting this message various number of times , which is frustrating, And i tried with " delete " and " repair " option as well, which results the same.

Is that mean that avast is unable to delete that virus ? or please advise .

I would be happy if you guys can help me out to resolve this problem permanently.

Anyone who would like to help me can email me @ sethuaug08@gmail.com

Thanks for all your help in advance.

Regards,
Sethu

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: hpguru on December 06, 2009, 04:05:08 PM

Is your problem resolved by email?

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on December 06, 2009, 04:07:03 PM

What is the file name and location ?

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: richdebc on December 06, 2009, 05:08:00 PM

I've just found exactly the same problem, and would love to know what to do about it! Don't want to hijack the thread, but my file is C:\Documents and Settings\Administrator\Application Data\Macromedia\Common\01b6201019.exe - there's also a dll with the same name there.

Cheers.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on December 06, 2009, 07:57:42 PM

@richdebc

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: BradJ on December 07, 2009, 01:03:35 PM

Does it seem like a similar problem I have been having here:

http://forum.avast.com/index.php?topic=51859.0

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: richdebc on December 07, 2009, 08:39:05 PM

Thanks Essexboy. MBAM kept crashing, including after I reinstalled it, but once I got as far as telling it to remove the 17 problems it found before it crashed.

After that I ran a Boot-time scan using Avast! which found a whole host of infected files. I moved them all to the chest except explorer.exe which it wouldn't move. Now there's no sign of the virus - I can't figure out if it's actually gone though, since explorer wasn't dealt with? A jotti scan of explorer.exe found nothing, and the computer seems to be working fine.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on December 07, 2009, 09:34:51 PM

@richdebc Explorer was probably hooked by the malware but not infected

Do you have the MBAM log to see what was there and whether it needs a deeper look

@BradJ Looking now

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: richdebc on December 07, 2009, 10:06:45 PM

This is the log... It missed the exe Avast found as I think it was moved to the chest at the time, but found the dll with the same file name (01b620101).

Cheers.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on December 07, 2009, 10:19:39 PM

msqpdxserv.sys This is a member of the TDSS family so it may be worth doing a deeper scan if you want

If you want a deeper scan

To ensure that I get all the information this log will need to uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
Reg - Shell Spawning
File - Lop Check
File - Purity Scan
Evnt - EvtViewer (last 10)

Under custom scans copy and paste the following

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT[/list]

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: richdebc on December 08, 2009, 09:53:48 PM

OTS seems very thorough! Here's the log: http://www.mediafire.com/?woxiinhztte

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on December 08, 2009, 10:18:00 PM

Aye 'tis a thorough log - so far I can see one downloader plus a few of its mates

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1004336348-879983540-725345543-500\] > -> 
YN -> HKEY_USERS\S-1-5-21-1004336348-879983540-725345543-500\: SearchURL\\"provider" -> gogl
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rundll32.exe" -> []
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "rundll32.exe" -> []
[Files/Folders - Modified Within 30 Days]
NY ->  leocfucb.job -> C:\WINDOWS.0\tasks\leocfucb.job
NY ->  sdfinacs.dll -> C:\WINDOWS.0\sdfinacs.dll
[File - Lop Check]
NY ->  com.gog.downloader.87F90EC6C28C7E479115BE2E026DB87A08BC420D.1 -> C:\Documents and Settings\Administrator\Application Data\com.gog.downloader.87F90EC6C28C7E479115BE2E026DB87A08BC420D.1
[Custom Scans]
YY ->  setuplog.exe -> C:\setuplog.exe
YY ->  WHAT.EXE -> C:\WHAT.EXE
NY ->  1 C:\*.tmp files -> C:\*.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: richdebc on December 08, 2009, 11:01:43 PM

Fix log: http://www.mediafire.com/?zm41mowzgod
OTS log after fix: http://www.mediafire.com/?tcizyjinvb2

Not seen any problems since running the avast boot scan...

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on December 08, 2009, 11:13:26 PM

That looks good

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: richdebc on December 09, 2009, 08:56:17 PM

Brilliant! Thanks so much for your help!

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: shel on January 18, 2010, 01:20:49 AM

aah i av a virus on my computer, tried avast, avg, spybot S&D, malwarebytes n now microsoft security essentials. it's a win32. malware-gen virus/worm. so bloody annoying! anyone know how to get rid of it??? keeps popn up every 10 mins from avast saying caution virus detected, tried deleting file, moving to virus vault n even repairing it n nothing works, even googled it n followed all advice I could find... please HELP me. i tried looking up that OTS thing but can't find it anywhere, can I please have a link to it please? >:( ???

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: DavidR on January 18, 2010, 01:51:47 AM

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

So are you saying that avast can't move it to the chest ?
If so what errors are given (for deletion also) ?

Have you tried an avast boot-time scan - If you have Win2k, XP, vista or Win7 (all 32bit), you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php (http://www.digitalred.com/avast-boot-time.php). Don't opt for deletion (you have no options left), always send to the chest and investigate.

Look in the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file, check this file using notepad and copy and past the info on the detection.

I hope you haven't got AVG and avast installed at the same time, not advised.
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: tehpyro on March 18, 2010, 09:30:49 PM

I have this same problem. I ran malwarebytes, avast, OTS, and my avast full system scan still detects it. When I try to move it to the chest with avast, it says "Error: The system cannot find the file specified (2)"
I'm running windows 7 64-bit so i can't do a boot scan. Can anyone help?

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: DavidR on March 18, 2010, 09:55:54 PM

Help us out with the file name and location.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: tehpyro on March 18, 2010, 11:46:52 PM

under File name it says
'C:\System Volume Information\_restore{615D86ED-B9C8-A1EC-A6CFCAD89AF3}\RP27\A0004670.rbf'

says severity is high =/ at one point my computer said my video driver crashed but was back on and I don't know what else it might do (if that was from it) so I don't know if I should stop everything I'm doing to get rid of it now or not. thanks

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on March 18, 2010, 11:49:31 PM

If it is in the system restore then just reset your restore points

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: DavidR on March 19, 2010, 01:08:22 AM

Quote from: tehpyro on March 18, 2010, 11:46:52 PM

under File name it says
'C:\System Volume Information\_restore{615D86ED-B9C8-A1EC-A6CFCAD89AF3}\RP27\A0004670.rbf'

says severity is high =/ at one point my computer said my video driver crashed but was back on and I don't know what else it might do (if that was from it) so I don't know if I should stop everything I'm doing to get rid of it now or not. thanks

I doubt the video driver crashing has anything to do with this file as restore points are inert, up until you use system restore and go back to a point where the restore point would be included in any system restore.

As essexboy suggests, resetting your restore points will clear this out:
- Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.

- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

~~~~
-- Create Clean Restore Point - Clear old Restore Points.
Create a clean System Restore point:
1. Click Start, All Programs, Accessories, System tools, System Restore.
2. In the pop-up that appears fill in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
5. Click CREATE

You now have a clean restore point, you should clear the old ones:
1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: Tnek on March 19, 2010, 08:06:25 PM

I have the same Win32-Malware-gen that my Avast! home is reporting. I ran OTS, thinking that the report I would get would enable me--by looking at what Essexboy did on December 08, 2009, 08:18:00 PM--to do that same thing. But I can't figure out what to do. Might someone help me as well? I would be most grateful.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: Pondus on March 19, 2010, 08:12:07 PM

Quote from: Tnek on March 19, 2010, 08:06:25 PM

I have the same Win32-Malware-gen that my Avast! home is reporting. I ran OTS, thinking that the report I would get would enable me--by looking at what Essexboy did on December 08, 2009, 08:18:00 PM--to do that same thing. But I can't figure out what to do. Might someone help me as well? I would be most grateful.

you should have started a new topic and not asking for help inside this

Follow this guide from Essexboy and start a new topic where you post the log`s. then Essexboy will help you
http://forum.avast.com/index.php?topic=53253.0

if the log is big: look in down/left corner additional options > attach

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: DavidR on March 19, 2010, 08:38:21 PM

Quote from: GKC on March 19, 2010, 08:06:25 PM

I have the same Win32-Malware-gen that my Avast! home is reporting. I ran OTS, thinking that the report I would get would enable me--by looking at what Essexboy did on December 08, 2009, 08:18:00 PM--to do that same thing. But I can't figure out what to do. Might someone help me as well? I would be most grateful.

Aside from what has been mentioned about creating your own new topic, I doubt that your problem is exactly the same, so stepping into OTS as a first step I feel is too much too soon.

In your new topic please give the following information:
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

What actions did you take upon detection by avast (it should have been sent to the chest) ?

If it is the chest, what is the problem that you feel some other actions are required ?

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on March 19, 2010, 08:45:34 PM

Correct David, generally MBAM will clear the infection by itself, manual cleaning is really only required for the deeper rooted types

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: tehpyro on March 20, 2010, 07:56:54 AM

Well I created a new restore point and deleted old ones, and ran another full avast scan and it still showed up, I think same location and everything. Any other tips? I'd really just feel more comfortable if my scans would turn up clean, even if this has a possibility of not being a problem now =/ thanks

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on March 20, 2010, 02:09:37 PM

I can look deeper if you wish

Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

THEN

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 18, 2010, 04:19:24 PM

**edit**....I apologize, I did what essexboy instructed with logs (OTL) and attached them in that thread....sorry about that!

Hello everyone!

I am having the same trouble with this malware and I cannot remove it using Avast. I'm not too computer savvy so please bear with me. I run AdAware, Avast, Malwarebytes, CC cleaner, and Spybot weekly.

No problems show up except when I run Avast, I get the following message when I start the scan.

File Name:

\\?\globalroot\device\ide\ideport3\worabvpu\worabvpu\z00clicker.dll

Malware Name: Win32: Malware-gen

I can't delete, repair, or move to chest. Here is what is says. "The process cannot access the file because it is being used by another process".

Cannot process "\\?globalroot\device\ide\ideport3\worabvpu\worabvpu\Z00clicker.dtll" file

I have tried rebooting and doing a full computer scan and this hasn't fixed the problem.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on April 18, 2010, 05:38:45 PM

Ah found you - I need to do a rootkit scan for files in that area. Are you suffering from redirects ?

(http://www.geekstogo.com/misc/guide_icons/gmer.png) GMER Rootkit Scanner - Download (http://www.gmer.net/gmer.zip) - Homepage (http://www.gmer.net/)

Download GMER
Extract the contents of the zipped file to desktop.
Double click GMER.exe.

(http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif)

If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
(http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.

**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 22, 2010, 01:47:26 AM

essexboy,

Thank you so much for the detailed instructions the pictures.

Here is that report (sorry it took a few days, I was away).

Again, I really appreciate your help!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 19:23:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Josh\LOCALS~1\Temp\awliyaob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF42486B8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF73EFE64]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF73CFEEE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF73D00E0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF73F0652]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF73F0906]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF424814C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF73EEB64]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF424808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF42480F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF424876E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF73F0D72]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF424872E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF73F0124]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF73CFB5C]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF742B780]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort3 [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [F741EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat EFE78D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on April 22, 2010, 08:45:58 PM

Quote

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF742B780]

This states you have the TDSS rootkit

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.

Extract the file and run it.
Once completed it will create a log in your C:\ drive
Reboot your computer
Please post the contents of that log

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 23, 2010, 02:26:26 AM

Here it is. Thanks again!!

20:21:17:203 3572   TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
20:21:17:203 3572   ================================================================================
20:21:17:203 3572   SystemInfo:

20:21:17:203 3572   OS Version: 5.1.2600 ServicePack: 3.0
20:21:17:203 3572   Product type: Workstation
20:21:17:203 3572   ComputerName: JOSH-DELLE510
20:21:17:203 3572   UserName: Josh
20:21:17:203 3572   Windows directory: C:\WINDOWS
20:21:17:203 3572   Processor architecture: Intel x86
20:21:17:203 3572   Number of processors: 2
20:21:17:203 3572   Page size: 0x1000
20:21:17:203 3572   Boot type: Normal boot
20:21:17:203 3572   ================================================================================
20:21:17:500 3572   UnloadDriverW: NtUnloadDriver error 2
20:21:17:500 3572   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:21:17:875 3572   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:21:17:875 3572   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:17:875 3572   wfopen_ex: Trying to KLMD file open
20:21:17:875 3572   wfopen_ex: File opened ok (Flags 2)
20:21:17:875 3572   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:21:17:875 3572   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:17:875 3572   wfopen_ex: Trying to KLMD file open
20:21:17:875 3572   wfopen_ex: File opened ok (Flags 2)
20:21:17:875 3572   Initialize success
20:21:17:875 3572
20:21:17:875 3572   Scanning   Services ...
20:21:19:640 3572   Raw services enum returned 313 services
20:21:19:656 3572
20:21:19:656 3572   Scanning   Kernel memory ...
20:21:19:656 3572   Devices to scan: 4
20:21:19:656 3572
20:21:19:656 3572   Driver Name: Disk
20:21:19:656 3572   IRP_MJ_CREATE : F7618BB0
20:21:19:656 3572   IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:21:19:656 3572   IRP_MJ_CLOSE : F7618BB0
20:21:19:656 3572   IRP_MJ_READ : F7612D1F
20:21:19:656 3572   IRP_MJ_WRITE : F7612D1F
20:21:19:656 3572   IRP_MJ_QUERY_INFORMATION : 804F4562
20:21:19:656 3572   IRP_MJ_SET_INFORMATION : 804F4562
20:21:19:656 3572   IRP_MJ_QUERY_EA : 804F4562
20:21:19:656 3572   IRP_MJ_SET_EA : 804F4562
20:21:19:656 3572   IRP_MJ_FLUSH_BUFFERS : F76132E2
20:21:19:656 3572   IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:21:19:656 3572   IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:21:19:656 3572   IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:21:19:656 3572   IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:21:19:656 3572   IRP_MJ_DEVICE_CONTROL : F76133BB
20:21:19:656 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL : F7616F28
20:21:19:656 3572   IRP_MJ_SHUTDOWN : F76132E2
20:21:19:656 3572   IRP_MJ_LOCK_CONTROL : 804F4562
20:21:19:656 3572   IRP_MJ_CLEANUP : 804F4562
20:21:19:656 3572   IRP_MJ_CREATE_MAILSLOT : 804F4562
20:21:19:656 3572   IRP_MJ_QUERY_SECURITY : 804F4562
20:21:19:656 3572   IRP_MJ_SET_SECURITY : 804F4562
20:21:19:656 3572   IRP_MJ_POWER : F7614C82
20:21:19:656 3572   IRP_MJ_SYSTEM_CONTROL : F761999E
20:21:19:656 3572   IRP_MJ_DEVICE_CHANGE : 804F4562
20:21:19:656 3572   IRP_MJ_QUERY_QUOTA : 804F4562
20:21:19:656 3572   IRP_MJ_SET_QUOTA : 804F4562
20:21:19:718 3572   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:19:718 3572
20:21:19:718 3572   Driver Name: Disk
20:21:19:718 3572   IRP_MJ_CREATE : F7618BB0
20:21:19:718 3572   IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:21:19:718 3572   IRP_MJ_CLOSE : F7618BB0
20:21:19:718 3572   IRP_MJ_READ : F7612D1F
20:21:19:718 3572   IRP_MJ_WRITE : F7612D1F
20:21:19:718 3572   IRP_MJ_QUERY_INFORMATION : 804F4562
20:21:19:718 3572   IRP_MJ_SET_INFORMATION : 804F4562
20:21:19:718 3572   IRP_MJ_QUERY_EA : 804F4562
20:21:19:718 3572   IRP_MJ_SET_EA : 804F4562
20:21:19:718 3572   IRP_MJ_FLUSH_BUFFERS : F76132E2
20:21:19:718 3572   IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:21:19:718 3572   IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:21:19:718 3572   IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:21:19:718 3572   IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:21:19:718 3572   IRP_MJ_DEVICE_CONTROL : F76133BB
20:21:19:718 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL : F7616F28
20:21:19:718 3572   IRP_MJ_SHUTDOWN : F76132E2
20:21:19:718 3572   IRP_MJ_LOCK_CONTROL : 804F4562
20:21:19:718 3572   IRP_MJ_CLEANUP : 804F4562
20:21:19:718 3572   IRP_MJ_CREATE_MAILSLOT : 804F4562
20:21:19:718 3572   IRP_MJ_QUERY_SECURITY : 804F4562
20:21:19:718 3572   IRP_MJ_SET_SECURITY : 804F4562
20:21:19:718 3572   IRP_MJ_POWER : F7614C82
20:21:19:718 3572   IRP_MJ_SYSTEM_CONTROL : F761999E
20:21:19:718 3572   IRP_MJ_DEVICE_CHANGE : 804F4562
20:21:19:718 3572   IRP_MJ_QUERY_QUOTA : 804F4562
20:21:19:718 3572   IRP_MJ_SET_QUOTA : 804F4562
20:21:19:750 3572   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:19:750 3572
20:21:19:750 3572   Driver Name: Disk
20:21:19:750 3572   IRP_MJ_CREATE : F7618BB0
20:21:19:750 3572   IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:21:19:750 3572   IRP_MJ_CLOSE : F7618BB0
20:21:19:750 3572   IRP_MJ_READ : F7612D1F
20:21:19:750 3572   IRP_MJ_WRITE : F7612D1F
20:21:19:750 3572   IRP_MJ_QUERY_INFORMATION : 804F4562
20:21:19:750 3572   IRP_MJ_SET_INFORMATION : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_EA : 804F4562
20:21:19:750 3572   IRP_MJ_SET_EA : 804F4562
20:21:19:750 3572   IRP_MJ_FLUSH_BUFFERS : F76132E2
20:21:19:750 3572   IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:21:19:750 3572   IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:21:19:750 3572   IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:21:19:750 3572   IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:21:19:750 3572   IRP_MJ_DEVICE_CONTROL : F76133BB
20:21:19:750 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL : F7616F28
20:21:19:750 3572   IRP_MJ_SHUTDOWN : F76132E2
20:21:19:750 3572   IRP_MJ_LOCK_CONTROL : 804F4562
20:21:19:750 3572   IRP_MJ_CLEANUP : 804F4562
20:21:19:750 3572   IRP_MJ_CREATE_MAILSLOT : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_SECURITY : 804F4562
20:21:19:750 3572   IRP_MJ_SET_SECURITY : 804F4562
20:21:19:750 3572   IRP_MJ_POWER : F7614C82
20:21:19:750 3572   IRP_MJ_SYSTEM_CONTROL : F761999E
20:21:19:750 3572   IRP_MJ_DEVICE_CHANGE : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_QUOTA : 804F4562
20:21:19:750 3572   IRP_MJ_SET_QUOTA : 804F4562
20:21:19:750 3572   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:21:19:750 3572
20:21:19:750 3572   Driver Name: atapi
20:21:19:750 3572   IRP_MJ_CREATE : F741F6F2
20:21:19:750 3572   IRP_MJ_CREATE_NAMED_PIPE : 804F4562
20:21:19:750 3572   IRP_MJ_CLOSE : F741F6F2
20:21:19:750 3572   IRP_MJ_READ : 804F4562
20:21:19:750 3572   IRP_MJ_WRITE : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_INFORMATION : 804F4562
20:21:19:750 3572   IRP_MJ_SET_INFORMATION : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_EA : 804F4562
20:21:19:750 3572   IRP_MJ_SET_EA : 804F4562
20:21:19:750 3572   IRP_MJ_FLUSH_BUFFERS : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
20:21:19:750 3572   IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
20:21:19:750 3572   IRP_MJ_DIRECTORY_CONTROL : 804F4562
20:21:19:750 3572   IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
20:21:19:750 3572   IRP_MJ_DEVICE_CONTROL : F741F712
20:21:19:750 3572   IRP_MJ_INTERNAL_DEVICE_CONTROL : F741B852
20:21:19:750 3572   IRP_MJ_SHUTDOWN : 804F4562
20:21:19:750 3572   IRP_MJ_LOCK_CONTROL : 804F4562
20:21:19:750 3572   IRP_MJ_CLEANUP : 804F4562
20:21:19:750 3572   IRP_MJ_CREATE_MAILSLOT : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_SECURITY : 804F4562
20:21:19:750 3572   IRP_MJ_SET_SECURITY : 804F4562
20:21:19:750 3572   IRP_MJ_POWER : F741F73C
20:21:19:750 3572   IRP_MJ_SYSTEM_CONTROL : F7426336
20:21:19:750 3572   IRP_MJ_DEVICE_CHANGE : 804F4562
20:21:19:750 3572   IRP_MJ_QUERY_QUOTA : 804F4562
20:21:19:750 3572   IRP_MJ_SET_QUOTA : 804F4562
20:21:19:796 3572   C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
20:21:19:796 3572
20:21:19:796 3572   Completed
20:21:19:796 3572
20:21:19:796 3572   Results:
20:21:19:796 3572   Memory objects infected / cured / cured on reboot:   0 / 0 / 0
20:21:19:796 3572   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
20:21:19:796 3572   File objects infected / cured / cured on reboot:   0 / 0 / 0
20:21:19:796 3572
20:21:19:796 3572   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:21:19:812 3572   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:21:19:812 3572   KLMD(ARK) unloaded successfully

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on April 23, 2010, 08:39:53 PM

OK you have the new variant

Download ComboFix from one of these locations:

Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 06:54:34 AM

Thanks again!!

(Part 1)

ComboFix 10-04-21.01 - Josh 04/24/2010 0:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.619 [GMT -4:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100423-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-07 23:39 . 2010-04-07 23:39   --------   d-sh--w-   c:\documents and settings\LocalService\UserData
2010-04-07 23:37 . 2010-04-07 23:37   --------   d-sh--w-   c:\documents and settings\LocalService\PrivacIE
2010-04-07 23:37 . 2010-04-07 23:37   --------   d-sh--w-   c:\documents and settings\LocalService\IECompatCache
2010-04-07 23:36 . 2010-04-07 23:36   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-04-03 21:46 . 2010-04-03 21:46   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\documents and settings\Josh\Application Data\Malwarebytes
2010-04-03 21:08 . 2010-03-29 19:24   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-03 21:08 . 2010-03-29 19:24   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-02 06:06 . 2010-04-02 06:06   --------   d-----w-   c:\documents and settings\Josh\Local Settings\Application Data\Threat Expert
2010-04-02 03:12 . 2010-04-02 03:12   516480   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-03-28 15:37 . 2009-11-24 22:48   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-28 15:37 . 2009-11-24 22:49   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-28 15:37 . 2009-11-24 22:47   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-28 15:37 . 2009-11-24 22:51   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-28 15:37 . 2009-11-24 22:50   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-28 15:37 . 2009-11-24 22:50   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-28 15:37 . 2009-11-24 22:50   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-28 15:37 . 2009-11-24 22:47   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2010-03-28 15:37 . 2009-11-24 22:54   1280480   ----a-w-   c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 04:39 . 2009-06-01 22:23   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 04:34 . 2010-03-20 02:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-23 00:19 . 2004-08-04 10:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-04-22 03:37 . 2010-03-13 02:22   598368   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-18 09:48 . 2010-03-08 03:19   --------   d-----w-   c:\program files\Google
2010-04-14 03:28 . 2009-06-07 21:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 22:12 . 2009-06-28 19:45   966104   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-10 22:12 . 2009-06-28 19:45   1265264   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-03-20 19:40 . 2009-05-18 00:08   --------   d-----w-   c:\program files\Alwil Software
2010-03-20 18:30 . 2010-03-20 18:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-20 11:18 . 2009-06-01 22:23   --------   d-----w-   c:\program files\SpywareBlaster
2010-03-20 02:55 . 2010-03-20 02:54   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   566608   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-13 02:22 . 2009-06-12 23:47   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-03-13 02:22 . 2009-06-01 22:28   15880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-13 02:22 . 2010-03-13 02:22   1230160   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-13 02:22 . 2010-03-13 02:22   247120   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-13 02:22 . 2009-06-28 19:45   6330848   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-13 02:22 . 2010-03-13 02:22   17480   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-13 02:21 . 2010-03-11 19:44   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-12 23:15 . 2009-06-21 14:05   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-12 16:01 . 2010-03-13 01:43   170978   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-03-11 19:44 . 2009-06-01 22:26   --------   d-----w-   c:\program files\Lavasoft
2010-03-10 06:15 . 2004-08-04 10:00   420352   ----a-w-   c:\windows\system32\vbscript.dll
2010-03-01 23:28 . 2009-06-28 19:45   25440   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-03-01 23:28 . 2009-09-21 22:28   3701760   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-25 06:24 . 2006-03-04 03:33   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 10:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:21   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
2010-02-04 15:53 . 2010-03-13 02:21   2954656   -c--a-w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2009-06-01 22:28   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 06:55:15 AM

(Part 2)

.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-02 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-02 818256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/1/2009 6:28 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/28/2010 11:37 AM 114768]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [11/21/2008 4:37 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2010 11:37 AM 20560]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/7/2010 11:19 PM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:12]

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac1545c83bbd2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SafeBoot-klmdb.sys

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-24 00:49:50
ComboFix-quarantined-files.txt 2010-04-24 04:49

Pre-Run: 65,471,037,440 bytes free
Post-Run: 65,523,560,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7B26023C403890A142785EAC95F3FF8B

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on April 24, 2010, 02:37:05 PM

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: [Select]

TDL::
c:\windows\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\mrxsmb.sys

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new OTListit log.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 05:15:34 PM

ok....

Here is Part 1 of the combofix log

ComboFix 10-04-21.01 - Josh 04/24/2010 11:08:39.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.488 [GMT -4:00]
Running from: c:\documents and settings\Josh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Josh\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100424-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-07 23:39 . 2010-04-07 23:39   --------   d-sh--w-   c:\documents and settings\LocalService\UserData
2010-04-07 23:37 . 2010-04-07 23:37   --------   d-sh--w-   c:\documents and settings\LocalService\PrivacIE
2010-04-07 23:37 . 2010-04-07 23:37   --------   d-sh--w-   c:\documents and settings\LocalService\IECompatCache
2010-04-07 23:36 . 2010-04-07 23:36   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-04-03 21:46 . 2010-04-03 21:46   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\documents and settings\Josh\Application Data\Malwarebytes
2010-04-03 21:08 . 2010-03-29 19:24   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-03 21:08 . 2010-03-29 19:24   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-03 21:08 . 2010-04-03 21:08   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-02 06:06 . 2010-04-02 06:06   --------   d-----w-   c:\documents and settings\Josh\Local Settings\Application Data\Threat Expert
2010-04-02 03:12 . 2010-04-02 03:12   516480   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll
2010-03-28 15:37 . 2009-11-24 22:48   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-28 15:37 . 2009-11-24 22:49   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-28 15:37 . 2009-11-24 22:47   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-28 15:37 . 2009-11-24 22:51   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-28 15:37 . 2009-11-24 22:50   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-28 15:37 . 2009-11-24 22:50   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-28 15:37 . 2009-11-24 22:50   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-28 15:37 . 2009-11-24 22:47   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2010-03-28 15:37 . 2009-11-24 22:54   1280480   ----a-w-   c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 04:39 . 2009-06-01 22:23   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 04:34 . 2010-03-20 02:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-23 00:19 . 2004-08-04 10:00   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2010-04-22 03:37 . 2010-03-13 02:22   598368   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-04-18 09:48 . 2010-03-08 03:19   --------   d-----w-   c:\program files\Google
2010-04-14 03:28 . 2009-06-07 21:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 22:12 . 2009-06-28 19:45   966104   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-04-10 22:12 . 2009-06-28 19:45   1265264   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-03-20 19:40 . 2009-05-18 00:08   --------   d-----w-   c:\program files\Alwil Software
2010-03-20 18:30 . 2010-03-20 18:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-20 11:18 . 2009-06-01 22:23   --------   d-----w-   c:\program files\SpywareBlaster
2010-03-20 02:55 . 2010-03-20 02:54   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   95024   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-13 02:22 . 2010-03-13 02:22   566608   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-13 02:22 . 2009-06-12 23:47   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-03-13 02:22 . 2009-06-01 22:28   15880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-13 02:22 . 2010-03-13 02:22   1230160   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-13 02:22 . 2010-03-13 02:22   247120   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-13 02:22 . 2009-06-28 19:45   6330848   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-13 02:22 . 2010-03-13 02:22   17480   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-13 02:21 . 2010-03-11 19:44   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-12 23:15 . 2009-06-21 14:05   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-12 16:01 . 2010-03-13 01:43   170978   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-03-11 19:44 . 2009-06-01 22:26   --------   d-----w-   c:\program files\Lavasoft
2010-03-10 06:15 . 2004-08-04 10:00   420352   ----a-w-   c:\windows\system32\vbscript.dll
2010-03-01 23:28 . 2009-06-28 19:45   25440   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-03-01 23:28 . 2009-09-21 22:28   3701760   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-25 06:24 . 2006-03-04 03:33   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 10:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:21   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-04 10:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 10:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
2010-02-04 15:53 . 2010-03-13 02:21   2954656   -c--a-w-   c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2009-06-01 22:28   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 05:16:10 PM

Part 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-02 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-02 818256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/1/2009 6:28 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/28/2010 11:37 AM 114768]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [11/21/2008 4:37 AM 64480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2010 11:37 AM 20560]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1265264]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/7/2010 11:19 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:12]

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac1545c83bbd2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-08 03:19]

2010-04-24 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3948)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-04-24 11:13:28
ComboFix-quarantined-files.txt 2010-04-24 15:13

Pre-Run: 65,504,874,496 bytes free
Post-Run: 65,514,487,808 bytes free

- - End Of File - - 39B33A5F3808B757960FF01885244759

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 05:22:00 PM

OTL Part 1.....

OTL logfile created on: 4/24/2010 11:17:30 AM - Run 2
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\Josh\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 162.00 Mb Available Physical Memory | 16.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 61.02 Gb Free Space | 86.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOSH-DELLE510
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/18 10:23:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
PRC - [2010/04/10 18:12:52 | 001,265,264 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/04/02 00:08:54 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2010/04/01 23:12:19 | 000,818,256 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/17 03:35:18 | 000,408,424 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/10 12:17:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe

========== Modules (SafeList) ==========

MOD - [2010/04/18 10:23:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2010/04/10 18:12:52 | 001,265,264 | ---- | M] (Lavasoft) [On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2005/10/28 08:41:52 | 000,491,520 | ---- | M] ( ) [On_Demand | Stopped] -- C:\WINDOWS\System32\dlcccoms.exe -- (dlcc_device)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = :0

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 05:22:33 PM

OTL Part 2....

O1 HOSTS File: ([2010/04/02 00:09:08 | 000,385,900 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1   www.007guard.com
O1 - Hosts: 127.0.0.1   007guard.com
O1 - Hosts: 127.0.0.1   008i.com
O1 - Hosts: 127.0.0.1   www.008k.com
O1 - Hosts: 127.0.0.1   008k.com
O1 - Hosts: 127.0.0.1   www.00hq.com
O1 - Hosts: 127.0.0.1   00hq.com
O1 - Hosts: 127.0.0.1   010402.com
O1 - Hosts: 127.0.0.1   www.032439.com
O1 - Hosts: 127.0.0.1   032439.com
O1 - Hosts: 127.0.0.1   www.0scan.com
O1 - Hosts: 127.0.0.1   0scan.com
O1 - Hosts: 127.0.0.1   1000gratisproben.com
O1 - Hosts: 127.0.0.1   www.1000gratisproben.com
O1 - Hosts: 127.0.0.1   1001namen.com
O1 - Hosts: 127.0.0.1   www.1001namen.com
O1 - Hosts: 127.0.0.1   100888290cs.com
O1 - Hosts: 127.0.0.1   www.100888290cs.com
O1 - Hosts: 127.0.0.1   www.100sexlinks.com
O1 - Hosts: 127.0.0.1   100sexlinks.com
O1 - Hosts: 127.0.0.1   10sek.com
O1 - Hosts: 127.0.0.1   www.10sek.com
O1 - Hosts: 127.0.0.1   www.1-2005-search.com
O1 - Hosts: 127.0.0.1   1-2005-search.com
O1 - Hosts: 13312 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244848019812 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/17 19:37:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 05:23:14 PM

OTL Part 3...

========== Files/Folders - Created Within 14 Days ==========

[2010/04/24 11:07:36 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/04/24 00:43:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/24 00:43:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/24 00:43:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/24 00:43:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/24 00:43:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/24 00:43:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/24 00:23:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/22 20:18:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Desktop\tdsskiller
[2010/04/22 00:04:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Josh\Recent
[2010/04/18 10:23:28 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
[2010/04/07 19:39:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/07 19:37:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/07 19:36:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/07 19:36:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Threat Expert
[2010/04/07 19:36:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/04/07 19:36:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2010/03/24 21:48:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/07 23:24:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/08/07 13:46:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/06/01 19:54:26 | 000,638,976 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpmui.dll
[2009/06/01 19:54:24 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcclmpm.dll
[2009/06/01 19:54:24 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomm.dll
[2009/06/01 19:54:24 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccpplc.dll
[2009/06/01 19:54:23 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccusb1.dll
[2009/06/01 19:54:23 | 000,774,144 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcchbn3.dll
[2009/06/01 19:54:22 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcccomc.dll
[2009/06/01 19:54:22 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccprox.dll
[2009/06/01 19:54:21 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\dlccserv.dll
[2009/05/17 19:36:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/24 11:13:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/24 11:11:51 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/24 11:07:17 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/24 10:47:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/24 08:39:28 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Josh\My Documents\~$Doc1.docx
[2010/04/24 08:39:19 | 007,077,888 | ---- | M] () -- C:\Documents and Settings\Josh\NTUSER.DAT
[2010/04/24 05:47:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/24 01:15:30 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Microsoft Word 2007.lnk
[2010/04/24 00:43:57 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/24 00:41:15 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/24 00:41:05 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/04/24 00:41:04 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cac1545c83bbd2.job
[2010/04/24 00:40:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/24 00:39:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Josh\ntuser.ini
[2010/04/24 00:37:38 | 003,923,062 | R--- | M] () -- C:\Documents and Settings\Josh\Desktop\ComboFix.exe
[2010/04/23 13:46:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/22 20:17:32 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\tdsskiller.zip
[2010/04/22 20:14:45 | 000,017,861 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Josh Freeman Case 19.xlsx
[2010/04/21 22:26:50 | 000,012,179 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Josh Freeman Case 19.docx
[2010/04/21 18:38:39 | 000,237,917 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Doc1.docx
[2010/04/19 21:08:15 | 000,000,165 | -H-- | M] () -- C:\Documents and Settings\Josh\Desktop\~$Josh Freeman Case 19.xlsx
[2010/04/18 12:23:59 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\gmer.zip
[2010/04/18 10:23:42 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
[2010/04/17 18:15:22 | 000,670,673 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\doc.docx
[2010/04/17 17:52:17 | 000,177,935 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Fed Government Applications.docx
[2010/04/17 17:46:20 | 000,016,610 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Joshua Freeman - USAJOBS Resume.docx
[2010/04/15 06:09:51 | 000,078,230 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Josh Freeman Case 2.pptx
[2010/04/15 06:08:33 | 000,029,614 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Josh Freeman Case 2.xlsx
[2010/04/14 16:46:56 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Microsoft PowerPoint 2007.lnk
[2010/04/13 23:27:20 | 000,000,283 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/04/12 19:33:23 | 000,033,955 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\HADM 543 Final Paper - Josh Freeman.docx
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 05:23:43 PM

Part 4 (OTL)

========== Files Created - No Company Name ==========

[2010/04/24 08:39:28 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Josh\My Documents\~$Doc1.docx
[2010/04/24 00:43:57 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/24 00:43:54 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/24 00:43:08 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/24 00:43:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/24 00:43:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/24 00:43:08 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/24 00:43:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/24 00:23:14 | 003,923,062 | R--- | C] () -- C:\Documents and Settings\Josh\Desktop\ComboFix.exe
[2010/04/22 20:17:31 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\tdsskiller.zip
[2010/04/21 22:26:49 | 000,012,179 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\Josh Freeman Case 19.docx
[2010/04/21 18:38:38 | 000,237,917 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Doc1.docx
[2010/04/21 18:00:26 | 000,017,861 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\Josh Freeman Case 19.xlsx
[2010/04/19 21:08:15 | 000,000,165 | -H-- | C] () -- C:\Documents and Settings\Josh\Desktop\~$Josh Freeman Case 19.xlsx
[2010/04/18 12:23:56 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\gmer.zip
[2010/04/17 18:15:22 | 000,670,673 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\doc.docx
[2010/04/15 06:08:45 | 000,078,230 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Josh Freeman Case 2.pptx
[2010/04/15 06:08:26 | 000,029,614 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Josh Freeman Case 2.xlsx
[2010/04/13 23:27:20 | 000,000,283 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/04/12 19:33:23 | 000,033,955 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\HADM 543 Final Paper - Josh Freeman.docx
[2009/12/17 18:43:57 | 000,199,784 | ---- | C] () -- C:\Documents and Settings\Josh\Application Data\JuniperSetup.exe
[2009/12/03 22:17:53 | 000,045,132 | ---- | C] () -- C:\Documents and Settings\Josh\Application Data\JuniperExtXP.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/01 19:54:26 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlccinsr.dll
[2009/06/01 19:54:25 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlccins.dll
[2009/06/01 19:54:25 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlccvs.dll
[2009/06/01 19:54:20 | 000,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlccutil.dll
[2009/06/01 19:54:20 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcccu.dll
[2009/06/01 19:54:20 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcccur.dll
[2009/06/01 19:54:16 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlccinsb.dll
[2009/06/01 19:54:16 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcccub.dll
[2009/06/01 19:54:15 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlccjswr.dll
[2009/06/01 19:54:08 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcccfg.dll
[2009/05/17 19:55:02 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Josh\ntuser.dat.LOG
[2009/05/17 19:55:02 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Josh\ntuser.ini
[2009/05/17 19:55:01 | 007,077,888 | ---- | C] () -- C:\Documents and Settings\Josh\NTUSER.DAT

========== LOP Check ==========

[2010/03/20 14:30:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/12/03 22:18:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
[2010/04/24 00:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/12 22:21:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2009/12/18 06:11:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Juniper Networks
[2010/04/24 11:07:17 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/04/24 00:41:05 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on April 24, 2010, 07:48:35 PM

Do you still have redirects ?

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No CLSID value found.

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 24, 2010, 08:37:32 PM

essex boy....I ran that....thanks again for such detailed instructions....I can't thank you enough.

I apologize, but I'm not 100 % sure what you mean by "redirects"? Do you mean, when I open Avast for a scan? As I originally said, before you helped me, there was a warning coming up on my screen saying I had this Win32 Malware virus....however, I just tried opening Avast and it looks like it's gone since there was no error message.

I guess I can assume that took care of the problem, because that warning didn't pop up, my computer hasn't been as loud, and it seems to be running better.

Here is the log of that last scan if you need it for anything.

Thank you so much!!! (I'm assuming I should go ahead and enable all of my virus scans again??)

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Josh
->Temp folder emptied: 12040817 bytes
->Temporary Internet Files folder emptied: 43814465 bytes
->Java cache emptied: 227463 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 8792 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16823 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 56.00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: Josh
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.1.2 log created on 04242010_142826

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Josh\Local Settings\Temp\fla2B.tmp not found!
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\;afc=1;kga=-1;shortform=1;u=Zx3m4e45bTo%7C119;kgg=-1;kcr=us;khd=0;dc_dedup=1;kpu=parlophone;kmyd=watch-channel-brand-div;dc_seed=215454529;tile=1;ord=486015402[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\AshleyY[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\inbox[2].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\index[5].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\load_ad[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\main[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\tpp[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\watch[1].txt moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\UFBALH5S\xd_receiver[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\DVLV2D3R\index[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\DVLV2D3R\load_ad[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\DVLV2D3R\login_status[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\DVLV2D3R\start[2].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\5ACAKLVX\container[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\0I76EBCO\left[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\0I76EBCO\load_ad[1].htm moved successfully.
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_574.dat moved successfully.

Registry entries deleted on Reboot...

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on April 25, 2010, 12:02:16 AM

OK numpty misread ??? I meant the alerts, the previous one I posted for was a redirect

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Do not show hidden files and folders.
Click Yes to confirm.
Click OK.

(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 20 (http://java.sun.com/javase/downloads/index.jsp).
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u20-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u20-windows-i586-p.exe and select "Run as an Administrator.")

SPRING CLEAN

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Open the file and close any other windows.
It will close all programs itself when run, make sure to let it run uninterrupted.
Click the Start button to begin the process. The program should not take long to finish its job
Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here (http://www.xs4all.nl/~fstaal01/flushflash-us.html) and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Microsoft Windows Update (http://windowsupdate.microsoft.com)

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Keep safe :wave:

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: jrf274 on April 25, 2010, 01:55:27 PM

essex,

I do have Malwarebytes, Spyware Blaster, and do the Windows Updates on a routine basis (at least once a week)....so thank you for that advice.

Also, I have to say that you are by far the best person that I've ever asked for help, to help clean my computer of malware. I'm not *that* computer savvy, and it's amazing how detailed you were with your instructions, your diagrams of how to do them, and how you could look at an extensive log and find a problem. Thank you so much for your quick follow-up....I cannot tell you how helpful you were and how much I appreciate it.

It's frustrating knowing your computer is infected but not knowing how to fix it....so again, I thank you and so does my computer! ; )

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on April 25, 2010, 04:54:56 PM

No problem, it took a lot of people to ensure that the responses were easy to follow. Some I made and some were made by others. Keep safe

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: Bj1937 on July 10, 2010, 08:31:08 PM

I have the same alert and mine is moved to the vault. The problem with mine is it comes from a game I have been play for over a year on this PC and longer than that on my last PCs. It is supposedly in my Jewel Quest game. I think the problem is in the latest update. I put it in as an exclusion and that doesn't work. I know this is false positive and I want to play my game.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: Asyn on July 11, 2010, 01:55:13 AM

Quote from: Bj1937 on July 10, 2010, 08:31:08 PM

I put it in as an exclusion and that doesn't work. I know this is false positive and I want to play my game.

Where did you exclude it..?
Be sure it is also excluded in the file shield settings..!
asyn

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: AshleyZ on July 29, 2010, 11:51:08 AM

Quote from: essexboy on December 06, 2009, 04:07:03 PM

What is the file name and location ?

c:\windows\system32\byyxvv.dll

I looked for this earlier and I didn't see it.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: amzolt on August 07, 2010, 07:26:21 PM

This morning I also got a notification that I had Win32: Malware-gen...

I used Malwarebytes Antimalware as suggested in this thread and will upload the log file.

I can't tell from the log--was Win32: Malware-gen removed??

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: Asyn on August 07, 2010, 07:54:40 PM

Quote from: amzolt on August 07, 2010, 07:26:21 PM

This morning I also got a notification that I had Win32: Malware-gen...
I used Malwarebytes Antimalware as suggested in this thread and will upload the log file.
I can't tell from the log--was Win32: Malware-gen removed??

Run an avast boot time scan.
Update and run Mbam again.
Report back.
Btw, next time open a new thread...! Thanks...
asyn

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: DavidR on August 07, 2010, 09:31:22 PM

Quote from: amzolt on August 07, 2010, 07:26:21 PM

This morning I also got a notification that I had Win32: Malware-gen...
<snip>
I can't tell from the log--was Win32: Malware-gen removed??

1. What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

2. We can't tell if MBAM removed it (presumably you allowed avast to send it to the chest) as we have no idea what of was (1 above). If it was in the chest, a protected area them mbam won't have been able to scan it.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: amzolt on August 08, 2010, 12:38:07 AM

I started responding in this thread because I had the same problem but someone said I should start my own thread--it will be called "Removing Win32: Malware-gen ??"

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: mehackett on September 21, 2010, 03:46:03 PM

Hi Tech Team!
I have found Win32:Malware-gen using the boot sector scan and was able to delete all but one file, which has located in a protected file. The location is C:Windows\Installer\63d76.msij>Binary.NewBinary22. This appears to be a file associated with the reinstallation portion of Windows and I believe it is a part of the safe-restore/restore point program. I can't locate the entire Windows\Installer file where it was located, and think it might have been hidden. Avast still shows the virus as present. I've tried MalwareBytes and this program doesn't find the virus. I've tried Spybot, same thing. When I ran Avast on that file alone, it showed a virus present again, but refuses to alter or delete the file as it is protected. Help!

Best,
MEHackett

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: HelpPlz on September 22, 2010, 04:24:35 PM

Dear Avast staff,

i have a similar problem so i deciced not to start my own thread. I can neither delete nor move the infected file into the container.( pics are attached ) Quote from the warning log :

Sign of "Win32:Malware-gen" has been found in "C:\Windows\Installer\3a3f57.msp\PCW_CAB_H15\MSTORDB.EXE" file.
(http://images2.bilder-speicher.de/show-image_100b-10092216153163.jpg)
I keep trying to delete it and it fails like : For this kind of archive the action is not possible.
(http://images2.bilder-speicher.de/show-image_100b-10092216758948.jpg)

please help me. I checked google and the kaspersky site but both didnt have any information about this malware.
and it seems that im not the only person.

im looking forward to hearing from u soon. best regards.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: Mystical Paradox on September 22, 2010, 06:27:18 PM

Hi Guys,

I have had real problems with my laptop today...been sortin it for almost 13 hours now..started with Win32:Patched-RP[Trj. Which with the help of this forum I sucessfully got rid of by using Dr.Web CureIt.THANKS!
Thought I would run windows onecare on the pc just to make sure..now this opened up a whole new can of worms!! My main worry is a TrojanDownloader:Java\Rexec.B!! I have only found info on this on microsoft and it is severe! But they only posted it yesterday so not much info is known..Avast dont seem to even realize it is there but when I Google a page avast comes up with malicious malware warning and stops me entering the site...or it directs me to a completely different web site..often an offensive one.

I followed the path to where the TrojanDownloader is C:\users\name\appdata\locallow\sun\java\deployment\cashe\6.0\
When i went there the folder 6.0 has numbers from 1 to 13 now an hour later its up to 63!! also files named Host, Muffin, Tmp, LastAccessed..When I hold my curser over the file/s (NOT CLICK) they all claim to be empty. I also just checked my REG EDIT and it looks like something is different from yesterday!!

Please Help Me!!

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: ARNAUD2309 on February 06, 2011, 05:45:10 PM

Quote from: Mystical Paradox on September 22, 2010, 06:27:18 PM

Hi Guys,

I have had real problems with my laptop today...been sortin it for almost 13 hours now..started with Win32:Patched-RP[Trj. Which with the help of this forum I sucessfully got rid of by using Dr.Web CureIt.THANKS!
Thought I would run windows onecare on the pc just to make sure..now this opened up a whole new can of worms!! My main worry is a TrojanDownloader:Java\Rexec.B!! I have only found info on this on microsoft and it is severe! But they only posted it yesterday so not much info is known..Avast dont seem to even realize it is there but when I Google a page avast comes up with malicious malware warning and stops me entering the site...or it directs me to a completely different web site..often an offensive one.

I followed the path to where the TrojanDownloader is C:\users\name\appdata\locallow\sun\java\deployment\cashe\6.0\
When i went there the folder 6.0 has numbers from 1 to 13 now an hour later its up to 63!! also files named Host, Muffin, Tmp, LastAccessed..When I hold my curser over the file/s (NOT CLICK) they all claim to be empty. I also just checked my REG EDIT and it looks like something is different from yesterday!!

Please Help Me!!

Quote from: essexboy on December 07, 2009, 10:19:39 PM

msqpdxserv.sys This is a member of the TDSS family so it may be worth doing a deeper scan if you want

If you want a deeper scan

To ensure that I get all the information this log will need to uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
Reg - Shell Spawning
File - Lop Check
File - Purity Scan
Evnt - EvtViewer (last 10)
Under custom scans copy and paste the following
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
CREATERESTOREPOINT[/list]
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Hi essexyboy, I have the same problem as richdebc. I've sent you my log after scanning with OTS. Kindly help please. Thanks in advance.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: ARNAUD2309 on February 06, 2011, 05:55:58 PM

Hi essexyboy, I have the same problem as richdebc. I've sent you my log after scanning with OTS. Kindly help please. Thanks in advance.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on February 06, 2011, 06:02:56 PM

Hi ARNAUD2309 I generally unsubscribe from threads after they have been resolved, which is why it is best to create your own thread

What are your problems ?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (NAV) Norton AntiVirus [Unknown | Stopped] -> 
[Driver Services - Safe List]
YY -> (EraserUtilRebootDrv) EraserUtilRebootDrv [Kernel | On_Demand | Running] -> C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
YY -> (eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
YY -> (SymEvent) SymEvent [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\SYMEVENT.SYS
YY -> (IDSxpx86) IDSxpx86 [Kernel | On_Demand | Stopped] -> C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20101026.001\IDSXpx86.sys
YY -> (BHDrvx86) BHDrvx86 [Kernel | System | Running] -> C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys
YY -> (SymIRON) Symantec Iron Driver [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\Ironx86.SYS
YY -> (SymEFA) Symantec Extended File Attributes [File_System | Boot | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\SYMEFA.SYS
YY -> (SRTSPX) Symantec Real Time Storage Protection (PEL) [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\SRTSPX.SYS
YY -> (ccHP) Symantec Hash Provider [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\ccHPx86.sys
YY -> (SymDS) Symantec Data Store [Kernel | Boot | Running] -> C:\WINDOWS\system32\drivers\NAV\1107000.00C\SYMDS.SYS
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} [HKLM] -> [Symantec Intrusion Prevention]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "System Startup Registry" -> [C:\WINDOWS\system\smss.exe]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1275210071-796845957-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1275210071-796845957-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}" [HKLM] -> [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\myrose\Desktop\PortForward.exe" -> [C:\Documents and Settings\myrose\Desktop\PortForward.exe:*:Enabled:PortForward]
YN -> "I:\CDS\Nero\Installation\SetupX.exe" -> [I:\CDS\Nero\Installation\SetupX.exe:*:Enabled:Nero ProductSetup]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{3a224cb2-4f74-11df-b78c-00e04d6f59fa} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\AutoRun\command -> 
YN -> \{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\AutoRun\command\\"" -> [driver\S-1-4-89-654352344-54323413-6452342-4545\service.exe]
YN -> \{3a224cb2-4f74-11df-b78c-00e04d6f59fa} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\open\command -> 
YN -> \{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\open\command\\"" -> [driver\S-1-4-89-654352344-54323413-6452342-4545\service.exe]
[Files - No Company Name]
NY ->  mgxoschk.ini -> C:\WINDOWS\mgxoschk.ini
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: ARNAUD2309 on February 06, 2011, 06:53:53 PM

All Processes Killed
[Win32 Services - Safe List]
Error: No service named NAV was found to stop!
[Driver Services - Safe List]
Error: Unable to stop service EraserUtilRebootDrv!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EraserUtilRebootDrv deleted successfully.
C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys moved successfully.
Service eeCtrl stopped successfully!
Service eeCtrl deleted successfully!
C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys moved successfully.
Error: Unable to stop service SymEvent!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent deleted successfully.
C:\WINDOWS\system32\drivers\SYMEVENT.SYS moved successfully.
Service IDSxpx86 stopped successfully!
Service IDSxpx86 deleted successfully!
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20101026.001\IDSXpx86.sys moved successfully.
Error: Unable to stop service BHDrvx86!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BHDrvx86 deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys moved successfully.
Error: Unable to stop service SymIRON!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymIRON deleted successfully.
C:\WINDOWS\system32\drivers\NAV\1107000.00C\Ironx86.SYS moved successfully.
Error: Unable to stop service SymEFA!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEFA deleted successfully.
C:\WINDOWS\system32\drivers\NAV\1107000.00C\SYMEFA.SYS moved successfully.
Service SRTSPX stopped successfully!
Service SRTSPX deleted successfully!
C:\WINDOWS\system32\drivers\NAV\1107000.00C\SRTSPX.SYS moved successfully.
Error: Unable to stop service ccHP!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccHP deleted successfully.
C:\WINDOWS\system32\drivers\NAV\1107000.00C\ccHPx86.sys moved successfully.
Error: Unable to stop service SymDS!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymDS deleted successfully.
C:\WINDOWS\system32\drivers\NAV\1107000.00C\SYMDS.SYS moved successfully.
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\System Startup Registry deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1275210071-796845957-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\myrose\Desktop\PortForward.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\I:\CDS\Nero\Installation\SetupX.exe deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\open\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3a224cb2-4f74-11df-b78c-00e04d6f59fa}\Shell\open\command not found.
[Files - No Company Name]
C:\WINDOWS\mgxoschk.ini moved successfully.
[Empty Temp Folders]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: myrose
->Temp folder emptied: 1702167 bytes
->Temporary Internet Files folder emptied: 210378897 bytes
->Google Chrome cache emptied: 430004082 bytes
->Apple Safari cache emptied: 19246080 bytes
->Flash cache emptied: 96891 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 240459051 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 3116561 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 57247805 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 62261712 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2467780657 bytes

Total Files Cleaned = 3,333.00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: myrose
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.41.4 fix logfile created on 02062011_211510

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: ARNAUD2309 on February 06, 2011, 06:55:26 PM

@ esexyboy
Find above the informations after the fix. Why my computer took that long to shut down??

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on February 06, 2011, 06:58:45 PM

Quote

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: myrose
->Temp folder emptied: 1702167 bytes
->Temporary Internet Files folder emptied: 210378897 bytes
->Google Chrome cache emptied: 430004082 bytes
->Apple Safari cache emptied: 19246080 bytes
->Flash cache emptied: 96891 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 240459051 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 3116561 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 57247805 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 62261712 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2467780657 bytes

Total Files Cleaned = 3,333.00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: myrose
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)

The reason is that OTS had to clear 3,333.00 mb of temporary files before it could create the rstore point. What problems are you experiencing ?

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: ARNAUD2309 on February 06, 2011, 07:07:25 PM

@ essexyboy
My computer has been reproducing files "Thumbs.db" in all folders. Also my hidden folders were not hidden. When i had run the avast scan, i found an unremovable virus which is: win32 malware-gen. After the fix, does OTS reboot my system when shutting down?

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on February 06, 2011, 08:00:22 PM

Yes it does reboot the system. The programme unhides system files so that they can be seen during the fixing process

What is the name and location of the file that Avast is detecting ?

Download ComboFix from one of these locations:

Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: ARNAUD2309 on February 07, 2011, 04:37:02 PM

@ essexyboy
I forgot the location and avast has automatically deleted the log. Pfff...
But, at present, there is no "thumbs.db" file anywhere and my hidden folders are hidden. I think it's due to OTS scanning and fixing. Thank u very much for that... But now, i don't kwow if the problem is really solved. Find below, as an attachment, the log of COMBOFIX. Revert to me as soon as you can. I'll be online for the next 3 hours...

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on February 07, 2011, 07:37:28 PM

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTS

paste in the followingin the "Paste fix here" box and then click the Run Fix button.

Quote

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

[/list]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Do not show hidden files and folders.
Click Yes to confirm.
Click OK.

Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 23 (http://java.sun.com/javase/downloads/index.jsp).
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u23-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u23-windows-i586-p.exe and select "Run as an Administrator.")

SPRING CLEAN

Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
For the first run I would recommend a boot defrag and disk check

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Bootdefrag.jpg)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Microsoft Windows Update (http://windowsupdate.microsoft.com)

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: ARNAUD2309 on February 08, 2011, 11:35:49 PM

@essexboy
Big problem dear. After running the fix (before removal of combofix) ,i was asked to reboot my computer. And when i agreed, my computer stays on the screen "windows is shutting down..." for more than 6 hours. So i've manually switched the computer off. Can you give me an explanation on what's happening please.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on February 09, 2011, 09:12:22 PM

It may have hung on resetting the restore points - this happens in about one in every thousand runs. Otherwise it is OK

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: ARNAUD2309 on February 11, 2011, 06:13:11 PM

@essexboy
All the updates on filehippo, are they free?? Because my updates includes Nero, WinRAR and NVidia forceware.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on February 11, 2011, 06:55:21 PM

The updates are free to download, if you own a registered version of the programmes then it will depend on the terms. Some companies give free updates others call it an upgrade and charge you for the privilege

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: Cloudy28 on May 30, 2011, 01:35:34 PM

I feel so lucky, thank you Essexboy!!! :)

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on May 30, 2011, 05:21:07 PM

My pleasure ;D

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: neil0503 on June 01, 2011, 04:43:46 AM

i need help...

my avast is 4.8 professional....

the virus is Win32-Malware-gen and even if i scanned it...after a few minutes..it will return..T_T pls helpy me..T_T

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: neil0503 on June 01, 2011, 05:12:46 AM

btw..heres the address...

C:\Documents and Settings\User02\Local Settings\Temporary Internet Files\Content.IE5\TQU2MQX8\dbol[2]

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: neil0503 on June 01, 2011, 05:51:44 AM

Quote from: essexboy on December 08, 2009, 11:13:26 PM

That looks good

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

can you help me with my problem? i know that you can..Thank you very mich! ^^

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: DavidR on June 01, 2011, 02:52:32 PM

Why were you unable to remove it ?
It is only in the Temporary Internet Files folder and you can clear that location from your IE browser settings.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: essexboy on June 01, 2011, 08:40:27 PM

Hi there let me see what you have

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)

On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)

THEN

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it

Make sure you close all other programs and don't use the PC while the scan runs.
Select All Users
Under additional scans select the following

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Please attach the log in your next post.

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: neil0503 on June 03, 2011, 05:55:14 PM

Quote from: David[table][tr][td][/td][/tr][/table]R on June 01, 2011, 02:52:32 PM

Why were you unable to remove it ?
It is only in the Temporary Internet Files folder and you can clear that location from your IE browser settings.

thanks for the reply! i already remove it..before you reply..btw..i apppreciate your reply..thanks! ^^

Title: Re: Win32-Malware-gen --> Unable to remove this malware
Post by: neil0503 on June 03, 2011, 05:57:40 PM

Quote from: essexboy on June 01, 2011, 08:40:27 PM

Hi there let me see what you have

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)

On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)

THEN

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
Make sure you close all other programs and don't use the PC while the scan runs.
Select All Users
Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Please attach the log in your next post.

thanks for your reply..but i already remove the malware by following your old post..btw..thanks for the reply though.