Author Topic: Win32-Malware-gen --> Unable to remove this malware  (Read 109516 times)


shel

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #15 on: January 18, 2010, 01:20:49 AM »
Aah, I have a virus on my computer. Tried avast, AVG, Spybot S&D, Malwarebytes and now Microsoft Security Essentials. It's a Win32:Malware-gen virus/worm. So bloody annoying! Anyone know how to get rid of it??? Keeps popping up every 10 mins from avast saying caution, virus detected. Tried deleting the file, moving it to the virus vault and even repairing it, and nothing works. Even googled it and followed all the advice I could find... please HELP me. I tried looking up that OTS thing but can't find it anywhere, can I please have a link to it please?  >:(  ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #16 on: January 18, 2010, 01:51:47 AM »
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

So are you saying that avast can't move it to the chest ?
If so what errors are given (for deletion also) ?

Have you tried an avast boot-time scan - If you have Win2k, XP, vista or Win7 (all 32bit), you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php. Don't opt for deletion (you have no options left), always send to the chest and investigate.
 
Look in the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file, check this file using notepad and copy and paste the info on the detection.

I hope you haven't got AVG and avast installed at the same time, not advised.
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

tehpyro

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #17 on: March 18, 2010, 09:30:49 PM »
I have this same problem. I ran malwarebytes, avast, OTS, and my avast full system scan still detects it. When I try to move it to the chest with avast, it says "Error: The system cannot find the file specified (2)"
I'm running Windows 7 64-bit so I can't do a boot scan. Can anyone help?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #18 on: March 18, 2010, 09:55:54 PM »
Help us out with the file name and location.

tehpyro

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #19 on: March 18, 2010, 11:46:52 PM »
Under File name it says
'C:\System Volume Information\_restore{615D86ED-B9C8-A1EC-A6CFCAD89AF3}\RP27\A0004670.rbf'

Says severity is high =/ At one point my computer said my video driver crashed, but it was back on, and I don't know what else it might do (if that was from it), so I don't know if I should stop everything I'm doing to get rid of it now or not. Thanks


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #20 on: March 18, 2010, 11:49:31 PM »
If it is in the system restore then just reset your restore points

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #21 on: March 19, 2010, 01:08:22 AM »
Quote from: tehpyro on March 18, 2010, 11:46:52 PM
Under File name it says
'C:\System Volume Information\_restore{615D86ED-B9C8-A1EC-A6CFCAD89AF3}\RP27\A0004670.rbf'

Says severity is high =/ At one point my computer said my video driver crashed, but it was back on, and I don't know what else it might do (if that was from it), so I don't know if I should stop everything I'm doing to get rid of it now or not. Thanks

I doubt the video driver crashing has anything to do with this file, as restore points are inert until you use System Restore and go back to a point that includes that restore point.

As essexboy suggests, resetting your restore points will clear this out:
- Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
 
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

~~~~
-- Create Clean Restore Point - Clear old Restore Points.
Create a clean System Restore point:
1. Click Start, All Programs, Accessories, System tools, System Restore.
2. In the pop-up that appears fill in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
5. Click CREATE

You now have a clean restore point, you should clear the old ones:
1. Click Start, All Programs, Accessories, System Tools, Disk Cleanup
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button

Tnek

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #22 on: March 19, 2010, 08:06:25 PM »
I have the same Win32-Malware-gen that my Avast! home is reporting.  I ran OTS, thinking that the report I would get would enable me--by looking at what Essexboy did on December 08, 2009, 08:18:00 PM--to do that same thing.  But I can't figure out what to do.  Might someone help me as well?  I would be most grateful.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #23 on: March 19, 2010, 08:12:07 PM »
Quote from: Tnek on March 19, 2010, 08:06:25 PM
I have the same Win32-Malware-gen that my Avast! home is reporting.  I ran OTS, thinking that the report I would get would enable me--by looking at what Essexboy did on December 08, 2009, 08:18:00 PM--to do that same thing.  But I can't figure out what to do.  Might someone help me as well?  I would be most grateful.

You should have started a new topic instead of asking for help inside this one.

Follow this guide from Essexboy and start a new topic where you post the logs. Then Essexboy will help you:
http://forum.avast.com/index.php?topic=53253.0

if the log is big: look in down/left corner additional options > attach

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89021
  • No support PMs thanks
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #24 on: March 19, 2010, 08:38:21 PM »
Quote from: Tnek on March 19, 2010, 08:06:25 PM
I have the same Win32-Malware-gen that my Avast! home is reporting.  I ran OTS, thinking that the report I would get would enable me--by looking at what Essexboy did on December 08, 2009, 08:18:00 PM--to do that same thing.  But I can't figure out what to do.  Might someone help me as well?  I would be most grateful.

Aside from what has been mentioned about creating your own new topic, I doubt that your problem is exactly the same, so stepping into OTS as a first step I feel is too much too soon.

In your new topic please give the following information:
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

What actions did you take upon detection by avast (it should have been sent to the chest) ?

If it is in the chest, what is the problem that makes you feel some other actions are required ?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #25 on: March 19, 2010, 08:45:34 PM »
Correct David, generally MBAM will clear the infection by itself, manual cleaning is really only required for the deeper rooted types

tehpyro

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #26 on: March 20, 2010, 07:56:54 AM »
Well I created a new restore point and deleted old ones, and ran another full avast scan and it still showed up, I think same location and everything. Any other tips? I'd really just feel more comfortable if my scans would turn up clean, even if this has a possibility of not being a problem now =/ thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #27 on: March 20, 2010, 02:09:37 PM »
I can look deeper if you wish

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

THEN

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav



  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
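The /md5start ... /md5stop block in the custom scan above asks OTL to report the MD5 of a fixed list of system drivers and libraries, so that a modified copy can be spotted by its hash rather than by signature. The Python below is an added example, not OTL's own code, and its report format is not OTL's: it shows the underlying check in isolation, hashing a short subset of those file names against a known-good baseline in a constructed temporary directory, with one file altered and one absent so that both the MODIFIED and the MISSING outcome appear.

```python
"""Hash-check of a fixed file list, in the spirit of OTL's /md5start section.

Added example, not OTL's code. A baseline of trusted hashes is taken while the
files are known to be clean; later runs compare each file against it. A changed
driver shows up as MODIFIED, a deleted or hidden one as MISSING, and a file
with no trusted value as UNKNOWN, all without depending on a signature scanner.
"""
import hashlib
import os
import tempfile

# Subset of the file names from the custom-scan list in the post above.
WATCHED_FILES = ["atapi.sys", "iaStor.sys", "netlogon.dll", "scecli.dll"]


def hash_file(path, algo="md5"):
    """Stream the file through hashlib so large drivers do not load into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(directory, baseline, names=WATCHED_FILES, algo="md5"):
    """Return {name: status}; status is 'ok', 'MODIFIED', 'MISSING' or 'UNKNOWN'."""
    results = {}
    for name in names:
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"  # deleted, or hidden from the file system API
            continue
        digest = hash_file(path, algo)
        expected = baseline.get(name)
        if expected is None:
            results[name] = "UNKNOWN"  # no trusted value to compare against
        elif digest == expected:
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"
    return results


def demo():
    """Build a constructed 'system32' directory and baseline, then alter one file."""
    with tempfile.TemporaryDirectory() as sysdir:
        contents = {  # constructed stand-ins, not real driver images
            "atapi.sys": b"constructed clean atapi driver image",
            "iaStor.sys": b"constructed clean iastor driver image",
            "netlogon.dll": b"constructed clean netlogon library",
            # scecli.dll intentionally absent so the MISSING case is exercised
        }
        for name, data in contents.items():
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(data)
        # Baseline captured while the files are known to be clean.
        baseline = {name: hash_file(os.path.join(sysdir, name)) for name in contents}
        # Simulate a driver that has been modified in place after the baseline was taken.
        with open(os.path.join(sysdir, "atapi.sys"), "ab") as f:
            f.write(b"constructed modification bytes")
        return check_files(sysdir, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

In practice the baseline would come from a clean installation or vendor-published hashes, never from the machine under suspicion; the temporary directory here only stands in for that so the check runs offline.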

jrf274

  • Guest
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #28 on: April 18, 2010, 04:19:24 PM »
**edit**....I apologize, I did what essexboy instructed with logs (OTL) and attached them in that thread....sorry about that!




Hello everyone!

I am having the same trouble with this malware and I cannot remove it using Avast. I'm not too computer savvy so please bear with me. I run AdAware, Avast, Malwarebytes, CC cleaner, and Spybot weekly.

No problems show up except when I run Avast, I get the following message when I start the scan.

File Name:

\\?\globalroot\device\ide\ideport3\worabvpu\worabvpu\z00clicker.dll

Malware Name: Win32: Malware-gen


I can't delete, repair, or move to chest. Here is what it says: "The process cannot access the file because it is being used by another process".

Cannot process "\\?globalroot\device\ide\ideport3\worabvpu\worabvpu\Z00clicker.dtll" file


I have tried rebooting and doing a full computer scan and this hasn't fixed the problem.


« Last Edit: April 18, 2010, 04:43:45 PM by jrf274 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32-Malware-gen --> Unable to remove this malware
« Reply #29 on: April 18, 2010, 05:38:45 PM »
Ah found you - I need to do a rootkit scan for files in that area.  Are you suffering from redirects ?

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  • Save the log where you can easily find it, such as your desktop.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.
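Across the thread the replies keep sorting a detection by where the flagged file lives and what the quarantine attempt returned: a copy inside a System Volume Information restore point (replies #19 and #21, cleared by resetting restore points), a file the scanner could not find at all (error 2 in reply #17), and a file reachable only through a \\?\globalroot\device\... path that is "being used by another process" (reply #28, which is why reply #29 moves to a rootkit scan). The Python below is an added example, not code from the thread or from avast: the Detection and Triage names and the sample records are constructed from the paths and error codes quoted above, and the Win32 error names are taken from the Windows error code table (2 = ERROR_FILE_NOT_FOUND, 32 = ERROR_SHARING_VIOLATION).

```python
"""Triage helper for antivirus detection records (added example, not from the thread).

Groups a detection by the kind of path the file sits at and the Win32 error
returned when quarantine was attempted, and maps each case to the next step the
replies above recommend for it.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Win32 error codes quoted by the posters, mapped to their symbolic names.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",      # "The system cannot find the file specified"
    5: "ERROR_ACCESS_DENIED",
    32: "ERROR_SHARING_VIOLATION",  # "being used by another process"
}

# System Restore keeps copies under <drive>:\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\",
    re.IGNORECASE)
# NT object-namespace path (\\?\globalroot\device\...) instead of a drive letter.
DEVICE_PATH_RE = re.compile(r"^\\\\\?\\globalroot\\device\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    action_error: Optional[int] = None  # Win32 code returned by the quarantine attempt


@dataclass
class Triage:
    location: str
    error_name: Optional[str]
    next_step: str


def triage(det: Detection) -> Triage:
    err = WIN32_ERRORS.get(det.action_error) if det.action_error is not None else None
    if RESTORE_POINT_RE.match(det.path):
        return Triage("restore-point-backup", err,
                      "inert copy kept by System Restore; create a clean restore point "
                      "and clear the old ones")
    if DEVICE_PATH_RE.match(det.path):
        step = ("file addressed through the NT object namespace, not a drive letter; "
                "run an anti-rootkit scan")
        if err == "ERROR_SHARING_VIOLATION":
            step += " (locked while Windows is running, so normal scans keep failing)"
        return Triage("nt-device-path", err, step)
    if SYSTEM_DIR_RE.match(det.path):
        return Triage("live-system-file", err,
                      "send to the chest and inspect; do not delete outright")
    return Triage("other", err, "send to the chest and inspect")


# Constructed records built from the paths and error codes the posters quoted.
SAMPLE_DETECTIONS = [
    Detection(r"C:\System Volume Information\_restore{615D86ED-B9C8-A1EC-A6CFCAD89AF3}"
              r"\RP27\A0004670.rbf", 2),
    Detection(r"\\?\globalroot\device\ide\ideport3\worabvpu\worabvpu\z00clicker.dll", 32),
    Detection(r"C:\windows\system32\infected-file-name.xxx"),
]


def triage_all(dets=SAMPLE_DETECTIONS):
    return [triage(d) for d in dets]


if __name__ == "__main__":
    for d, t in zip(SAMPLE_DETECTIONS, triage_all()):
        print(f"{t.location:22} {t.error_name or '-':26} {d.path}")
        print(f"    -> {t.next_step}")
```

The classifier only looks at path shape and error code, which is exactly the information a poster can read off the avast warning; it does not touch the file, so it is safe to run on a machine that is still suspected of being infected.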