Author Topic: BV:malware-gen...HELP!!!  (Read 6187 times)

Offline labelcomp

  • Newbie
  • Posts: 2
BV:malware-gen...HELP!!!
« on: August 06, 2008, 09:06:36 AM »
How do I deal with this virus? How do I get rid of it, for free?
Also, when the virus has been moved to the chest, what does that mean?
I suppose I can't get into email accounts that are important right now, huh?

There are 4 listed by avast:
install-privacy-danger.bat (2 of them)
and
tt4.tmp.vbs
tt6.tmp.vbs


Below is the virus information from avast (scroll down to the end), and the HijackThis log:

THANKS!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:45 AM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pphc1e5j0e127.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O21 - SSODL: tfnslopk - {5699F8CF-779F-4D45-8B7B-8BCCE3E264E1} - C:\WINDOWS\tfnslopk.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 3355 bytes



Here is the avast Virus Chest information

Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp195473510.tmp
FileID: 0000000018  Original file name: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\install-privacy-danger.bat  New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp195473510.tmp\18.bat

Scan files in the temporary folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp195473510.tmp
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp195473510.tmp\18.bat  BV:Malware-gen
------------------------------------------------------------------------------------------
Action was completed successfully!
Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp255980103.tmp
FileID: 0000000017  Original file name: C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\.tt6.tmp.vbs  New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp255980103.tmp\17.vbs

Scan files in the temporary folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp255980103.tmp
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp255980103.tmp\17.vbs  VBS:Malware-gen
------------------------------------------------------------------------------------------
Action was completed successfully!
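Added example, not code from any poster in this thread and not part of HijackThis or avast: a small Python triage script for the kind of HijackThis log posted above. It parses O4 (Run keys), O21 (SSODL) and O23 (services) lines into records and applies three defender-side heuristics: any SSODL entry gets flagged (it is a load point legitimate software rarely uses), a service with "Unknown owner" gets flagged for review, and a binary whose name interleaves letters and digits twice (like the system32 file the next reply calls suspicious) gets flagged as a random-looking name. The sample lines are constructed to follow the shape of the log above; the heuristics are my own and produce review items, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in HijackThis log format; line shapes follow the log posted above.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"
O4 - HKCU\\..\\Run: [Google Update] "C:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe" /c
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O21 - SSODL: tfnslopk - {5699F8CF-779F-4D45-8B7B-8BCCE3E264E1} - C:\\WINDOWS\\tfnslopk.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# "Running processes" lines in the same log carry no Oxx prefix; they are bare paths.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\pphc1e5j0e127.exe",
    r"C:\WINDOWS\system32\Ati2evxx.exe",
]


@dataclass
class Entry:
    section: str   # "O4", "O21" or "O23"
    name: str
    path: str
    extra: str     # registry key for O4, CLSID for O21, owner string for O23


O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic (my own): letters and digits interleaved at least twice, e.g. pphc1e5j0e127
RANDOM_NAME_RE = re.compile(r"[a-z]+\d+[a-z]+\d+")


def _command_path(cmd: str) -> str:
    """Extract the executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted: arguments, if present, start at the first " /" or " -"
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def parse_hjt(text: str) -> List[Entry]:
    """Turn O4/O21/O23 lines into Entry records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], _command_path(m["cmd"]), m["key"]))
        elif m := O21_RE.match(line):
            entries.append(Entry("O21", m["name"], m["path"], m["clsid"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["path"], m["owner"]))
    return entries


def looks_random(path: str) -> bool:
    """True when the file's stem mixes letters and digits the way generated names do."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return RANDOM_NAME_RE.search(stem) is not None


def triage(entries: List[Entry], processes: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) items that deserve a human look."""
    findings = []
    for e in entries:
        if e.section == "O21":
            findings.append((e.path, "SSODL load point: a DLL loaded with the shell, rarely legitimate"))
        elif e.section == "O23" and e.extra == "Unknown owner":
            findings.append((e.path, "service binary carries no publisher string"))
        elif e.section == "O4" and "\\Temp\\" in e.path:
            findings.append((e.path, "autorun entry pointing into a Temp directory"))
        if looks_random(e.path):
            findings.append((e.path, "random-looking file name"))
    for p in processes:
        if looks_random(p):
            findings.append((p, "random-looking file name in a running process"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_hjt(SAMPLE_HJT_LOG), SAMPLE_PROCESSES):
        print(f"{reason:60s} {path}")
```

On the constructed sample this yields three review items: the SSODL DLL, the service with no owner, and the letter-digit process name in system32. The Google Update entry under a user profile is deliberately not flagged, since plenty of legitimate updaters live there; a Temp-directory autorun is a stronger signal and is the one the script reports.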

Offline Jtaylor83

  • avast! Evangelist
  • Advanced Poster
  • Posts: 1068
  • Gender: Male
Re: BV:malware-gen...HELP!!!
« Reply #1 on: August 06, 2008, 09:46:43 AM »
It appears you have been infected with the VideoAccessCodec.

O21 - SSODL: tfnslopk - {5699F8CF-779F-4D45-8B7B-8BCCE3E264E1} - C:\WINDOWS\tfnslopk.dll

I suggest you download and run MalwareBytes' Anti-Malware

This file looks suspicious: C:\WINDOWS\system32\pphc1e5j0e127.exe

Upload the file above to VirusTotal and post the results.

On a positive side, you did a good job sending the files to the chest.
« Last Edit: August 06, 2008, 09:49:58 AM by Jtaylor83 »
Avast 6.0, MalwareByte's Anti-Malware, CCleaner, Defraggler, DownloadHelper, WOT, NoScript, KeyScrambler, Thunderbird, Firefox, Windows XP SP3.

Offline labelcomp

  • Newbie
  • Posts: 2
what does putting stuff in the "Chest" mean?
« Reply #2 on: August 07, 2008, 06:29:24 AM »
I have all of the infected files put into the "chest", what does that mean? What does the chest do? I keep getting infections as the virus continues and I continue to put them in the chest... then what?

Offline Jtaylor83

  • avast! Evangelist
  • Advanced Poster
  • Posts: 1068
  • Gender: Male
Re: BV:malware-gen...HELP!!!
« Reply #3 on: August 07, 2008, 08:18:58 AM »
The Virus Chest is where infected files are kept so they can't harm your computer.
Avast 6.0, MalwareByte's Anti-Malware, CCleaner, Defraggler, DownloadHelper, WOT, NoScript, KeyScrambler, Thunderbird, Firefox, Windows XP SP3.
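Reply #3 sums up what the chest does in one sentence. As an added illustration, which is not avast's own code and not from any poster here, the following Python sketch shows the mechanics that make a quarantined file harmless: it is moved out of its original location, stored under a hash-based name with no executable extension (so no file association, autorun entry or double-click will launch it), made read-only, and recorded in a manifest so it can be restored or submitted later on purpose. The sample file it quarantines is a constructed, harmless batch file that merely echoes text; the directory layout and the manifest format are my own assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def _manifest_path(chest: Path) -> Path:
    return chest / "manifest.json"


def _load_manifest(chest: Path) -> list:
    p = _manifest_path(chest)
    return json.loads(p.read_text()) if p.exists() else []


def _save_manifest(chest: Path, records: list) -> None:
    _manifest_path(chest).write_text(json.dumps(records, indent=2))


def quarantine(file_path, chest_dir) -> dict:
    """Move one file into the chest and return its manifest record."""
    src = Path(file_path)
    chest = Path(chest_dir)
    chest.mkdir(parents=True, exist_ok=True)
    data = src.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    # The stored name drops the original extension, so the file is no longer
    # tied to an interpreter (cmd.exe for .bat, wscript.exe for .vbs).
    dest = chest / (digest + ".quarantined")
    shutil.move(str(src), str(dest))
    os.chmod(dest, 0o400)   # read-only while it sits in the chest
    record = {
        "original": str(src),
        "stored": dest.name,
        "sha256": digest,
        "size": len(data),
        "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%S"),
    }
    records = _load_manifest(chest)
    records.append(record)
    _save_manifest(chest, records)
    return record


def restore(chest_dir, sha256: str) -> str:
    """Deliberately put a quarantined file back; returns the restored path."""
    chest = Path(chest_dir)
    records = _load_manifest(chest)
    for rec in records:
        if rec["sha256"] == sha256:
            stored = chest / rec["stored"]
            os.chmod(stored, 0o600)
            Path(rec["original"]).parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(stored), rec["original"])
            records.remove(rec)
            _save_manifest(chest, records)
            return rec["original"]
    raise KeyError(f"no quarantined file with sha256 {sha256}")


def demo():
    """Round trip on a constructed sample; returns (record, gone, stored, back)."""
    work = Path(tempfile.mkdtemp())
    temp_dir = work / "Temp"
    temp_dir.mkdir()
    # Constructed stand-in for the detected file name; this one only echoes text.
    sample = temp_dir / "install-privacy-danger.bat"
    sample.write_text("@echo off\r\necho harmless constructed sample\r\n")
    chest = work / "Chest"
    rec = quarantine(sample, chest)
    gone = not sample.exists()                   # no longer where it was found
    stored = (chest / rec["stored"]).exists()    # present under its neutral name
    restored = restore(chest, rec["sha256"])
    back = Path(restored).exists() and not _load_manifest(chest)
    return rec, gone, stored, back


if __name__ == "__main__":
    record, gone, stored, back = demo()
    print(json.dumps(record, indent=2))
    print("moved out:", gone, "| in chest:", stored, "| restored:", back)
```

The point of the round trip is that quarantine is reversible by design: the file is kept, not destroyed, so a false positive can be restored and a true positive can be handed to a vendor, but while it is in the chest nothing on the system will execute it. That is also why "keep getting infections" while files land in the chest means the dropper is still active somewhere else, not that the chest has failed.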

Offline rassel

  • avast! Evangelist
  • Poster
  • Posts: 469
  • Gender: Male
  • Avast always the best choice
Re: BV:malware-gen...HELP!!!
« Reply #4 on: August 07, 2008, 09:22:29 AM »
Hope this will help you


Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Offline petmad4

  • Newbie
  • Posts: 1
Re: BV:malware-gen...HELP!!!
« Reply #5 on: August 19, 2008, 01:27:07 AM »
Tried Combofix and it worked. Thank you

Offline wyrmrider

  • avast! Evangelist
  • Super Poster
  • Posts: 1299
Re: BV:malware-gen...HELP!!!
« Reply #6 on: August 19, 2008, 01:34:57 AM »
Just because it worked does not mean that you are clean.
ComboFix log and a new HJT if you wish to verify.
There are infections that ComboFix does not get.
Did you run Malwarebytes' Anti-Malware and post the log?

Offline rassel

  • avast! Evangelist
  • Poster
  • Posts: 469
  • Gender: Male
  • Avast always the best choice
Re: BV:malware-gen...HELP!!!
« Reply #7 on: August 19, 2008, 06:30:22 AM »
Quote
Tried Combofix and it worked.

Worked for what? You are having the same problem too?

Offline powerade11

  • Newbie
  • Posts: 4
Re: BV:malware-gen...HELP!!!
« Reply #8 on: August 20, 2008, 04:50:58 AM »
I read this post and my computer also got the .... tt4.tmp.vbs
I don't know if it's totally clean!
I executed ComboFix and it generated this:

Offline powerade11

  • Newbie
  • Posts: 4
Re: BV:malware-gen...HELP!!!
« Reply #9 on: August 20, 2008, 05:12:08 AM »
Also I installed Malwarebytes' Anti-Malware and the log was:
Malwarebytes' Anti-Malware 1.25
Versão do banco de dados: 1062
Windows 5.1.2600 Service Pack 2

02:07:15 20/8/2008
mbam-log-08-20-2008 (02-07-15).txt

Tipo de Verificação: Rápida
Objetos verificados: 50175
Tempo decorrido: 3 minute(s), 26 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 1
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 1

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Offline wyrmrider

  • avast! Evangelist
  • Super Poster
  • Posts: 1299
Re: BV:malware-gen...HELP!!!
« Reply #10 on: August 20, 2008, 05:57:35 PM »
Petmad,
did you notice that MBAM found malware AFTER ComboFix for powerade11?
Run MBAM
and START A NEW THREAD for your problem.
Your fix may be different than the others, depending on the mix of malware.
Thanks,
Wyrmrider
Did you keep a ComboFix log?
Other things I would like to see are a boot-time avast scan
and a scan with SUPERAntiSpyware.

Offline powerade11

  • Newbie
  • Posts: 4
Re: BV:malware-gen...HELP!!!
« Reply #11 on: August 21, 2008, 06:09:24 AM »
Thanks for answering.

Well I still have the combofix log.
I also did the boot-time avast scan (got something there), and SUPERAntiSpyware freezes my computer (I tried to pause avast resident protection but it still freezes the PC... and I have to reset the PC).

thanks

Offline powerade11

  • Newbie
  • Posts: 4
Re: BV:malware-gen...HELP!!!
« Reply #12 on: August 21, 2008, 07:09:04 AM »
Uff... I finally got SUPERAntiSpyware to work and it didn't get anything. Also ran Spybot - Search & Destroy and it looks clean!

I think that's it, it's clean, what do you think?

thanks

Offline wyrmrider

  • avast! Evangelist
  • Super Poster
  • Posts: 1299
Re: BV:malware-gen...HELP!!!
« Reply #13 on: August 21, 2008, 08:24:32 PM »
Powerade,
what I thought was that you needed your own thread, or was that PetMad?
There are many versions of the FakeAlert trojan.

I'd also run an online Kaspersky scan before I thought I was clean.
If you want someone to look at a HJT log (see the sticky for instructions),
do start a new thread with a link to here.

Spyware Doctor database shows:
Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware.
It also changes some settings of windows which include:- disabling permissions for the user to change the background image and setting the active desktop to 'show web content'.
It is usually installed in conjunction with a rogue anti-spyware application.

MBAM found one thing.
Where are the others? That is the question.
Did anything say exactly which version of trojan FakeAlert you have?
Did the trojan have any friends at the party?
