Topic: w32.malware-gen <- I got it, and I can't get rid of it.

alexandermrgn (Newbie)
w32.malware-gen <- I got it, and I can't get rid of it.
« on: October 20, 2010, 07:34:35 AM »
Hi everyone,
Last night I went out for a friend's birthday party and when I came back I noticed that my laptop had restarted, and that Google Chrome no longer worked at all. (Doesn't load pages or menus, and most times just crashes on startup anyway now.) I'm using 64-bit IExplorer instead. I scanned using Spybot and it came up with 7 entries, which I "fixed" and then still had problems. I've run Avast! several times now on a completely thorough custom scan and each time it will remove 2 or 3, tell me there were issues with some of the files and that they can't be removed! What do I do? I fear for my online banking, which I'm not touching with a 10-foot pole till my laptop is cleaned.

Also, just for reference I have Windows 7 64-bit, and after my first "clean" and restart my computer takes forever to start up now. I had to go into Task Manager and run explorer.exe manually because it wasn't starting, despite showing as running in the process list.
« Last Edit: October 20, 2010, 07:38:06 AM by alexandermrgn »

Reply #1 by Pondus (avast! Überevangelist), October 20, 2010, 07:53:00 AM
Quote
I scanned using spybot and it came up with 7 entires, which I "fixed" and then still had problems
Well, Spybot is not a good program; it was, but not anymore.

Try this

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click on the remove selected button to quarantine anything found
if anything is found you may post the scan log here

If avast! can't remove it then you should try running the avast! boot scan
http://sites.google.com/site/spg20scottsweb/home/avast-5-boot-time-scan
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Reply #2 by SafeSurf (avast! Evangelist), October 20, 2010, 07:58:04 AM
Hello alexandermrgn and welcome to the forum.

I know you ran a Custom scan on Avast and you "fixed" it. Did you run an Avast Full scan and put items into the Virus Chest?

Right now, please check your computer for malware with Malwarebytes' Anti-Malware (MBAM).
  • Download free http://www.malwarebytes.org/ for an on-demand scanner.
  • Double click mbam-setup.exe to install the application.
  • After install, click Update so you have the latest database before scanning.
  • Under Settings:
    • General: "Automatically Save File After Scan Completes" is checked off
    • Scanner Settings: check all boxes
    • Updater: "Download and install update if available" is checked off
  • Once the program has loaded, select "Perform FULL Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note.)
  • Click the "Remove Selected" button to quarantine anything found. You will find the infection details under the Quarantine tab.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

After posting your MBAM report, make sure your Avast definitions are up to date. You can also perform an Avast Full scan; if anything shows up, put it in the Virus Chest and do NOT delete anything.

Next, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTL logs. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). We will analyze them and instruct you further.

Please let me know if you have any questions.  Thank you.

iMac (Mavericks)/Safari and Firefox (NoScript/AdBlockPlus/BetterPrivacy/Ghostey)/
Vista Home Prem (same add-on's)/Avast Free/Online Armor Premium Firewall/MBAM Prem)/ Avast Mobile Security with MBAM Pro/ iPad 4th gen.

Reply #3 by SafeSurf (avast! Evangelist), October 20, 2010, 08:01:06 AM
We both instructed you to run MBAM.  ;)

I do not think you will be able to run the Avast boot scan with your 64-bit machine; this feature will be available in the newer Avast release, which will be out soon.

Please follow the remainder of my instructions, but post your MBAM log first. Thank you.

Reply #4 by alexandermrgn (Newbie), October 20, 2010, 08:24:25 AM
Running MBAM!  :D
I had run it without applying all the settings you asked for the first time, so I stopped it halfway to reapply them, but during that halfway it did manage to pick up something nasty *blegh*. Removed it successfully though! Once this proper scan finishes I'll post a log of what happens, thanks! Also, is it odd that a) my Google Chrome is dead and b) my Internet Explorer occasionally refuses to load pages? Also, will my start-up delay problems go away once the virus/trojan/worm/whatever it may be is removed?

Reply #5 by Pondus (avast! Überevangelist), October 20, 2010, 08:33:16 AM
Quote
I do not think you will be able to run the Avast boot scan with your 64-bit machine; this feature will be available in the newer Avast release, which will be out soon.
Yepp, correct, did not notice the 64-bit...... ::)

Quote
Also, will my start-up delay problems go away once the virus/ trojan/ worm/ whatever it may be is removed?
Well, you just have to wait and see what happens after the MBAM scan  ;)




Reply #6 by alexandermrgn (Newbie), October 20, 2010, 09:18:05 AM
Well now it's saying I'm clean even though I *know* it isn't. I'll give it a restart and get right back to you! After 5 various scans I might actually be getting somewhere, good heavens!

Reply #7 by SafeSurf (avast! Evangelist), October 20, 2010, 09:27:59 AM
Next, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTL logs. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). We will analyze them and instruct you further.
Do not reboot....do the OTL log next.  Thank you.

Oh...and cut and paste your MBAM log here.

Reply #8 by alexandermrgn (Newbie), October 20, 2010, 09:58:16 AM
Ehh...a little late on the reboot. I wasn't sure I had it at all, so I'd rebooted into safe mode and I'm in the middle of one more scan; then I'll get back to you on those OTL logs. Nothing yet after 20 minutes, but we'll see. I was looking at things that might seem at all suspicious and...I'm not very well versed in the inner workings of Skype...but does this look right? That's a heckuva lot of firewall exceptions for one program.

Reply #9 by alexandermrgn (Newbie), October 20, 2010, 10:05:31 AM
And as an additional suspicion, where did these two users come from?? They were never there before to my knowledge...and they almost never show up except in a few certain menus. How do I remove them, cause UAC doesn't list them as existing?
*Edit* OTL.txt attached, having trouble attaching Extras.txt for some reason, and I *really* don't want to triple post here. I'll try again though!
« Last Edit: October 20, 2010, 10:22:42 AM by alexandermrgn »

Reply #10 by alexandermrgn (Newbie), October 20, 2010, 10:29:21 AM
Argh, no luck attaching, keeps giving me errors so I'm really sorry for the triple post! I've attached extras.txt here because it wouldn't attach to the previous. Thanks for the help, it's really appreciated!

Reply #11 by Pondus (avast! Überevangelist), October 20, 2010, 10:42:02 AM
Essexboy will look at your logs when he arrives, late UK time.


Reply #12 by essexboy (avast! Überevangelist), October 20, 2010, 07:03:17 PM
As this is a 64-bit system I have few automatic tools that work, so I will need to go in baby steps. On completion of this run can you let me know what problems you are having. Also, did you set this proxy?
"ProxyServer" = 198.163.152.230:3128

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    [2010/10/03 14:00:59 | 000,045,056 | ---- | C] () -- C:\Windows\SysNative\acovcnt.exe

    :Files
    ipconfig /flushdns /c
    C:\Windows\tasks\At*.job

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Reply #13 by alexandermrgn (Newbie), October 20, 2010, 07:30:02 PM
All done! I can access my folders again  :D Oh happy day! Thank you so much. I definitely did not install a proxy myself, but I am on a University network? (But they didn't install anything either) Would that be why my Google Chrome still refuses to load any pages? It just sits spinning on a blank page.
« Last Edit: October 20, 2010, 07:32:03 PM by alexandermrgn »

Reply #14 by essexboy (avast! Überevangelist), October 20, 2010, 07:40:49 PM
OK, I will remove the proxy; if it is legit you may need to reset it.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-1923341402-1981331949-2595207276-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 198.163.152.230:3128

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

As for Chrome, that may need a re-install. Again, after this run let me know of any problems.
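The two OTL fixes in this thread target a handful of concrete artefacts: a per-user WinINet "ProxyServer" value under HKU\<SID>\...\Internet Settings (which silently routes the browser's traffic through 198.163.152.230:3128), AT-style jobs in C:\Windows\Tasks\At*.job, a recently dropped acovcnt.exe in the real System32 directory (shown as SysNative because OTL is a 32-bit process), and the poster's question about two unexplained user accounts. The script below is an added example, not part of the thread and not an OTL or avast! tool: it is a read-only triage pass that reports those same artefacts on a Windows 7 x64 machine so that an unexpected proxy or job can be recognised before anything is removed. The $KnownGoodProxies allow-list is an assumption to be filled in with proxies you configured yourself (the University network in the thread may legitimately require one).

```powershell
# Added example (not from the thread): read-only triage for the artefacts the
# OTL fixes above act on. Reports only; removes nothing. Run from an elevated
# PowerShell so that every loaded user hive and C:\Windows\Tasks are readable.

# Assumption: proxies you set yourself go here, e.g. @('proxy.campus.example:8080').
# Anything else that appears, such as the 198.163.152.230:3128 value from the
# OTL log, should be explained before it is trusted.
$KnownGoodProxies = @()

# 1. WinINet proxy settings for every loaded user hive. HKCU is just the
#    current user's alias into HKEY_USERS, so scanning HKU\<SID> covers the
#    "IE - HKU\S-1-5-21-...\...\Internet Settings" line OTL reported.
$hivePath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        $key = "Registry::HKEY_USERS\$sid\$hivePath"
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            [PSCustomObject]@{
                Sid           = $sid
                ProxyEnable   = $p.ProxyEnable
                ProxyServer   = $p.ProxyServer
                AutoConfigURL = $p.AutoConfigURL   # PAC-file hijacks show up here
                # Flag any proxy not on the allow-list, and any PAC URL at all.
                Suspicious    = ($p.ProxyServer -and $KnownGoodProxies -notcontains $p.ProxyServer) -or [bool]$p.AutoConfigURL
            }
        }
    } | Format-Table -AutoSize

# 2. Legacy AT-style scheduled jobs, the C:\Windows\Tasks\At*.job files the
#    first OTL fix deletes. A home laptop should normally have none.
Get-ChildItem -Path "$env:windir\Tasks" -Filter 'At*.job' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# 3. Executables recently created in the real 64-bit System32 directory
#    (OTL's "SysNative"), where acovcnt.exe from the log was dropped.
#    The 30-day window is an assumption; widen it if the infection is older.
Get-ChildItem -Path "$env:windir\System32" -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object CreationTime -Descending |
    Select-Object Name, Length, CreationTime |
    Format-Table -AutoSize

# 4. Local accounts, for the "where did these two users come from" question.
#    Win32_UserAccount works on Windows 7; Get-LocalUser needs PowerShell 5.1+.
Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True' |
    Select-Object Name, SID, Disabled, Status |
    Format-Table -AutoSize
```

Run it before and after a fix like the ones above: the first pass records which proxy, job and account entries are present, the second confirms the proxy value and At*.job files are gone and that nothing new has appeared. A proxy that reappears after removal points at a persistence mechanism still running, which is exactly the situation where the next log should be posted rather than the fix repeated.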
