Author Topic: Multiple infections detected but unable to be deleted (Win32:Malware-gen/others)  (Read 16510 times)


PaulQ

  • Guest
Okay, long story short, I had a popup window that would not go away, and momentarily froze my laptop. When I was eventually able to close the window, I started receiving messages asking for permission for a program called 'Windows Command Processor' to make changes to my computer. This message just keeps popping up, no matter how many times you click 'no'.

So I started running virus scans. While MalwareBytes couldn’t seem to find anything, Microsoft Security Essentials and Avast both tell me they've identified the virus and removed them, but once I restart my computer the message just keeps popping up.

Losing my patience, I finally clicked 'yes'. Avast suggested I run the program in sandbox, which I did, and I immediately received warnings from both Security Essentials and Avast saying I have multiple infections (Security Essentials telling me that I have anywhere between 9 and 90 potential threats). Avast identifies the infection as "win32:Malware-gen", while Security Essentials detects "Trojan:WinNT/Ramnit.gen!A".

No matter how many virus scans I run that seemingly find and delete the virus, whenever my computer restarts, I am asked for permission for "Windows Command Prompt" to run.

If anyone can help, I’d really appreciate it, because I’m out of ideas.  I’m not very computer-savvy, and my usual technique of “run virus scan in safe mode” has failed me.

SHARKY7SHARKY

  • Guest
Why are you running two Antivirus programs?  Try a boot time scan with Avast, & try Malwarebytes in safe mode.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Running two resident AVs is going to cause you nothing but grief as they fight for control over a file considered infected, like two dogs fighting over a bone.

Having two resident anti-virus scanners installed is one too many and not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avastUI, Real-Time Shields, File System Shield, Shield log.

For detections on on-demand scans, check C:\Documents And Settings\All Users\Application Data\Alwil Software\Avast5\Log (Windows 2000, Windows XP). Or C:\ProgramData\Alwil Software\Avast5\log (Windows Vista, Windows 7).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Quote
...... & try Malwarebytes in safe mode
@SHARKY7SHARKY  not recommended as it is designed to work best in normal mode

Quote from nosirrah (Bruce Harrison, Vice President of Research, Malwarebytes):
MBAM works from safe mode but it is not designed to work that way.

MBAM will work better from regular mode both in terms of what it detects and what it can remove.

Doing a safe mode scan with MBAM should only be done when a regular mode scan fails.

PaulQ

  • Guest
Thanks for the replies. I know more than one virus scanner causes problems, but when Security Essentials couldn't solve the problem, I downloaded Avast. Would uninstalling Security Essentials and then running a scan with Avast be an idea?

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

When I click yes on the "Windows Command Processor" request, and Avast asks if I want to run it in sandbox, it gives the file location as "C:\Users\Paul\AppData\Local\Temp\ehknywwtsltfshyv.exe", and says it was opened by "C:\WindowszSysWOW64\cmd.exe".

But when I run it in sandbox, the virus alerts tell me the object is "C:\Users\Paul\AppData\Local\Temp\tqnaarna.sys", while giving "C:\Users\Paul\AppData\Local\Temp\ehknywwtsltfshyv.exe" again as the process.

Offline DavidR

Well, in the sandbox it is actually running in a virtual environment, and that looks like a file that it created in the temp folder while trying to run the executable again; a bit of a weird cyclic issue.

This ehknywwtsltfshyv.exe file is highly suspect in itself as it looks like a randomly created file name and it should be sent to avast for analysis, see #### below.

However, that file aside, there is something hidden that is responsible for using "C:\WindowszSysWOW64\cmd.exe" to launch the ehknywwtsltfshyv.exe file in the first place, and that has yet to be found. Thankfully the autosandbox is preventing this suspect file ehknywwtsltfshyv.exe from being run.

You must uninstall MSE as a starting point, as the two AVs aren't helping in this matter at all, and any conflict between them could well leave you more vulnerable.

####
Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn't remove them from the original location, so they still have to be dealt with in that location.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

^^^^
Run this tool after having sent the sample to avast to clear all temp files:
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

~~~~
Run MBAM and do an update from normal Windows mode, then scan and post the contents of the scan log?
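An added example, not from the thread or from Avast: a small Python triage script that applies the pattern DavidR describes above (an executable or driver running from the user's Temp folder under a random-looking name, launched via cmd.exe) to a handful of constructed process events. The paths are modelled on the ones quoted in the thread; the cmd.exe path is written as it normally appears, and the scoring thresholds are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

VOWELS = set("aeiou")
EXEC_EXT = {".exe", ".sys", ".dll", ".scr"}

def looks_random(stem):
    """Heuristic for generated names such as ehknywwtsltfshyv or tqnaarna.
    Thresholds are assumptions; short names (< 8 letters) are never flagged
    because legitimate Windows binaries like svchost would otherwise score."""
    lower = stem.lower()
    letters = "".join(c for c in lower if c.isalpha())
    if len(letters) < 8:
        return False
    score = 0
    if sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        score += 2                       # almost no vowels
    if max(len(r) for r in re.findall(r"[^aeiou]+", letters)) >= 6:
        score += 2                       # long consonant run
    if re.search(r"q(?!u)", lower):
        score += 1                       # 'q' not followed by 'u'
    if len(stem) >= 8 and stem.isalpha() and stem.islower():
        score += 1                       # flat lowercase letter soup
    return score >= 2

def assess(path, parent):
    """Return (suspicious, reasons) for one 'path launched by parent' event."""
    p = PureWindowsPath(path)
    reasons = []
    if p.suffix.lower() not in EXEC_EXT:
        return False, reasons            # only executables and drivers matter
    in_temp = "\\appdata\\local\\temp\\" in path.lower()
    if in_temp:
        reasons.append("executable runs from user Temp")
    if looks_random(p.stem):
        reasons.append("random-looking file name")
    if PureWindowsPath(parent).name.lower() == "cmd.exe":
        reasons.append("launched via cmd.exe")
    # Temp alone is normal for installers; Temp plus another signal is not.
    return in_temp and len(reasons) >= 2, reasons

# Constructed events, modelled on the paths quoted in the thread.
EVENTS = [
    (r"C:\Users\Paul\AppData\Local\Temp\ehknywwtsltfshyv.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    (r"C:\Users\Paul\AppData\Local\Temp\tqnaarna.sys", r"C:\Users\Paul\AppData\Local\Temp\ehknywwtsltfshyv.exe"),
    (r"C:\Users\Paul\AppData\Local\Temp\MBAMSetup.exe", r"C:\Windows\explorer.exe"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
]

def triage(events=EVENTS):
    return [(path, *assess(path, parent)) for path, parent in events]
```

Run it and the two Temp drops from the thread come out suspicious while the installer and the System32 service host do not; the heuristic only points at what to submit or inspect, it is not a detection on its own.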

PaulQ

  • Guest
Sent a sample of ehknywwtsltfshyv.exe to avast, and cleared temp folders, but should I ignore the "Windows Command Processor" request while I run MBAM, or click yes and let Avast run it in sandbox? I'm just wondering if MBAM will have trouble detecting it if Avast is running it in sandbox?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Run MBAM in normal mode, otherwise it will not be able to remove anything.

PaulQ

  • Guest
I ran a full MBAM scan with the "Windows Command Processor" message flashing away, and the scan came back with no malicious items found. Here's the log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7297

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

27/07/2011 19:06:24
mbam-log-2011-07-27 (19-06-24).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 335323
Time elapsed: 50 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline essexboy

Any further problems?

PaulQ

  • Guest
The MBAM scan has changed nothing. Afterwards, I clicked yes on the "Windows Command Processor" message and ran it in sandbox, and Avast instantly detected the infection again. I moved it to chest and deleted it (again), but when I restart my computer the message just comes back.

Perhaps I should try allowing the program (whatever it is) to run normally, not in sandbox, and then try MBAM scan?
« Last Edit: July 27, 2011, 08:30:05 PM by PaulQ »

Offline essexboy

OK, time to go digging.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

PaulQ

  • Guest
Trying to post log, but I'm being told the file size is too big. It's 201kb, and apparently the limit is 192kb?

Offline essexboy

Could you upload to Mediafire? The link is in red on my previous post.

PaulQ

  • Guest
Ugh, completely missed that, sorry. Here's the link:

http://www.mediafire.com/?y14wfhvhh5hsh77