Avast WEBforum

Other => Viruses and worms => Topic started by: shels60 on July 15, 2012, 03:44:59 PM

Title: Also need help with Win32: Malware-gen
Post by: shels60 on July 15, 2012, 03:44:59 PM
I recently downloaded Avast.  I may not have had any antivirus protection for a few months.  I had previously run Mcafee that was provided by my internet service provider.  In March, they said that they would no longer provide this feature, however, when I would check my McAfee subscription status, it always said that it was current.  Anyway, after I installed Avast, I ran a full scan which detected the win32:malware-gen.  I was able to put this in the chest.  However, when I ran the recommended bootscan, multiple infections of this virus were found.  I was unable to perform any of the suggested fixes.  I don't know where to find the log from this bootscan.

I see that the starting point for fixing these problem is to run malwarebytes Anti- Malware, which I have done.  This log shows different files that are infected than the files found on the avast bootscan. 

I'd appreciate any help you can give me (in as simple terms as possible, since I'm not that computer literate!)

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.15.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.11
Owner :: I1 [administrator]

Protection: Enabled

7/15/2012 8:08:53 AM
mbam-log-2012-07-15 (08-08-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250393
Time elapsed: 15 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) -> Data:  -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (PUP.MyWebSearch) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 3
C:\Program Files\MyWaySA (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)




Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 15, 2012, 04:16:27 PM
Hi and welcome!

Please visit the site located here (http://forum.avast.com/index.php?topic=53253.0).  Follow the directions
for running OTL, aswMBR.exe and Malwarebytes and then attach the logs that are created to your next reply.  :)
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 15, 2012, 06:27:41 PM
Thanks for the welcome.

Attached are the logs from OTL and aswMBR.  I was unclear if I should run Malwarebytes one more time or if my original posting with the malwarebytes log was sufficient.
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 16, 2012, 02:21:12 PM
Hi,

No it's no problem to use the Malwarebytes log you already posted.  :)

Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes
(http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM16orgreater.jpg)

Once complete continue with the instructions...
----------

Run OTL.exe
Code: [Select]
:Services

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\\npViewpoint.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: //@mail.mar@ ([]msn in Local intranet)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: //@signup.mar@ ([]msn in My Computer)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: aol.com ([objects] * is out of zone range -  5)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: hotmail.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: msn.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: passport.net ([]https in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: turbotax.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-548709012-2417198083-2935930457-1005\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (PopCapLoader Object)
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2005/08/18 07:46:14 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 16, 2012, 11:02:55 PM
Uh oh!  I ran Erunt and got to running OTL.  There was a message that I needed to reboot in order for OTL to move files.  A new OTL.exe screen came on, that I clicked run.  I think it was completed when an Avast sandbox notepad screen came on for a little bit and then the screen blanked out and is now sitting there with a blank blue screen.  I didn't see much of the notepad screen other than things had been disabled.  Help!
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 17, 2012, 12:41:15 AM
I just restarted my computer and it started up ok.  There is a new box that says "Restore" and below it "Exit".  Is this from ERUNT?  Before the computer went blank, I did not see a log from OTL.  Please advise on what I should do next. Thanks!
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 17, 2012, 01:55:19 PM
Hi,

Just go ahead and run a Quick Scan with OTL and post that new log.  :)
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 17, 2012, 02:50:34 PM
Hi, When I ran OTL, I did see the log file from yesterday.  I have attached that file and today's log file.
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 17, 2012, 04:28:49 PM
Good...

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan[/i]----------
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 17, 2012, 05:47:20 PM
Here is the Malwarebytes log.  I will post the Eset log when done.
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 17, 2012, 08:48:12 PM
This is the ESET log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17110 (vista_gdr.120419-1718)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a92a0f9576b8844bbdbe181e37acea45
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-17 06:45:23
# local_time=2012-07-17 02:45:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 124282777 124282777 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=140929
# found=0
# cleaned=0
# scan_time=5732
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 17, 2012, 08:48:12 PM
Ok.  :)
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 18, 2012, 02:06:15 PM
I ran one more Avast full scan and it did not find anything.  Does this mean my computer is "cured"?  If so, is it best to keep all the programs that I downloaded or should use add/remove programs to delete them.  Thank you SO MUCH for helping me with this virus!
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 18, 2012, 02:22:36 PM
Hi,

Things are looking better.  How is your system running?  :)

Download Security Check by screen317 from here (http://"http://screen317.spywareinfoforum.org/SecurityCheck.exe") or here (http://"http://screen317.changelog.fr/SecurityCheck.exe").
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 18, 2012, 04:23:43 PM
I think my computer is running fine.  It is pretty old (about 6 years old), so it always ran fairly slow.  I tried to download Security Check, but I think the 2 links are broken.  Internet Explorer could not find the webpage.
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 18, 2012, 06:26:12 PM
Sorry...that was my fault the link was broken... try this...

Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 18, 2012, 07:11:10 PM
Hi,  I forgot to mention when I first tried to open the file, I had to enable Intranet Settings.  Is this something I should leave as is?  If not, would you please tell me how to disable them?

Here is the Security Check Log.   Should I just close out of the Security Check black screen?
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 18, 2012, 08:08:07 PM
Hi,

No that shouldn't be a problem.
--------

Please go to Start > Control Panel > Add/Remove Programs > remove all the Java Programs you see, now download the latest Java from the following link and install it:

http://java.com/en/download/index.jsp
----------

While in Add/Remove programs delete Adobe Reader 9
----------

Let me know how your system is running now.  :)
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 19, 2012, 02:03:37 PM
I did the remove/reinstall of Java.  However, I did not see Adobe Reader 9 in the add/remove menu.  Adobe Reader x (10.1.3) was listed.

Things seem to be running very smoothly!  Thank you!  I'm not sure if this is just coincidental, but for the last few days (since the virus repair started) this message has popped up about once a day: "Adobe Flash Player Update Service 11.3 r 300 has encountered a problem and needs to close.  Please tell Microsoft about this problem".  I hit the report problem button and the message goes away.
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 19, 2012, 02:11:23 PM
Hi,

Glad to hear your system is running well except for that Flash Player glitch.  I did some reading and it seems that everyone is having that problem and it seems that it is on Adobe's side and needs to be fixed.  Hopefully they will have this fixed up soon.  Just keep checking for updates for Flash Player.
----------

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D  SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I can not give you any absolute guarantees.  As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

Clean up with OTL:
----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.
If you didn't already have it I would keep Malwarebytes AntiMalware though.

Here are some tips to reduce the potential for spyware infection in the future:

1. Internet Explorer.  Even if you don't use it as your main browser it should be kept up-to-date because that is the browser Windows uses for updates.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
2. Enable Protected Mode in Internet Explorer.  This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code.  To make sure this is running follow these steps:3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis.  With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.  A tutorial on firewalls can be found here[/color] (http://www.bleepingcomputer.com/forums/tutorial60.html).  **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)

5. Make sure you keep your Windows OS currentWindows XP users can visit Windows update  (http://v4.windowsupdate.microsoft.com/en/default.asp)  regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems.  Without these you are leaving the back door open.

6.   WOT   (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites.  WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7.Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?  (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
 
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 19, 2012, 02:32:03 PM
I just tried to run OTL as administrator.  I did not have a password (am I supposed to create one?) and received an error : Unable to log on.  Logon failure: user account restriction.  Possible reasons are blank passwords are not allowed, .....
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 20, 2012, 02:07:49 PM
Hi,

Just double-click on OTL and that should be fine.  :)
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 20, 2012, 04:30:33 PM
One more question (I hope!)... I could not find Security Check in Add/Remove Programs.  How do I remove it?  Thanks for your patience!!
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 20, 2012, 05:34:49 PM
Hi,

You can just delete that from your Desktop and that will be gone.  :)
Title: Re: Also need help with Win32: Malware-gen
Post by: shels60 on July 20, 2012, 08:57:33 PM
Jeff, You've been great!  Thank you so much for all your help and hand-holding!! 
Title: Re: Also need help with Win32: Malware-gen
Post by: jeffce on July 21, 2012, 04:42:04 AM
You are more than welcome.  It was a pleasure working with you.