Avast WEBforum

Other => Viruses and worms => Topic started by: donfriesen on January 13, 2013, 12:25:59 AM

Title: Win32\Malware-gen
Post by: donfriesen on January 13, 2013, 12:25:59 AM

An 'Avast free' scan revealed the Win32 Malware-gen virus in the d: colorcpl exe. Any help to remove would be greatly appreciated. Thanks.

Title: Re: Win32\Malware-gen
Post by: Pondus on January 13, 2013, 12:42:29 AM

upload colorcpl exe to www.virustotal.com and test with 40+ malware scanners
post link to scan result here when done


Malware removers are notified. It may take hours before one arrive so be patient

also run AdwCleaner and post log   ;)

Title: Re: Win32\Malware-gen
Post by: polonus on January 13, 2013, 01:13:32 AM

See: http://www.faultwire.com/file_report/colorcpl.exe.html

polonus

Title: Re: Win32\Malware-gen
Post by: Pondus on January 13, 2013, 01:21:53 AM

What is the "colorcpl.exe" ?
http://systemexplorer.net/file-database/file/colorcpl-exe
http://www.processchecker.com/file/colorcpl.exe.html

there is also this  http://support.microsoft.com/kb/2643719

Quote

MS12-012: Vulnerability in Color Control Panel could allow remote code execution: February 14, 2012

Title: Re: Win32\Malware-gen
Post by: magna86 on January 13, 2013, 02:44:40 AM

@ donfriesen
Hello and welcome to avast!. I reviewed posted logs and I don't see active malware in it.
----------------------------------------------------------------------------

Code: [Select]

AutoRun File - [ ... ] - D:\Autorun.inf

I recommendet to check USB storage devices / removable drives if you will.

---   ---   ---   ---

• Download MCShield from one of the following links:
  

MyCity -  Official download link (http://amf.mycity.rs/mcshield/)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)

• Double click MCShield-Setup to install the application.
  
• Wait a few seconds to MCShield finish initial scan.

Recommendation to under General and Scanner tab you click on Defaults button to choose recommended options.

• Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that has made MCShield.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

***********************


 Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
- Temporaly disable malwarebytes.

• Please double-click TFC.exe to run it. (Note: If you are running on Vista and above, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

*****************

• Download AdwCleaner (http://www.general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner) (by Xplode) on your desktop.
  
• Launch it, click on [Search] and wait for the scan.
  
• When the scan ends, notepad with the report will appears.
• Click on the [Delete] Wait for the programme completes his work.
  The program will close all active programs. Click OK to confirm that.
  On the next two windows that open ( Informations and Restart required ) click OK
  
• The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
• Save the notepad report on the Desktop
• Please attach here C:\AdwCleaner[S1].txt

Note: The report will also be stored on C:\AdwCleaner[S1].txt [/list]

***************************

> Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.




**************************
I also recommendet to run some leght registry cleaner ( as CCleaner (http://www.piriform.com/ccleaner) for example if you will ).

Title: Re: Win32\Malware-gen
Post by: donfriesen on January 14, 2013, 01:30:31 AM

Quote from: Pondus on January 13, 2013, 12:42:29 AM

upload colorcpl exe to www.virustotal.com and test with 40+ malware scanners
post link to scan result here when done


Malware removers are notified. It may take hours before one arrive so be patient

also run AdwCleaner and post log   ;)

Pondus reply#1   The Avast scan revealed the virus to be in the D recovery partition. I can't access this and I also don't know how to upload this file to the website you  requested.

Here is the adw Cleaner log:

# AdwCleaner v2.105 - Logfile created 01/13/2013 at 18:27:32
# Updated 08/01/2013 by Xplode
# Operating system : Windows Vista (TM) Home Basic Service Pack 2 (32 bits)
# User : Don dec15 - DON-PC
# Boot Mode : Normal
# Running from : C:\Users\Don dec15\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\ducky\AppData\Roaming\Mozilla\Firefox\Profiles\1btrr2wm.default-1351037531189\prefs.js

[OK] File is clean.

File : C:\Users\ducky\AppData\Roaming\Mozilla\Firefox\Profiles\ok0czt2u.default\prefs.js

[OK] File is clean.

File : C:\Users\Don dec15\AppData\Roaming\Mozilla\Firefox\Profiles\0r2t9cwv.default-1357513048235\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1132 octets] - [13/01/2013 00:02:34]
AdwCleaner[R2].txt - [1004 octets] - [13/01/2013 18:27:32]
AdwCleaner[S1].txt - [7178 octets] - [12/01/2013 12:56:01]

########## EOF - C:\AdwCleaner[R2].txt - [1124 octets] ##########

Title: Re: Win32\Malware-gen
Post by: donfriesen on January 14, 2013, 01:35:44 AM

Quote from: polonus on January 13, 2013, 01:13:32 AM

See: http://www.faultwire.com/file_report/colorcpl.exe.html

polonus

Polonus reply#2:  Thanks for your interest in this thread, and also for the info in the link you provided. Don

Title: Re: Win32\Malware-gen
Post by: magna86 on January 14, 2013, 02:34:31 PM

donfriesen, just reset your system restore ( turn off and then turn on ).

Title: Re: Win32\Malware-gen
Post by: donfriesen on January 15, 2013, 01:24:23 AM

Quote from: magna86 on January 14, 2013, 02:34:31 PM

donfriesen, just reset your system restore ( turn off and then turn on ).

Thanks Magna86 reply 7  I'll do that. What response should I expect from this action?

Title: Re: Win32\Malware-gen
Post by: donfriesen on January 15, 2013, 01:49:05 AM

Quote from: Pondus on January 13, 2013, 12:42:29 AM

upload colorcpl exe to www.virustotal.com and test with 40+ malware scanners
post link to scan result here when done


Malware removers are notified. It may take hours before one arrive so be patient

also run AdwCleaner and post log   ;)

Pondus reply 1:  Thanks for the quick response. I've tried twice to reply to your replies, working for over an hour each time and then having my responses disappear in the wind (obviously I'm very frustrated).

My 'Avast free' virsu scan showed the Win32\Malware-gen to be in the d drive ( my system restore files). I can't access the colourcpl.exe file in this location, but I did  a 'Virus Total' scan of this colorcpl.exe  from C drive location and the result was: no virus.  Can I safely assume that the file in the D drive  is also virus free?

Title: Re: Win32\Malware-gen
Post by: magna86 on January 15, 2013, 11:45:42 PM

Quote from: donfriesen on January 15, 2013, 01:24:23 AM

Quote from: magna86 on January 14, 2013, 02:34:31 PM

donfriesen, just reset your system restore ( turn off and then turn on ).

Thanks Magna86 reply 7  I'll do that. What response should I expect from this action?

Response is that detection should not occur anymore. ;D

Detections is AV heuristics related. And as i wrote above, your system is clean, there is no malware, so just reset your system restore ( turn of and than turn on ) system restore tool will delete old restore points ( ald old created "image" files), and after that AV should no longer display any future warnings.

Title: Re: Win32\Malware-gen
Post by: donfriesen on January 16, 2013, 02:08:21 AM

Quote from: magna86 on January 15, 2013, 11:45:42 PM

Quote from: donfriesen on January 15, 2013, 01:24:23 AM

Quote from: magna86 on January 14, 2013, 02:34:31 PM

donfriesen, just reset your system restore ( turn off and then turn on ).

Thanks Magna86 reply 7  I'll do that. What response should I expect from this action?

Response is that detection should not occur anymore. ;D

Magna86 reply 10    Thanks so much for all your help!  Don

Detections is AV heuristics related. And as i wrote above, your system is clean, there is no malware, so just reset your system restore ( turn of and than turn on ) system restore tool will delete old restore points ( ald old created "image" files), and after that AV should no longer display any future warnings.

Title: Re: Win32\Malware-gen
Post by: donfriesen on January 16, 2013, 02:14:40 AM

To all concerned:

This problem has been solved. According to the response from Magna86 I presume I had a false positive detection. Thanks to Magna86, Pondus, and Polonus for your interest and help. Don.