Avast WEBforum

Other => Viruses and worms => Topic started by: noobje on January 23, 2010, 06:03:05 PM

Title: Win32: Malware-gen who to remove?
Post by: noobje on January 23, 2010, 06:03:05 PM

ey,

I have a problem. My computer has been infected with malware and my Avast spawns.

my Avast says this:

C:\Windows\Temp\qwhg.tmp\svchost.exe\[UPX]
Win32: Malware-gen

HELP. I tried everything.

Title: Re: Win32: Malware-gen who to remove?
Post by: essexboy on January 23, 2010, 06:19:37 PM

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

If that does not resolve the problem I will look deeper

Title: Re: Win32: Malware-gen who to remove?
Post by: noobje on January 23, 2010, 09:17:42 PM

 Ey,

I dont think the problem is solved. cuz my computer still crashes and it still pops u
This is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Database versie: 3620
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23-1-2010 21:03:48
mbam-log-2010-01-23 (21-03-48).txt

Scan type: Snelle Scan
Objecten gescand: 105699
Verstreken tijd: 6 minute(s), 10 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 4
Bestanden geïnfecteerd: 3

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
C:\Users\Niels\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D} (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Trojan.Swisyn) -> Quarantined and deleted successfully.

Bestanden geïnfecteerd:
C:\Users\Niels\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AntiVirus Plus\EULA.url (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Trojan.Swisyn) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Trojan.Swisyn) -> Quarantined and deleted successfully.

Title: Re: Win32: Malware-gen who to remove?
Post by: essexboy on January 23, 2010, 10:27:52 PM

OK lets look deeper and see what is there

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe)  to your Desktop

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS.exe to start the program.
  
• Check the box that says Scan All Users
  
• Under Additional Scans check the following:
• Reg - Shell Spawning
• File - Lop Check
• File - Purity Scan
• Evnt - EvtViewer (last 10)

• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
  
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
  
• Once it has uploaded, click the Manage Current Attachments drop down box
  
• Click on (http://www.geekstogo.com/forum/style_images/11168623649/folder_attach_images/attach_add.png) to insert the attachment into your post

Title: Re: Win32: Malware-gen who to remove?
Post by: noobje on January 23, 2010, 11:11:52 PM

Ey,

I did the scan on OTS and her are the results.

http://www.mediafire.com/?tmzu3an2nim (http://www.mediafire.com/?tmzu3an2nim)

Title: Re: Win32: Malware-gen who to remove?
Post by: essexboy on January 23, 2010, 11:17:30 PM

Let me know of any problems after this run

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< FireFox Extensions [Program Folders] > ->
YY -> LoudMo Contextual Ad Assistant   -> C:\Program Files\Mozilla Firefox\extensions\{e7e9e41b-cf71-05aa-8a51-c1a2a15fe6c2}
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Title: Re: Win32: Malware-gen who to remove?
Post by: noobje on January 23, 2010, 11:40:55 PM

Ey,

If done the run fix. but if dont have the result, cuz my computer crashed on me. If looked in taskmanager and there still stand several svchost activated (like 10 of them) with username local server or network server.

so I think thers still a problem because Avast said: C:\Windows\Temp\qwhg.tmp\svchost.exe\[UPX].

(I tried to detele it from the proces schrem but them i get a bleu schrem and my computer shuts down)

??? I just a sec ago my Avast still spawn the same virus.

C:\Windows\Temp\qwhg.tmp\svchost.exe\[UPX]
Win32: Malware-gen

Title: Re: Win32: Malware-gen who to remove?
Post by: essexboy on January 23, 2010, 11:47:10 PM

OK time for the big boy

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: Win32: Malware-gen who to remove?
Post by: noobje on January 24, 2010, 12:25:15 AM

Ey,

Still in my taskmngr I see the svchost processing.

her is the link of the result:
http://www.mediafire.com/?tmzu3an2nim

Title: Re: Win32: Malware-gen who to remove?
Post by: essexboy on January 24, 2010, 12:55:58 AM

If you could run Combofix please - svchost is a standard windows file and does run multiple services

Title: Re: Win32: Malware-gen who to remove?
Post by: noobje on January 25, 2010, 04:14:45 PM

owhh oke, srry about the late reply.
If runned Combofix and i think the problem is solved.
I dont know if u want a log to check it. if so let me know.

Thanks for the help :-* ;)

Title: Re: Win32: Malware-gen who to remove?
Post by: essexboy on January 25, 2010, 10:41:40 PM

Yes please if you could attach it - as Combofix does not always get every piece away

Title: Re: Win32: Malware-gen who to remove?
Post by: noobje on January 26, 2010, 04:33:44 PM

its the log on? C:\Combofix.txt

http://www.mediafire.com/?2vqiwhjm0ny

Title: Re: Win32: Malware-gen who to remove?
Post by: essexboy on January 26, 2010, 08:56:29 PM

OK looks good run OTS and hit the cleanup button to remove the tools

Title: Re: Win32: Malware-gen who to remove?
Post by: noobje on January 28, 2010, 05:36:47 PM

OKe, did it.
thanks for all. ur the king. ;D

Title: Re: Win32: Malware-gen who to remove?
Post by: artbookpad on January 31, 2010, 06:10:35 AM

Hi both,

The results of the latest scan with Avast! shown that my PC is infected with Win32:Malware-gen, Win32:Trojan-gen & Win32:Adware-gen. Immediately following this, my dvd player cannot read the disc content despite attempts to reinstall and removing upperfilters and lowerfilters from registry. Hence, I have the following queries:

1) I suspected Win32 virus are corrupting the driver and causing my dvd player not working. Do you think so? If so, which one?
2) I'm interested in getting rid of Win32:Malware-gen. Can I zoomed straight to "ComboFix.exe" and followed the steps as mentioned by essexboy? Does this ComboFix also remove other related Win32 virus such trojan and adware?

Appreciate your assistance and many thanks.

Title: Re: Win32: Malware-gen who to remove?
Post by: prateek007391 on February 22, 2010, 06:10:30 PM

Me too facing similar problem

Tried scanning with MBAM, but no use, the Malware Is generated again

Avast keeps on reporting *.tmp\svchost.exe is blocked

What should I do