Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: qrius2noall on March 04, 2010, 07:04:04 PM

Title: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 04, 2010, 07:04:04 PM
I have been using Avast Free for the last four years (with mixed kinds of emotions) and recently switched to AVAST 5 FREE. While downloading and installing some app, Avast went crazy and gave alarms about WIN32:Malware-gen (quite sad, because while downloading and prior to installing that app I had repeatedly scanned it with Avast, but nothing was flagged as malware at that time. The trouble started after installation of that downloaded app). As Avast was unable to delete the infection (file being offline or read only, as informed by Avast), I did a reinstall of the C drive but the trouble prevails. Dependable utilities (which I have been using for years, like CCLEANER, uTORRENT, Malwarebytes etc.) are being flagged as troublesome and it is just annoying, to say the least. Repeated uninstall and reinstall of AVAST 5 have not resolved the issue, and as a last resort I wanted to scan the PC in safe mode, but sadly again, AVAST CANNOT SCAN IN SAFE MODE: ERROR MESSAGE BEING: UNABLE TO START SCAN THERE ARE NO MORE END POINTS AVAILABLE FROM THE END POINT MAPPER

While right-click scanning the C drive, Avast shows signs of WIN32:Malware-gen but is not able to delete these or move them to the chest. Same is the case with the boot-time scan also.

So you can imagine, I am feeling helpless and irritated, doubting whether these are false alarms (the PC is working reasonably OK, no issues of slowness or crashes), because at the start of any app AVAST starts flagging these as malware but is unable to do anything about these infections. MILLION DOLLAR QUESTION: WHAT IS THE POINT IN KEEPING ON USING AVAST IF IT CANNOT PROTECT FROM MALWARE OR DELETE IT IF DETECTED?

Any suggestions as to how to resolve this issue are most welcome and appreciated.

q2na
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: Pondus on March 04, 2010, 07:08:09 PM
No security program has 100% detection or removal, that is why you should have more than one (only one antivirus).


Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
After install click UPDATE and run a quick scan, then click on REMOVE SELECTED to quarantine anything found.

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found come back and post the scan logs here
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: DavidR on March 04, 2010, 07:26:01 PM
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

Why can't avast delete it, e.g. what error is given?
Deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, send the virus to the chest and investigate.

- If you have Win2k, XP, vista or Win7 (all 32bit), you could enable a boot time scan. From the avast UI, Scan Computer, Boot-time Scan, Schedule Now button and reboot.
 
Look in the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file, check this file using notepad for info on the scan/detections, etc.
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 04, 2010, 07:32:30 PM
Thanks for your quick reply

I had done a complete and full scan with MALWAREBYTES (Avast flagged it too) prior to posting this problem in this forum. Whatever was pointed out by the MALWAREBYTES scan results, I got deleted with Malwarebytes and restarted the PC, but sadly the problem still persists; that is one reason for feeling helpless and frustrated.

I have the portable version of SUPERANTISPYWARE and can do the scan with that also.


Any suggestions are still most welcome (can these be false alarms?)

q2na
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 04, 2010, 07:37:43 PM
Could you post the MBAM log please, and then:

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav


Please attach the log in your next post.

Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 04, 2010, 07:48:37 PM
THANKS for your reply

THE SCAN REPORTS (AVAST 5 FREE)

03/04/2010 07:44
Scan of C:

Scan of C:\*

File C:\WINDOWS\system32\ole32.dll is infected by Win32:Malware-gen, Delete: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.}, Delete: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.}, Delete: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.}, Delete: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.}, Delete: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.}, Move to chest: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.}, Move to chest: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.}, Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}
Number of searched folders: 939
Number of tested files: 54344
Number of infected files: 1


Another scan done with avast 5 free

* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 7:33:58 AM
*

3/4/2010 7:34:12 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 7:43:15 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 7:57:10 AM
*

3/4/2010 7:57:32 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
3/4/2010 7:57:32 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 8:00:29 AM   C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\U7RGV9WY\f[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
3/4/2010 8:00:30 AM   C:\DOCUME~1\Daksh\LOCALS~1\Temp\yyyyy [L] Win32:Malware-gen (0)
File was successfully moved to chest...
3/4/2010 8:18:12 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 8:21:06 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 3:13:49 PM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 5:48:07 PM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 5:49:22 PM   C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\U7RGV9WY\f[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
3/4/2010 5:49:24 PM   C:\DOCUME~1\Daksh\LOCALS~1\Temp\ttttt [L] Win32:Malware-gen (0)
File was successfully moved to chest...
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 7:24:07 PM
*

3/4/2010 7:25:14 PM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 7:27:21 PM   C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\48Q0UBAF\f[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
3/4/2010 7:27:22 PM   C:\DOCUME~1\Daksh\LOCALS~1\Temp\yyyyy [L] Win32:Malware-gen (0)
File was successfully moved to chest...
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 9:31:58 PM
*

3/4/2010 9:42:03 PM   C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\48Q0UBAF\f[1].exe [L] Win32:Malware-gen (0)
File was successfully moved to chest...
3/4/2010 9:42:05 PM   C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\U7RGV9WY\f[1].exe [L] Win32:Malware-gen (0)
File was successfully moved to chest...
3/4/2010 10:22:18 PM   E:\SETUPS DOWNLOADED\Morpheus.Photo.Animation.Suite.v3.11\MorpheusPhotoAnimationSuite-311.exe [L] Win32:CabMod [Drp] (0)
File was successfully moved to chest...
3/4/2010 10:22:31 PM   E:\SETUPS DOWNLOADED\Farmatech Radmin 3.4\Radmin Viewer 3.4 Portable.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest...
3/4/2010 10:24:08 PM   E:\SETUPS DOWNLOADED\MP3 RESIZER EDITOR-MADE PORTABLE\$TEMP\EULA.exe|>wibb32.exe|>$TEMP\nvvscv.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
File was successfully moved to chest...
3/4/2010 10:24:09 PM   E:\SETUPS DOWNLOADED\MP3 RESIZER EDITOR-MADE PORTABLE\$TEMP\EULA.exe|>wibb32.exe|>$TEMP\nvscv.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
3/4/2010 10:27:10 PM   E:\System Volume Information\_restore{A12F6E18-3525-4DAA-8A1C-4568EE3DE2D8}\RP1\A0000113.exe [L] Win32:CabMod [Drp] (0)
File was successfully moved to chest...
3/4/2010 10:27:13 PM   E:\System Volume Information\_restore{A12F6E18-3525-4DAA-8A1C-4568EE3DE2D8}\RP1\A0000114.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest...
3/4/2010 10:27:14 PM   E:\System Volume Information\_restore{A12F6E18-3525-4DAA-8A1C-4568EE3DE2D8}\RP1\A0000115.exe|>wibb32.exe|>$TEMP\nvvscv.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
File was successfully moved to chest...
3/4/2010 10:27:14 PM   E:\System Volume Information\_restore{A12F6E18-3525-4DAA-8A1C-4568EE3DE2D8}\RP1\A0000115.exe|>wibb32.exe|>$TEMP\nvscv.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
3/4/2010 10:27:41 PM   E:\TEST DOWNLOADS\MEDIA -Video Splitter-SOLVEIGMM-portable v1.2.705.4\Stubs\5283da368222ccee720a9482cb6c6788524b080\wmplayer.exe [L] Win32:Trojan-gen (0)
File was successfully moved to chest...
3/4/2010 10:36:09 PM   E:\TEST DOWNLOADS\AutoRun Typhoon 4.3.0 Portable\patch\autorun.typhoon.pro.4.3.0-patch.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest...
3/4/2010 10:38:07 PM   E:\USEFUL CRUCIAL UTILITIES FOLDER\FOXIT READER-UTILITY SUITE\Infix PDF Editor 4.0.4 Portable.exe [L] Win32:Agent-AJGY [Trj] (0)
File was successfully moved to chest...
3/4/2010 10:52:50 PM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 10:54:15 PM
*

3/4/2010 10:56:05 PM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 10:56:39 PM   C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\48Q0UBAF\f[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
3/4/2010 10:56:40 PM   C:\DOCUME~1\Daksh\LOCALS~1\Temp\yyyyy [L] Win32:Malware-gen (0)
File was successfully moved to chest...

CONTD. IN THE NEXT POST
*

Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 04, 2010, 07:51:23 PM
CONTINUED FROM PREVIOUS


*

* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 7:33:58 AM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 7:57:10 AM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 7:24:07 PM
*

3/4/2010 7:33:42 PM   http://www.ebookslib.org/the-global-money-markets.html [L] JS:Small-C [Trj] (0)
3/4/2010 7:33:45 PM   http://www.ebookslib.org/favicon.ico [L] JS:Small-C [Trj] (0)
3/4/2010 7:34:01 PM   http://www.ebookslib.org/the-global-money-markets.html [L] JS:Small-C [Trj] (0)
3/4/2010 7:34:05 PM   http://www.ebookslib.org/favicon.ico [L] JS:Small-C [Trj] (0)
3/4/2010 7:34:32 PM   http://www.ebookslib.org/cellular-mobile-radio-systems-designing-systems-for-capacity-optimization.html [L] JS:Small-C [Trj] (0)
3/4/2010 7:34:34 PM   http://www.ebookslib.org/favicon.ico [L] JS:Small-C [Trj] (0)
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 9:31:58 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 10:54:15 PM

THANKS FOR YOUR REPLIES. I WANT TO GET TO THE BOTTOM OF IT BEFORE I THINK OF UNINSTALLING AVAST
*
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 04, 2010, 07:55:45 PM
STRANGELY, WHY IS AVAST 5 FREE NOT ABLE TO SCAN IN SAFE MODE? THE ERROR IT SHOWS IN SAFE MODE SCAN IS:

UNABLE TO START SCAN THERE ARE NO MORE END POINTS AVAILABLE FROM THE END POINT MAPPER

ANY IDEA WHAT THAT MEANS?


Thanks Once again

Q2na
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 04, 2010, 08:34:43 PM
Thanks Once again ESSEXBOY

Here is the Malwarebytes scan report; apparently all that was flagged bad has been quarantined and deleted by MALWAREBYTES.

Malwarebytes' Anti-Malware 1.44
Database version: 3824
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/4/2010 10:52:49 PM
mbam-log-2010-03-04 (22-52-49).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 235366
Time elapsed: 1 hour(s), 10 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\WINDOWS SIMULATOR FOR INSTALLTION-SETUP-\winxp_simulator.exe (Trojan.Logger) -> Quarantined and deleted successfully.
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\tcp ip patcher\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\REG ERROR REPAIR-SETUP\erpsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\ERROR REPAIR UTILITY-PORTABLE\erpsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\Ebooster 3 build 491 plus patch\patch\eBoostr 3.0 build 491 Patch.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\NOT IN ACTIVE USE UTILITIES\xp key changer\update_xp_cd_key.exe (Backdoor.IRCbot) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\tcp ip patcher\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\FLV Direct Player-SETUP\FLVDirect.exe (Adware.MediaPass) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\PDF UTILITY-Nitro PDF PRO-Setup\keygen\kg_nitro_pdf_professional.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\Sandboxie.v3.42.WinAll.Incl.Keygen-CRD\keygen\kg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\exe dll files extractor-PE EXPLORER-SETUP\crack.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\TEST DOWNLOADS\WORD PROCESSOR-ATLANTIS-PORTABLE\AtlantisPortable\App\Atlantis\unicows.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
E:\Z-CRUCIAL SETUPS FOR REINSTALL\FOXIT READER-UTILITY SUITE SETUPS\Foxit Reader Pro 2.3.2008.2825 - Olexijl\patch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 04, 2010, 08:38:00 PM
Quote
:\NOT IN ACTIVE USE UTILITIES\xp key changer\update_xp_cd_key.exe (Backdoor.IRCbot) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\tcp ip patcher\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\FLV Direct Player-SETUP\FLVDirect.exe (Adware.MediaPass) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\PDF UTILITY-Nitro PDF PRO-Setup\keygen\kg_nitro_pdf_professional.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\Sandboxie.v3.42.WinAll.Incl.Keygen-CRD\keygen\kg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\exe dll files extractor-PE EXPLORER-SETUP\crack.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\TEST DOWNLOADS\WORD PROCESSOR-ATLANTIS-PORTABLE\AtlantisPortable\App\Atlantis\unicows.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
E:\Z-CRUCIAL SETUPS FOR REINSTALL\FOXIT READER-UTILITY SUITE SETUPS\Foxit Reader Pro 2.3.2008.2825 - Olexijl\patch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.
Well, that is where it came from.

If you could run and then post OTS, I will see what remains.
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 04, 2010, 08:45:00 PM
Thanks Once Again ESSEXBOY

Here is the link for the OTS scan report

http://www.mediafire.com/download.php?wwvyk0wwomh

Thanks for your help
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 04, 2010, 08:49:25 PM
You have set it to private; could you unlock it and post the sharing link, or attach the OTS log to your post?
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 02:23:52 AM
Hi ESSEXBOY

Sorry for messing up the Mediafire link; it is the first time I have uploaded. Anyway, the file is public for download.

Meanwhile I have done a couple of scans with AVAST 5 FREE and the report is as follows:

 avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, March 05, 2010 5:33:53 AM
*

3/5/2010 5:40:45 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/5/2010 5:40:48 AM   C:\WINDOWS\system32\core.dll [L] Win32:Malware-gen (0)
File was successfully moved to chest...
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, March 05, 2010 5:52:23 AM
*

3/5/2010 5:56:35 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, March 05, 2010 6:25:55 AM
*

As you can see, Avast is detecting the infection but is not able to remove it.

C:\WINDOWS\winstart.bat     
Error:File is offline-it is currently not available(ERROR 42006)

C:\WINDOWS\SYS32\ole32.dll
threat    high    Win32:Malware-gen
The Specified file is read only(Error 6009)

I hope this new info helps you to help me in this lousy situation.

Funny thing is I cannot do the scan in SAFE MODE. The error message from AVAST is:

UNABLE TO START SCAN.THERE ARE NO MORE END POINTS AVAILABLE FROM THE END POINT MAPPER     

Any idea what it implies?

Will be waiting for replies from YOU, David and PONDUS

Thank you All

q2na
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 05, 2010, 01:41:00 PM
Avast is not in its default folder, which may be part of the problem.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Processes - Safe List]
YY -> statbar  .exe -> E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "StatBar" -> E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe [E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe]
[Files - No Company Name]
NY ->  winstart.bat -> C:\WINDOWS\winstart.bat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

I can see no indication that ole32.dll has been modified. However, I will search for a spare copy and do a replace.

Run OTS

/md5start
OLE32.DLL
 /md5stop


Please attach the log in your next post.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: bobo1 on March 05, 2010, 03:10:59 PM
Did you just format C:?
It could be a boot sector virus on your multiple partitions. Deleting the C: and the other partitions and recreating new partitions using a DOS Win 98 start-up disk via floppy drive A: is the only cure to get rid of boot sector viruses, or use the XP CD-ROM, delete the partition and do a clean install of XP. Rather drastic though. This is what I do if anyone has widespread virus problems on their PCs: to repair large disks I create 2 partitions, C: and D:, depending on how big the drive is in the first place.
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 08:27:06 PM
Thanks ESSEXBOY for your help extended in this painful episode.

Yesterday, after posting this, I did a scan with Sunbelt VIPRE in safe mode (as AVAST IS NOT ABLE TO SCAN IN SAFE MODE, AS POSTED ABOVE, QUITE STRANGE THOUGH) and deleted whatever it posted as troublesome. The result was another tragedy: I could no longer boot the PC, the error being OLE32.dll cannot be located (another nightmarish situation), so I did a repair install of Windows XP and again reinstalled AVAST 5 FREE, did a boot-time scan with it and again it detects the infection but cannot quarantine or delete it, with the error message: While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only

After the PC boots, as soon as I start any app AVAST starts going nuts with notifications about infection with Win32:Malware-gen.

I might mention here that except for these notifications from AVAST, the system seems to be working okay; I mean there are no unusual processes in the task manager, no issue with slowdown or crashes etc. SO COULD THIS WHOLE SCENARIO BE A CASE OF FALSE POSITIVES? I have already submitted the false positive report (after the start of uTorrent, CCleaner, task manager etc.) to avast and hopefully something may come out of this.

Anyway, I have run the script fix with OTS and rebooted the PC about 5 minutes ago.
The app STATBAR (quite useful, and I have been using it for the last 3-4 years without any issues) is no longer starting; so do you want me to stop it from starting with Windows, or not use it at all? Personally I like using it and it has been very helpful.

AND AGAINST ALL HOPES, AVAST IS STILL GOING NUTS AS SOON AS I STARTED UTORRENT, SO THE ISSUE STILL REMAINS....
The OTS scan report is being posted in the next post.

Till then, thanks once again

q2na
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 05, 2010, 08:40:13 PM
That was infected. I don't know if you noticed, but there was a space in STATBAR  .exe; that was an old Renv/vundo infection.

If you run OTS I will see if there is a spare copy that I can replace it with; see the bottom of post 13.

Or we can use a bigger hammer

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
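The avast! Real-time Shield reports posted earlier in this thread, and essexboy's observation about the space in "STATBAR  .exe", both come down to reading the log carefully: which detections were actually remediated, which failed and why, and which file names look deceptive. The parser below is an added example, not code from the thread or from avast; the sample report is constructed in the layout of the posted reports (the statbar line is constructed to exercise the padded-name check; in the thread that file was removed by OTS, not by avast), and the flag texts are this example's own wording.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the layout of the avast! 5 Real-time Shield reports posted
# in this thread: a "*" header block, then one detection line per hit
# (timestamp, path, [L], detection name, optional [tag], count) followed by the
# action lines avast writes for that hit. The statbar entry is constructed only
# to exercise the padded-name check below.
SAMPLE_REPORT = r"""
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, March 04, 2010 7:57:10 AM
*

3/4/2010 7:57:32 AM   C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 8:00:30 AM   C:\DOCUME~1\Daksh\LOCALS~1\Temp\yyyyy [L] Win32:Malware-gen (0)
File was successfully moved to chest...
3/4/2010 10:22:18 PM   E:\SETUPS DOWNLOADED\Suite\Setup.exe [L] Win32:CabMod [Drp] (0)
File was successfully moved to chest...
3/4/2010 10:24:09 PM   E:\SETUPS DOWNLOADED\EULA.exe|>wibb32.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
3/5/2010 5:41:00 AM   E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe [L] Win32:Malware-gen (0)
File was successfully moved to chest...
"""

# One detection line: "<m/d/yyyy h:mm:ss AM|PM>   <path> [L] <name>[ [tag]] (<count>)"
DETECTION_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<path>.+?) \[L\] (?P<name>.+?)(?: \[(?P<tag>\w+)\])? \((?P<count>\d+)\)$"
)
ERROR_RE = re.compile(r"error occurred: (.+)$")
# File name whose stem ends in whitespace before the extension, e.g. "statbar  .exe":
# it sorts and displays next to the legitimate program while being a different file.
PADDED_NAME_RE = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")
# Files directly under <drive>:\WINDOWS\system32 (ole32.dll in this thread).
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass
class FileStatus:
    detections: int = 0
    names: set = field(default_factory=set)
    remediated: bool = False        # avast reported a successful move/delete
    errors: list = field(default_factory=list)
    flags: list = field(default_factory=list)


def classify_path(path):
    """Defender-side triage hints for a detected path (wording is this example's own)."""
    flags = []
    name = path.rsplit("\\", 1)[-1]
    if PADDED_NAME_RE.search(name):
        flags.append("whitespace before extension: name mimics a legitimate program")
    if SYSTEM32_RE.match(path):
        flags.append("core OS file: verify against a known-good copy before removal")
    return flags


def parse_report(text):
    """Group each detection with the action lines that follow it, keyed by the on-disk file."""
    status = defaultdict(FileStatus)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                      # header / separator lines
        m = DETECTION_RE.match(line)
        if m:
            # "a.exe|>b.exe|>c" is an archive chain; the container is what sits on disk.
            current = m.group("path").split("|>")[0]
            status[current].detections += 1
            status[current].names.add(m.group("name"))
            continue
        if current is None:
            continue                      # action line with no preceding detection
        if line.startswith("File was successfully"):
            status[current].remediated = True
        else:
            em = ERROR_RE.search(line)
            if em:
                status[current].errors.append(em.group(1))
    for path, st in status.items():
        st.flags = classify_path(path)
    return dict(status)


def unremediated(status):
    """Paths that were detected but never successfully moved to the chest or deleted."""
    return sorted(p for p, st in status.items() if not st.remediated)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for path in unremediated(report):
        st = report[path]
        print(f"{path}: {', '.join(sorted(st.names))}; errors={sorted(set(st.errors))}; flags={st.flags}")
```

Run on the real report files, the output lists only the files that still need a decision (here ole32.dll, flagged as a core OS file, and the NSIS archive avast could no longer find), which is the short list a helper like essexboy actually needs.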
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 09:07:10 PM
Thanks ESSEXBOY for your help and patience. I am not all that bright with computers, so you might have to bear with me please.

Here is the text file after the fix script:

All Processes Killed
[Processes - Safe List]
No active process named statbar  .exe was found!
E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\StatBar deleted successfully.
File E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe not found.
[Files - No Company Name]
C:\WINDOWS\winstart.bat moved successfully.
[Empty Temp Folders]
 
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: All Users
 
User: Daksh
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2525625 bytes
->Flash cache emptied: 405 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6428142 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 25221561 bytes
 
Total Files Cleaned = 33.00 mb
 
< End of fix log >
OTS by OldTimer - Version 3.1.25.0 fix logfile created on 03062010_001154

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


Due to some confusion I guess (nervousness), I ran the script fix again and after the reboot the text file has the following report:

All Processes Killed
[Processes - Safe List]
No active process named statbar  .exe was found!
E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\StatBar deleted successfully.
File E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe not found.
[Files - No Company Name]
C:\WINDOWS\winstart.bat moved successfully.
[Empty Temp Folders]
 
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: All Users
 
User: Daksh
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2525625 bytes
->Flash cache emptied: 405 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6428142 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 25221561 bytes
 
Total Files Cleaned = 33.00 mb
 
< End of fix log >
OTS by OldTimer - Version 3.1.25.0 fix logfile created on 03062010_001154

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


Also on C DRIVE there is a folder _OTS with two subfolders named C_WINDOWS (empty folder) and E_USEFUL CRUCIAL UTILITIES FOLDER (contains the moved STATBAR app file).

Meanwhile I will do the next OTS scan and then the COMBOFIX one. As I said, I want to get to the bottom of it before I give up on AVAST. I have been using it for the last 4 years and had been recommending it to a lot of people here, so it is kind of hard to admit that it is giving troubles.....
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 05, 2010, 09:10:18 PM
No problem  ;D
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 09:28:46 PM
Here it comes ESSEXBOY, the COMBOFIX report. I will post it in two or three posts if it seems very big.

part-1

ComboFix 10-03-04.06 - Daksh 03/06/2010   1:50.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.503.317 [GMT 5.5:30]
Running from: c:\documents and settings\Daksh\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ole32.dll . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2010-02-05 to 2010-03-05  )))))))))))))))))))))))))))))))
.

2010-03-05 18:41 . 2010-03-05 18:41   --------   d-----w-   C:\_OTS
2010-03-05 16:15 . 2010-01-07 10:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:15 . 2010-01-07 10:37   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-05 14:02 . 2010-03-05 15:08   --------   d-----w-   c:\program files\Panda Security
2010-03-05 13:28 . 2010-03-05 13:28   --------   d-----w-   c:\documents and settings\Daksh\DoctorWeb
2010-03-05 11:27 . 2010-03-05 11:27   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\400000b00002i\Ras.exe
2010-03-05 11:27 . 2010-03-05 11:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Rising
2010-03-05 11:27 . 2009-04-16 20:43   629360   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Rsaupd.exe
2010-03-05 11:27 . 2010-03-05 11:27   518808   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Ntlib.dll
2010-03-05 11:27 . 2010-03-05 11:25   637592   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%SystemSystem%\kmon.dll
2010-03-05 11:24 . 2010-03-05 11:24   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000009c00002i\Rsaupd.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000007200002i\knownsvr.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000008000002i\Splash Screen.exe
2010-03-05 01:58 . 2010-03-05 01:58   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Runscanner.net
2010-03-05 01:53 . 2010-03-05 01:53   160272   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-03-05 00:03 . 2010-02-11 18:42   162512   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-05 00:03 . 2010-02-11 18:38   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-05 00:03 . 2010-02-11 18:42   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-05 00:03 . 2010-02-11 18:39   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-05 00:03 . 2010-02-11 18:38   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-05 00:03 . 2010-02-11 18:38   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-05 00:03 . 2010-02-11 18:38   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-05 00:03 . 2010-02-11 18:53   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-03-05 00:03 . 2010-02-11 18:53   153184   ----a-w-   c:\windows\system32\aswBoot.exe
2010-03-04 23:25 . 2004-08-03 17:31   70144   -c--a-w-   c:\windows\system32\dllcache\pintlphr.exe
2010-03-04 23:24 . 2001-08-23 11:30   10096640   -c--a-w-   c:\windows\system32\dllcache\hwxcht.dll
2010-03-04 23:23 . 2004-05-12 19:09   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-03-04 23:17 . 2004-08-03 17:01   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
2010-03-04 23:15 . 2001-08-23 11:30   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-03-04 20:50 . 2010-03-04 20:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Malwarebytes
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 14:20 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizerPictures
2010-03-04 14:19 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizer
2010-03-02 12:46 . 2010-03-02 12:46   --------   d--h--w-   c:\windows\PIF
2010-03-02 06:24 . 2010-03-02 06:24   --------   d-----w-   c:\windows\Sun
2010-02-27 06:37 . 2010-02-27 06:37   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-26 20:09 . 2010-02-26 20:16   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FreeFixer
2010-02-26 20:09 . 2010-02-26 20:09   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\FreeFixer
2010-02-26 18:41 . 2010-02-26 18:41   --------   d-----w-   c:\program files\FoxPlayer
2010-02-26 15:27 . 2010-02-26 15:27   --------   d-----w-   c:\documents and settings\Daksh\Application Data\PolyEdit Lite
2010-02-26 14:57 . 2010-02-26 14:57   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SAIG
2010-02-26 14:41 . 2010-02-26 14:41   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Apago
2010-02-25 06:01 . 2010-02-25 06:01   --------   d-----r-   C:\Sandbox
2010-02-24 19:38 . 2010-02-24 19:38   --------   d--h--r-   c:\documents and settings\Daksh\Application Data\JAM Software
2010-02-24 11:52 . 2010-02-24 11:52   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Identities
2010-02-24 08:17 . 2008-01-01 01:30   78848   ----a-w-   c:\windows\system32\VISCDRTL.DLL
2010-02-24 08:17 . 2008-01-01 01:30   152064   ----a-w-   c:\windows\system32\VISCDUNR.DLL
2010-02-24 08:17 . 2008-01-01 01:30   143360   ----a-w-   c:\windows\system32\VISCDUNZ.DLL
2010-02-23 19:57 . 2010-02-23 19:57   0   ----a-w-   c:\windows\nsreg.dat
2010-02-23 19:56 . 2010-02-23 19:56   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Mozilla
2010-02-23 19:33 . 2010-03-05 11:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Thinstall
2010-02-23 19:33 . 2010-02-23 19:33   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Thinstall
2010-02-23 18:15 . 2010-02-23 18:15   --------   d--h--w-   c:\windows\system32\GroupPolicy

Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 09:31:17 PM
part-2

2010-02-23 14:55 . 2004-08-03 19:56   221184   ----a-w-   c:\windows\system32\wmpns.dll
2010-02-23 13:21 . 2003-03-18 20:20   1060864   ----a-w-   c:\windows\system32\MFC71.dll
2010-02-23 13:21 . 2003-03-18 19:14   499712   ----a-w-   c:\windows\system32\MSVCP71.dll
2010-02-23 13:21 . 2003-02-21 03:42   348160   ----a-w-   c:\windows\system32\MSVCR71.dll
2010-02-23 10:56 . 2010-02-23 17:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-23 10:56 . 2010-02-23 10:56   --------   d-----w-   c:\program files\NCH Software
2010-02-23 10:56 . 2010-03-01 13:53   --------   d-----w-   c:\documents and settings\Daksh\Application Data\NCH Swift Sound
2010-02-23 10:49 . 2010-02-23 10:49   1078   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}\_60c11ac7.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 20:13 . 2010-02-23 00:59   --------   d-----w-   c:\documents and settings\Daksh\Application Data\uTorrent
2010-03-05 11:26 . 2009-04-16 20:43   84632   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\UrlRule.dll
2010-03-05 11:26 . 2009-04-16 20:43   125592   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecScan.dll
2010-03-05 11:26 . 2009-04-16 20:43   92824   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecEx.dll
2010-03-05 11:26 . 2009-04-16 20:43   424560   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\runiep.dll
2010-03-05 11:26 . 2009-04-16 20:43   207512   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\rsdialog.dll
2010-03-05 11:26 . 2009-04-16 20:43   215704   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pweb.dll
2010-03-05 11:26 . 2009-04-16 20:43   744088   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\ptools.dll
2010-03-05 11:26 . 2009-04-16 20:43   809624   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pscan.dll
2010-03-05 11:25 . 2009-04-16 20:43   297584   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\KakaMgr.dll
2010-03-05 09:09 . 2010-02-23 00:14   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-04 23:55 . 2004-08-03 19:56   1281536   ----a-w-   c:\windows\system32\ole32.dll
2010-03-04 23:34 . 2010-02-23 03:59   12328   ----a-w-   c:\documents and settings\Daksh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 23:21 . 2010-02-22 22:35   22748   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-02-25 06:48 . 2010-02-22 22:38   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-23 11:13 . 2010-02-23 11:13   32768   ----a-w-   c:\windows\Help\ItzilzIm.dll
2010-02-23 03:44 . 2010-02-23 03:44   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-02-23 03:43 . 2010-02-23 03:43   --------   d-----w-   c:\program files\C-Media 3D Audio
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SUPERAntiSpyware.com
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 00:14 . 2010-02-23 00:14   10134   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_05672270EB30CCA6FD3838.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_8C792585F69A42291AD1A1.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_6FEFF9B68218417F98F549.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_15D66DCE894BB3F91E0E6F.exe
2010-02-22 23:50 . 2010-02-22 23:50   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-22 23:50 . 2010-02-22 23:50   --------   d-----w-   c:\program files\Java
2010-02-22 23:50 . 2010-02-22 23:50   152576   ----a-w-   c:\documents and settings\Daksh\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-22 22:54 . 2010-02-22 22:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-22 22:39 . 2010-02-22 22:39   --------   d-----w-   c:\program files\microsoft frontpage
.
c:\program files\Java\jre6\bin\jusched .exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"avast5"="e:\useful~1\ANTIVI~2\avastUI.exe" [2010-02-11 2756488]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
cmicnfg.cpl [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\ACTIVE DOWNLOADS\\uTORRENTS\\uTorrent.exe"=
"c:\\ODIN\\Diet\\DietOdin.exe"=
"e:\\TEST DOWNLOADS\\ANTI VIRUS MALWARE-REMOVEIT-\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2010 5:33 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2010 5:33 AM 19024]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SASENUM;SASENUM;
S3 SbieDrv;SbieDrv;e:\useful crucial utilities folder\SANDBOXIE\SbieDrv.sys [2/3/2010 4:10 PM 115432]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.freeware365.com/desktop/folderguide.htm
TCP: {66A4DF95-55B1-4AC1-9006-CE521313193D} = 202.56.215.6,202.56.230.6
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 01:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\12.tmp"
.
Completion time: 2010-03-06  01:54:14
ComboFix-quarantined-files.txt  2010-03-05 20:24

Pre-Run: 37,365,747,712 bytes free
Post-Run: 37,338,963,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0E934A1A39777670895CC9D914CA9547
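The ComboFix "Files Created" and "Find3M" listings in this thread are read by eye. As an added example (it is not part of the thread and not a ComboFix or OTS tool), here is a small Python parser for that line format with two triage helpers: one that flags names with whitespace padded in before the extension (the "jusched .exe" and "statbar  .exe" pattern that the Renv:: directive and the OTS moves above deal with), and one that lists files under a given directory such as system32. The sample log is built from lines on this page; the final statbar row is constructed in the same format, with made-up timestamps and size, so that the padding check has something to find.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix file-listing line ("Files Created" and "Find3M" sections):
#   <timestamp> . <timestamp>   <size | -------->   <attrs>   <path>
# The two timestamps are kept as-is (ts1/ts2); which one is creation and
# which is modification time is not asserted here.
ENTRY_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Base name ending in whitespace immediately before the extension,
# e.g. "jusched .exe" or "statbar  .exe".
PADDED_EXT_RE = re.compile(r"\s\.[A-Za-z0-9]+$")


@dataclass
class Entry:
    ts1: str
    ts2: str
    size: Optional[int]  # None for directory rows, which show "--------"
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entries(log_text: str) -> List[Entry]:
    """Return every line of log_text in the listing format; banners, dots and prose are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(Entry(m["ts1"], m["ts2"], size, m["attrs"], m["path"]))
    return entries


def padded_name_entries(entries: List[Entry]) -> List[Entry]:
    """Files whose base name has whitespace right before the extension."""
    return [e for e in entries if not e.is_dir and PADDED_EXT_RE.search(e.name)]


def files_under(entries: List[Entry], prefix: str) -> List[Entry]:
    """Non-directory entries whose path starts with prefix (case-insensitive, Windows paths)."""
    p = prefix.lower().rstrip("\\") + "\\"
    return [e for e in entries if not e.is_dir and e.path.lower().startswith(p)]


# Sample log built from lines on this page; the last row (statbar  .exe) is
# constructed in the same format and its timestamps and size are made up.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2010-02-05 to 2010-03-05  )))))))))))))))))))))))))))))))
.
2010-03-05 16:15 . 2010-01-07 10:37   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-05 14:02 . 2010-03-05 15:08   --------   d-----w-   c:\program files\Panda Security
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000008000002i\Splash Screen.exe
2010-03-04 23:55 . 2004-08-03 19:56   1281536   ----a-w-   c:\windows\system32\ole32.dll
2010-02-23 00:59 . 2010-02-23 00:59   45056   ----a-w-   e:\useful crucial utilities folder\statbar  .exe
"""


if __name__ == "__main__":
    rows = parse_entries(SAMPLE_LOG)
    print(f"{len(rows)} entries parsed")
    for e in padded_name_entries(rows):
        print("padded name:", e.path)
    for e in files_under(rows, r"c:\windows\system32"):
        print("system32 file:", e.size, e.path)
```

Feed it a whole ComboFix log and the parser simply skips everything that is not a file row, so the helpers work on both the "Files Created" and "Find3M" sections at once; a padded-extension hit is only a prompt for a closer look, which is exactly how it is treated in this thread (the file is renamed or moved, not deleted).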
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 09:38:03 PM
Hi ESSEXBOY

Combofix scan says "c:\windows\system32\ole32.dll . . . is infected!!", the only thing I could easily understand.

So is it hard to fix, or might we have to go for a reinstall? (which I personally dread doing)

So waiting for your further counsel

Thanks and cheers

Q2NA
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 05, 2010, 10:01:13 PM
First we will see if combofix can find a spare copy - and one more renv file

1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
MIA::
c:\windows\system32\ole32.dll

Renv::
c:\program files\Java\jre6\bin\jusched .exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 10:16:35 PM
COMBOFIX REPORT  part-1

ComboFix 10-03-04.06 - Daksh 03/06/2010   2:37.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.503.282 [GMT 5.5:30]
Running from: c:\documents and settings\Daksh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daksh\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ole32.dll . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2010-02-05 to 2010-03-05  )))))))))))))))))))))))))))))))
.

2010-03-05 18:41 . 2010-03-05 18:41   --------   d-----w-   C:\_OTS
2010-03-05 16:15 . 2010-01-07 10:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:15 . 2010-01-07 10:37   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-05 14:02 . 2010-03-05 15:08   --------   d-----w-   c:\program files\Panda Security
2010-03-05 13:28 . 2010-03-05 13:28   --------   d-----w-   c:\documents and settings\Daksh\DoctorWeb
2010-03-05 11:27 . 2010-03-05 11:27   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\400000b00002i\Ras.exe
2010-03-05 11:27 . 2010-03-05 11:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Rising
2010-03-05 11:27 . 2009-04-16 20:43   629360   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Rsaupd.exe
2010-03-05 11:27 . 2010-03-05 11:27   518808   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Ntlib.dll
2010-03-05 11:27 . 2010-03-05 11:25   637592   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%SystemSystem%\kmon.dll
2010-03-05 11:24 . 2010-03-05 11:24   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000009c00002i\Rsaupd.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000007200002i\knownsvr.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000008000002i\Splash Screen.exe
2010-03-05 01:58 . 2010-03-05 01:58   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Runscanner.net
2010-03-05 01:53 . 2010-03-05 01:53   160272   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-03-05 00:03 . 2010-02-11 18:42   162512   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-05 00:03 . 2010-02-11 18:38   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-05 00:03 . 2010-02-11 18:42   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-05 00:03 . 2010-02-11 18:39   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-05 00:03 . 2010-02-11 18:38   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-05 00:03 . 2010-02-11 18:38   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-05 00:03 . 2010-02-11 18:38   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-05 00:03 . 2010-02-11 18:53   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-03-05 00:03 . 2010-02-11 18:53   153184   ----a-w-   c:\windows\system32\aswBoot.exe
2010-03-04 23:25 . 2004-08-03 17:31   70144   -c--a-w-   c:\windows\system32\dllcache\pintlphr.exe
2010-03-04 23:24 . 2001-08-23 11:30   10096640   -c--a-w-   c:\windows\system32\dllcache\hwxcht.dll
2010-03-04 23:23 . 2004-05-12 19:09   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-03-04 23:17 . 2004-08-03 17:01   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
2010-03-04 23:15 . 2001-08-23 11:30   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-03-04 20:50 . 2010-03-04 20:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Malwarebytes
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 14:20 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizerPictures
2010-03-04 14:19 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizer
2010-03-02 12:46 . 2010-03-02 12:46   --------   d--h--w-   c:\windows\PIF
2010-03-02 06:24 . 2010-03-02 06:24   --------   d-----w-   c:\windows\Sun
2010-02-27 06:37 . 2010-02-27 06:37   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-26 20:09 . 2010-02-26 20:16   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FreeFixer
2010-02-26 20:09 . 2010-02-26 20:09   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\FreeFixer
2010-02-26 18:41 . 2010-02-26 18:41   --------   d-----w-   c:\program files\FoxPlayer
2010-02-26 15:27 . 2010-02-26 15:27   --------   d-----w-   c:\documents and settings\Daksh\Application Data\PolyEdit Lite
2010-02-26 14:57 . 2010-02-26 14:57   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SAIG
2010-02-26 14:41 . 2010-02-26 14:41   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Apago
2010-02-25 06:01 . 2010-02-25 06:01   --------   d-----r-   C:\Sandbox
2010-02-24 19:38 . 2010-02-24 19:38   --------   d--h--r-   c:\documents and settings\Daksh\Application Data\JAM Software
2010-02-24 11:52 . 2010-02-24 11:52   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Identities
2010-02-24 08:17 . 2008-01-01 01:30   78848   ----a-w-   c:\windows\system32\VISCDRTL.DLL
2010-02-24 08:17 . 2008-01-01 01:30   152064   ----a-w-   c:\windows\system32\VISCDUNR.DLL
2010-02-24 08:17 . 2008-01-01 01:30   143360   ----a-w-   c:\windows\system32\VISCDUNZ.DLL
2010-02-23 19:57 . 2010-02-23 19:57   0   ----a-w-   c:\windows\nsreg.dat
2010-02-23 19:56 . 2010-02-23 19:56   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Mozilla
2010-02-23 19:33 . 2010-03-05 11:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Thinstall
2010-02-23 19:33 . 2010-02-23 19:33   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Thinstall
2010-02-23 18:15 . 2010-02-23 18:15   --------   d--h--w-   c:\windows\system32\GroupPolicy
2010-02-23 14:55 . 2004-08-03 19:56   221184   ----a-w-   c:\windows\system32\wmpns.dll
2010-02-23 13:21 . 2003-03-18 20:20   1060864   ----a-w-   c:\windows\system32\MFC71.dll
2010-02-23 13:21 . 2003-03-18 19:14   499712   ----a-w-   c:\windows\system32\MSVCP71.dll
2010-02-23 13:21 . 2003-02-21 03:42   348160   ----a-w-   c:\windows\system32\MSVCR71.dll
2010-02-23 10:56 . 2010-02-23 17:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-23 10:56 . 2010-02-23 10:56   --------   d-----w-   c:\program files\NCH Software
2010-02-23 10:56 . 2010-03-01 13:53   --------   d-----w-   c:\documents and settings\Daksh\Application Data\NCH Swift Sound
2010-02-23 10:49 . 2010-02-23 10:49   1078   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}\_60c11ac7.exe
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 10:17:54 PM
part-2

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 20:13 . 2010-02-23 00:59   --------   d-----w-   c:\documents and settings\Daksh\Application Data\uTorrent
2010-03-05 11:26 . 2009-04-16 20:43   84632   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\UrlRule.dll
2010-03-05 11:26 . 2009-04-16 20:43   125592   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecScan.dll
2010-03-05 11:26 . 2009-04-16 20:43   92824   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecEx.dll
2010-03-05 11:26 . 2009-04-16 20:43   424560   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\runiep.dll
2010-03-05 11:26 . 2009-04-16 20:43   207512   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\rsdialog.dll
2010-03-05 11:26 . 2009-04-16 20:43   215704   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pweb.dll
2010-03-05 11:26 . 2009-04-16 20:43   744088   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\ptools.dll
2010-03-05 11:26 . 2009-04-16 20:43   809624   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pscan.dll
2010-03-05 11:25 . 2009-04-16 20:43   297584   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\KakaMgr.dll
2010-03-05 09:09 . 2010-02-23 00:14   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-04 23:55 . 2004-08-03 19:56   1281536   ----a-w-   c:\windows\system32\ole32.dll
2010-03-04 23:34 . 2010-02-23 03:59   12328   ----a-w-   c:\documents and settings\Daksh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 23:21 . 2010-02-22 22:35   22748   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-02-25 06:48 . 2010-02-22 22:38   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-23 11:13 . 2010-02-23 11:13   32768   ----a-w-   c:\windows\Help\ItzilzIm.dll
2010-02-23 03:44 . 2010-02-23 03:44   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-02-23 03:43 . 2010-02-23 03:43   --------   d-----w-   c:\program files\C-Media 3D Audio
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SUPERAntiSpyware.com
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 00:14 . 2010-02-23 00:14   10134   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_05672270EB30CCA6FD3838.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_8C792585F69A42291AD1A1.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_6FEFF9B68218417F98F549.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_15D66DCE894BB3F91E0E6F.exe
2010-02-22 23:50 . 2010-02-22 23:50   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-22 23:50 . 2010-02-22 23:50   --------   d-----w-   c:\program files\Java
2010-02-22 23:50 . 2010-02-22 23:50   152576   ----a-w-   c:\documents and settings\Daksh\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-22 22:54 . 2010-02-22 22:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-22 22:39 . 2010-02-22 22:39   --------   d-----w-   c:\program files\microsoft frontpage
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"avast5"="e:\useful~1\ANTIVI~2\avastUI.exe" [2010-02-11 2756488]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\ACTIVE DOWNLOADS\\uTORRENTS\\uTorrent.exe"=
"c:\\ODIN\\Diet\\DietOdin.exe"=
"e:\\TEST DOWNLOADS\\ANTI VIRUS MALWARE-REMOVEIT-\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2010 5:33 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2010 5:33 AM 19024]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SASENUM;SASENUM;
S3 SbieDrv;SbieDrv;e:\useful crucial utilities folder\SANDBOXIE\SbieDrv.sys [2/3/2010 4:10 PM 115432]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.freeware365.com/desktop/folderguide.htm
TCP: {66A4DF95-55B1-4AC1-9006-CE521313193D} = 202.56.215.6,202.56.230.6
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cmaudio - cmicnfg.cpl



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 02:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\12.tmp"
.
Completion time: 2010-03-06  02:40:36
ComboFix-quarantined-files.txt  2010-03-05 21:10
ComboFix2.txt  2010-03-05 20:24

Pre-Run: 37,344,792,576 bytes free
Post-Run: 37,337,743,360 bytes free

- - End Of File - - 9C637272C82A61E136A181D27FD96A9B
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 10:25:11 PM
Thks ESSEXBOY for your efforts and helping hand

I have posted the latest combofix log(after running the script).

Also here is the media fire link for the OTS scan log (done after MD5 check)

http://www.mediafire.com/download.php?jfmlmkezjtk

Looking forward to your further advice

Q2NA
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 05, 2010, 10:31:03 PM
OK I have a spare copy of the file download it from here http://cid-32d8666f4048075b.skydrive.live.com/self.aspx/Malware%20files/ole32.dll?lc=2057

Place it on your c drive i.e c:\ole32.dll

If you are unsure about what to do then shout


1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Fcopy::
c:\ole32.dll | c:\windows\system32\ole32.dll


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 11:15:04 PM
Here is the latest ComboFix log

PART-1

ComboFix 10-03-04.06 - Daksh 03/06/2010   3:39.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.503.312 [GMT 5.5:30]
Running from: c:\documents and settings\Daksh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daksh\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\ole32.dll --> c:\windows\system32\ole32.dll
.
(((((((((((((((((((((((((   Files Created from 2010-02-05 to 2010-03-05  )))))))))))))))))))))))))))))))
.

2010-03-05 22:05 . 2010-03-05 21:54   1169920   ------w-   C:\ole32.dll
2010-03-05 21:34 . 2010-03-05 21:34   --------   d-s---w-   c:\windows\Cookies
2010-03-05 18:41 . 2010-03-05 18:41   --------   d-----w-   C:\_OTS
2010-03-05 16:15 . 2010-01-07 10:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:15 . 2010-01-07 10:37   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-05 14:02 . 2010-03-05 15:08   --------   d-----w-   c:\program files\Panda Security
2010-03-05 13:28 . 2010-03-05 13:28   --------   d-----w-   c:\documents and settings\Daksh\DoctorWeb
2010-03-05 11:27 . 2010-03-05 11:27   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\400000b00002i\Ras.exe
2010-03-05 11:27 . 2010-03-05 11:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Rising
2010-03-05 11:27 . 2009-04-16 20:43   629360   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Rsaupd.exe
2010-03-05 11:27 . 2010-03-05 11:27   518808   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Ntlib.dll
2010-03-05 11:27 . 2010-03-05 11:25   637592   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%SystemSystem%\kmon.dll
2010-03-05 11:24 . 2010-03-05 11:24   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000009c00002i\Rsaupd.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000007200002i\knownsvr.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000008000002i\Splash Screen.exe
2010-03-05 01:58 . 2010-03-05 01:58   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Runscanner.net
2010-03-05 01:53 . 2010-03-05 01:53   160272   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-03-05 00:03 . 2010-02-11 18:42   162512   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-05 00:03 . 2010-02-11 18:38   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-05 00:03 . 2010-02-11 18:42   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-05 00:03 . 2010-02-11 18:39   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-05 00:03 . 2010-02-11 18:38   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-05 00:03 . 2010-02-11 18:38   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-05 00:03 . 2010-02-11 18:38   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-05 00:03 . 2010-02-11 18:53   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-03-05 00:03 . 2010-02-11 18:53   153184   ----a-w-   c:\windows\system32\aswBoot.exe
2010-03-04 23:25 . 2004-08-03 17:31   70144   -c--a-w-   c:\windows\system32\dllcache\pintlphr.exe
2010-03-04 23:24 . 2001-08-23 11:30   10096640   -c--a-w-   c:\windows\system32\dllcache\hwxcht.dll
2010-03-04 23:23 . 2004-05-12 19:09   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-03-04 23:17 . 2004-08-03 17:01   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
2010-03-04 23:15 . 2001-08-23 11:30   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-03-04 20:50 . 2010-03-04 20:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Malwarebytes
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 14:20 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizerPictures
2010-03-04 14:19 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizer
2010-03-02 12:46 . 2010-03-02 12:46   --------   d--h--w-   c:\windows\PIF
2010-03-02 06:24 . 2010-03-02 06:24   --------   d-----w-   c:\windows\Sun
2010-02-27 06:37 . 2010-02-27 06:37   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-26 20:09 . 2010-02-26 20:16   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FreeFixer
2010-02-26 20:09 . 2010-02-26 20:09   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\FreeFixer
2010-02-26 18:41 . 2010-02-26 18:41   --------   d-----w-   c:\program files\FoxPlayer
2010-02-26 15:27 . 2010-02-26 15:27   --------   d-----w-   c:\documents and settings\Daksh\Application Data\PolyEdit Lite
2010-02-26 14:57 . 2010-02-26 14:57   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SAIG
2010-02-26 14:41 . 2010-02-26 14:41   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Apago
2010-02-25 06:01 . 2010-02-25 06:01   --------   d-----r-   C:\Sandbox
2010-02-24 19:38 . 2010-02-24 19:38   --------   d--h--r-   c:\documents and settings\Daksh\Application Data\JAM Software
2010-02-24 11:52 . 2010-02-24 11:52   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Identities
2010-02-24 08:17 . 2008-01-01 01:30   78848   ----a-w-   c:\windows\system32\VISCDRTL.DLL
2010-02-24 08:17 . 2008-01-01 01:30   152064   ----a-w-   c:\windows\system32\VISCDUNR.DLL
2010-02-24 08:17 . 2008-01-01 01:30   143360   ----a-w-   c:\windows\system32\VISCDUNZ.DLL
2010-02-23 19:57 . 2010-02-23 19:57   0   ----a-w-   c:\windows\nsreg.dat
2010-02-23 19:56 . 2010-02-23 19:56   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Mozilla
2010-02-23 19:33 . 2010-03-05 11:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Thinstall
2010-02-23 19:33 . 2010-02-23 19:33   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Thinstall
2010-02-23 18:15 . 2010-02-23 18:15   --------   d--h--w-   c:\windows\system32\GroupPolicy
2010-02-23 14:55 . 2004-08-03 19:56   221184   ----a-w-   c:\windows\system32\wmpns.dll
2010-02-23 13:21 . 2003-03-18 20:20   1060864   ----a-w-   c:\windows\system32\MFC71.dll
2010-02-23 13:21 . 2003-03-18 19:14   499712   ----a-w-   c:\windows\system32\MSVCP71.dll
2010-02-23 13:21 . 2003-02-21 03:42   348160   ----a-w-   c:\windows\system32\MSVCR71.dll
2010-02-23 10:56 . 2010-02-23 17:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-23 10:56 . 2010-02-23 10:56   --------   d-----w-   c:\program files\NCH Software
2010-02-23 10:56 . 2010-03-01 13:53   --------   d-----w-   c:\documents and settings\Daksh\Application Data\NCH Swift Sound
2010-02-23 10:49 . 2010-02-23 10:49   1078   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}\_60c11ac7.exe

.
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 05, 2010, 11:17:31 PM
Now have a quick scan with Avast and I believe you will come up clean  ;D
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 11:19:21 PM
part-2

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 21:54 . 2004-08-03 19:56   1169920   ----a-w-   c:\windows\system32\ole32.dll
2010-03-05 21:53 . 2010-02-23 00:59   --------   d-----w-   c:\documents and settings\Daksh\Application Data\uTorrent
2010-03-05 11:26 . 2009-04-16 20:43   84632   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\UrlRule.dll
2010-03-05 11:26 . 2009-04-16 20:43   125592   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecScan.dll
2010-03-05 11:26 . 2009-04-16 20:43   92824   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecEx.dll
2010-03-05 11:26 . 2009-04-16 20:43   424560   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\runiep.dll
2010-03-05 11:26 . 2009-04-16 20:43   207512   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\rsdialog.dll
2010-03-05 11:26 . 2009-04-16 20:43   215704   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pweb.dll
2010-03-05 11:26 . 2009-04-16 20:43   744088   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\ptools.dll
2010-03-05 11:26 . 2009-04-16 20:43   809624   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pscan.dll
2010-03-05 11:25 . 2009-04-16 20:43   297584   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\KakaMgr.dll
2010-03-05 09:09 . 2010-02-23 00:14   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-04 23:34 . 2010-02-23 03:59   12328   ----a-w-   c:\documents and settings\Daksh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 23:21 . 2010-02-22 22:35   22748   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-02-25 06:48 . 2010-02-22 22:38   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-23 11:13 . 2010-02-23 11:13   32768   ----a-w-   c:\windows\Help\ItzilzIm.dll
2010-02-23 03:44 . 2010-02-23 03:44   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-02-23 03:43 . 2010-02-23 03:43   --------   d-----w-   c:\program files\C-Media 3D Audio
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SUPERAntiSpyware.com
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 00:14 . 2010-02-23 00:14   10134   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_05672270EB30CCA6FD3838.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_8C792585F69A42291AD1A1.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_6FEFF9B68218417F98F549.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_15D66DCE894BB3F91E0E6F.exe
2010-02-22 23:50 . 2010-02-22 23:50   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-22 23:50 . 2010-02-22 23:50   --------   d-----w-   c:\program files\Java
2010-02-22 23:50 . 2010-02-22 23:50   152576   ----a-w-   c:\documents and settings\Daksh\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-22 22:54 . 2010-02-22 22:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-22 22:39 . 2010-02-22 22:39   --------   d-----w-   c:\program files\microsoft frontpage
.

(((((((((((((((((((((((((((((   SnapShot@2010-03-05_20.23.18   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 21:34 . 2010-03-05 19:39   16384              c:\windows\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"avast5"="e:\useful~1\ANTIVI~2\avastUI.exe" [2010-02-11 2756488]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\ACTIVE DOWNLOADS\\uTORRENTS\\uTorrent.exe"=
"c:\\ODIN\\Diet\\DietOdin.exe"=
"e:\\TEST DOWNLOADS\\ANTI VIRUS MALWARE-REMOVEIT-\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2010 5:33 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2010 5:33 AM 19024]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SASENUM;SASENUM;
S3 SbieDrv;SbieDrv;e:\useful crucial utilities folder\SANDBOXIE\SbieDrv.sys [2/3/2010 4:10 PM 115432]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.freeware365.com/desktop/folderguide.htm
TCP: {66A4DF95-55B1-4AC1-9006-CE521313193D} = 202.56.215.6,202.56.230.6
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 03:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\12.tmp"
.
Completion time: 2010-03-06  03:41:59
ComboFix-quarantined-files.txt  2010-03-05 22:11
ComboFix2.txt  2010-03-05 22:05
ComboFix3.txt  2010-03-05 21:10
ComboFix4.txt  2010-03-05 20:24

Pre-Run: 37,327,380,480 bytes free
Post-Run: 37,317,783,552 bytes free

- - End Of File - - F80584E1358D41E7CF22694C9F13CC


Now it is not saying that ole32.dll is corrupt, so does it mean that the trouble is nearly over, ESSEXBOY, or are there still miles to go?

thks and cheers

q2na
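The two posts above (essexboy's Fcopy:: script that overwrites c:\windows\system32\ole32.dll with a known-good copy, and the ComboFix log that came back afterwards) show the two things a helper actually reads in a log like this: the driver/service lines under "Reg Loading Points", and the dated file lines under "Files Created" and "Find3M". The script below is an added example, not ComboFix's code and not something posted in this thread. It parses those two line shapes from sample lines copied out of the logs above, flags the service entries that deserve a look (an image path ComboFix marked "[?]" as missing, a driver registered from a .tmp file, an entry with no path at all), lists system32 binaries touched inside a chosen window, and checks whether the Fcopy took effect by comparing the size and timestamps of C:\ole32.dll against the system32 copy. Two assumptions are baked in and marked in the comments: the first timestamp on a file line is the one the section is keyed on and the second is the file's other NTFS timestamp, and the log time is the "Completion time" printed in the log. The output is a triage list, not a verdict: a driver pointing at a vanished .tmp can be a rootkit scanner's temporary driver or something worse, and the avast drivers show up as "recently touched" simply because they were just installed.

```python
r"""Triage helper for ComboFix-style log lines (added example; not ComboFix code).

Handles the two line shapes that appear in the thread's logs:

  S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
  2010-03-05 21:54 . 2004-08-03 19:56   1169920   ----a-w-   c:\windows\system32\ole32.dll

Assumption (drawn from the thread's data, not from ComboFix documentation): on a
file line the first timestamp is the one the section is keyed on, the second is
the file's other NTFS timestamp.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
FILE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?P<size>\d+|-+)\s+(?P<attrs>[-a-zA-Z]{8})\s+(?P<path>\S.*)$"
)
SYSTEM_DIR = "c:\\windows\\system32\\"
BINARY_EXT = (".dll", ".exe", ".sys", ".scr")
LOG_TIME = datetime(2010, 3, 6, 3, 41)  # "Completion time" of the log above (assumed as the reference clock)

# Sample lines copied from the ComboFix logs in this thread.
SAMPLE_LOG = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2010 5:33 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2010 5:33 AM 19024]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SASENUM;SASENUM;
2010-03-05 22:05 . 2010-03-05 21:54   1169920   ------w-   C:\ole32.dll
2010-03-05 00:03 . 2010-02-11 18:42   162512   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-05 21:54 . 2004-08-03 19:56   1169920   ----a-w-   c:\windows\system32\ole32.dll
2010-02-23 13:21 . 2003-03-18 20:20   1060864   ----a-w-   c:\windows\system32\MFC71.dll
2010-03-05 21:34 . 2010-03-05 21:34   --------   d-s---w-   c:\windows\Cookies
"""


@dataclass
class Service:
    start: str
    name: str
    image: str                 # resolved on-disk path, "" when the log recorded none
    missing: bool              # ComboFix printed "[?]": image file not found on disk
    reasons: List[str] = field(default_factory=list)


@dataclass
class FileEntry:
    key_time: datetime         # first column (see module docstring)
    other_time: datetime       # second column
    size: Optional[int]        # None for directories ("--------")
    attrs: str
    path: str                  # lower-cased for comparisons


def parse_service(line: str) -> Optional[Service]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    image = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # drop trailing "[date size]" or "[?]"
    if "-->" in image:                            # "\??\path --> path": keep the resolved side
        image = image.split("-->")[-1].strip()
    svc = Service(m.group("start"), m.group("name"), image.lower(), missing)
    if not svc.image:
        svc.reasons.append("no image path recorded")
    elif svc.missing:
        svc.reasons.append("image file not found on disk")
    if svc.image.endswith(".tmp"):
        svc.reasons.append("kernel driver registered from a .tmp file")
    return svc


def parse_file(line: str) -> Optional[FileEntry]:
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M"
    size = None if m.group("size").startswith("-") else int(m.group("size"))
    return FileEntry(datetime.strptime(m.group("t1"), fmt), datetime.strptime(m.group("t2"), fmt),
                     size, m.group("attrs"), m.group("path").lower())


def recently_touched_system_binaries(entries, log_time, window_days=7):
    """system32 executables/DLLs/drivers whose key timestamp falls inside the window."""
    cutoff = log_time - timedelta(days=window_days)
    return [e.path for e in entries
            if e.path.startswith(SYSTEM_DIR) and e.path.endswith(BINARY_EXT)
            and not e.attrs.startswith("d") and e.key_time >= cutoff]


def fcopy_took_effect(src: FileEntry, dst: FileEntry) -> bool:
    """After "Fcopy:: src | dst" the destination should carry the source's size, and
    (assumption from the thread's data) the source's second timestamp appears as the
    destination's key timestamp because the copy preserved the file's write time."""
    return src.size is not None and src.size == dst.size and dst.key_time == src.other_time


def triage(log_text: str, log_time: datetime):
    services, files = [], []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc:
            services.append(svc)
            continue
        fe = parse_file(line)
        if fe:
            files.append(fe)
    return {"services": {s.name: s.reasons for s in services if s.reasons},
            "touched": recently_touched_system_binaries(files, log_time),
            "files": {e.path: e for e in files}}


def run_sample():
    report = triage(SAMPLE_LOG, LOG_TIME)
    files = report["files"]
    report["fcopy_ok"] = fcopy_took_effect(files["c:\\ole32.dll"], files["c:\\windows\\system32\\ole32.dll"])
    return report


if __name__ == "__main__":
    for key, value in run_sample().items():
        if key != "files":
            print(key, "->", value)
```

Run against the sample lines it reports SBRE and MEMSWEEP2 as drivers whose image file is gone (MEMSWEEP2 additionally as a .tmp driver), SASENUM as an entry with no path, both system32 files touched in the last week, and confirms the ole32.dll copy landed; MFC71.dll, last touched on 2010-02-23, falls outside the window.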
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 11:20:55 PM
ok doing it now and will post

thks

q2na
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 05, 2010, 11:23:26 PM
Quote
Now it is not saying that ole32.dll is corrupt, so does it mean that the trouble is nearly over, ESSEXBOY, or are there still miles to go?

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... Run OTL/S and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
You now have a clean restore point, to get rid of the bad ones:
SPRING CLEAN
 
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
THEN

Download Flush Flash from Here (http://www.xs4all.nl/~fstaal01/flushflash-us.html) and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)

Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 05, 2010, 11:40:56 PM
Thanks A Lot ESSEXBOY

The quick scan has come out clean, though it says some of the files could not be scanned.

In the scan log it mentions about the moved file

c:\_OTS\Moved Files\C_WINDOWS\winstar.bat

error: file is offline. It is currently not available (42006)

So I will do the follow-up action as kindly suggested by you, step by step, now that the biggest headache is over, but as they say, IT AIN'T OVER UNTIL IT'S OVER, so on to the next clean-up.

I will keep you informed about the progress, and I have some follow-up questions which I hope you will kindly help me with.

Thanks a million

Q2na
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 06, 2010, 12:00:04 AM
No problem, I will be offline soon but back tomorrow
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 06, 2010, 12:09:55 AM
HI ESSEXBOY

Avast has gone nuts again as soon as I started the app CCLEANER, with the same notification about a win32:malware-gen infection and the file having been moved to the chest.

Apparently it is a bigger problem than it looks right now

It is the same as yesterday: whenever I am starting Ccleaner or utorrent or statbar, AVAST starts giving threat notices, although all these apps and the rest of the PC seem to be working ok (no major crashes or task manager problems or unwarranted CPU usage). So what do you reckon? Maybe observe it some more, or start the cleaning process once again, or could deleting the flagged utilities and reinstalling them again be helpful? In fact I use the portable version of CCLEANER, so it is not even installed in the registry.

Waiting for your sage advice once again

Q2NA
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 06, 2010, 01:36:51 PM
Dare I ask are these cracked programmes downloaded using P2P ?

Quote
Ccleaner or utorrent or statbar
Delete these programmes completely and re-install fresh copies - they may have residue renv infections

Let me know if that helps

Once you have deleted the said programmes - re-run MBAM and post the log
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 06, 2010, 04:02:06 PM
Hi ESSEXBOY

These apps have been downloaded from the original sites (all these are popular freeware, easily available for download from their original sites, so there is no point in getting these from any other site, cracked or otherwise).

Anyway, this morning ALL HELL SEEMED TO HAVE BROKEN LOOSE: upon booting the PC, it took an extra-long boot time, with the desktop having no taskbar and Windows, though workable, not being fully functional, so the only workable alternative seemed to be to DO a REPAIR REINSTALL of WIN XP, which I could and did, but the troubles with AVAST started as usual. Surely a pitiable state of affairs.

I had posted this problem on another site also; the people there suggested using rootkit scanners/killers, but sadly nothing came out of the rootkit scanners, so nothing to kill.
Lastly, a utility called HITMAN PRO seemed to have caught one trojan in a uTorrent file, so after quarantining it and a reboot, everything seems to be working ok so far.

I have since then discarded all uTorrent and CCLEANER files from the system, obtained fresh setups from the original sites, and installed these once again. Upon starting these, so far there are no warnings from AVAST, and a quick scan seems to be clean, except for the warning that the winstart.bat file (which we moved yesterday with OTS and is in RECYCLER) cannot be scanned, being offline, so I have since then stopped SYSTEM RESTORE from working.

I just wanted to know how to remove/delete files in RECYCLER? Would these be automatically removed upon creation of a new restore point or not? If not, then I had better leave SYSTEM RESTORE STOPPED for a couple of days more, as I certainly won't like this whole sad story to start once again.

SO AT THE TIME OF POSTING THESE,everything seems to be working ok(keeping fingers crossed though) and before we close this post ,I will Inform YOU of the final state of affairs.....

Thanks a  lot once again

Q2NA
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: essexboy on March 06, 2010, 04:51:49 PM
I would recommend against turning off system restore, as it is a useful safety net. Once turned off, all restore points are deleted, so you can turn it back on again.

I actually had someone who had a cracked version of MBAM

Quote
have since then discarded all Utorrent ,CCLEANER files from system,obtained Fresh setups from original sites,and installed these once again
Sensible as the one file I found yesterday with renv means there could have been other crippled versions which restarted once you ran the programmes that had the infection

The problem with my scanners is they only check 30 days back - so if the infection was older I would not have seen them

Could you run another OTS scan change the file age to 90 days and I will see if there are any others remaining.  It will be a big log though so will probably need to be uploaded to mediafire 
Title: Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
Post by: qrius2noall on March 10, 2010, 09:30:49 PM
Hi ESSEXBOY   

As I said in my earlier post, everything seems to have settled down to the normal routine (the last two days I have been testing it extensively), so I guess we can safely close this post. If there is any fresh issue, I will give a reference to this post also and would post a fresh thread.

SO THANKS A LOT FOR COMING TO RESCUE AND EXTENDING A HELPING HAND.

Cheers

Q2NA