Avast Says i have Win32:Malware-gen

[DaveTIsMe]

Avast Free says i am infected with Win32:Malware-gen. The Avast popup only appears once a day (not at the same time each day) and only started last week when i updated to the latest version of Avast.

Can someone help?

OTL.txt attached. Other files in following posts.

Dave

[DaveTIsMe]

Here is Extras.Txt, mbam-log.txt, and aswMBR.txt.

Dave

[SafeSurf]

After reviewing your logs, I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time (6 - 8 PM).  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine since you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy instructs you do to malware removal instructions; use a different machine to check email, do not sync your phone or any other device with this machine.

Let me know if you have any questions.  Thank you.

[essexboy]

What file is Avast reporting as infected ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
  O3 - HKU\S-1-5-21-527701978-4243745748-3329972647-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
  O3 - HKU\S-1-5-21-527701978-4243745748-3329972647-1000\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
  O4 - HKLM..\Run: [] File not found
  
  :Files
  ipconfig /flushdns /c
   
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[DaveTIsMe]

I took a screenshot of the popup box yesterday just in case you asked. See attached Avast-Notice.jpg.

The popup says "Malware Blocked." The object listed is: C:Windows\...\_A6AB176A953A_4ACA_B22B_DC5BE6B01EE9.exe. The Process listed is: C:\windows\system32\rundll32.exe.

I'll run OTL and post in another reply.

Thanks.

Dave

[essexboy]

What is the full location of that file ?

Run OTL
In the custom scans box paste the following in and press quick scan

/md5start
_A6AB176A953A_4ACA_B22B_DC5BE6B01EE9.exe
/md5stop

Attach the log produced please

[DaveTIsMe]

Ran Run Fix. Report attached as 07102012_145206.log

FYI, during the restart after the reboot avast auto-updated my definition file.

Selected "Scan All Users" and ran Quick Scan. Report attached as OTL-2.Txt

I did a search in Windows Explorer and it found the file in: C:\Windows\Installer\{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}
In the context menu i told Explorer to open file location. The only other file listed is: misc.exe.D0DF3458_A845_11D3_8D0A_0050046416B9
Both files have the exact modified date and time: 5/26/2010 at 1:50am and are listed as Applications.
The file you asked about is 84IB in size. The misc.exe... file is 34KB in size.

Don't know if it matters at all, but on Saturday i ran a full disk scan with MBAM Free and it found nothing. I also ran a full disc scan with Windows Defender and it didn't find anything either.

I'll run OTL again and post in another reply.

Thanks.

[essexboy]

Looks like a false positive to me

[DaveTIsMe]

Selected "Scan All Users" and ran Quick Scan again with the md5 commands. Two reports attached.

I tried to save the report as ANSI and got a dialog that said some unicode information would be lost if i did. Didn't know if that was important so saved it as unicode and ANSI.
OTL-3.Txt (unicode)
OTL-3B.TXT (ANSI)

I'll take a false positive. Should i let Avast know that their new version is generating a false positive or just ignore it? And if i ignore it, what if another similar warning pops up but with a different file?

Thanks.

[essexboy]

Can you right click the file within the virus chest and submit to the labs as a false positive

Open Avast and go to the virus chest
Right click the blank area and select add


Navigate to C:\Windows\Installer\{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}\_A6AB176A953A_4ACA_B22B_DC5BE6B01EE9.exe



Select the file


Right click the file in the chest and select submit to virus labs


Once done manually update the virus definitions to send it

[DaveTIsMe]

Can't submit the false positive. I selected the file, selected False Positive as the type, selected "I know what I'm Doing" at the bottom (because YOU do), but it tells me i need to fill in the missing information before i can submit. Actually, the dialog that comes up says "Please make sure that all the fields are filled in with correct data."

??

Screenshot attached: submitFPToAvast.jpg

[essexboy]

In the programme name - version etc... Just put unknown and it should then go

[DaveTIsMe]

Submitted.

Thank you for your help. Have a good week.

Dave

[essexboy]

Scan the file in the chest daily until it finds no virus... It should be fairly soon

Run OTL and hit the cleanup button to remove it 

[DaveTIsMe]

OK.