Author Topic: Need help with infection  (Read 17697 times)

Nikilet

  • Guest
Need help with infection
« on: July 08, 2012, 10:00:42 PM »
Once a week I do a full scan and this week an infection was found. I took a screenshot of the page but can't share it right now because I am working on an old laptop which essex boy helped me clean up. (Thank you)

The file in question was in C\Windows\Installer ... and then there was a whole string of numbers & letters. I tried the repair option and that didn't work, so I moved it to the chest. That was successful, it said, however, then I got a window asking me if I wanted to reboot and select to do a boot scan to finish removing the infection so I decided to go with that. It just keeps scanning and scanning. I really can't figure out what is going on. It found one thing and gave me a bunch of numbers to choose what to do. I chose move to chest and then it started scanning again.

Something else came up giving me all those options again and this time it said moving to the chest wasn't an option for this file so I selected to ignore and then it took off scanning again. It is still scanning. I think when this is over I will select to escape and hopefully it will reboot because I don't know what I'm doing and I think it would be better to do no harm and get some help before going any further.

So I will wait for help and in the meantime hopefully my main computer will stop scanning and I will be able to access it.

Nikilet

  • Guest
Re: Need help with infection
« Reply #1 on: July 08, 2012, 10:39:10 PM »
I am back on my main computer and have attached screenshot of the window shown after Avast scan; also of virus chest.

The two cnet items must be what I was able to put in the virus chest during the boot scan. The virus description on both of those is Win32:InstallCore-AM [PUP]

On that first one the virus description is Win32:Malware-gen

But remember there was at least one item during the boot scan for which I was told this type of archive could not be placed in the virus chest.

During boot scan there was also the following item that I happened to write down: C\Users\Me\AppData\Roaming\SuperAntispyware.com\SuperAntispyware\Quarantine\quarantine.db l>data error 42125 {sip file is corrupted}

So I guess this is all I can add for now and will wait to hear.

Nikilet

  • Guest
Re: Need help with infection
« Reply #2 on: July 09, 2012, 10:15:35 PM »
No response since posting yesterday at 2 pm, so will have to bring to the top again.

I did another FULL scan with Avast yesterday and nothing was found. I also did a quick scan with Malwarebytes and nothing was found.

However, today I did another Avast boot scan and this Win32:Malware-gen was found in a file again. I found the file in C/Windows/Installer. I opened and it shows "Install Wizard - Microsoft Streets & Tips Setup." I scanned this individual file with Avast and it again reported a threat and shows it as high risk.

Wondering why a full scan didn't find it, but a boot scan did.

If someone would respond and help me get rid of this I would be much obliged.

Nikilet

  • Guest
Re: Need help with infection
« Reply #3 on: July 09, 2012, 10:17:58 PM »
I forgot to add that I could not send it to the chest and the error code was 42111 - Operation not supported by this type of archive. I also tried repair which didn't work so I next chose to ignore.

Sorry -- I just noticed the Modify button.

Nikilet

  • Guest
Re: Need help with infection
« Reply #4 on: July 10, 2012, 04:01:33 AM »
Can someone from Avast help me or tell me where I can go for help? I have Googled as much as I can and read that this Win32:Malware-gen should be removed as soon as possible. Avast rates the risk as high. I'm really getting nervous about not getting it cleaned off my computer. I can't move it to the chest and can't repair it. I know there are lots of people needing help, but I'm one of them and I haven't had a response of any kind in 30 hours.


SafeSurf

  • Guest
Re: Need help with infection
« Reply #5 on: July 10, 2012, 11:17:33 AM »
I'm sorry it's taken so long for someone to respond.  Please do the following:

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions of obtaining an MBAM log (make sure you update MBAM first) and the OTL logs (save them as ANSI), and aswMBR log.  Post the logs as an attachment (Additional Options > Attach > Post). 

In the meantime, do not sync anything to your machine, if it is on a network disconnect it from the network, and try not to use the machine.  Only follow the instructions of the malware removal specialist or an Avast Evang. at this point.

Once the logs are posted, one of our malware removal specialists will assist you.  Please let us know if you have any questions.  Thank you.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Need help with infection
« Reply #6 on: July 10, 2012, 07:41:04 PM »
Hi Nikilet, let's cut straight to the chase. Apologies for not seeing this before.

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs
THEN

Download aswMBR.exe ( 4.8mb ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan



On completion of the scan click save log, save it to your desktop and post in your next reply



Nikilet

  • Guest
Re: Need help with infection
« Reply #7 on: July 10, 2012, 07:48:57 PM »
Thank you so much for responding! I had just run a full scan with Malwarebytes yesterday and saved the log. Nothing was found. I ran a full scan with Avast also and nothing was found. It was found only in the boot scan.

I received a new post while doing this. I have already attached logs but will re-run the OTL if you wish because I went by that page of instructions and the info pasted into the box was not the same as below. Please advise.

Add on: When I run OTL I do not get the box with the option to check "include 64-bit scans". I wouldn't think this would be necessary but just wanted to clarify.

« Last Edit: July 10, 2012, 07:50:50 PM by Nikilet »

Offline essexboy

Re: Need help with infection
« Reply #8 on: July 10, 2012, 07:52:45 PM »
Hmm this one is not showing in OTL

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks




  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Nikilet

  • Guest
Re: Need help with infection
« Reply #9 on: July 10, 2012, 08:57:29 PM »
Here is the ComboFix log. I messed up in that I disabled Avast and Malwarebytes, but I forgot to unplug my DSL so hope I didn't pick up any further infections. Also, I did not disable WinPatrol. Should that one be disabled?

After this scan was complete IE icon ended up on my desktop. I use Firefox as my default browser. Also, I kept getting these windows wanting to change file associations. I clicked "no" to all of them and then finally clicked on the box to stop monitoring this File Type Extension. This puzzles me because you have had me use ComboFix before and I don't recall ever running into any of this. I have attached a couple of these boxes below.

I'm going to go ahead and post this, and then I'm going to run the OTL again with the info you gave me in your post pasted into that "Custom Scans/Fixes" box. Then I will come back and attach the logs.

Offline essexboy

Re: Need help with infection
« Reply #10 on: July 10, 2012, 09:17:10 PM »
That is all your file associations being reset to default

Did you run this programme? c:\program files\Unassoc.exe

Nikilet

  • Guest
Re: Need help with infection
« Reply #11 on: July 10, 2012, 09:26:40 PM »
I have attached the OTL log I got using your info in the box, but I only ended up with one file, not two.

No, I did not run the program you indicated. I didn't do anything at all. These boxes just suddenly started popping up, IE icon ended up on my desktop, and after posting below, suddenly I could not get a connection with Firefox. I could with IE, and I could get a Firefox connection on my old laptop. Then I went into Network & Sharing and selected that option to reset the adapter and then I could get back on with Firefox.

Offline essexboy

Re: Need help with infection
« Reply #12 on: July 10, 2012, 09:50:58 PM »
Quote
Unassoc.exe This will show you how to set a file extension to be associated with nothing for all users instead of some default program without having to delete the file extension unless you wanted to.

This is what that file does...

I can see no apparent malware there. Is Avast alerting? How is the computer behaving?

Nikilet

  • Guest
Re: Need help with infection
« Reply #13 on: July 10, 2012, 10:09:32 PM »
Once, a very long time ago, I started getting these windows about wanting to change my file associations. At first I thought it was legitimate and clicked "yes" to the first couple. But they just kept popping up and I decided something was wrong. I ran into trouble on the two or three I had clicked "yes" on to start with. I think that is when I found and installed that Unassoc.exe program. But I haven't used it since. So now I started getting these windows popping all over the place again today for the first time since that long-ago occurrence. I had actually forgotten that I even had that Unassoc.exe.

I am very puzzled about this Win32:Malware-gen thing. When Avast first found this during a full scan on Sunday I placed it in the chest and that particular file is still there. Then Avast suggested a boot scan so I went ahead with that. It showed another Win32 infection in the same location, but a different installer, C\Windows\Installer\a6d64.msi. It would not allow me to put in the chest or to repair with an error 42111. I ended up doing the boot scan again later and it showed that infection. I looked in that location on my hard drive yesterday and found the file. I right-clicked on it several times throughout the day to scan with Avast and each time Avast showed the threat that was indicated during boot scan. I just went back and scanned that file again and now it shows no threat.

I got another program update come through on Avast this morning, which surprised me because I just had a major program update. Is there any possibility that this was some kind of false positive glitch by Avast, which has now been fixed by this update? If I have wasted your time I am very sorry for this because I see there are a lot of people needing help. I almost wonder what another boot scan would show. I may go ahead and do another boot scan and will let you know if this comes up again.

On your question as to how the computer is behaving, until the things I reported happening just this morning, it was behaving fine. It seems to be fine again now, but can't help wondering what was causing all that flurring this morning.

 
« Last Edit: July 10, 2012, 10:13:20 PM by Nikilet »

Offline essexboy

Re: Need help with infection
« Reply #14 on: July 10, 2012, 10:15:08 PM »
Not a problem - trust me better safe than sorry

It does look like a false positive that has been corrected

I would like you to use the computer as normal and let me know tomorrow if there are any further symptoms  ;D