Author Topic: Help with the Win32:Malware-gen C:\Windows\Installer\...80000000.@ alerts  (Read 12305 times)


Lurchhammer

  • Guest
Hello, my first post here.

My Granddaughter loaded some kind of game related malware that makes Avast alert me every 2 minutes with 'Threat Detected' Win32:Malware-gen C:\Windows\Installer\...80000000.@

It looks like the common problem others are posting about recently. I tried to get rid of it with an Avast Boot Time Scan, Advanced System Care, Spybot-SD, MbAB, IObit, etc. and some files were deleted, but I guess I didn't get all of it. Some of the garbage that came up and was deleted were:
C:\ProgramData\Microsoft\Windows\DRM\5AED.tmp
Win32:MDE-B(Susp)
Win32:PUP-gen [PUP]
Win64:Sirefef-F [Rtk]
Win32:Trojan-gen

MbAB comes up clean now, but I've attached my logs and would really appreciate your help getting rid of this bug.

Thank you,
Paul.

Lurchhammer

  • Guest
I just noticed that my Windows Update and Hp Update won't work anymore.

Hp Update says Access Denied.

I ran the Troubleshooting Fix Problems with Windows Update, but it wouldn't fix the problems.

Thanks in advance for any help!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
 A malware removal specialist has been informed of your topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    O3 - HKU\S-1-5-21-442203092-2771800596-1516199507-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-442203092-2771800596-1516199507-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

    :Files
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{68605e0d-daa6-1d6d-c742-08482023d0c2}
    C:\Windows\System32\config\systemprofile\AppData\Local\{68605e0d-daa6-1d6d-c742-08482023d0c2}
    C:\Windows\Installer\{68605e0d-daa6-1d6d-c742-08482023d0c2}
    ipconfig /flushdns /c
    netsh int ip reset c:\resetlog.txt  /c
    ipconfig /release /c
    ipconfig /renew /c
    sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

FINALLY

Run Farbar Service Scanner

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Lurchhammer

  • Guest
OK, finished all that and logs are attached.
I haven't had any alerts, and the computer seems to be running normally.
Thanks so much for your help! Are there more steps to do?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Please run the MS Fix it from here http://support.microsoft.com/kb/971058#appliesto

Then let me know of any remaining problems.

Lurchhammer

  • Guest
Ok, I ran the utility but it couldn't repair Windows Update. In the 'Details' section it read 'Change Windows Update locations to Windows default settings'. I did try to run Windows Update and I have an important update to install, but it would freeze up on 0% when downloading and then say 'Download failed'.

Still no alerts on Avast- that's good :)
« Last Edit: August 11, 2012, 01:01:42 AM by Lurchhammer »

Lurchhammer

  • Guest
The Windows Update program listed error #80246008 when the download failed, which is the BITS service. I tried to start BITS (it's set to Automatic (delayed start) already) but the error 'Module cannot be found' pops up?

I tried to run Hp Updates and it said Access Denied still, however I do see that I have Hp Support Assistant 6.1.12.1 running and up to date, so that should be good for Hp updates, right?

Lurchhammer

  • Guest
I see the path to BITS is C:\Windows\system32\svchost.exe -k netsvcs

That may be the corrupt malware that was removed?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c

This is the correct order to start the BITS service.

Download Windows Repair (all in one) from this site

Install the programme then run it.

Go to step 3 and allow it to run SFC.

On the Start Repairs tab click Start.

Select the following items and tick "restart system when finished".
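The sc create BITS line above (and the same line in the OTL fix earlier in the thread) recreates the service registration that the infection broke. As an added example that is not part of the thread, this PowerShell script audits that registration read-only against the stock Windows 7 values and reports what still deviates, including the "Module cannot be found" case where the ServiceDll no longer exists on disk; it assumes the stock BITS ServiceDll is qmgr.dll and that it is run from an elevated prompt.

```powershell
# Added example, not from the thread: read-only audit of the BITS service
# registration against the stock Windows 7 values that
# "sc create BITS binpath= ... start= delayed-auto" restores, plus a look for
# the ZeroAccess leftovers the thread names (GUID-named folders under
# C:\Windows\Installer holding "*.@" files). Changes nothing; run elevated.
$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$defaults = @{
    ImagePath  = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\system32\svchost.exe -k netsvcs')
    ServiceDll = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\qmgr.dll')  # assumed stock DLL
}
$findings = @()

if (-not (Test-Path $svcKey)) {
    $findings += 'BITS service key is missing; "sc create BITS ..." would recreate it'
} else {
    $svc = Get-ItemProperty -Path $svcKey
    # Get-ItemProperty hands back REG_EXPAND_SZ already expanded; -ne is case-insensitive
    if ($svc.ImagePath -ne $defaults.ImagePath) {
        $findings += "ImagePath is '$($svc.ImagePath)', expected '$($defaults.ImagePath)'"
    }
    # Start=2 is Automatic; "delayed start" is the extra DelayedAutostart=1 flag
    if ($svc.Start -ne 2) { $findings += "Start type is $($svc.Start), expected 2 (Automatic)" }
    $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
    if (-not $params -or $params.ServiceDll -ne $defaults.ServiceDll) {
        $findings += "ServiceDll is '$($params.ServiceDll)', expected '$($defaults.ServiceDll)'"
    } elseif (-not (Test-Path $params.ServiceDll)) {
        # A ServiceDll that is gone from disk is what "Module cannot be found" reports
        $findings += "ServiceDll '$($params.ServiceDll)' is missing from disk"
    }
}
# svchost.exe -k netsvcs only hosts BITS if the netsvcs group still lists it
$netsvcs = (Get-ItemProperty -Path $svchostKey).netsvcs
if ($netsvcs -notcontains 'BITS') { $findings += 'BITS is not listed in the netsvcs svchost group' }

# GUID-named folders with "*.@" payload files, as in C:\Windows\Installer\...80000000.@
$installer = Join-Path $env:SystemRoot 'Installer'
Get-ChildItem -Path $installer -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
    ForEach-Object {
        $at = Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -like '*.@' }
        if ($at) { $findings += "$($_.FullName) holds $(@($at).Count) '*.@' file(s)" }
    }

if ($findings.Count -eq 0) { 'BITS registration looks stock and no *.@ artefacts found' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A clean run on a repaired machine prints the single "looks stock" line; any FINDING line points at the specific value still to restore before Windows Update (error 80246008) will download again.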


Lurchhammer

  • Guest
I downloaded and ran Windows Repair (all in one) and MSfix-it but they both failed to fix the BITS program.

I did some reading about this BITS problem that seems to be common (because of this damn virus malware thing) and I tried the Take Ownership program and a couple of other things, but my BITS program is corrupt and will not run. The Installer folder is empty of all files, including hidden ones.

I'll probably end up taking all of our stuff off of the computer and reformatting this thing.  >:(

Question: How do I avoid getting this thing again? Did my granddaughter voluntarily click on something, or did it just get past Avast and other security programs?!!! It looks like a common infection now; is there a name for this thing and what are they doing about it? (very frustrated!)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
No, this is a fairly new variant of ZeroAccess.. Up until two days ago it was repairable; this is only the third case I have seen, and the first where I have been told the Installer folder was empty.

This would explain a lot..

I will see if there is a fix for this

Lurchhammer

  • Guest
Ok, thank you!

If I copy the folder from my other computer and drop it in that one, would it work?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
It may do, but as of yet a solution is not showing itself.. But there are a few people working on it.

Lurchhammer

  • Guest
I can't find that Installer folder on either computer; how do I find it?

Also, how do you open a command prompt on Win7?

Thanks again for your help! Windows Update seems to be the only thing screwed up still.