Help: Win32:Malware-gen

[Nick33]

Hello

I have recently received warnings from Avast! regarding the above virus (Pop-up attached). I have deleted the two files displayed in the pop-up but they keep returning when I restart the system (internet connection?). The virus tries to disable Avast! on each start up (notification pop-up) which I choose "No" of course and I have attached the OTL, aswMRB, and SuperAntiSpyware logs.
I have downloaded ComboFix onto my desktop as well in preparation that I may need it but reading through some of the other posts it looks as though it is quite powerful so I don't think I want to be using it without some expert guidance.
All help is greatly appreciated!

Regards
Nick

[Nick33]

And the SuperAntiSpyware scan log.
Edit: I have also attached the Malwarebytes Anti-Malware log (yesterday after infection).

[Pondus]

removal specialists are notified. it may take hours before one arrive so be patient

[essexboy]

Let me know if this stops the alerts

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
O4 - HKCU..\Run: [JwvDfaej] C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe) - C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found

:Files
C:\Users\Nick\AppData\Local\bqhquaye

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[Nick33]

Sorry for the delay, here is the Quick Scan and Run Fix logs. When the system restarted the Avast! alert with the blocked file was displayed again. Would the next step involve using ComboFix?

[essexboy]

I am loth to use combofix unless really necessary

Could you attach a screenshot of the latest alert please

I am removing the steam crack from startup as that may be the root of the problem

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\searchpredict@speedbit.com:
O4 - HKCU..\Run: [JwvDfaej] C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe) - C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
[2012-11-29 11:33:47 | 000,102,464 | ---- | C] () -- C:\Users\Nick\AppData\Roaming\LVx6d96.exe
[2012-11-27 20:24:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cracked Steam

:Files
c:\Users\Nick\AppData\Local\bqhquaye

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[Nick33]

I have attached screenshots of both pop-ups (virus attempt to shutdown avast and blocked virus files). I doubt that cracked steam is the problem since it has been installed for several months, but I have run the code as you have requested and the program seems to freeze when processing the first Firefox Extension - maybe it's because I don't have Firefox installed?

Regards
Nick

[essexboy]

OK lets continue with Combofix although the data appears to be in the temp files

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[Nick33]

I have tried to run ComboFix (as administrator) but it disappears without warning and the process is not present in task manager. This eratic program closing behaviour seems to also affect Google Chrome. Do you want me to try run ComboFix in safemode with or without networking?

[essexboy]

Try safe mode with networking, also rename combofix to Gotcha

[Nick33]

Renaming ComboFix to Gotcha has allowed it to run under normal system settings. I have attached the log as requested.

[essexboy]

OK lets now manually kill it

1. Close any open browsers.
 
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
 
3. Open notepad and copy/paste the text in the quotebox below into it:
 

File::
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jwvdfaej.exe
 
Folder::
c:\users\Nick\AppData\Local\bqhquaye
 
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JwvDfaej"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,
 

 
Save this as CFScript.txt, in the same location as ComboFix.exe
 
 
 
 
Refering to the picture above, drag CFScript into ComboFix.exe
 
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[Nick33]

Here is the log as requested. I hope we are close to removing this stubborn infection.

[essexboy]

OK I will need to work outside of windows for this one

Could you reboot the computer and press F8
On the safe mode menu is the option "Repair my Computer" ?

If so do you have access to a USB drive

[Nick33]

Yes, I have rebooted the computer into "Repair my Computer" mode and I'm at the dialog box "System Recovery Options". I happen to have a USB right next to me.