Infected with Win32:malware.gen .... Please help !!!

[essexboy]

Here is one I did earlier http://forum.avast.com/index.php?topic=125321.msg949304#msg949304

[Hakimati]

Thanks for the link ......... going though it ..... Here is OTL log after runing costume Fix ............

[essexboy]

Have the alerts ceased ?

[Hakimati]

Just started system ....... on alerts yet ......... will update accordingly ........

[Hakimati]

Just got it again .......... & firefox did crushed 2 times yesterday ..... I have the crush log of firefox if this helps ......... Am stating to think If there is some thing else in my system that's infecting again n again or avast is declaring a false Alert ... I thought to include the firefox crush report b/c if someone or thing is tempering with it this may revival

Fire Fox Crush Report

AdapterDeviceID: 0x683f
AdapterVendorID: 0x1002
Add-ons: testpilot%40labs.mozilla.com:1.2.2,%7Bd40f5e7b-d2cf-4856-b441-cc613eeffbe3%7D:1.68,%7Be001c731-5e37-4538-a5cb-8168736a2360%7D:0.9.9.119,autofillForms%40blueimp.net:0.9.9.0,%7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20130515,fdm_ffext%40freedownloadmanager.org:1.5.8,vdpure%40link64:1.97.5,wrc%40avast.com:8.0.1489,hotfix%40mozilla.org:2.0,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0,%7Bd10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d%7D:2.3.2
AvailablePageFile: 4093247488
AvailablePhysicalMemory: 1617731584
AvailableVirtualMemory: 1218826240
BuildID: 20130618035212
CrashTime: 1376452151
EMCheckCompatibility: true
FramePoisonBase: 00000000f0de0000
FramePoisonSize: 65536
InstallTime: 1372887549
Notes: AdapterVendorID: 0x1002, AdapterDeviceID: 0x683f, AdapterSubsysID: 25511458, AdapterDriverVersion: 12.104.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
ProductName: Firefox
ReleaseChannel: release
SecondsSinceLastCrash: 939053
StartupTime: 1376451566
SystemMemoryUsePercentage: 49
Theme: classic/1.0
Throttleable: 1
TotalVirtualMemory: 2147352576
URL: http://freemusicarchive.org/
Vendor: Mozilla
Version: 22.0
Winsock_LSP: MSAFD Tcpip [TCP/IP] : 2 : 1 : %SystemRoot%\system32\mswsock.dll
 MSAFD Tcpip [UDP/IP] : 2 : 2 : 
 MSAFD Tcpip [RAW/IP] : 2 : 3 : %SystemRoot%\system32\mswsock.dll
 MSAFD Tcpip [TCP/IPv6] : 2 : 1 : 
 MSAFD Tcpip [UDP/IPv6] : 2 : 2 : %SystemRoot%\system32\mswsock.dll
 MSAFD Tcpip [RAW/IPv6] : 2 : 3 : 
 RSVP TCPv6 Service Provider : 2 : 1 : %SystemRoot%\system32\mswsock.dll
 RSVP TCP Service Provider : 2 : 1 : 
 RSVP UDPv6 Service Provider : 2 : 2 : %SystemRoot%\system32\mswsock.dll
 RSVP UDP Service Provider : 2 : 2 : 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{B0124C05-A27B-4713-91B5-4FF4696B2FCE}] SEQPACKET 4 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{B0124C05-A27B-4713-91B5-4FF4696B2FCE}] DATAGRAM 4 : 2 : 2 : 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{AF477438-4DD9-458B-A2D4-2639BDE009AF}] SEQPACKET 6 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{AF477438-4DD9-458B-A2D4-2639BDE009AF}] DATAGRAM 6 : 2 : 2 : 
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{5565AD11-9EB5-426B-A5F7-630B509ACEDD}] SEQPACKET 1 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
 MSAFD NetBIOS [\Device\NetBT_Tcpip_{5565AD11-9EB5-426B-A5F7-630B509ACEDD}] DATAGRAM 1 : 2 : 2 : 
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{B0124C05-A27B-4713-91B5-4FF4696B2FCE}] SEQPACKET 5 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{B0124C05-A27B-4713-91B5-4FF4696B2FCE}] DATAGRAM 5 : 2 : 2 : 
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{AF477438-4DD9-458B-A2D4-2639BDE009AF}] SEQPACKET 7 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{AF477438-4DD9-458B-A2D4-2639BDE009AF}] DATAGRAM 7 : 2 : 2 : 
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{CFA7D5E0-5B1E-46F5-BCD2-9AE97C43E4F7}] SEQPACKET 3 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{CFA7D5E0-5B1E-46F5-BCD2-9AE97C43E4F7}] DATAGRAM 3 : 2 : 2 : 
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{AD848BFC-163B-47FC-A91F-AA34873887DA}] SEQPACKET 0 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{AD848BFC-163B-47FC-A91F-AA34873887DA}] DATAGRAM 0 : 2 : 2 : 
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5565AD11-9EB5-426B-A5F7-630B509ACEDD}] SEQPACKET 2 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
 MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5565AD11-9EB5-426B-A5F7-630B509ACEDD}] DATAGRAM 2 : 2 : 2 :

This report also contains technical information about the state of the application when it crashed.

[essexboy]

It is either a site you are visiting with Firefox or a programme you have recently downloaded
Lets remove those folders

Please download OTM 

• Save it to your desktop.
  
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
   
  

Code: [Select]


:Files
c:\users\kingjohn\appdata\roaming\mcommon
c:\users\kingjohn\appdata\local\mozilla\firefox\profiles\klc9xlvr.default\cache\9
 
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


• Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
   
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTM and reboot your PC.
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start

[Hakimati]

What is this OTM Avast is warning about rear file type & saying to avoid

[Hakimati]

O.k the alert always pop's up when i lunch firefox & the home page is set to google.co.in .. So now i have changed it to www.yahoo.co.in ... if the previous was fake site & i was getting redirected ...  ..

Anyway there is the OTM report

[essexboy]

Do you get the same alert when you launch Internet explorer

[Hakimati]

Just got the alert again .... I was at https://www.slimwareutilities.com/slimdrivers.php trying to download slim drivers free version ....I have not worked with IE for a long time Firefox i have only used . It like 3-4 years now . If you want i can switch to IE n see what happens ...  Which version should i use Also should i use it without any plugin ... Please give directions

[essexboy]

Yes if you could try IE, I believe it is an addon within firefox but as of yet I am not 100% sure

[Hakimati]

Funny you mentioned that it might be a firefox addon i started this tread saying that there was an infection on firefox addon which showed an add of a company in all of my google searches. There am shearing a link where i have warmed other about it on another forum. Also It was the same time when i made the switch from MSE to avast.

http://www.thinkdigit.com/forum/internet-www/175983-fake-link-appers-google.html 

Think this might shead some light.

[essexboy]

Run Firefox in safe mode https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode let me know if that stops it, then we will start looking for the bad boy 

[Hakimati]

o.k i have read the Make permanent changes to Firefox in the Safe Mode window n will disable all add-ons,Reset toolbars and controls:,Reset all user preferences to Firefox defaults,Restore default search engines, execpt bookamrks. o.k will work for a week to see if any thing comes n report back

[essexboy]

Ta, the reason I think it is an addon is that the files are transient and not permanently visible