windows file infected with Win32: Malware-gen cannot move delete or fix

[welshniceguy]

Hello, i need a little help and advice with the infection found by Avasts Boot scanner, 2 infected files, 1st moved to the virus vault as it was a absolute software Lo Jack file, the 2nd was a windows file which will not move to chest - object name not found, Delete - The operation is not supported for this type of archive., Repair - Object name already exists. had to ignore the infection.

It is the Win32: Malware-gen.
1st infection.
File C:\Program Files (x86)\Absolute Software\LoJack Install\FactoryInstallerLib.DLL|>[Embedded_I#0601c] is infected by Win32:Malware-gen, Moved to chest

2nd infection.
File C:\WINDOWS\Installer\f1b2.msi|>_A752C74228F5CF2AA93A043C19DD56E0|>_DFB7B5BFA295555328DE038386F8BCAA|>[Embedded_I#0601c] is infected by Win32:Malware-gen, Delete: Error 42111 {The operation is not supported for this type of archive.}


help and advice on what to do with this infection is much appreciated, thankyou.

paul

[argus]

Hello Paul


Please download DDS and save it to your Desktop from here:
http://www.bleepingcomputer.com/download/dds/dl/104/

Double click to run the tool, click the Start button.

   * When done, DDS will open two (2) logs:
         1. DDS.txt
         2. Attach.txt

Save both reports to your desktop. DDS.txt and Attach.txt attach back to topic.

[welshniceguy]

here are the 2 txt files

[argus]

Uninstall AVG Antivirus, next

Uninstall Programs and Features and run AVG Uninstall tool http://www.avg.com/ww-en/utilities



Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Under Optional Scan ensure "Driver MD5" are ticked.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[welshniceguy]

AVG was uninstalled but when it uninstalled it recommended that the Link scanner by left on the system but i thought the actual AVG 2014 was uninstalled, was it mistake to listen to it and leave the Link scanner in place.

[argus]

Run FRST program.

[welshniceguy]

AVG 2014 link scanner uninstalled.
AVG uninstaller run, rebooted once.
FRST run.
2 x txt attached

[argus]

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]

Start
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG Nation toolbar\vprot.exe [2403144 2013-11-13] ()
C:\Program Files (x86)\AVG Nation toolbar\vprot.exe
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://avg.nation.com/avgtbavg/search/web?cid={5DDCC39A-1768-4A65-B1F6-1706368FDFA3}&mid=33a27b5c7da247d386f82104e470021e-6185edbb78741edceb805eebace7fc7d38e79f1a&lang=en&ds=AVG&coid=avgtbavg&pr=pr&d=2013-11-12 13:58:55&v=17.0.0.12&pid=nation&sg=0&sap=dsp&q={searchTerms}
BHO-x32: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.0.12\ViProtocol.dll (AVG Secure Search)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll (AVG Technologies)
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\\ChromeExt\\avg.crx
R2 vToolbarUpdater17.0.12; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [1733448 2013-11-12] (AVG Secure Search)
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [46368 2013-11-12] (AVG Technologies)
C:\Windows\system32\drivers\avgtpx64.sys
2013-12-06 10:41 - 2013-12-06 10:41 - 00000000 ____D C:\Users\User\AppData\Local\AVG Secure Search
2013-12-06 10:33 - 2013-12-06 10:33 - 04434976 _____ (AVG Technologies) C:\Users\User\Desktop\avg_isct_stb_all_2014_4161.exe
2013-11-12 13:58 - 2013-11-12 13:57 - 00046368 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx64.sys
2013-11-13 16:11 - 2013-11-12 13:58 - 00000000 ____D C:\Program Files (x86)\AVG Nation toolbar
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
File: c:\windows\system32\services.exe
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

.




********** Next **********






Please download zoek.zip or zoek.rar by smeenk () from here or here and save it to your Desktop.
Unpack the archive...

• Close any open browsers
• Temporarily disable your AntiVirus program. (If necessary)
  If you are unsure how to do this please read this or this Instruction.
  
  
• Double click on zoek.exe to run the tool .
  Please wait while the tool does not start...
  
  
• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Code: [Select]

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

• Click on button.
  Please wait until a logreport will open (this can be after reboot)
  
  
• Save notepad to your Desktop and attach here zoek-results.log
  Note: It will also create a log in the C:\ directory named "zoek-results.log"
  

[welshniceguy]

this help is amazing argus, but i'm not sure what just happened? i ran frst64 and it updated then i clicked fix once it created Fixlog.txt i saw it saved to the desktop then the laptop restarted and now the desktop has dissappeared and i got basic grey theme all quick launch short cuts are gone and most of the programs that were running are now off, only the dell dat safe is running?  did something break, omg this is my managers laptop, so i hope not, :-(
the desktop is just black a windows fault appeared unable to find the desktop.

[welshniceguy]

I need sleep now mate, i may have to use system restore back to the point AVG was removed i have 4 restore points to choose from.
 
my manager is tank sized 6 1/2ft ex Slovenian Nato army lietenant,on this laptop i fixed the broken defender, i fixed the broken windows update which was stopping service pack 1 and 81 other updates from installing, i removed mcafees security scanner, removed pandas free anti virus and removed trial full AVG2014 and put AVAST on as its the only anti virus i recommend by a mile. the only thing left to fix was that one win32: malware-gen infection. hope its an easy fix, thanks for all the help so far its much appreciated.

[argus]

ctrl+alt+del

Start Task manager
 Click File > New task run

write  explorer.exe click OK

[welshniceguy]

i did that and i got a dong windows error noise.
Location is not available.
c:\\windows system32\config\system profile\Desktop refers to a location that is unavailable.

[argus]

Reboot comp. click F8 choose last good known configuration

[welshniceguy]

that worked ty, desktop running again.
attached the file.

[argus]

Code: [Select]

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

it was malware. 


How is your computer behaving now ?