Author Topic: Win32.Malware-gen and others...please help.  (Read 7642 times)


REDACTED

  • Guest
Win32.Malware-gen and others...please help.
« on: March 02, 2015, 05:23:42 AM »
Win32.Malware-gen

Avast free version found the above threat and suggested I run a scan during boot up, which is almost complete. Before doing so, I ran Malwarebytes and it found 2 things which did not mention Malware-gen. Sorry I did not make note of them, but I had it take care of them. I am now waiting for the long Avast scan to complete while I type this on my phone.
It has found some things which I'll have to shorten since I can't copy. They all begin with File C:\users\Dee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\2fc1f1cd-318afb4l->been\
Here's the endings:
nforce.class is infected by Java:Malware-gen [Trj]
piro.class is infected by Java:Agent
Scan completed and I didn't get to copy all. Went to Avast for results of 6 high severity threats! I'm not sure if Avast was able to fix, but when I applied "fix automatically" it says "error the system cannot find the file specified". Here are the threats:
Java:cve-2010-0842-L Exp
Java:cve-2010-0842-E Exp
Java:Malware-gen Trj
Java Agent DU Exp
Java Malware-gen Trj
Java Malware-gen Trj
Please help me and instruct in very simple terms since I am a novice. Should I restore to an earlier date, since my laptop is running really slow lately? Also, is it safe for me to sign on to your forum on my infected computer? I greatly appreciate your help. I'm really worried about this.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32.Malware-gen and others...please help.
« Reply #1 on: March 02, 2015, 05:29:48 AM »
Follow the instructions:
https://forum.avast.com/index.php?topic=53253.0

The CVE is not malware, but an exploit, hence the EXP.
There is already a patch for it since 2010(!)
You really should keep your software up-to-date.
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Exploit%3AJava%2FCVE-2010-0842.A

REDACTED

  • Guest
Re: Win32.Malware-gen and others...please help.
« Reply #2 on: March 02, 2015, 07:08:15 AM »
You are so sweet to help. For some reason I cannot find the export button after running Malwarebytes. Btw there was nothing detected. I hate to go to the next step till I find it.

Offline Pondus

  • Probably Bot
  • Posts: 37507
  • Not a avast user
Re: Win32.Malware-gen and others...please help.
« Reply #3 on: March 02, 2015, 07:40:45 AM »
Open Malwarebytes > (top right) History > (left side) Application Logs > double click the one you want to open > (lower left) Export to text file (txt)

Malwarebytes User Guide https://www.malwarebytes.org/support/guides/mbam/



Offline Pondus

  • Probably Bot
  • Posts: 37507
  • Not a avast user
Re: Win32.Malware-gen and others...please help.
« Reply #4 on: March 02, 2015, 07:46:11 AM »
Quote
C:\users\Dee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\2fc1f1cd-318afb4l->been\

Empty/clear the Java cache ....

first run CCleaner free   https://www.piriform.com/ccleaner/download

then run TFC cleaner  http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Make sure you have the latest Java, and if you see more than one listed in Add/Remove Programs, remove the old one(s).


Continue with the logs from the guide Eddy gave you, then a malware expert will check when online .... it will take some hours.

« Last Edit: March 02, 2015, 07:48:14 AM by Pondus »
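As an added example (not from this thread, and not part of CCleaner, TFC or any other tool mentioned here), the following PowerShell script does the two checks Pondus describes: it lists every installed Java runtime found in the Uninstall registry keys, warns when more than one is present, and reports (and with a hypothetical -ClearCache switch, empties) the per-user Java deployment cache, which is where the detected .class files in the first post were stored. It assumes PowerShell 3.0 or later and the AppData\LocalLow cache location shown in that post.

```powershell
# Added example, not from the thread. Run as the affected user in an elevated PowerShell (3.0+).
param([switch]$ClearCache)   # hypothetical switch: report only unless -ClearCache is given

# 1. Installed Java runtimes, from both the 64-bit and the 32-bit (WOW6432Node) Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$javaInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java' -and $_.Publisher -match 'Oracle|Sun' } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayVersion
$javaInstalls | Format-Table -AutoSize
if (@($javaInstalls).Count -gt 1) {
    # Old runtimes left beside a new one are still reachable by applets that request them.
    Write-Warning 'More than one Java runtime is installed; uninstall the older one(s) from Add/Remove Programs.'
}

# 2. Java deployment (applet / Web Start) cache, the location the detections in this thread point to.
$cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
if (Test-Path $cache) {
    $files  = Get-ChildItem -Path $cache -Recurse -File -ErrorAction SilentlyContinue
    $sizeMB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum) / 1MB, 2)
    Write-Output "Deployment cache: $(@($files).Count) files, $sizeMB MB at $cache"
    if ($ClearCache) {
        # Cached jars are re-downloaded on demand, so clearing removes only stale copies.
        Remove-Item -Path (Join-Path $cache '*') -Recurse -Force -ErrorAction SilentlyContinue
        Write-Output 'Deployment cache cleared.'
    }
} else {
    Write-Output "No deployment cache found at $cache"
}
```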

REDACTED

  • Guest
Re: Win32.Malware-gen and others...please help.
« Reply #5 on: March 02, 2015, 08:15:54 AM »
On the Malwarebytes history log page, the export button is covered by my icons at the bottom, so not sure how to get to it. Also I don't know how to clear the Java cache. Sorry, I'm like a first grader when it comes to this stuff. Is it safe for me to log in here on my infected computer? It's hard to communicate on my phone.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Win32.Malware-gen and others...please help.
« Reply #6 on: March 02, 2015, 08:46:20 AM »
After MBAM finished scanning, you can choose to view details and there will be a button to export the log as well.

To clear the Java cache, use the tools Pondus mentioned.

Please run Farbar (First) and attach the logs to your next post.
We really need those log files (FRST.txt and Addition.txt).

REDACTED

  • Guest
Re: Win32.Malware-gen and others...please help.
« Reply #7 on: March 02, 2015, 08:23:43 PM »
Thanks again!  I ran Farbar...is it safe to sign on here using my infected computer and post results?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32.Malware-gen and others...please help.
« Reply #8 on: March 02, 2015, 08:36:34 PM »
Yes, attach the logs and I will create a script for you

REDACTED

  • Guest
Re: Win32.Malware-gen and others...please help.
« Reply #9 on: March 02, 2015, 09:27:12 PM »
Thanks, Essexboy!  You are so kind to help!
I ran the MBAM scan, but am having trouble getting to the buttons at the bottom of the page since they are covered by my icons.  Btw, there was nothing found on the scan.  Please instruct me on how to uncover the buttons so that I may post the results.
 
I'm trying to attach Farbar FRST you requested.  Will try again if it doesn't work.

REDACTED

  • Guest
Re: Win32.Malware-gen and others...please help.
« Reply #10 on: March 02, 2015, 09:31:55 PM »
Here is farbar addition hopefully attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32.Malware-gen and others...please help.
« Reply #11 on: March 02, 2015, 10:08:19 PM »
If MBAM is clean then I have no need to see it :)

Could you let me know how the computer is after this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKU\S-1-5-21-3631994560-431200245-383745115-1001 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
2015-02-13 14:18 - 2014-05-13 09:15 - 00010240 _____ () C:\Users\Dee\AppData\Local\Z@!-3bc42c48-12ad-4c7a-925c-188160370819.tmp
2015-02-13 14:18 - 2014-05-13 09:15 - 00009216 _____ () C:\Users\Dee\AppData\Local\Z@S!-a8409c65-1805-4541-9ec1-792047ff7241.tmp
2012-01-19 00:29 - 2012-01-20 12:19 - 0001883 _____ () C:\Users\Dee\AppData\Roaming\1e931802
2012-01-19 00:29 - 2012-01-20 12:19 - 0001960 _____ () C:\Users\Dee\AppData\Local\dd2c39f8
2015-02-13 14:18 - 2014-05-13 09:15 - 0010240 _____ () C:\Users\Dee\AppData\Local\Z@!-3bc42c48-12ad-4c7a-925c-188160370819.tmp
2015-02-13 14:18 - 2014-05-13 09:15 - 0009216 _____ () C:\Users\Dee\AppData\Local\Z@S!-a8409c65-1805-4541-9ec1-792047ff7241.tmp
2012-01-19 00:29 - 2012-01-20 12:19 - 0001838 _____ () C:\ProgramData\4b67dbe8
CustomCLSID: HKU\S-1-5-21-3631994560-431200245-383745115-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Dee\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3631994560-431200245-383745115-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Dee\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3631994560-431200245-383745115-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Dee\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3631994560-431200245-383745115-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Dee\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3631994560-431200245-383745115-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Dee\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

REDACTED

  • Guest
Re: Win32.Malware-gen and others...please help.
« Reply #12 on: March 03, 2015, 12:18:05 AM »
Essexboy, Sorry to bother you again, but wanted to make sure I do this right.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

How do I make sure where this was saved?
Is it the list like I sent you or something that was automatically saved?
The reason I ask is that earlier, after running Farbar, I went to save the results that it printed out and it said I already had saved something with the same name. Anyway, I named the one I was saving with a different name to make sure I had it, since I wasn't sure if it was the results that were already saved or part of the program. I believe all of them are saved in the same place with different names. Will that be a problem?
Hope you understand what I'm asking.



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Win32.Malware-gen and others...please help.
« Reply #13 on: March 03, 2015, 12:26:47 AM »
Hi slow learner,

Probably you'd have to wait until to-morrow for an answer.
essexboy might have turned in and will be fast asleep.
He is facing another working day to-morrow and will be on duty later.
The clock is ticking well after midnight here in CET.
Just the night owls are still fumbling through some malcode descriptions,
like little old me,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: Win32.Malware-gen and others...please help.
« Reply #14 on: March 03, 2015, 05:35:49 AM »
Essexboy,
I realize I have 2 downloads of FRST64.
One is titled FRST64, the other FRST64 (1).
They are both 1.99 MB.
One is file version 29.2.2015.0, created 3/2/2015 12:29 AM.
The other is file version 2.3.2015.0, created 3/2/2015 12:33 PM.
 
Should I delete one of them before running it?
Which one should I run and which one should I delete?
Do I delete by right clicking?
Thanks again for your help.