Author Topic: Win32:Malware-gen  (Read 10095 times)


Offline Blue.Ant

  • Jr. Member
  • **
  • Posts: 78
    • Hilfe zu Android - Garmin - PC - WordPress
Win32:Malware-gen
« on: March 07, 2015, 04:05:43 PM »
After I discovered unknown activity on my husband's PC (W7), Avast Free Antivirus found the Trojan Win32:Malware-gen. I think I remember that almost 2 years ago the same problem appeared and that I worked through it according to the help here. Apparently the measures did not take effect, or there was a new infection. In one of the logs I discovered that the infections were found in a Lightroom folder. That surprises me. My husband works with many Adobe programs and we thought Adobe was reputable. In addition, these files are all in the Recycle Bin. Probably because yesterday I threw all the backups from AllSync into the bin. Could that mean the Trojan survived in the backups?

How serious is the situation? The PC is in a home network with my PC (W7) and several devices connected via WLAN, such as a phone and tablets. The LED that shows hard-disk activity blinks more than once per second; sometimes it flickers, sometimes it lights up longer and brighter. On the router the network LED blinks. And this, of course, when nobody is sitting at the PC. Incidentally, this is still the case now, after I have run the various tools according to the thread "Hilfe bei Infektionen" (Help with infections).

Hopefully someone can help me? My husband and I are of an older generation and did not grow up with PCs. I have no in-depth knowledge.

Many thanks to whoever takes pity. :)

I have attached all the requested logs. Except ASWmbr. The program keeps crashing after a little over 4 minutes.

Regards
Ingrid

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Win32:Malware-gen
« Reply #1 on: March 07, 2015, 05:03:37 PM »
An expert has been informed.

Best regards, Asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Malware-gen
« Reply #2 on: March 07, 2015, 05:32:30 PM »
Good day, is there a possibility that the backups were infected?
I will give you a program that you can use to check the backups later; meanwhile I will clear what I can see and run a deeper scan.

Good afternoon, there is a possibility that the backups may have been infected.
I will give a programme that you can use to check the backups later, meanwhile I will clear what I can see and run a deeper scan


CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
C:\$Recycle.Bin\S-1-5-21-3366645687-1487830366-2275098547-1001
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now


Offline Blue.Ant
Re: Win32:Malware-gen
« Reply #3 on: March 07, 2015, 10:54:21 PM »
Thanks for the instructions. I did everything (needs patience  ;))

Unfortunately there seems to be no improvement.
Starting the PC needs about 8 min. until I can work with it. (It's been like that for a long time.) Then the activity LED is still on (permanently) for another 15 min. After this time, it continues blinking like before.

I installed procmon.exe to search for unusual activities, but can't find anything. It looks like the printscreen sysinternal3 with a filter and like sysinternal4 without filter.

Do you have any other ideas? Sure you have...  8)

Offline essexboy
Re: Win32:Malware-gen
« Reply #4 on: March 07, 2015, 11:55:35 PM »
I am glad you understand English as my German is atrocious :)

Sorry for the delay but, the programme I am going to use has changed so I had to amend my screenshots and instructions

I will do one further check for malware then we may need to look at the hard drive

Download AVP tool from Here

1. Run the program.
2. Click Change parameters and ensure the system drive is selected, OK out and then press Scan.
3. Wait until the scan is complete.
4. If any threats are detected during the scan, a notification with a request for action will be displayed.
5. If the infection is active then you will be offered a delete on reboot.
6. To view the scan details, click the Details link.
   Copy and paste the data in your next post (or attach if too big).
7. To exit Kaspersky Virus Removal Tool 2015, click the Close button or the cross button in the upper-right corner of the utility window.


Offline Blue.Ant
Re: Win32:Malware-gen
« Reply #5 on: March 08, 2015, 05:01:49 PM »
I could not get the logs from AVP. After a click on Details it says "Not enough memory". Very strange. But at least it didn't find any threat.

So what's your next idea?

Offline essexboy
Re: Win32:Malware-gen
« Reply #6 on: March 08, 2015, 05:39:15 PM »

Offline Blue.Ant
Re: Win32:Malware-gen
« Reply #7 on: March 09, 2015, 09:52:49 AM »
Happy monday!  :o ::) :)

chkdsk is done (overnight). Do I find a result somewhere, or is everything OK when there is no message?

I let chkdsk run overnight. This morning, I had a message from MBAM on the screen. Since I used the program, it is still active. And it showed me a note saying that it found one or more objects. I opened the program and it shows me 4 objects. But in the log, there is nothing mentioned.

As I checked the starting time this morning with Ereignisanzeige (Event Viewer), it says 339278 ms = 5,65 min. That's a record...

The PC's activity still remains, no improvement.

Offline essexboy
Re: Win32:Malware-gen
« Reply #8 on: March 09, 2015, 04:27:20 PM »
Those are just registry entries that will have no effect on the system as they are orphans :)

OK, there is a way to improve the start, but it will take 30 minutes or more to run this. We will use the MS developer kit :)

Based on the improvement that chkdsk has gained you, I will be optimistic and hope for at least a 70% improvement in boot time after this.

Download the SDK web installer from here
Run the installer and select the following:

Leave the location at default

Windows Performance Toolkit

You must reboot on completion of the install

After reboot set aside about 30 minutes when you will not need the computer

When ready start an elevated command prompt:

Go Start > All Programs > Accessories
Right click Command Prompt and select Run as Administrator

Then copy and paste the following command into the black box:

xbootmgr -trace boot -prepSystem -verboseReadyBoot

Now your PC will be restarted 6 times, with a two minute pause before the tool runs after the desktop loads.
After the second reboot the MS defragmentation program is running and is placing the files into an optimized layout, so that Windows will boot up faster.
This is the longest part of the process; as you have already done a chkdsk it should take no longer than 20 minutes.
The last reboots are training of ReadyBoot. After the training is finished, you'll notice a huge improvement in startup.

Readyboot

Quote
The logical prefetching described above is used when the system has less than 512MB of memory. If the system has 700MB or more then an in-RAM cache is used to further optimize the boot process (it’s not clear from the book whether or not this ReadyBoot cache completely replaces the logical prefetching approach or just builds on it, my assumption is that both work together).
After each boot the system generates a boot caching plan for the next boot using file trace information from up to the five previous boots which contains details of which files were accessed and where on the disk they were located. These traces are stored as .fx files in the

Offline Blue.Ant
Re: Win32:Malware-gen
« Reply #9 on: March 09, 2015, 10:43:27 PM »
The PC restarted a few times, I did not count how many. But after 2:37 hours the program gave up with this message from Microsoft Windows Performance Analyzer:
Quote
Gave up waiting for Win7RTM physical prefetcher after 300 seconds. Could not wait for prefetcher.
What does it mean and what should I do now?

Apart from optimising the starting time, do you have another idea about the PC's activity? It is still there.

Offline essexboy
Re: Win32:Malware-gen
« Reply #10 on: March 09, 2015, 11:02:22 PM »
That would suggest that the prefetcher is not working.

Control Panel > Administrative Tools > Services
Superfetch should be running and on Automatic.

The continual drive access would suggest a lot of disc swapping; however, you have 12 GB of RAM so that should not be a problem unless the drive is badly fragmented.

I will have a little rummage around on that one. I do not believe at this stage that it is malware.

Offline Blue.Ant
Re: Win32:Malware-gen
« Reply #11 on: March 09, 2015, 11:20:05 PM »
The Superfetch Service was running. I restarted it but don't think that was the problem.

Does the prtscr tell you something?

Offline essexboy
Re: Win32:Malware-gen
« Reply #12 on: March 10, 2015, 05:06:44 PM »
Could you run a clean boot and then let me know how the disc is behaving?

In the search box type Msconfig and select the programme that appears at the top.

1. In the System Configuration Utility dialog box, click Selective Startup on the General tab.
2. Click to clear the Load Startup Items check box.
   Note: The Use Original Boot.ini check box is unavailable.
3. Click the Services tab.
4. Click to select the Hide All Microsoft Services check box.
5. Click Disable All, and then click Apply followed by OK.
6. When you are prompted, click Restart.

Offline Blue.Ant
Re: Win32:Malware-gen
« Reply #13 on: March 10, 2015, 06:56:52 PM »
I would say the disc behaves very badly...

18:12 Shut down and clean reboot
18:16 See start screen and clock again, working not possible, activity LED ON permanently
18:24 LED starts flickering slightly
18:29 LED still ON, sometimes flickering. Open Task Manager -> ressourcenmonitor3.jpg
18:34 LED back to misbehaving blinking -> ressourcenmonitor4.jpg

Should I be worried?

This morning, I downloaded MBAM on my PC (in this thread we are talking about my husband's PC) and it detected problems with Firefox (something outbound). I am trying to resolve this on Trojaner-Board.de. Since we have a network here, might it be a problem of the two PCs? Usually we are very careful when we download something. We follow all advice and read every letter during the install process. We both are quite suspicious and buy software instead of hacking it or getting it from friends. We believe that someone who develops software deserves to be paid. So what the heck is happening to us?

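The posts above rely on Process Monitor screenshots and Resource Monitor timelines to work out which process is keeping the disk busy. As an added example (not code from this thread, from Sysinternals, or from any other tool named here), the Python script below aggregates a Process Monitor CSV export (File > Save, CSV format) by process, so the heaviest reader/writer and the directories it touches can be read off directly instead of from screenshots. The header row is assumed to be Procmon's default export layout ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the sample rows are constructed for this example and do not come from the poster's machine.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export. The column names are the
# default export columns as assumed in the lead-in; every row below is invented
# for this example and is not taken from the machine discussed in the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"18:29:01.1000000","SearchIndexer.exe","1234","ReadFile","C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb","SUCCESS","Offset: 0, Length: 32,768, I/O Flags: Non-cached, Priority: Normal"
"18:29:01.2000000","SearchIndexer.exe","1234","WriteFile","C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb","SUCCESS","Offset: 32,768, Length: 65,536, I/O Flags: Non-cached, Priority: Normal"
"18:29:01.3000000","SearchIndexer.exe","1234","CreateFile","C:\Users\user\Documents\letter.docx","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open"
"18:29:01.4000000","SearchIndexer.exe","1234","ReadFile","C:\Users\user\Documents\letter.docx","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Priority: Normal"
"18:29:01.5000000","SearchIndexer.exe","1234","ReadFile","C:\Users\user\Documents\notes.txt","SUCCESS","Offset: 0, Length: 1,024, I/O Flags: Non-cached, Priority: Normal"
"18:29:02.0000000","firefox.exe","2345","WriteFile","C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\abcd1234.default\cache2\entries\0001","SUCCESS","Offset: 0, Length: 16,384, I/O Flags: Non-cached, Priority: Normal"
"18:29:02.1000000","svchost.exe","800","ReadFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Offset: 0, Length: 512, I/O Flags: Non-cached, Priority: Normal"
"18:29:02.2000000","explorer.exe","1500","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"18:29:02.3000000","explorer.exe","1500","ReadFile","C:\Windows\System32\shell32.dll","SUCCESS","Offset: 0, Length: 8,192, I/O Flags: Non-cached, Priority: Normal"
'''

# Only real disk transfers count; registry and metadata operations also carry a
# "Length:" in their Detail column and would inflate the totals if not filtered.
IO_OPS = {"ReadFile", "WriteFile"}
LENGTH_RE = re.compile(r"Length:\s*([\d,]+)")


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dict rows, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def io_bytes(detail):
    """Transfer size from a ReadFile/WriteFile Detail column (Procmon writes
    thousands separators, e.g. 'Length: 32,768'); 0 if no length is present."""
    m = LENGTH_RE.search(detail or "")
    return int(m.group(1).replace(",", "")) if m else 0


def summarize_by_process(rows):
    """Per process: number of disk transfers, bytes moved, distinct paths touched."""
    summary = defaultdict(lambda: {"events": 0, "bytes": 0, "paths": set()})
    for row in rows:
        if row["Operation"] not in IO_OPS:
            continue
        entry = summary[row["Process Name"]]
        entry["events"] += 1
        entry["bytes"] += io_bytes(row["Detail"])
        entry["paths"].add(row["Path"])
    return dict(summary)


def top_talkers(summary, n=5):
    """Processes ranked by bytes transferred (ties broken by event count)."""
    ranked = sorted(summary.items(),
                    key=lambda kv: (kv[1]["bytes"], kv[1]["events"]),
                    reverse=True)
    return [(name, s["bytes"], s["events"]) for name, s in ranked[:n]]


def top_directories(rows, process, n=3):
    """Directories one process hits most often, by transfer count."""
    counts = defaultdict(int)
    for row in rows:
        if row["Process Name"] == process and row["Operation"] in IO_OPS:
            counts[row["Path"].rsplit("\\", 1)[0]] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


def report(text):
    """Human-readable summary: heaviest processes and where they are working."""
    rows = parse_procmon_csv(text)
    summary = summarize_by_process(rows)
    lines = []
    for name, nbytes, events in top_talkers(summary):
        lines.append(f"{name:20} {nbytes:>12,d} bytes in {events:4d} transfers")
        for directory, count in top_directories(rows, name):
            lines.append(f"    {count:4d}  {directory}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

To run it against a real capture, pass the saved export's contents to report() instead of SAMPLE_CSV; if the file starts with a byte-order mark, open it with encoding="utf-8-sig". In the constructed data the indexer's database and the user's Documents folder dominate, which is the kind of breakdown that separates "the search indexer is rebuilding its catalogue" from "an unknown process is writing somewhere it should not".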
Offline essexboy
Re: Win32:Malware-gen
« Reply #14 on: March 10, 2015, 09:49:42 PM »
With all other services off, it appears that the search indexer may be the problem.

Could you turn off the search indexer as per the steps here: http://www.howtogeek.com/howto/10246/how-to-disable-search-in-windows-7/

Then reboot and check again.