Author Topic: Win32:adware-gen (please help)

jcb1981

  • Guest
Win32:adware-gen (please help)
« on: December 06, 2008, 12:51:21 AM »
Hi, a while back (November), I was surfing the web and the dreaded popup for "Antivirus 2009" was across my screen.  I did not install it.  I simply closed the window and investigated for a while.  I found that the most unanimous advice for the issue was to scan with Malwarebytes' Anti-Malware.  After both an in-depth scan and a quick scan, the rogue software was not found on my machine. 

Yesterday, however, I started to experience a problem when organizing my favorites on Firefox.  I clicked on a favorite to see what it was (part of the site www.guitarsland.com) and got a HTML:Iframe-gen issue.  I couldn't find any assistance with that.  While investigating THAT, the following unearthed: "Win32:Adware-gen [Adw]."

The following is my log:

12/4/2008 11:03:34 PM   Compaq_Owner   4000   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP374\A0053525.dll" file. 
12/4/2008 6:24:45 PM   Compaq_Owner   4000   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\Compaq Connections\5577497\Program\Interop.SHDocVw.dll" file. 
12/4/2008 12:52:33 PM   SYSTEM   1360   Sign of "HTML:Iframe-gen" has been found in "C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ha1fsy7y.default\Cache\EAA0461Bd01" file. 
12/4/2008 12:52:20 PM   SYSTEM   1360   Sign of "HTML:Iframe-gen" has been found in "http://www.guitarsland.com/favicon.ico" file. 
12/4/2008 12:52:19 PM   SYSTEM   1360   Sign of "HTML:Iframe-gen" has been found in "http://www.guitarsland.com/favicon.ico" file. 
10/28/2008 8:44:46 PM   SYSTEM   1240   Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
9/22/2008 4:21:33 PM   Compaq_Owner   1508   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP314\A0047567.exe" file. 
9/22/2008 3:51:13 PM   Compaq_Owner   1508   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Keyfinder Advanced 2007 (Trial Version)\Crack\keyfinder.exe" file. 
9/21/2008 3:47:44 PM   SYSTEM   1368   Sign of "SWF:Downloader [trj]" has been found in "http://122.141.78.2/ff.swf" file. 

THE FOLLOWING IS WHAT'S LISTED UNDER "ALL CHEST FILES" IN MY VIRUS CHEST:

A0053525.dll
Interop.ShDocV.dll
kernel32.dll
winsock.dll
wsock32.dll

After scanning the last 3 .dll files, no virus was found.  When I selected all 5 files and scanned, the following text was displayed:

In the "Resume" tab:

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: Interop.SHDocVw.dll
FileID: 7
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: A0053525.dll
FileID: 8
Virus Description: Win32:Adware-gen [Adw]

In the "Detailed Information" tab:

Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 5 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp
FileID: 0000000008  Original file name: C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP374\A0053525.dll  New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\8.dll
FileID: 0000000007  Original file name: C:\Program Files\Compaq Connections\5577497\Program\Interop.SHDocVw.dll  New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\7.dll
FileID: 0000000001  Original file name: C:\WINDOWS\system32\kernel32.dll  New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\1.dll
FileID: 0000000002  Original file name: C:\WINDOWS\system32\winsock.dll  New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\2.dll
FileID: 0000000003  Original file name: C:\WINDOWS\system32\wsock32.dll  New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\3.dll

Scan files in the temporary folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\1.dll  -- no virus --
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\2.dll  -- no virus --
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\3.dll  -- no virus --
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\7.dll  Win32:Adware-gen [Adw]
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\8.dll  Win32:Adware-gen [Adw]
------------------------------------------------------------------------------------------

Here are my stats, per your FAQ:

Avast! Version 4.8 Home Edition (VPS 081204-0)
Build 4.8.1296
Xtreme Toolkit Version 1.9.4.0
Windows XP Home Edition Version 2002 Service Pack 3
Mozilla Firefox 3.0.4
Firewall: Went to Security Center, and it says that the Windows Firewall is ON

In advance, thanks for any and all help.  I really appreciate this resource.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Win32:adware-gen (please help)
« Reply #1 on: December 06, 2008, 01:24:17 AM »
I really do wish Alwil would get rid of this All Chest Files collation of the three sections.
- The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
- The User Files section is where the user can add files they suspect of being malware but not detected by avast.
- The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Win32:adware-gen (please help)
« Reply #2 on: December 06, 2008, 01:54:07 AM »
I think, in a nutshell, you have nothing to worry about.
This seems unrelated to the dreaded "win antivirus pro"  you experienced earlier.
It is related to an exploit, either real or possibly a FP, lurking in the guitar site. It would be advisable to temporarily disable system restore (turn it off, reboot, turn it on) to clear it from your restore points. This is not critical, and be aware that if you do this you will lose all restore points.
It would also pay to contact the webmaster at the guitar site and inform him the site may be compromised, with the details.
Avast has done its job, here.
Windows 10,Windows Firewall,Firefox w/Adblock.

jcb1981

  • Guest
Re: Win32:adware-gen (please help)
« Reply #3 on: December 06, 2008, 05:11:25 AM »
So, your advice would be simply to leave everything in the chest, delete it, or upload files for more testing?  Thanks for responding.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Win32:adware-gen (please help)
« Reply #4 on: December 06, 2008, 12:45:32 PM »
What I would probably do is upload the samples, zipped and password protected to virus@avast.com for their analysis, (I've done this a couple of times, and although not expecting one, actually got a reply), and notify the guitar webmaster.
I'd probably also run a scan with MBAM antimalware or SAS also (or Avast, but I think you've done that?) just to be sure.
There is no hurry to delete the infected files in the chest. They ain't getting out. In a couple of weeks, rescan them. If still indicating infected, might as well delete them.

What is the program you have in "C:\Program Files\Keyfinder Advanced 2007 (Trial Version)\Crack\keyfinder.exe"

That doesn't sound like too good an idea to have on board, if it is as the name suggests.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Win32:adware-gen (please help)
« Reply #5 on: December 06, 2008, 02:18:01 PM »
So, your advice would be simply to leave everything in the chest, delete it, or upload files for more testing?  Thanks for responding.

Before you upload for further analysis, you should really confirm if the detection is good or bad, rather than simply upload everything that is detected. It would simply swamp the system and lead to longer delays to correct files considered to be false positives which is bad for all avast users.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jcb1981

  • Guest
Re: Win32:adware-gen (please help)
« Reply #6 on: December 06, 2008, 10:10:57 PM »
OK, I uploaded the files to VT like you told me, and it said that I had previously uploaded those same two files before (I guess this was when I was battling that Antivirus 2009 fiasco), so I told the site to reanalyze them.  Below are the links to the results.

Also, when these files were on my system last time I just deleted them after investigating them and everything has worked just fine ever since.  I will, of course, wait and see what you say, but more than likely I should probably just delete them again, right?  Or, should I take a more direct approach in figuring out why they are on my system for a second time?  Must be the guitar site, I guess.  I tried to find a webmaster for that site and couldn't find any links offering to contact anyone related to the site.  After that, I just blocked the site with Firefox's BlockSite add-on.

While in the "Suspect" folder, I scanned the first file (.dll) with Malwarebytes' Anti-Malware and it reported no malware.  Then, I started to think, "Wait, he didn't tell me I could scan the file while it was out of the chest," so then I got kinda' scared thinking that I shouldn't do that.  Needless to say, I didn't scan the second file.  I hope just deleting the files straight out of the "Suspect" folder is the right way to dispose of them.  When I deleted them, Avast! caught them and then I deleted them through Avast.

Really appreciate all your help.

Analysis of A0053525.dll:

http://www.virustotal.com/analisis/2745ee329de22bdfb487950dd156ee3a

Analysis of Interop.SHDocVw.dll:

http://www.virustotal.com/analisis/727293b3b2eca7eef8f3535963d8c399

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: Win32:adware-gen (please help)
« Reply #7 on: December 06, 2008, 11:39:26 PM »
Well the first file name looks like it came from an infected restore point in the system volume information folder and the VT results I would say warrant it being in the chest rather than as a restore point that could bite you in the rear at some point in the future if you use system restore.

The second looks like it was the original detection that triggered the placement of the copy in the system volume information folder as the MD5s are identical, which means that although the file names are different the files are identical, so this too looks like a good detection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
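DavidR's point above, that identical MD5s mean the restore-point copy and the Program Files copy are the same file under two names, can be checked locally before anything is uploaded. The script below is an added example, not code from this thread or from avast: it hashes every file in an exported Suspect folder and groups the names by content, reporting SHA-256 alongside MD5. The folder and the file contents are constructed placeholders, not the real DLLs.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Added example (not from the thread): group files exported from the chest
# into a Suspect folder by content hash, so two differently named copies
# (A0053525.dll from a restore point, Interop.SHDocVw.dll from Program Files)
# are recognised as one and the same file, as their identical MD5s showed.
# SHA-256 is reported as well because MD5 alone is collision-prone.

def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def group_by_content(folder):
    """Map sha256 -> sorted list of file names in `folder` with that content."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            _, sha = file_digests(path)
            groups[sha].append(name)
    return dict(groups)

def duplicate_sets(folder):
    """Only the groups with more than one name: identical files under different names."""
    return [names for names in group_by_content(folder).values() if len(names) > 1]

def make_sample_suspect_folder():
    """Constructed sample: two identical copies under the thread's names, plus one unrelated file."""
    folder = tempfile.mkdtemp(prefix="Suspect_")
    payload = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real DLL"
    for name in ("A0053525.dll", "Interop.SHDocVw.dll"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(payload)
    with open(os.path.join(folder, "kernel32.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"different content")
    return folder

if __name__ == "__main__":
    folder = make_sample_suspect_folder()
    for sha, names in group_by_content(folder).items():
        print(sha[:16], names)
```

Run it against the real C:\Suspect folder instead of the sample one and compare the printed digests with the MD5/SHA-256 shown on the VirusTotal result pages.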