Author Topic: Virus Win32:Malware-Gen, How can i get rid of it?????  (Read 10064 times)

Offline icezbox

Virus Win32:Malware-Gen, How can i get rid of it?????
« on: November 09, 2009, 03:59:40 AM »
I scanned my Laptop and it appears that C:\Windows.old.000\users\Monskieth\AppData\Local\Temp\pavtmp & C:\Windows.old.000\Program Files\Data0.Net Software\Portable Antivirus is infected by a Win32:Malware-gen. How can i get rid of the virus? Is it safe to delete it? or is it a false positive?

Offline mikaelrask

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #1 on: November 09, 2009, 05:46:58 AM »
hey i suggest you upload the file to virustotal.com and post the result here. otherwise you can try MBAB and or SAS and see what they come up with.

http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/

good luck and write back if you getting problem.

and welcome to the forum.

Offline .: L' arc :.

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #2 on: November 09, 2009, 09:25:55 AM »
Step 1: Windows Disk Cleanup Utility ============

1   Press Windows Key + R
2   Type in: cleanmgr
3   Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4   Click OK

Step 2: avast! Boot Time Scan ============

1   Double click avast! antivirus desktop icon and wait for memory test to complete
2   avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan...
3   Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4   You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
        NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time

Step 3: Malwarebytes Antimalware (MBAM) ============

1   Download Malwarebyes' Antimalware here
2   Proceed to installing MBAM after downloading
3   On the last dialog box, do not forget to leave Update Malwarebytes' Antimalware and Run Malwarebytes' Antimalware checked
4   Malwarebytes' Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5   When scan is completed, click Show Results
6   Click Remove Selected and then, a notepad file will appear.
7   On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.

Step 4: Hijack This (HJT) ============

1   Download Trend Micro Hijack This here
2   Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is already displayed by default). Click Install
3   HJT Window will appear. Click Do a system scan and save a logfile. A notepad file will pop-up once the scan is completed
4   Click on the Notepad window and click File > Save As and save the file on your desktop
5   Go back here on your topic and start a reply. On the Reply window, click Additional Options
6   Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)
        NOTE: Do not have HJT fix anything yet.

Offline DavidR

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #3 on: November 09, 2009, 02:01:07 PM »
[quoting icezbox's opening post]

I don't know what everyone is jumping up and down about; if you look at the path to the infected file, you will see it appears to be something related to Panda AntiVirus (pavtmp) and a portable antivirus, see below. So far from being false positives, I believe the detections are good, but on the unencrypted virus signatures of both.

{C:\Windows.old.000\users\Monskieth\AppData\Local\Temp\pavtmp
&
C:\Windows.old.000\Program Files\Data0.Net Software\Portable Antivirus}

So the questions are:
Have you installed a portable antivirus (if so, uninstall it, as the signatures should be encrypted to prevent detection)?

Have you used any Panda AntiVirus products ?

Offline domdom63

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #4 on: November 14, 2009, 09:39:44 PM »
Hi, I'm a newbie.  :-[... and I did what you wrote down here. And I have 2 attachments here. So, what do I do next?  :'(

[quoting the four steps from Reply #2 above]

Offline polonus

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #5 on: November 14, 2009, 10:47:33 PM »

This is what you should fix with HJT:

C:\WINDOWS\system32\FastNetSrv.exe
The filename is associated with these malware groups:
Banking Info Stealer
Rootkit
System Back Door
Malicious Software Trojan
Nasty


R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll

This entry is classified as malware, spyware, adware, or other potentially unwanted software
Should be fixed.

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
Nasty Fix

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll

Nasty
Must be fixed! SearchSettings.dll - Vendio "Search Settings" foistware - reportedly installed without notice - see here, http://groups.google.com/group/mozilla.support.firefox/browse_thread/thread/dcc6bd1e6009abe8 and here, http://www.tutorials-win.com/SupportXP/

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Vendio "Search Settings" foistware, bundled with its Dealio toolbar, which is in turn bundled with numerous third party applications
Nasty

O20 - AppInit_DLLs: C:\WINDOWS\TEMP\42844kou.dll c:\windows\system32\dukotova.dll,pehuraba.dll

 Use Windows Command Prompt to Unregister dukotova.dll & pehuraba.dll Files

To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the pehuraba.dll DLL file is located and press the "Enter" button on your keyboard. If you don't know where the pehuraba.dll DLL file is located, use the "dir" command to display the directory's contents.
To unregister the "pehuraba.dll" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, C:\Spyware-folder\> regsvr32 /u pehuraba.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file. Do the same for the other file.
 
O21 - SSODL: pirumotan - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
Fix
 
O22 - SharedTaskScheduler: gahurihor - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
Fix

O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
Nasty (2.17 / 5.00)
Fix


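The reasoning polonus applies to the HijackThis entries above (orphaned "(no file)" references, a Shell= value that is not plain Explorer.exe, AppInit_DLLs loading from TEMP or given without a path, and filenames the thread has already identified as malicious) can be written down as checks and re-run over a log. The following is an added example, not code from the thread or from Trend Micro HijackThis; the sample lines are the ones quoted in this post plus two benign-looking entries constructed here for contrast, and the rule set, the KNOWN_BAD_FILES list (taken only from this thread's identifications) and the function names are this example's own.

```python
import re

# Filenames the helpers in this thread identified as malicious. Taken from the
# posts above, not from any vendor database; a real triage would use a proper one.
KNOWN_BAD_FILES = {"fastnetsrv.exe", "searchsettings.dll",
                   "dukotova.dll", "pehuraba.dll"}

# Constructed sample: the log lines polonus quoted from domdom63's HJT log,
# plus two benign-looking entries invented here for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\TEMP\42844kou.dll c:\windows\system32\dukotova.dll,pehuraba.dll
O21 - SSODL: pirumotan - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
O22 - SharedTaskScheduler: gahurihor - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O2 - BHO: Example Helper (constructed) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O23 - Service: Example Update (ExampleSvc) - Example Corp - C:\Program Files\Example\update.exe
"""

# Every HJT entry starts with a section code such as R3, F2, O2 or O23.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_line(line):
    """Split 'O2 - BHO: name - {clsid} - path' into (code, body), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("code"), m.group("body")


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_entry(code, body):
    """Return human-readable reasons this entry deserves a closer look."""
    reasons = []
    if "(no file)" in body:
        reasons.append("references a file that no longer exists (orphaned entry)")
    if code == "F2" and "Shell=" in body:
        value = body.split("Shell=", 1)[1].strip()
        # A clean shell value is exactly Explorer.exe; anything appended is an extra loader.
        if value.lower() != "explorer.exe":
            reasons.append(f"shell value is not plain Explorer.exe: {value!r}")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        for item in re.split(r"[,\s]+", body.split(":", 1)[1].strip()):
            if not item:
                continue
            if "\\temp\\" in item.lower():
                reasons.append(f"AppInit DLL loads from a TEMP folder: {item}")
            elif "\\" not in item:
                reasons.append(f"AppInit DLL given without a path: {item}")
    for token in re.split(r"[,\s]+", body):
        if basename(token) in KNOWN_BAD_FILES:
            reasons.append(f"filename identified as malicious in this thread: {basename(token)}")
            break
    return reasons


def triage(log_text):
    """Run the checks over a whole log; return one finding per flagged entry."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        code, body = parsed
        reasons = check_entry(code, body)
        if reasons:
            findings.append({"code": code, "entry": line.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["code"], "->", "; ".join(finding["reasons"]))
```

The two constructed benign entries produce no findings, while the eight quoted lines are each flagged for the reason given in the post; note that the known-filename rule only ever confirms what someone has already identified, so the structural rules (orphaned entries, the Shell= value, AppInit_DLLs) are the ones that carry over to a new log.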

Offline domdom63

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #6 on: November 14, 2009, 11:48:33 PM »
... Seriously, I'm not familiar with Windows Command Prompt and also... English. Can you please show me a little more detail? Thank you very much

[quoting polonus's Reply #5 above]

Offline micky77

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #7 on: November 14, 2009, 11:54:08 PM »
You have a serious rootkit infection, HJT is no use to you. From your MBAM log: C:\WINDOWS\system32\drivers\kbiwkmbpbpfqxy.sys (Rootkit.TDSS) -> No action taken.

You should run Combofix and post the log. Follow all instructions carefully
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Offline domdom63

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #8 on: November 15, 2009, 12:39:10 AM »
Here is the log file.
Thank you for helping me



[quoting micky77's Reply #7 above]
« Last Edit: November 15, 2009, 04:26:03 AM by domdom63 »

Offline micky77

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #9 on: November 15, 2009, 12:30:39 PM »
Combofix has removed the rootkit. Your pc has many infections. I would uninstall combofix now http://www.bleepingcomputer.com/forums/index.php?s=eab68518186b64fb0677524792426b02&showtopic=114269&view=findpost&p=650524
You should now run a full scan with MBAM, this time have it remove the threats it finds and post the log.
I would then reboot and run another scan with MBAM and see if anything removed the first time returns. Your pc is so infected, I am hoping Essexboy will look at your logs and comment.

Offline domdom63

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #10 on: November 15, 2009, 07:47:59 PM »
I've tried it but, first, I accidentally installed combofix into desktop\Downloads. And I can't uninstall the program. Then I typed

CMD (enter)
C:\Documents and Settings\Dominic Nguyen>cd Desktop\Downloads
Desktop\Downloads\Combofix /u
enter

... And the combofix started to run scan and give me the log again

Please help

Offline oldman

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #11 on: November 16, 2009, 04:53:55 AM »
Hi

Let's see if I can help a bit here. You still have some nasty infections.

We'll use combofix again, but run it differently.

First locate combofix.exe on your desktop, right click it and select delete.

Download a new copy from one of these links and save it directly to your desktop. DO NOT run it yet.

It must be on your desktop, not in a folder on your desktop.

Link 1
Link 2

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
File::
c:\windows\system32\FastNetSrv.exe
C:\jlkdtrnv.exe
C:\tfwhkfp.exe
C:\mwoqywsu.exe
c:\windows\system32\netskt.sys

Driver::
fastnetsrv
BtwSrv
netskt

NetSvcs::
BtwSrv


In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Please post the combofix log in your next reply.

Thanks
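The CFScript in this post follows a simple layout: a section header ending in "::" (File::, Driver::, NetSvcs::) followed by one item per line. Because the script is dropped onto ComboFix and acted on without further confirmation, it is worth checking the file before doing so. The following is an added example, not code from the thread or from ComboFix; it parses that layout and reports the mistakes the instructions above warn about (the word CODE copied along with the code box, a File:: path that is not an absolute drive path, a service section that contains a path instead of a bare name, duplicate items). The sample script is the one from the post; the function names and the checks are this example's own assumptions.

```python
import re

# Constructed sample: the CFScript from the post above, verbatim.
SAMPLE_SCRIPT = r"""File::
c:\windows\system32\FastNetSrv.exe
C:\jlkdtrnv.exe
C:\tfwhkfp.exe
C:\mwoqywsu.exe
c:\windows\system32\netskt.sys

Driver::
fastnetsrv
BtwSrv
netskt

NetSvcs::
BtwSrv
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "File::"
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")         # e.g. "C:\..."


def parse_cfscript(text):
    """Return {section: [items]} in file order; items outside any section are an error."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: {line!r} appears before any section header")
        sections[current].append(line)
    return sections


def validate_cfscript(text):
    """Return a list of problems; an empty list means the script looks well-formed."""
    problems = []
    lines = text.splitlines()
    # The forum shows the script in a box labelled "Code"; the post says not to copy that word.
    if lines and lines[0].strip().upper() == "CODE":
        problems.append("first line is the word CODE copied from the forum code box; remove it")
        lines = lines[1:]
    try:
        sections = parse_cfscript("\n".join(lines))
    except ValueError as err:
        return problems + [str(err)]
    # File:: items are deleted by path, so each must be a full drive path.
    for item in sections.get("File", []):
        if not ABS_PATH_RE.match(item):
            problems.append(f"File:: entry is not an absolute drive path: {item}")
    # Driver:: and NetSvcs:: items are service names, not paths.
    for name in ("Driver", "NetSvcs"):
        for item in sections.get(name, []):
            if "\\" in item or " " in item:
                problems.append(f"{name}:: entry should be a bare service name: {item}")
    for name, items in sections.items():
        for dup in sorted({i for i in items if items.count(i) > 1}):
            problems.append(f"{name}:: lists {dup} more than once")
    return problems


if __name__ == "__main__":
    for section, items in parse_cfscript(SAMPLE_SCRIPT).items():
        print(f"{section}:: {len(items)} item(s)")
    print("problems:", validate_cfscript(SAMPLE_SCRIPT) or "none")
```

Run against the post's script the validator reports no problems; the value of the check is on a hand-edited copy, where a stray "CODE" line, a relative path or a driver listed by path would otherwise only be discovered after ComboFix has already run.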

Offline domdom63

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #12 on: November 16, 2009, 06:28:14 AM »
Here is my log file. BTW, thank you

Offline oldman

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #13 on: November 16, 2009, 04:12:42 PM »
Hi

That looks much better. Did you run MBAM before running the fix I posted?

Please make an uninstall list
  • Start HijackThis
  • Click the Config button     
  • Click the Misc Tools button     
  • Click the Open Uninstall Manager button.     
  • Click the Save list button and save it to your desktop.
When you press Save, a notepad will open with the contents. Copy/paste the contents of the notepad file in your next reply.

Please post the uninstall list and a new HJT log.

Thanks


Offline domdom63

Re: Virus Win32:Malware-Gen, How can i get rid of it?????
« Reply #14 on: November 16, 2009, 06:03:53 PM »
Thanks for replying,
Yes, I did run MBAM, because I had waited too long for someone to reply to my post. LOL



 
