Topic: Win32: Malware-gen problem


Otabo
Win32: Malware-gen problem
« on: February 10, 2010, 07:45:09 PM »
I've been trying to get rid of this thing for two days now with no luck. Every once in a while, avast prompts that the Win32:Malware-gen has been found. I've tried moving it to the chest, no luck - it just keeps coming back. I've already scanned my comp with avast and with MBAM.

Here is my log of what avast reported in the last two days:

Code:
2/9/2010 5:05:32 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\DOCUME~1\Mike\LOCALS~1\Temp\mweznfsm.exe" file. 
2/9/2010 5:05:43 PM Mike 1448 Sign of "Win32:Small-DKF [Trj]" has been found in "C:\DOCUME~1\Mike\LOCALS~1\Temp\vuewdunq.exe\[UPX]\[Embedded_I#4010]" file. 
2/9/2010 5:05:59 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\696443.exe" file. 
2/9/2010 5:33:53 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\561955.exe" file. 
2/9/2010 5:38:19 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\764948.exe" file. 
2/9/2010 5:40:51 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\556215.exe" file. 
2/9/2010 5:47:37 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\204692.exe" file. 
2/9/2010 5:51:33 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\331217.exe" file. 
2/9/2010 5:58:05 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\68999.exe" file. 
2/9/2010 5:59:38 PM Mike 1448 Sign of "Win32:Adware-gen [Adw]" has been found in "D:\Program Files\popupwithcast\Cast.dll" file. 
2/9/2010 6:06:02 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\152750.exe" file. 
2/9/2010 6:10:04 PM Mike 1448 Sign of "Win32:Adware-gen [Adw]" has been found in "D:\System Volume Information\_restore{8E5CACF8-79B5-44C2-9657-8D538229B1DD}\RP386\A0110354.dll" file. 
2/9/2010 6:13:21 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\684030.exe" file. 
2/9/2010 6:26:47 PM Mike 1576 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\669868.exe" file. 
2/9/2010 6:59:11 PM Mike 1564 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\16493.exe" file. 
2/10/2010 11:52:24 AM Mike 1508 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\913681.exe" file. 
2/10/2010 1:19:32 PM Mike 1584 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\945552.exe" file. 
2/10/2010 1:28:21 PM Mike 1584 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\583016.exe" file. 
2/10/2010 1:40:40 PM Mike 1584 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\337756.exe" file. 

More might pop up. Help please?
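
The pattern in the log above (a fresh randomly named .exe in system32 every few minutes, each one caught and chested, then another one) is what a still-running dropper looks like: the detections are symptoms, not the infection. Added example, not part of Otabo's post and not an avast tool: a small Python triage script that parses avast log lines of this format and groups detections by directory and file-name style, so repeated drops stand out from one-off hits. The sample lines are copied from the post; the name heuristics (all-digit or short all-lowercase .exe names) and the cluster threshold are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the avast! log lines quoted in the post above.
SAMPLE_LOG = [
    r'2/9/2010 5:05:32 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\DOCUME~1\Mike\LOCALS~1\Temp\mweznfsm.exe" file.',
    r'2/9/2010 5:05:59 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\696443.exe" file.',
    r'2/9/2010 5:33:53 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\561955.exe" file.',
    r'2/9/2010 5:38:19 PM Mike 1448 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\764948.exe" file.',
    r'2/9/2010 5:59:38 PM Mike 1448 Sign of "Win32:Adware-gen [Adw]" has been found in "D:\Program Files\popupwithcast\Cast.dll" file.',
    r'2/10/2010 1:19:32 PM Mike 1584 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\945552.exe" file.',
]

# One avast! 4.x log line: timestamp, user, PID, signature name, path.
LOG_RE = re.compile(
    r'^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\d+) '
    r'Sign of "([^"]+)" has been found in "([^"]+)" file\.$'
)


def name_pattern(filename):
    """Heuristic (assumption): dropper-style names are all digits or a short run of lowercase letters."""
    low = filename.lower()
    if re.fullmatch(r"\d+\.exe", low):
        return "numeric.exe"
    if re.fullmatch(r"[a-z]{6,10}\.exe", low):
        return "random-alpha.exe"
    return "other"


def parse_avast_log(lines):
    """Turn log lines into event dicts; lines in another format are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, pid, signature, path = m.groups()
        directory, _, filename = path.rpartition("\\")
        events.append({
            "time": datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"),
            "user": user, "pid": int(pid), "signature": signature,
            "path": path, "directory": directory, "filename": filename,
            "pattern": name_pattern(filename),
        })
    return events


def find_redrop_clusters(events, min_hits=3):
    """Group dropper-style detections by (directory, name style); min_hits or more in one group is a re-drop loop."""
    groups = defaultdict(list)
    for e in events:
        if e["pattern"] != "other":
            groups[(e["directory"].lower(), e["pattern"])].append(e)
    clusters = []
    for (directory, pattern), hits in groups.items():
        if len(hits) < min_hits:
            continue
        times = sorted(h["time"] for h in hits)
        clusters.append({
            "directory": directory, "pattern": pattern, "count": len(hits),
            "first": times[0], "last": times[-1],
            "signatures": sorted({h["signature"] for h in hits}),
        })
    return sorted(clusters, key=lambda c: -c["count"])


if __name__ == "__main__":
    for c in find_redrop_clusters(parse_avast_log(SAMPLE_LOG)):
        print(f'{c["count"]}x {c["pattern"]} in {c["directory"]} '
              f'between {c["first"]} and {c["last"]}: {c["signatures"]}')
```

On the six sample lines the only cluster is the numeric .exe names in C:\WINDOWS\system32, which is the signal that chesting each file will not end the alerts: something that survives reboot (a Run key, a Winlogon hook, a patched driver) is regenerating them, and that is what the rest of the thread goes looking for.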

Pondus
Re: Win32: Malware-gen problem
« Reply #1 on: February 10, 2010, 08:01:22 PM »
Follow this guide from Essexboy and post the logs here; then he will take a look at it.
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Otabo
Re: Win32: Malware-gen problem
« Reply #2 on: February 10, 2010, 08:26:43 PM »
MBAM Log

Code:
Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3, v.5857

2/10/2010 2:04:46 PM
mbam-log-2010-02-10 (14-04-46).txt

Scan type: Quick Scan
Objects scanned: 76428
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Delete on reboot.

OTL.txt log & Extras.txt log are attached. Avast is still popping up those messages as I post this.


Pondus
Re: Win32: Malware-gen problem
« Reply #3 on: February 10, 2010, 09:09:39 PM »
Your MBAM is way out of date: v1.35, database 1927.
The latest is v1.44, database 3721.
So update and scan again. MBAM is updated several times a day; always update before a scan.

Otabo
Re: Win32: Malware-gen problem
« Reply #4 on: February 10, 2010, 09:51:48 PM »
Ah, I knew I forgot to update the thing.

Ok, I updated and got this log:

Code:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3, v.5857
Internet Explorer 8.0.6001.18702

2/10/2010 3:50:02 PM
mbam-log-2010-02-10 (15-50-02).txt

Scan type: Quick Scan
Objects scanned: 120073
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Mike\fjwak.exe \s,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Mike\Application Data\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\ErrorSmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Mike\Application Data\ErrorSmart\Log\2008 Jun 16 - 05_08_43 PM_906.log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\ErrorSmart\Log\2008 Jun 16 - 05_36_06 PM_375.log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000005b.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00005bca.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Pondus
Re: Win32: Malware-gen problem
« Reply #5 on: February 10, 2010, 09:59:59 PM »
Well, you are getting better: you have now updated the program to 1.44,
but the datafile is 3510 and the latest is 3721... so you are almost there. ;D

Otabo
Re: Win32: Malware-gen problem
« Reply #6 on: February 10, 2010, 10:06:36 PM »
Well, when I tried to update, I got an error message:
Code:
Error code: 732 (12007, 0)
And is it me, or is malwarebytes.org down for some reason?
« Last Edit: February 10, 2010, 10:11:35 PM by Otabo »

Pondus
« Last Edit: February 10, 2010, 10:45:40 PM by Pondus »

Otabo
Re: Win32: Malware-gen problem
« Reply #8 on: February 10, 2010, 10:18:52 PM »
It won't show up for me.

I'm going to try accessing it from my other computer and then go back and forth, and see if that helps.

Pondus
Re: Win32: Malware-gen problem
« Reply #9 on: February 10, 2010, 10:23:59 PM »
It can be malware that is blocking. Anyway, essexboy is online, so he will look at the logs soon.

essexboy
Re: Win32: Malware-gen problem
« Reply #10 on: February 10, 2010, 10:25:44 PM »
Hi, let's do this first.

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code:
:OTL
O4 - HKLM..\Run: [hhiis] C:\WINDOWS\System32\hhiis.exe ()
O4 - HKCU..\Run: [F5JMWNZTHI] C:\DOCUME~1\Mike\LOCALS~1\Temp\Nxw.exe File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\0034.DLL) - C:\WINDOWS\system32\0034.DLL ()
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Mike\fjwak.exe \s) - C:\Documents and Settings\Mike\fjwak.exe ()
[2010/02/10 14:07:13 | 000,000,278 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/02/10 14:07:13 | 000,000,238 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/02/10 14:07:13 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\SpeedOptimizer Startup.job
[2010/02/09 17:05:08 | 000,058,880 | -H-- | M] () -- C:\Documents and Settings\Mike\fjwak.exe
[2010/02/09 17:05:08 | 000,058,880 | ---- | M] () -- C:\WINDOWS\System32\hhiis.exe
[2009/06/16 02:30:00 | 000,000,400 | ---- | M] () -- C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job

:Commands
[purity]
[emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
THEN

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
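
Two findings in this thread point at the same persistence: MBAM's Hijack.Userinit line (Winlogon's Userinit value running fjwak.exe \s after userinit.exe) and the OTL fix above, which also removes an AppInit_DLLs entry, two Run keys and a pair of files that share a size and a timestamp. Added example, not from the thread and not part of OTL or MBAM: a Python audit of those persistence values and of OTL file records, run here on values copied from the logs (constructed input; on a live machine the values come from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs and the HKLM/HKCU Run keys). The user-writable path markers and the assumed system root C:\WINDOWS are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample values, copied from the MBAM and OTL output quoted in this thread.
USERINIT_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Mike\fjwak.exe \s,"
APPINIT_VALUE = r"C:\WINDOWS\system32\0034.DLL"
RUN_ENTRIES = {
    r"HKLM\..\Run\hhiis": r"C:\WINDOWS\System32\hhiis.exe",
    r"HKCU\..\Run\F5JMWNZTHI": r"C:\DOCUME~1\Mike\LOCALS~1\Temp\Nxw.exe",
}
OTL_FILE_LINES = [
    r"[2010/02/10 14:07:13 | 000,000,278 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job",
    r"[2010/02/09 17:05:08 | 000,058,880 | -H-- | M] () -- C:\Documents and Settings\Mike\fjwak.exe",
    r"[2010/02/09 17:05:08 | 000,058,880 | ---- | M] () -- C:\WINDOWS\System32\hhiis.exe",
    r"[2009/06/16 02:30:00 | 000,000,400 | ---- | M] () -- C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job",
]

# Assumption: path fragments that a non-admin user (or malware running as that user) can write to on XP.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\application data\\")


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def split_userinit(value):
    """Userinit is a comma-separated list of programs Winlogon starts at logon; a trailing comma is normal."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return every Userinit entry other than the single expected userinit.exe (anything extra is a hijack)."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    findings = []
    for entry in split_userinit(value):
        if entry.lower() in ("userinit.exe", expected):
            continue
        findings.append(entry)
    return findings


def audit_appinit_dlls(value):
    """AppInit_DLLs is loaded into every process that links user32; on a home PC it should be empty."""
    return [d for d in re.split(r"[,\s]+", value) if d]


def audit_run_entries(entries):
    """Flag autostart commands that launch from user-writable locations (Temp, the profile, Application Data)."""
    findings = []
    for key, command in entries.items():
        if is_user_writable(command):
            findings.append((key, command, "autostart from user-writable path"))
    return findings


# One OTL file record: [mtime | size | attributes | M] () -- path
OTL_FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| [-A-Z]{4} \| M\] \(\) -- (.+)$"
)


def cluster_otl_files(lines):
    """Group OTL file records that share modification time and size: one dropper writing several copies."""
    groups = defaultdict(list)
    for line in lines:
        m = OTL_FILE_RE.match(line.strip())
        if m:
            mtime, size, path = m.groups()
            groups[(mtime, int(size.replace(",", "")))].append(path)
    return {key: paths for key, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    print("Userinit extras:", audit_userinit(USERINIT_VALUE))
    print("AppInit_DLLs:", audit_appinit_dlls(APPINIT_VALUE))
    print("Run keys:", audit_run_entries(RUN_ENTRIES))
    for (mtime, size), paths in cluster_otl_files(OTL_FILE_LINES).items():
        print(f"{len(paths)} files of {size} bytes written {mtime}: {paths}")
```

The path heuristic alone would not have flagged hhiis.exe, which sits in System32; what ties it to the infection is the OTL listing, where it and fjwak.exe are both 58,880 bytes and both written at 2010/02/09 17:05:08, the same minute as the first avast detection in the opening post. Clustering file records by (mtime, size) is a cheap way to find such twins in a long OTL or similar listing.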

Otabo
Re: Win32: Malware-gen problem
« Reply #11 on: February 11, 2010, 12:59:23 AM »
Ok, I did as you said and after a couple of hours, here's what I got:

Code:
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\hhiis deleted successfully.
C:\WINDOWS\system32\hhiis.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\F5JMWNZTHI deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\0034.DLL deleted successfully.
C:\WINDOWS\system32\0034.DLL moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\Mike\fjwak.exe \s deleted successfully.
C:\Documents and Settings\Mike\fjwak.exe moved successfully.
File C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job not found.
File C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job not found.
C:\WINDOWS\tasks\SpeedOptimizer Startup.job moved successfully.
File C:\Documents and Settings\Mike\fjwak.exe not found.
File C:\WINDOWS\System32\hhiis.exe not found.
File C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Mike
->Temp folder emptied: 1273702 bytes
->Temporary Internet Files folder emptied: 238050586 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 39208174 bytes
->Google Chrome cache emptied: 345565938 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 595.00 mb
 
 
OTL by OldTimer - Version 3.1.28.0 log created on 02102010_162916

Files\Folders moved on Reboot...
C:\Documents and Settings\Mike\Local Settings\Temp\~DFDC9.tmp moved successfully.
File\Folder C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_61c.dat not found!

Registry entries deleted on Reboot...

and...

Code:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-10 18:57:46
Windows 5.1.2600 Service Pack 3, v.5857
Running: gmer.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\kgnyqaog.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwClose [0xF420B6B8]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwCreateKey [0xF420B574]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwDeleteValueKey [0xF420BA52]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwDuplicateObject [0xF420B14C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwOpenKey [0xF420B64E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwOpenProcess [0xF420B08C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwOpenThread [0xF420B0F0]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwQueryValueKey [0xF420B76E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwRestoreKey [0xF420B72E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwSetValueKey [0xF420B8AE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                                                                                 entry point in ".rsrc" section [0xF7395700]
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                                              section is writeable [0xF6BD9360, 0x372FAD, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]                                          00380002
IAT             C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]                                                00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                              aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                             aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                                    [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                                    [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4                                                                                                           [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c                                                                                                           [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17                                                                                                          [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                             aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                           aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6DC3C846-0B5F-C563-E3AA-F97B4D739911}                                      
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6DC3C846-0B5F-C563-E3AA-F97B4D739911}@abdcmojglddhhceffmlnpfaoebmallapog    0x61 0x61 0x00 0x00
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6DC3C846-0B5F-C563-E3AA-F97B4D739911}@bbdcmojglddhhceffmingfbjpaaboffkbkpe  0x61 0x61 0x00 0x00

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys                                                                                                                 suspicious modification

---- EOF - GMER 1.0.15 ----

So, now what do I do? By the way, avast didn't complain since I did this, but I'm still not sure if the malware is gone.
« Last Edit: February 11, 2010, 05:06:58 AM by Otabo »

emantoyaks
Re: Win32: Malware-gen problem
« Reply #12 on: February 11, 2010, 02:43:14 AM »
Hmm... try to use ComboFix, or System Restore. 8)

essexboy
Re: Win32: Malware-gen problem
« Reply #13 on: February 11, 2010, 08:52:27 PM »
Nope, your atapi.sys appears to be infected; lose this and you will not be able to boot.

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log
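
What essexboy reacted to in the GMER log is not the long list of SSDT hooks (those belong to avast's own aswSP.SYS self-protection driver and are expected) but three other things: atapi.sys with its entry point inside the ".rsrc" section, every IDE device object dispatching through a stub in an "[unknown section]" of atapi.sys that jumps via a pointer read from 0xffdf0308, and the file itself marked "suspicious modification". Added example, not part of the thread and not a GMER feature: a Python triage script that splits a GMER log into its sections and ranks each entry, allowlisting the avast drivers named in this log so the real indicators surface. The sample is a subset of the log quoted above; the allowlist, the severity scale and the rule that a writable code section is only low severity are this example's own assumptions.

```python
import re

# Constructed sample: a subset of the GMER 1.0.15 log quoted earlier in this thread (padding shortened).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)    ZwClose [0xF420B6B8]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\system32\drivers\atapi.sys    entry point in ".rsrc" section [0xF7395700]
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys    section is writeable [0xF6BD9360, 0x372FAD, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]    00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs    aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device          \Driver\atapi \Device\Ide\IdePort0    [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4    [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

---- Registry - GMER 1.0.15 ----

Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6DC3C846-0B5F-C563-E3AA-F97B4D739911}@abdcmojglddhhceffmlnpfaoebmallapog    0x61 0x61 0x00 0x00

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys    suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# Assumption: the avast! drivers named in this log are treated as benign hook owners.
KNOWN_SECURITY_DRIVERS = ("aswsp.sys", "aswmon2.sys", "aswtdi.sys")
SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1, "info": 0}


def classify(section, kind, obj, detail):
    """Map one GMER entry to (severity, message) using the indicators discussed in this thread."""
    text = (obj + " " + detail).lower()
    owned_by_av = any(drv in text for drv in KNOWN_SECURITY_DRIVERS)
    if kind in ("SSDT", "AttachedDevice"):
        return ("info" if owned_by_av else "medium", f"{kind} {obj}: {detail}")
    if section.startswith("Kernel code sections"):
        if 'entry point in ".rsrc"' in detail:
            return ("high", f"{obj}: entry point inside the resource section (patched driver image)")
        if "section is writeable" in detail:
            return ("low", f"{obj}: writable code section (often seen on clean systems; verify the file hash)")
        return ("medium", f"{obj}: {detail}")
    if kind == "IAT":
        target = detail.split()[0] if detail else ""
        if re.fullmatch(r"[0-9A-Fa-f]{8}", target):
            return ("medium", f"{obj}: import redirected to {target}, not attributed to a loaded module")
        return ("info", f"{obj}: {detail}")
    if kind == "Device":
        if "[unknown section]" in detail or "{" in detail:
            return ("high", f"{obj}: dispatch routine hooked by code outside any named section: {detail}")
        return ("info", f"{obj}: {detail}")
    if kind == "Reg":
        return ("medium", f"registry data reported by GMER's registry scan, review: {obj}")
    if kind == "File":
        severity = "high" if "suspicious modification" in detail else "medium"
        return (severity, f"{obj}: {detail}")
    return ("info", f"{kind} {obj} {detail}")


def triage_gmer(text):
    """Parse a GMER log: section headers set context, entries are split on runs of two or more spaces."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line:
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) < 2:
            continue
        kind, obj = parts[0], parts[1]
        detail = parts[2] if len(parts) > 2 else ""
        severity, message = classify(section, kind, obj, detail)
        findings.append({"severity": severity, "section": section, "message": message})
    return findings


def highest(findings):
    """Overall verdict for the log: the most severe finding, 'info' when there is none."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.get, default="info")


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_GMER)
    for f in sorted(results, key=lambda f: -SEVERITY_ORDER[f["severity"]]):
        print(f'[{f["severity"]:6}] {f["section"]}: {f["message"]}')
    print("verdict:", highest(results))
```

On the sample the verdict is "high" on four entries, all of them about atapi.sys. The device hooks are the telling part: on 32-bit Windows 0xffdf0000 is the kernel-mode address of KUSER_SHARED_DATA, and a dispatch stub that loads a pointer from that page and jumps through it is not something a clean IDE driver does; it is the pattern associated with the TDL3/TDSS infection of atapi.sys, which is why the next step in the thread is Kaspersky's TDSSKiller rather than deleting the file (a replaced or missing atapi.sys leaves an XP machine unbootable, as essexboy warns).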

Otabo
Re: Win32: Malware-gen problem
« Reply #14 on: February 11, 2010, 11:27:11 PM »
I attached the log.