Author Topic: avast showing WIN 32: MALWARE GEN infection,not able to delete it  (Read 30421 times)


Offline qrius2noall

  • Jr. Member
  • Posts: 39
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #15 on: March 05, 2010, 08:27:06 PM »
Thanks essexboy for the help you have extended in this painful episode.

Yesterday, after posting this, I did a scan with Sunbelt VIPRE in safe mode (as avast is not able to scan in safe mode, as posted above; quite strange though) and deleted whatever it flagged as troublesome. The result was another tragedy: I could no longer boot the PC, the error being that OLE32.dll cannot be located (another nightmarish situation). So I did a repair install of Windows XP and again reinstalled avast 5 Free, did a boot-time scan with it, and again it detects the infection but cannot quarantine or delete it, with the error messages:
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only

After the PC boots, as soon as I start any app, avast starts going nuts with notifications about an infection with Win32:Malware-gen.

I might mention here that, except for these notifications from avast, the system seems to be working okay; I mean there are no unusual processes in Task Manager, no slowdown or crashes, etc. So could this whole scenario be a case of false positives? I have already submitted a false positive report (after starting uTorrent, CCleaner, Task Manager, etc.) to avast, and hopefully something may come out of this.

Anyway, I ran the script fix with OTS and rebooted the PC about 5 minutes ago.
The app StatBar (quite useful; I have been using it for the last 3-4 years without any issues) no longer starts. So do you want me to stop it from starting with Windows, or not use it at all? Personally I like using it and it has been very helpful.

And against all hopes, avast is still going nuts as soon as I start uTorrent, so the issue still remains....
The OTS scan report is being posted in the next post.

Till then thanks once again

q2na

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40632
  • Dragons by Sasha
    • Malware fixes
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #16 on: March 05, 2010, 08:40:13 PM »
That was infected - I don't know if you noticed, but there was a space in "STATBAR  .exe" between the name and the extension. That is an old Renv/Vundo infection.

If you run OTS I will see if there is a spare copy that I can replace it with - see the bottom of post 13.

Or we can use a bigger hammer

Download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Offline qrius2noall

  • Jr. Member
  • Posts: 39
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #17 on: March 05, 2010, 09:07:10 PM »
Thanks essexboy for your help and patience. I am not all that bright with computers, so you might have to bear with me, please.

Here is the text file after the fix script:

All Processes Killed
[Processes - Safe List]
No active process named statbar  .exe was found!
E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\StatBar deleted successfully.
File E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe not found.
[Files - No Company Name]
C:\WINDOWS\winstart.bat moved successfully.
[Empty Temp Folders]
 
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: All Users
 
User: Daksh
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2525625 bytes
->Flash cache emptied: 405 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6428142 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 25221561 bytes
 
Total Files Cleaned = 33.00 mb
 
< End of fix log >
OTS by OldTimer - Version 3.1.25.0 fix logfile created on 03062010_001154

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


Due to some confusion (nervousness, I guess) I ran the script fix again, and after the reboot the text file has the following report:

All Processes Killed
[Processes - Safe List]
No active process named statbar  .exe was found!
E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\StatBar deleted successfully.
File E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe not found.
[Files - No Company Name]
C:\WINDOWS\winstart.bat moved successfully.
[Empty Temp Folders]
 
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: All Users
 
User: Daksh
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2525625 bytes
->Flash cache emptied: 405 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6428142 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 25221561 bytes
 
Total Files Cleaned = 33.00 mb
 
< End of fix log >
OTS by OldTimer - Version 3.1.25.0 fix logfile created on 03062010_001154

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot...


Also, on the C drive there is a folder _OTS with two subfolders named C_WINDOWS (empty folder) and E_USEFUL CRUCIAL UTILITIES FOLDER (contains the moved STATBAR app file).

Meanwhile I will do the next OTS scan and then the ComboFix one. As I said, I want to get to the bottom of it before I give up on avast. I have been using it for the last 4 years and have been recommending it to a lot of people here, so it is kind of hard to admit that it is giving trouble.....

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40632
  • Dragons by Sasha
    • Malware fixes
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #18 on: March 05, 2010, 09:10:18 PM »
No problem  ;D

Offline qrius2noall

  • Jr. Member
  • Posts: 39
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #19 on: March 05, 2010, 09:28:46 PM »
Here it comes, essexboy: the ComboFix report. I will post it in two or three posts if it seems very big.

part-1

ComboFix 10-03-04.06 - Daksh 03/06/2010   1:50.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.503.317 [GMT 5.5:30]
Running from: c:\documents and settings\Daksh\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ole32.dll . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2010-02-05 to 2010-03-05  )))))))))))))))))))))))))))))))
.

2010-03-05 18:41 . 2010-03-05 18:41   --------   d-----w-   C:\_OTS
2010-03-05 16:15 . 2010-01-07 10:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:15 . 2010-01-07 10:37   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-05 14:02 . 2010-03-05 15:08   --------   d-----w-   c:\program files\Panda Security
2010-03-05 13:28 . 2010-03-05 13:28   --------   d-----w-   c:\documents and settings\Daksh\DoctorWeb
2010-03-05 11:27 . 2010-03-05 11:27   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\400000b00002i\Ras.exe
2010-03-05 11:27 . 2010-03-05 11:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Rising
2010-03-05 11:27 . 2009-04-16 20:43   629360   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Rsaupd.exe
2010-03-05 11:27 . 2010-03-05 11:27   518808   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Ntlib.dll
2010-03-05 11:27 . 2010-03-05 11:25   637592   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%SystemSystem%\kmon.dll
2010-03-05 11:24 . 2010-03-05 11:24   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000009c00002i\Rsaupd.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000007200002i\knownsvr.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000008000002i\Splash Screen.exe
2010-03-05 01:58 . 2010-03-05 01:58   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Runscanner.net
2010-03-05 01:53 . 2010-03-05 01:53   160272   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-03-05 00:03 . 2010-02-11 18:42   162512   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-05 00:03 . 2010-02-11 18:38   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-05 00:03 . 2010-02-11 18:42   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-05 00:03 . 2010-02-11 18:39   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-05 00:03 . 2010-02-11 18:38   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-05 00:03 . 2010-02-11 18:38   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-05 00:03 . 2010-02-11 18:38   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-05 00:03 . 2010-02-11 18:53   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-03-05 00:03 . 2010-02-11 18:53   153184   ----a-w-   c:\windows\system32\aswBoot.exe
2010-03-04 23:25 . 2004-08-03 17:31   70144   -c--a-w-   c:\windows\system32\dllcache\pintlphr.exe
2010-03-04 23:24 . 2001-08-23 11:30   10096640   -c--a-w-   c:\windows\system32\dllcache\hwxcht.dll
2010-03-04 23:23 . 2004-05-12 19:09   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-03-04 23:17 . 2004-08-03 17:01   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
2010-03-04 23:15 . 2001-08-23 11:30   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-03-04 20:50 . 2010-03-04 20:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Malwarebytes
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 14:20 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizerPictures
2010-03-04 14:19 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizer
2010-03-02 12:46 . 2010-03-02 12:46   --------   d--h--w-   c:\windows\PIF
2010-03-02 06:24 . 2010-03-02 06:24   --------   d-----w-   c:\windows\Sun
2010-02-27 06:37 . 2010-02-27 06:37   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-26 20:09 . 2010-02-26 20:16   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FreeFixer
2010-02-26 20:09 . 2010-02-26 20:09   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\FreeFixer
2010-02-26 18:41 . 2010-02-26 18:41   --------   d-----w-   c:\program files\FoxPlayer
2010-02-26 15:27 . 2010-02-26 15:27   --------   d-----w-   c:\documents and settings\Daksh\Application Data\PolyEdit Lite
2010-02-26 14:57 . 2010-02-26 14:57   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SAIG
2010-02-26 14:41 . 2010-02-26 14:41   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Apago
2010-02-25 06:01 . 2010-02-25 06:01   --------   d-----r-   C:\Sandbox
2010-02-24 19:38 . 2010-02-24 19:38   --------   d--h--r-   c:\documents and settings\Daksh\Application Data\JAM Software
2010-02-24 11:52 . 2010-02-24 11:52   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Identities
2010-02-24 08:17 . 2008-01-01 01:30   78848   ----a-w-   c:\windows\system32\VISCDRTL.DLL
2010-02-24 08:17 . 2008-01-01 01:30   152064   ----a-w-   c:\windows\system32\VISCDUNR.DLL
2010-02-24 08:17 . 2008-01-01 01:30   143360   ----a-w-   c:\windows\system32\VISCDUNZ.DLL
2010-02-23 19:57 . 2010-02-23 19:57   0   ----a-w-   c:\windows\nsreg.dat
2010-02-23 19:56 . 2010-02-23 19:56   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Mozilla
2010-02-23 19:33 . 2010-03-05 11:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Thinstall
2010-02-23 19:33 . 2010-02-23 19:33   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Thinstall
2010-02-23 18:15 . 2010-02-23 18:15   --------   d--h--w-   c:\windows\system32\GroupPolicy


Offline qrius2noall

  • Jr. Member
  • Posts: 39
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #20 on: March 05, 2010, 09:31:17 PM »
part-2

2010-02-23 14:55 . 2004-08-03 19:56   221184   ----a-w-   c:\windows\system32\wmpns.dll
2010-02-23 13:21 . 2003-03-18 20:20   1060864   ----a-w-   c:\windows\system32\MFC71.dll
2010-02-23 13:21 . 2003-03-18 19:14   499712   ----a-w-   c:\windows\system32\MSVCP71.dll
2010-02-23 13:21 . 2003-02-21 03:42   348160   ----a-w-   c:\windows\system32\MSVCR71.dll
2010-02-23 10:56 . 2010-02-23 17:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-23 10:56 . 2010-02-23 10:56   --------   d-----w-   c:\program files\NCH Software
2010-02-23 10:56 . 2010-03-01 13:53   --------   d-----w-   c:\documents and settings\Daksh\Application Data\NCH Swift Sound
2010-02-23 10:49 . 2010-02-23 10:49   1078   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}\_60c11ac7.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 20:13 . 2010-02-23 00:59   --------   d-----w-   c:\documents and settings\Daksh\Application Data\uTorrent
2010-03-05 11:26 . 2009-04-16 20:43   84632   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\UrlRule.dll
2010-03-05 11:26 . 2009-04-16 20:43   125592   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecScan.dll
2010-03-05 11:26 . 2009-04-16 20:43   92824   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecEx.dll
2010-03-05 11:26 . 2009-04-16 20:43   424560   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\runiep.dll
2010-03-05 11:26 . 2009-04-16 20:43   207512   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\rsdialog.dll
2010-03-05 11:26 . 2009-04-16 20:43   215704   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pweb.dll
2010-03-05 11:26 . 2009-04-16 20:43   744088   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\ptools.dll
2010-03-05 11:26 . 2009-04-16 20:43   809624   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pscan.dll
2010-03-05 11:25 . 2009-04-16 20:43   297584   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\KakaMgr.dll
2010-03-05 09:09 . 2010-02-23 00:14   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-04 23:55 . 2004-08-03 19:56   1281536   ----a-w-   c:\windows\system32\ole32.dll
2010-03-04 23:34 . 2010-02-23 03:59   12328   ----a-w-   c:\documents and settings\Daksh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 23:21 . 2010-02-22 22:35   22748   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-02-25 06:48 . 2010-02-22 22:38   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-23 11:13 . 2010-02-23 11:13   32768   ----a-w-   c:\windows\Help\ItzilzIm.dll
2010-02-23 03:44 . 2010-02-23 03:44   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-02-23 03:43 . 2010-02-23 03:43   --------   d-----w-   c:\program files\C-Media 3D Audio
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SUPERAntiSpyware.com
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 00:14 . 2010-02-23 00:14   10134   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_05672270EB30CCA6FD3838.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_8C792585F69A42291AD1A1.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_6FEFF9B68218417F98F549.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_15D66DCE894BB3F91E0E6F.exe
2010-02-22 23:50 . 2010-02-22 23:50   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-22 23:50 . 2010-02-22 23:50   --------   d-----w-   c:\program files\Java
2010-02-22 23:50 . 2010-02-22 23:50   152576   ----a-w-   c:\documents and settings\Daksh\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-22 22:54 . 2010-02-22 22:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-22 22:39 . 2010-02-22 22:39   --------   d-----w-   c:\program files\microsoft frontpage
.
c:\program files\Java\jre6\bin\jusched .exe

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"avast5"="e:\useful~1\ANTIVI~2\avastUI.exe" [2010-02-11 2756488]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
cmicnfg.cpl [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\ACTIVE DOWNLOADS\\uTORRENTS\\uTorrent.exe"=
"c:\\ODIN\\Diet\\DietOdin.exe"=
"e:\\TEST DOWNLOADS\\ANTI VIRUS MALWARE-REMOVEIT-\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2010 5:33 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2010 5:33 AM 19024]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SASENUM;SASENUM;

S3 SbieDrv;SbieDrv;e:\useful crucial utilities folder\SANDBOXIE\SbieDrv.sys [2/3/2010 4:10 PM 115432]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.freeware365.com/desktop/folderguide.htm
TCP: {66A4DF95-55B1-4AC1-9006-CE521313193D} = 202.56.215.6,202.56.230.6
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 01:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\12.tmp"
.
Completion time: 2010-03-06  01:54:14
ComboFix-quarantined-files.txt  2010-03-05 20:24

Pre-Run: 37,365,747,712 bytes free
Post-Run: 37,338,963,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0E934A1A39777670895CC9D914CA9547

Offline qrius2noall

  • Jr. Member
  • Posts: 39
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #21 on: March 05, 2010, 09:38:03 PM »
Hi ESSEXBOY

The ComboFix scan says "c:\windows\system32\ole32.dll . . . is infected!!" - the only thing I could easily understand.

So is it hard to fix, or might we have to go for a reinstall (which I personally dread to do)?

So waiting for your further counsel

Thanks and cheers

Q2NA

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40632
  • Dragons by Sasha
    • Malware fixes
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #22 on: March 05, 2010, 10:01:13 PM »
First we will see if ComboFix can find a spare copy - and one more Renv file.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

MIA::
c:\windows\system32\ole32.dll

Renv::
c:\program files\Java\jre6\bin\jusched .exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After the reboot (in case it asks to reboot), please post the following report/log in your next reply:
  • ComboFix.txt
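
The marker essexboy points at in post #16 (whitespace between the file name and ".exe", as in "statbar  .exe" and "jusched .exe") is easy to miss by eye in a long OTS or ComboFix log. The following is an added example, not code from the thread or from ComboFix/OTS: it scans a log for drive-letter paths, flags names with whitespace before the extension, pulls out the ". . . is infected!!" lines, and drafts a CFScript in the MIA::/Renv:: shape shown in post #22. The sample log text is constructed for the example, and the path regex is my own heuristic, not ComboFix's parser; the drafted script is a list of candidates to review by hand, not something to run blindly.

```python
import re

# Constructed sample in ComboFix/OTS log style (not output from a real run);
# the two " .exe" names copy the pattern discussed in the thread.
SAMPLE_LOG = """\
c:\\windows\\system32\\ole32.dll . . . is infected!!
2010-03-05 18:41 . 2010-03-05 18:41   --------   d-----w-   C:\\_OTS
2010-02-23 13:21 . 2003-03-18 20:20   1060864   ----a-w-   c:\\windows\\system32\\MFC71.dll
c:\\program files\\Java\\jre6\\bin\\jusched .exe
E:\\USEFUL CRUCIAL UTILITIES FOLDER\\statbar  .exe moved successfully.
"avast5"="e:\\useful~1\\ANTIVI~2\\avastUI.exe" [2010-02-11 2756488]
"""

# Heuristic (my own, not ComboFix's parser): a drive-letter path ending in a
# common executable/library extension, not crossing quotes or line ends.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^"\r\n\\]*\\)*[^"\r\n\\]*?\.(?:exe|dll|sys|scr|cpl|com|bat)\b',
    re.IGNORECASE,
)
# Shape of ComboFix's "Other Deletions" line: "<path> . . . is infected!!"
INFECTED_RE = re.compile(r'^(.*?)\s+\.\s\.\s\.\s+is infected!!\s*$',
                         re.IGNORECASE | re.MULTILINE)
# Whitespace immediately before the extension dot: "statbar  .exe", "jusched .exe"
SPACE_BEFORE_EXT_RE = re.compile(r'\S\s+\.[A-Za-z0-9]{1,4}$')


def has_space_before_extension(path: str) -> bool:
    """True when the file name (last path component) has whitespace before its extension."""
    name = path.rsplit('\\', 1)[-1]
    return SPACE_BEFORE_EXT_RE.search(name) is not None


def extract_paths(log_text: str) -> list[str]:
    """Every drive-letter path with an executable-style extension, deduplicated in order."""
    seen, out = set(), []
    for m in PATH_RE.finditer(log_text):
        p = m.group(0)
        if p.lower() not in seen:
            seen.add(p.lower())
            out.append(p)
    return out


def renv_style_names(log_text: str) -> list[str]:
    """Paths whose file name carries the space-before-extension marker."""
    return [p for p in extract_paths(log_text) if has_space_before_extension(p)]


def infected_files(log_text: str) -> list[str]:
    """Paths the log reported as '. . . is infected!!'."""
    return [m.group(1).strip() for m in INFECTED_RE.finditer(log_text)]


def build_cfscript(infected: list[str], renv: list[str]) -> str:
    """Draft a CFScript using the MIA:: and Renv:: directives shown in the thread.
    Candidates only; review by hand before dragging it onto ComboFix."""
    lines = []
    if infected:
        lines += ['MIA::'] + infected + ['']
    if renv:
        lines += ['Renv::'] + renv
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(build_cfscript(infected_files(SAMPLE_LOG), renv_style_names(SAMPLE_LOG)))
```

On the sample it flags jusched .exe and statbar  .exe, lists ole32.dll as the infected file, and leaves avastUI.exe and MFC71.dll alone. A plain name in a Run value (like "StartupMonitor.exe" without a drive letter) is not picked up by the path regex, so check those entries separately.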

Offline qrius2noall

  • Jr. Member
  • Posts: 39
Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #23 on: March 05, 2010, 10:16:35 PM »
COMBOFIX REPORT  part-1

ComboFix 10-03-04.06 - Daksh 03/06/2010   2:37.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.503.282 [GMT 5.5:30]
Running from: c:\documents and settings\Daksh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daksh\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ole32.dll . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2010-02-05 to 2010-03-05  )))))))))))))))))))))))))))))))
.

2010-03-05 18:41 . 2010-03-05 18:41   --------   d-----w-   C:\_OTS
2010-03-05 16:15 . 2010-01-07 10:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:15 . 2010-01-07 10:37   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-05 14:02 . 2010-03-05 15:08   --------   d-----w-   c:\program files\Panda Security
2010-03-05 13:28 . 2010-03-05 13:28   --------   d-----w-   c:\documents and settings\Daksh\DoctorWeb
2010-03-05 11:27 . 2010-03-05 11:27   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\400000b00002i\Ras.exe
2010-03-05 11:27 . 2010-03-05 11:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Rising
2010-03-05 11:27 . 2009-04-16 20:43   629360   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Rsaupd.exe
2010-03-05 11:27 . 2010-03-05 11:27   518808   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Ntlib.dll
2010-03-05 11:27 . 2010-03-05 11:25   637592   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%SystemSystem%\kmon.dll
2010-03-05 11:24 . 2010-03-05 11:24   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000009c00002i\Rsaupd.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000007200002i\knownsvr.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000008000002i\Splash Screen.exe
2010-03-05 01:58 . 2010-03-05 01:58   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Runscanner.net
2010-03-05 01:53 . 2010-03-05 01:53   160272   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-03-05 00:03 . 2010-02-11 18:42   162512   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-05 00:03 . 2010-02-11 18:38   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-05 00:03 . 2010-02-11 18:42   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-05 00:03 . 2010-02-11 18:39   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-05 00:03 . 2010-02-11 18:38   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-05 00:03 . 2010-02-11 18:38   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-05 00:03 . 2010-02-11 18:38   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-05 00:03 . 2010-02-11 18:53   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-03-05 00:03 . 2010-02-11 18:53   153184   ----a-w-   c:\windows\system32\aswBoot.exe
2010-03-04 23:25 . 2004-08-03 17:31   70144   -c--a-w-   c:\windows\system32\dllcache\pintlphr.exe
2010-03-04 23:24 . 2001-08-23 11:30   10096640   -c--a-w-   c:\windows\system32\dllcache\hwxcht.dll
2010-03-04 23:23 . 2004-05-12 19:09   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-03-04 23:17 . 2004-08-03 17:01   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
2010-03-04 23:15 . 2001-08-23 11:30   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-03-04 20:50 . 2010-03-04 20:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Malwarebytes
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 14:20 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizerPictures
2010-03-04 14:19 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizer
2010-03-02 12:46 . 2010-03-02 12:46   --------   d--h--w-   c:\windows\PIF
2010-03-02 06:24 . 2010-03-02 06:24   --------   d-----w-   c:\windows\Sun
2010-02-27 06:37 . 2010-02-27 06:37   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-26 20:09 . 2010-02-26 20:16   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FreeFixer
2010-02-26 20:09 . 2010-02-26 20:09   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\FreeFixer
2010-02-26 18:41 . 2010-02-26 18:41   --------   d-----w-   c:\program files\FoxPlayer
2010-02-26 15:27 . 2010-02-26 15:27   --------   d-----w-   c:\documents and settings\Daksh\Application Data\PolyEdit Lite
2010-02-26 14:57 . 2010-02-26 14:57   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SAIG
2010-02-26 14:41 . 2010-02-26 14:41   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Apago
2010-02-25 06:01 . 2010-02-25 06:01   --------   d-----r-   C:\Sandbox
2010-02-24 19:38 . 2010-02-24 19:38   --------   d--h--r-   c:\documents and settings\Daksh\Application Data\JAM Software
2010-02-24 11:52 . 2010-02-24 11:52   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Identities
2010-02-24 08:17 . 2008-01-01 01:30   78848   ----a-w-   c:\windows\system32\VISCDRTL.DLL
2010-02-24 08:17 . 2008-01-01 01:30   152064   ----a-w-   c:\windows\system32\VISCDUNR.DLL
2010-02-24 08:17 . 2008-01-01 01:30   143360   ----a-w-   c:\windows\system32\VISCDUNZ.DLL
2010-02-23 19:57 . 2010-02-23 19:57   0   ----a-w-   c:\windows\nsreg.dat
2010-02-23 19:56 . 2010-02-23 19:56   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Mozilla
2010-02-23 19:33 . 2010-03-05 11:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Thinstall
2010-02-23 19:33 . 2010-02-23 19:33   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Thinstall
2010-02-23 18:15 . 2010-02-23 18:15   --------   d--h--w-   c:\windows\system32\GroupPolicy
2010-02-23 14:55 . 2004-08-03 19:56   221184   ----a-w-   c:\windows\system32\wmpns.dll
2010-02-23 13:21 . 2003-03-18 20:20   1060864   ----a-w-   c:\windows\system32\MFC71.dll
2010-02-23 13:21 . 2003-03-18 19:14   499712   ----a-w-   c:\windows\system32\MSVCP71.dll
2010-02-23 13:21 . 2003-02-21 03:42   348160   ----a-w-   c:\windows\system32\MSVCR71.dll
2010-02-23 10:56 . 2010-02-23 17:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-23 10:56 . 2010-02-23 10:56   --------   d-----w-   c:\program files\NCH Software
2010-02-23 10:56 . 2010-03-01 13:53   --------   d-----w-   c:\documents and settings\Daksh\Application Data\NCH Swift Sound
2010-02-23 10:49 . 2010-02-23 10:49   1078   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}\_60c11ac7.exe

Offline qrius2noall

Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #24 on: March 05, 2010, 10:17:54 PM »
part-2

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 20:13 . 2010-02-23 00:59   --------   d-----w-   c:\documents and settings\Daksh\Application Data\uTorrent
2010-03-05 11:26 . 2009-04-16 20:43   84632   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\UrlRule.dll
2010-03-05 11:26 . 2009-04-16 20:43   125592   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecScan.dll
2010-03-05 11:26 . 2009-04-16 20:43   92824   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\SecEx.dll
2010-03-05 11:26 . 2009-04-16 20:43   424560   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\runiep.dll
2010-03-05 11:26 . 2009-04-16 20:43   207512   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\rsdialog.dll
2010-03-05 11:26 . 2009-04-16 20:43   215704   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pweb.dll
2010-03-05 11:26 . 2009-04-16 20:43   744088   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\ptools.dll
2010-03-05 11:26 . 2009-04-16 20:43   809624   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\pscan.dll
2010-03-05 11:25 . 2009-04-16 20:43   297584   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\KakaMgr.dll
2010-03-05 09:09 . 2010-02-23 00:14   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-03-04 23:55 . 2004-08-03 19:56   1281536   ----a-w-   c:\windows\system32\ole32.dll
2010-03-04 23:34 . 2010-02-23 03:59   12328   ----a-w-   c:\documents and settings\Daksh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 23:21 . 2010-02-22 22:35   22748   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-02-25 06:48 . 2010-02-22 22:38   86327   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-23 11:13 . 2010-02-23 11:13   32768   ----a-w-   c:\windows\Help\ItzilzIm.dll
2010-02-23 03:44 . 2010-02-23 03:44   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-02-23 03:43 . 2010-02-23 03:43   --------   d-----w-   c:\program files\C-Media 3D Audio
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SUPERAntiSpyware.com
2010-02-23 02:23 . 2010-02-23 02:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 00:14 . 2010-02-23 00:14   10134   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_05672270EB30CCA6FD3838.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_8C792585F69A42291AD1A1.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_6FEFF9B68218417F98F549.exe
2010-02-23 00:14 . 2010-02-23 00:14   16958   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{4C933A3B-6201-4C90-AB28-598561131C06}\_15D66DCE894BB3F91E0E6F.exe
2010-02-22 23:50 . 2010-02-22 23:50   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-22 23:50 . 2010-02-22 23:50   --------   d-----w-   c:\program files\Java
2010-02-22 23:50 . 2010-02-22 23:50   152576   ----a-w-   c:\documents and settings\Daksh\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-22 22:54 . 2010-02-22 22:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-22 22:39 . 2010-02-22 22:39   --------   d-----w-   c:\program files\microsoft frontpage
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 86016]
"avast5"="e:\useful~1\ANTIVI~2\avastUI.exe" [2010-02-11 2756488]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\ACTIVE DOWNLOADS\\uTORRENTS\\uTorrent.exe"=
"c:\\ODIN\\Diet\\DietOdin.exe"=
"e:\\TEST DOWNLOADS\\ANTI VIRUS MALWARE-REMOVEIT-\\Program Files\\InCode Solutions\\RemoveIT Pro v4 - SE\\removeit.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/5/2010 5:33 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/5/2010 5:33 AM 19024]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SASENUM;SASENUM;

S3 SbieDrv;SbieDrv;e:\useful crucial utilities folder\SANDBOXIE\SbieDrv.sys [2/3/2010 4:10 PM 115432]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.freeware365.com/desktop/folderguide.htm
TCP: {66A4DF95-55B1-4AC1-9006-CE521313193D} = 202.56.215.6,202.56.230.6
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cmaudio - cmicnfg.cpl



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 02:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\12.tmp"
.
Completion time: 2010-03-06  02:40:36
ComboFix-quarantined-files.txt  2010-03-05 21:10
ComboFix2.txt  2010-03-05 20:24

Pre-Run: 37,344,792,576 bytes free
Post-Run: 37,337,743,360 bytes free

- - End Of File - - 9C637272C82A61E136A181D27FD96A9B
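Editor's note, added to this thread and not part of qrius2noall's post or of ComboFix: a log this long is easier to triage mechanically. Three line shapes recur above: the file lines (created . modified, size, attribute string, path), the R1/S3 service lines, and the "TCP: {guid} = dns,dns" name-server line. The Python below parses all three and returns review flags. The rules are this example's own heuristics (PE files created directly in a drive root or in c:\windows\Help, services whose binary ComboFix marks [?] as not found or whose image path is a .tmp file, DNS servers outside private ranges); a flag means "look at this", not "this is malicious". The sample lines are copied from the logs in this thread.

```python
"""Triage of the ComboFix log sections posted in this thread.

Added example by the editor; it is not part of the original post and not
ComboFix code. The rules are heuristics chosen for this example.
"""
import ipaddress
import re

FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+|-+)\s+([-a-z]{8})\s+(.+)$"
)
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
DNS_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = ([0-9.,]+)$")

PE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
# Directories where a newly created PE file deserves a second look
# (example heuristic, not a ComboFix rule).
ODD_DIRS = {r"c:\windows\help", r"c:\windows\temp", r"c:\windows\pif"}


def parse_file_line(line):
    """'created . modified  size  attrs  path' -> dict, or None if no match."""
    m = FILE_RE.match(line)
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {
        "created": created,
        "modified": modified,
        "size": None if size.startswith("-") else int(size),  # dirs show '--------'
        "attrs": attrs,
        "is_dir": attrs[0] == "d",
        "path": path,
    }


def parse_service_line(line):
    """'R1 name;display;image [date size]' or '... --> image [?]' -> dict."""
    m = SVC_RE.match(line)
    if not m:
        return None
    start, name, _display, rest = m.groups()
    image, missing = rest.strip(), False
    if " --> " in image:                  # ComboFix prints 'ImagePath --> resolved path'
        image = image.split(" --> ", 1)[1]
    if image.endswith("[?]"):             # '[?]' = file not found on disk
        image, missing = image[:-3].strip(), True
    image = re.sub(r" \[[^\]]*\]$", "", image)  # drop '[3/5/2010 5:33 AM 162512]'
    if not image:                         # e.g. 'S3 SASENUM;SASENUM;'
        missing = True
    return {"start": start, "name": name, "image": image, "missing": missing}


def triage(log_text):
    """Return (rule, subject) flags for the lines in log_text."""
    flags = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        f = parse_file_line(line)
        if f is not None:
            if not f["is_dir"] and f["path"].lower().endswith(PE_EXT):
                parent = f["path"].rsplit("\\", 1)[0].lower()
                if parent in ODD_DIRS or re.fullmatch(r"[a-z]:", parent):
                    flags.append(("pe-in-odd-location", f["path"]))
            continue
        s = parse_service_line(line)
        if s is not None:
            if s["missing"]:
                flags.append(("service-binary-missing", s["name"]))
            if s["image"].lower().endswith(".tmp"):
                flags.append(("service-image-is-tmp", s["name"]))
            continue
        d = DNS_RE.match(line)
        if d is not None:
            for ip in d.group(1).split(","):
                if not ipaddress.ip_address(ip).is_private:
                    flags.append(("public-dns-server", ip))
    return flags


# Sample input: lines copied from the ComboFix logs in this thread.
SAMPLE_LOG = """\
2010-03-05 22:05 . 2010-03-05 21:54   1169920   ------w-   C:\\ole32.dll
2010-03-04 23:55 . 2004-08-03 19:56   1281536   ----a-w-   c:\\windows\\system32\\ole32.dll
2010-02-23 11:13 . 2010-02-23 11:13   32768   ----a-w-   c:\\windows\\Help\\ItzilzIm.dll
2010-03-05 00:03 . 2010-02-11 18:42   162512   ----a-w-   c:\\windows\\system32\\drivers\\aswSP.sys
2010-03-02 12:46 . 2010-03-02 12:46   --------   d--h--w-   c:\\windows\\PIF
R1 aswSP;aswSP;c:\\windows\\system32\\drivers\\aswSP.sys [3/5/2010 5:33 AM 162512]
S1 SBRE;SBRE;c:\\windows\\system32\\drivers\\SBREDrv.sys --> c:\\windows\\system32\\drivers\\SBREDrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\\??\\c:\\windows\\system32\\12.tmp --> c:\\windows\\system32\\12.tmp [?]
S3 SASENUM;SASENUM;
TCP: {66A4DF95-55B1-4AC1-9006-CE521313193D} = 202.56.215.6,202.56.230.6
"""

if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_LOG):
        print(f"{rule:24} {subject}")
```

Run against the sample it flags the two PE files outside normal code directories, the three services with no binary on disk (one of them pointing at a .tmp file), and the two public name servers. Whether each is a leftover from a legitimate tool, an installer artifact or something else is a judgement for the analyst; the value of the parser is that nothing in a 300-line log gets skimmed past.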

Offline qrius2noall

Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #25 on: March 05, 2010, 10:25:11 PM »
Thanks ESSEXBOY for your efforts and helping hand

I have posted the latest ComboFix log (after running the script).

Also here is the MediaFire link for the OTS scan log (done after MD5 check)

http://www.mediafire.com/download.php?jfmlmkezjtk

Looking forward to your further advice

Q2NA

Offline essexboy

Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #26 on: March 05, 2010, 10:31:03 PM »
OK, I have a spare copy of the file; download it from here: http://cid-32d8666f4048075b.skydrive.live.com/self.aspx/Malware%20files/ole32.dll?lc=2057

Place it on your C drive, i.e. c:\ole32.dll

If you are unsure about what to do then shout


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Fcopy::
c:\ole32.dll | c:\windows\system32\ole32.dll


3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .
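Editor's note, added here and not part of essexboy's post, of ComboFix or of avast: the FCopy directive above copies whatever sits at c:\ole32.dll over c:\windows\system32\ole32.dll, and the file comes from a personal SkyDrive share. Before running that, a practitioner would at least confirm the candidate is a well-formed 32-bit PE image (the ComboFix header in this thread reports an x86 system) and compare it with a trusted copy, such as the dllcache copy or the file from the XP install media. The Python below does that on constructed PE bytes. `pe_info`, `check_replacement`, `build_cfscript` and `make_fake_pe` are names chosen for this example; no hash of the genuine ole32.dll appears in the thread, so none is hard-coded; and the script does not validate Authenticode signatures.

```python
"""Pre-flight check for a replacement system DLL before the FCopy step.

Added example by the editor; it is not part of the original post, of
ComboFix, or of avast. The PE bytes used in the demo are constructed here
and are not a real ole32.dll.
"""
import hashlib
import struct
from typing import List, Optional

IMAGE_FILE_MACHINE_I386 = 0x014C   # the log header in this thread reports x86


def pe_info(data: bytes) -> dict:
    """Machine type, section count, link timestamp, size and SHA-256 of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if len(data) < e_lfanew + 24:
        raise ValueError("truncated COFF header")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_replacement(candidate: bytes, reference: Optional[bytes]) -> List[str]:
    """Return problems found; an empty list means the candidate passed."""
    try:
        cand = pe_info(candidate)
    except ValueError as exc:
        return [f"candidate: {exc}"]
    problems = []
    if cand["machine"] != IMAGE_FILE_MACHINE_I386:
        problems.append(f"candidate machine 0x{cand['machine']:04x} is not i386")
    if reference is not None:
        try:
            ref = pe_info(reference)
        except ValueError as exc:
            return problems + [f"reference: {exc}"]
        if ref["sha256"] == cand["sha256"]:
            return problems            # byte-identical to the trusted copy
        problems.append("candidate differs from reference copy (SHA-256 mismatch)")
        if ref["size"] != cand["size"]:
            problems.append(f"size {cand['size']} vs reference {ref['size']}")
        if ref["timestamp"] != cand["timestamp"]:
            problems.append("link timestamp differs from reference (different build)")
    return problems


def build_cfscript(src: str, dst: str) -> str:
    """The CFScript text for one FCopy, in the syntax shown in the post."""
    return f"Fcopy::\n{src} | {dst}\n"


def make_fake_pe(machine: int, timestamp: int, payload: bytes = b"") -> bytes:
    """Minimal MZ stub + PE signature + COFF header (constructed test data)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | exe | 32-bit)
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff + payload


if __name__ == "__main__":
    # Stand-in for the dllcache copy and for the downloaded file (constructed, identical here).
    trusted = make_fake_pe(IMAGE_FILE_MACHINE_I386, 0x41107B38)
    candidate = make_fake_pe(IMAGE_FILE_MACHINE_I386, 0x41107B38)
    problems = check_replacement(candidate, trusted)
    if problems:
        print("\n".join(problems))
    else:
        print(build_cfscript(r"c:\ole32.dll", r"c:\windows\system32\ole32.dll"))
```

On a real machine the two byte strings would be read from c:\ole32.dll and from c:\windows\system32\dllcache\ole32.dll (or the install media), and the CFScript is only written when the list comes back empty. The Find3M listing in this thread shows c:\windows\system32\ole32.dll at 1281536 bytes (modified 2004-08-03) while the file placed at C:\ole32.dll is 1169920 bytes; the example cannot say which is correct for this SP2 install, only that a mismatch like that is what the reference comparison surfaces. A signature check against the system catalog (sigcheck, or Get-AuthenticodeSignature where PowerShell is available) is the stronger test and is not implemented here.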

Offline qrius2noall

Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #27 on: March 05, 2010, 11:15:04 PM »
Here is the latest ComboFix log

PART-1

ComboFix 10-03-04.06 - Daksh 03/06/2010   3:39.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.503.312 [GMT 5.5:30]
Running from: c:\documents and settings\Daksh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daksh\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\ole32.dll --> c:\windows\system32\ole32.dll
.
(((((((((((((((((((((((((   Files Created from 2010-02-05 to 2010-03-05  )))))))))))))))))))))))))))))))
.

2010-03-05 22:05 . 2010-03-05 21:54   1169920   ------w-   C:\ole32.dll
2010-03-05 21:34 . 2010-03-05 21:34   --------   d-s---w-   c:\windows\Cookies
2010-03-05 18:41 . 2010-03-05 18:41   --------   d-----w-   C:\_OTS
2010-03-05 16:15 . 2010-01-07 10:37   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:15 . 2010-01-07 10:37   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-03-05 14:02 . 2010-03-05 15:08   --------   d-----w-   c:\program files\Panda Security
2010-03-05 13:28 . 2010-03-05 13:28   --------   d-----w-   c:\documents and settings\Daksh\DoctorWeb
2010-03-05 11:27 . 2010-03-05 11:27   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\400000b00002i\Ras.exe
2010-03-05 11:27 . 2010-03-05 11:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Rising
2010-03-05 11:27 . 2009-04-16 20:43   629360   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Rsaupd.exe
2010-03-05 11:27 . 2010-03-05 11:27   518808   ------w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Ntlib.dll
2010-03-05 11:27 . 2010-03-05 11:25   637592   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%SystemSystem%\kmon.dll
2010-03-05 11:24 . 2010-03-05 11:24   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000009c00002i\Rsaupd.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000007200002i\knownsvr.exe
2010-03-05 11:23 . 2010-03-05 11:23   32256   ----a-w-   c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000008000002i\Splash Screen.exe
2010-03-05 01:58 . 2010-03-05 01:58   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Runscanner.net
2010-03-05 01:53 . 2010-03-05 01:53   160272   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
2010-03-05 00:03 . 2010-02-11 18:42   162512   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-03-05 00:03 . 2010-02-11 18:38   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-03-05 00:03 . 2010-02-11 18:42   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-03-05 00:03 . 2010-02-11 18:39   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-03-05 00:03 . 2010-02-11 18:38   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-03-05 00:03 . 2010-02-11 18:38   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-03-05 00:03 . 2010-02-11 18:38   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-03-05 00:03 . 2010-02-11 18:53   38848   ----a-w-   c:\windows\system32\avastSS.scr
2010-03-05 00:03 . 2010-02-11 18:53   153184   ----a-w-   c:\windows\system32\aswBoot.exe
2010-03-04 23:25 . 2004-08-03 17:31   70144   -c--a-w-   c:\windows\system32\dllcache\pintlphr.exe
2010-03-04 23:24 . 2001-08-23 11:30   10096640   -c--a-w-   c:\windows\system32\dllcache\hwxcht.dll
2010-03-04 23:23 . 2004-05-12 19:09   598071   -c--a-w-   c:\windows\system32\dllcache\fpmmc.dll
2010-03-04 23:17 . 2004-08-03 17:01   20992   ----a-w-   c:\windows\system32\drivers\RTL8139.sys
2010-03-04 23:15 . 2001-08-23 11:30   24661   -c--a-w-   c:\windows\system32\dllcache\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   -c--a-w-   c:\windows\system32\dllcache\irclass.dll
2010-03-04 23:15 . 2001-08-23 11:30   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-03-04 20:50 . 2010-03-04 20:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Malwarebytes
2010-03-04 16:07 . 2010-03-04 16:07   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 14:20 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizerPictures
2010-03-04 14:19 . 2010-03-04 14:20   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FILEminimizer
2010-03-02 12:46 . 2010-03-02 12:46   --------   d--h--w-   c:\windows\PIF
2010-03-02 06:24 . 2010-03-02 06:24   --------   d-----w-   c:\windows\Sun
2010-02-27 06:37 . 2010-02-27 06:37   --------   d-----w-   c:\program files\NCH Swift Sound
2010-02-26 20:09 . 2010-02-26 20:16   --------   d-----w-   c:\documents and settings\Daksh\Application Data\FreeFixer
2010-02-26 20:09 . 2010-02-26 20:09   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\FreeFixer
2010-02-26 18:41 . 2010-02-26 18:41   --------   d-----w-   c:\program files\FoxPlayer
2010-02-26 15:27 . 2010-02-26 15:27   --------   d-----w-   c:\documents and settings\Daksh\Application Data\PolyEdit Lite
2010-02-26 14:57 . 2010-02-26 14:57   --------   d-----w-   c:\documents and settings\Daksh\Application Data\SAIG
2010-02-26 14:41 . 2010-02-26 14:41   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Apago
2010-02-25 06:01 . 2010-02-25 06:01   --------   d-----r-   C:\Sandbox
2010-02-24 19:38 . 2010-02-24 19:38   --------   d--h--r-   c:\documents and settings\Daksh\Application Data\JAM Software
2010-02-24 11:52 . 2010-02-24 11:52   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Identities
2010-02-24 08:17 . 2008-01-01 01:30   78848   ----a-w-   c:\windows\system32\VISCDRTL.DLL
2010-02-24 08:17 . 2008-01-01 01:30   152064   ----a-w-   c:\windows\system32\VISCDUNR.DLL
2010-02-24 08:17 . 2008-01-01 01:30   143360   ----a-w-   c:\windows\system32\VISCDUNZ.DLL
2010-02-23 19:57 . 2010-02-23 19:57   0   ----a-w-   c:\windows\nsreg.dat
2010-02-23 19:56 . 2010-02-23 19:56   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Mozilla
2010-02-23 19:33 . 2010-03-05 11:23   --------   d-----w-   c:\documents and settings\Daksh\Application Data\Thinstall
2010-02-23 19:33 . 2010-02-23 19:33   --------   d-----w-   c:\documents and settings\Daksh\Local Settings\Application Data\Thinstall
2010-02-23 18:15 . 2010-02-23 18:15   --------   d--h--w-   c:\windows\system32\GroupPolicy
2010-02-23 14:55 . 2004-08-03 19:56   221184   ----a-w-   c:\windows\system32\wmpns.dll
2010-02-23 13:21 . 2003-03-18 20:20   1060864   ----a-w-   c:\windows\system32\MFC71.dll
2010-02-23 13:21 . 2003-03-18 19:14   499712   ----a-w-   c:\windows\system32\MSVCP71.dll
2010-02-23 13:21 . 2003-02-21 03:42   348160   ----a-w-   c:\windows\system32\MSVCR71.dll
2010-02-23 10:56 . 2010-02-23 17:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-02-23 10:56 . 2010-02-23 10:56   --------   d-----w-   c:\program files\NCH Software
2010-02-23 10:56 . 2010-03-01 13:53   --------   d-----w-   c:\documents and settings\Daksh\Application Data\NCH Swift Sound
2010-02-23 10:49 . 2010-02-23 10:49   1078   ----a-r-   c:\documents and settings\Daksh\Application Data\Microsoft\Installer\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}\_60c11ac7.exe

.


Offline essexboy

Re: avast showing WIN 32: MALWARE GEN infection,not able to delete it
« Reply #29 on: March 05, 2010, 11:17:31 PM »
Now have a quick scan with Avast and I believe you will come up clean  ;D