Author Topic: Win32:Malware-gen  (Read 31176 times)


elle_97

  • Guest
Re: Win32:Malware-gen
« Reply #30 on: April 10, 2010, 05:13:00 PM »
Nooo!
It seems like the virus is back (never left?)... Although now it is in File Name:
C:\WINDOWS\Fonts\anN0oNf.com

Seems like I'm gonna have to reformat my computer?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Malware-gen
« Reply #31 on: April 10, 2010, 05:18:13 PM »
When did it return?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

elle_97
Re: Win32:Malware-gen
« Reply #32 on: April 10, 2010, 05:48:08 PM »
Just now basically... although I have been getting complaints that the computer acts as though it has a virus (screens turn white and it's slow, etc.)... and just now the keyboard stopped working, so I changed to another tab and back, and then it worked :S

Got this message too from avast also (attached pic). Pressed cancel, then got the usual virus warning and moved it to chest.

Offline essexboy
Re: Win32:Malware-gen
« Reply #33 on: April 10, 2010, 06:25:53 PM »
What is your version of Adobe? It should be 9.3.

elle_97
Re: Win32:Malware-gen
« Reply #34 on: April 10, 2010, 06:52:57 PM »
Yeah, it's 9.3...
Attached the log also.

Thank you so much essexboy :)

Offline essexboy
Re: Win32:Malware-gen
« Reply #35 on: April 10, 2010, 07:19:26 PM »
Looks like Avast stopped most of it.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\All Users\Application Data\E5LTD0b5.exe

Renv::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ASUS\Six Engine\SixEngine .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe

NetSvc::
oybidfpv

Driver::
oybidfpv

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

elle_97
Re: Win32:Malware-gen
« Reply #36 on: April 10, 2010, 08:29:16 PM »
That was really weird :S Had to reboot like 3-4 times...

Have attached log.

Offline essexboy
Re: Win32:Malware-gen
« Reply #37 on: April 10, 2010, 08:39:07 PM »
CF had to remove a driver and a service, plus it needed to locate backup files for the ones it needed to replace.

Run it now for a day or so and let me know of any further problems.

elle_97
Re: Win32:Malware-gen
« Reply #38 on: April 10, 2010, 09:01:57 PM »
Will do! Thanks! :)

elle_97
Re: Win32:Malware-gen
« Reply #39 on: April 15, 2010, 01:26:55 AM »
So the virus is back... it returned earlier today.
Now found in C:\WINDOWS\system32\drivers\rasacd.sys
Malware name: Win32:Alureon-FZ

I keep moving it to chest, but it keeps appearing, like every second, literally. Makes typing seriously annoying... :(

help me, please! :'(

elle_97
Re: Win32:Malware-gen
« Reply #40 on: April 15, 2010, 02:57:18 PM »
Anyone?
« Last Edit: April 15, 2010, 07:01:51 PM by elle_97 »

Offline essexboy
Re: Win32:Malware-gen
« Reply #41 on: April 15, 2010, 08:23:58 PM »
OK, this is a new variant that has only recently been detected.

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan... click on NO, then use the following settings for a more complete scan...
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.


THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.*
/md5start
rasacd.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

elle_97
Re: Win32:Malware-gen
« Reply #42 on: April 16, 2010, 12:39:08 AM »
I attached all the logs, couldn't paste the result of the GMER since it was too long.

Thank you! :)

Offline essexboy
Re: Win32:Malware-gen
« Reply #43 on: April 16, 2010, 09:15:34 PM »
OK, let's try the easy way first; if it fails I will have to use Avenger.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Files
C:\WINDOWS\system32\drivers\rasacd.sys|C:\WINDOWS\system32\dllcache\rasacd.sys /replace

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
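
The fix above restores rasacd.sys from the dllcache backup, and the earlier OTL custom scan hashed that same driver with /md5start. As an added example (not from this thread, ComboFix or OTL), the following Python script hashes a live driver against its backup copy and reports whether they differ; the paths and file contents are constructed for the demo, not real driver data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in 64 KiB chunks so large drivers are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver_with_cache(driver_path, cache_path):
    """Compare a live driver with its backup copy (on XP: %systemroot%\\system32\\dllcache).

    Returns a dict with both digests, both sizes and a verdict. A mismatch is not
    proof of infection (a legitimate update differs too), but for a driver that the
    scanner keeps flagging, as rasacd.sys is here, it is the cue to restore the backup.
    """
    if not os.path.exists(cache_path):
        return {"verdict": "no-backup", "driver": file_digest(driver_path), "cache": None}
    d, c = file_digest(driver_path), file_digest(cache_path)
    return {
        "verdict": "match" if d == c else "MISMATCH",
        "driver": d,
        "cache": c,
        "driver_size": os.path.getsize(driver_path),
        "cache_size": os.path.getsize(cache_path),
    }


def demo(tamper=True):
    """Constructed sample (not real driver bytes): a clean backup and a live copy that
    is either identical or has 16 bytes appended, standing in for a patched driver."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "dllcache").mkdir()
        clean = b"MZ" + b"\x00" * 60 + b"clean driver body"  # 79 bytes
        (root / "dllcache" / "rasacd.sys").write_bytes(clean)
        live = clean + (b"\xcc" * 16 if tamper else b"")
        (root / "drivers" / "rasacd.sys").write_bytes(live)
        return compare_driver_with_cache(root / "drivers" / "rasacd.sys",
                                         root / "dllcache" / "rasacd.sys")
```

Run `demo()` for the tampered case and `demo(tamper=False)` for the clean case; on a real XP box you would point `compare_driver_with_cache` at the two rasacd.sys paths from the thread.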

elle_97
Re: Win32:Malware-gen
« Reply #44 on: April 17, 2010, 01:35:01 AM »
Attached log :)