Author Topic: Win32:malware.gen?  (Read 4153 times)


PhoenixWolf

  • Guest
Win32:malware.gen?
« on: July 12, 2010, 11:26:43 PM »
Starting today, said malware/virus is appearing every time I run a scan for some reason or another. If I remove the file it's supposedly infecting, it appears elsewhere.

I've done full scans with Malwarebytes Anti-Malware and SuperAntiSpyware, and they don't show any threats whatsoever. I'm not entirely sure what to make of the situation; the worst I got out of SuperAnti was two tracking cookies.

Is Avast finding something that isn't there or are the other two simply not catching it at all? This really has me worried.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Win32:malware.gen?
« Reply #1 on: July 12, 2010, 11:52:29 PM »
What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?

You say it reappears elsewhere (so give a couple of examples); does it retain the same file name, or does that change also (if so, give a couple of examples)?

Are you experiencing any adverse/strange occurrences?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

PhoenixWolf

  • Guest
Re: Win32:malware.gen?
« Reply #2 on: July 13, 2010, 12:08:58 AM »
I can't give a direct location now. All I can currently state is that it's in random folders of my C: drive. I just ran another full scan and nothing came up this time; it was a different file each time, though. I'm running another scan to see if it shows its face again.

As for adverse/strange occurrences, nothing really unusual has happened other than suddenly getting claims of Win32 malware.

Offline DavidR
Re: Win32:malware.gen?
« Reply #3 on: July 13, 2010, 12:22:59 AM »
Check the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report (WinXP) location for the scan name (Full System Scan, etc.); this is where all report files are located. For Vista and Win7 the path is C:\ProgramData\Alwil Software\Avast5\report.

This folder may be hidden.

PhoenixWolf

  • Guest
Re: Win32:malware.gen?
« Reply #4 on: July 13, 2010, 12:29:14 AM »
Not sure if this helps but...

<aswObject>
  <NewId>0000000A</NewId>
  <Size>4418852</Size>
  <ChestEntry>
    <ChestId>00000006</ChestId>
    <FileTime>1180250280</FileTime>
    <OrigFileName>JP_BB_FIX.exe</OrigFileName>
    <OrigFolder>C:\Program Files\SEGA\PHANTASY STAR ONLINE Blue Burst</OrigFolder>
    <Comment />
    <Virus>Win32:Trojan-gen</Virus>
    <Category>Vir</Category>
    <Restore>yes</Restore>
    <TransferTime>1277245229</TransferTime>
    <FileSize>1914135</FileSize>
  </ChestEntry>
  <ChestEntry>
    <ChestId>00000007</ChestId>
    <FileTime>1180250280</FileTime>
    <OrigFileName>JP_BB_FIX.exe</OrigFileName>
    <OrigFolder>C:\Program Files\SEGA\PHANTASY STAR ONLINE Blue Burst</OrigFolder>
    <Comment />
    <Virus>Win32:Trojan-gen</Virus>
    <Category>Vir</Category>
    <Restore>yes</Restore>
    <TransferTime>1278087967</TransferTime>
    <FileSize>1914135</FileSize>
  </ChestEntry>
  <ChestEntry>
    <ChestId>00000008</ChestId>
    <FileTime>1256503257</FileTime>
    <OrigFileName>uninst.exe</OrigFileName>
    <OrigFolder>C:\Program Files\Pando Networks\Media Booster</OrigFolder>
    <Comment />
    <Virus>Win32:Malware-gen</Virus>
    <Category>Vir</Category>
    <Restore>yes</Restore>
    <TransferTime>1278956406</TransferTime>
    <FileSize>295295</FileSize>
  </ChestEntry>
  <ChestEntry>
    <ChestId>00000009</ChestId>
    <FileTime>1256503257</FileTime>
    <OrigFileName>A0136100.exe</OrigFileName>
    <OrigFolder>C:\System Volume Information\_restore{75B24976-4861-4D19-A118-8E17509FA1C6}\RP181</OrigFolder>
    <Comment />
    <Virus>Win32:Malware-gen</Virus>
    <Category>Vir</Category>
    <Restore>yes</Restore>
    <TransferTime>1278968163</TransferTime>
    <FileSize>295295</FileSize>
  </ChestEntry>
</aswObject>

Those are the infected files; I found them in the Chest.

Also, after another scan, nothing has come up.

Offline DavidR
Re: Win32:malware.gen?
« Reply #5 on: July 13, 2010, 12:39:32 AM »
This one was mentioned in another topic; try a forum search for the file name. Does the program Pando Networks\Media Booster not ring any bells?
 <OrigFileName>uninst.exe</OrigFileName>
 <OrigFolder>C:\Program Files\Pando Networks\Media Booster</OrigFolder>

This one doesn't appear random to me; presumably you have this game installed?
 <OrigFileName>JP_BB_FIX.exe</OrigFileName>
 <OrigFolder>C:\Program Files\SEGA\PHANTASY STAR ONLINE Blue Burst</OrigFolder>

This one I wouldn't worry about:
 <OrigFileName>A0136100.exe</OrigFileName>
 <OrigFolder>C:\System Volume Information\_restore{75B24976-4861-4D19-A118-8E17509FA1C6}\RP181</OrigFolder>

- Infected restore points: there really is little benefit in chasing a detection in the System Volume Information folder. It is only there because it had previously been deleted or moved from the system folders, and this is a back-up created by System Restore.

- Worst case scenario: it isn't infected and you delete it, so you can't use that restore point in the future. Not much of a loss, and the older the restore point is, the less of an issue it is.

- So if there is any suspicion about a restore point, then it is best removed from the System Volume Information folder, or it could bite you in the rear at some point in the future when you use System Restore, if it included that restore point.
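An added example (not from the thread, and not Avast's own code) that parses the Avast5 chest listing quoted above and applies the triage DavidR describes: it groups entries by FileTime and FileSize, so a System Volume Information copy with the same modification time and size as a program file shows up as a System Restore back-up of that file rather than a separate infection. The sample XML is constructed from the four entries in the post; the element names come from the listing, everything else is assumed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the four entries quoted in the thread, reflowed onto
# fewer lines (XML ignores the whitespace); Comment/Category/Restore omitted.
SAMPLE_CHEST_XML = r"""<aswObject><NewId>0000000A</NewId><Size>4418852</Size>
<ChestEntry><ChestId>00000006</ChestId><FileTime>1180250280</FileTime><FileSize>1914135</FileSize>
<OrigFileName>JP_BB_FIX.exe</OrigFileName><Virus>Win32:Trojan-gen</Virus><TransferTime>1277245229</TransferTime>
<OrigFolder>C:\Program Files\SEGA\PHANTASY STAR ONLINE Blue Burst</OrigFolder></ChestEntry>
<ChestEntry><ChestId>00000007</ChestId><FileTime>1180250280</FileTime><FileSize>1914135</FileSize>
<OrigFileName>JP_BB_FIX.exe</OrigFileName><Virus>Win32:Trojan-gen</Virus><TransferTime>1278087967</TransferTime>
<OrigFolder>C:\Program Files\SEGA\PHANTASY STAR ONLINE Blue Burst</OrigFolder></ChestEntry>
<ChestEntry><ChestId>00000008</ChestId><FileTime>1256503257</FileTime><FileSize>295295</FileSize>
<OrigFileName>uninst.exe</OrigFileName><Virus>Win32:Malware-gen</Virus><TransferTime>1278956406</TransferTime>
<OrigFolder>C:\Program Files\Pando Networks\Media Booster</OrigFolder></ChestEntry>
<ChestEntry><ChestId>00000009</ChestId><FileTime>1256503257</FileTime><FileSize>295295</FileSize>
<OrigFileName>A0136100.exe</OrigFileName><Virus>Win32:Malware-gen</Virus><TransferTime>1278968163</TransferTime>
<OrigFolder>C:\System Volume Information\_restore{75B24976-4861-4D19-A118-8E17509FA1C6}\RP181</OrigFolder></ChestEntry>
</aswObject>"""

def utc_date(epoch):
    return datetime.fromtimestamp(int(epoch), timezone.utc).strftime("%Y-%m-%d")

def parse_chest(xml_text):
    """One dict per <ChestEntry>; FileTime/TransferTime are Unix epochs (UTC)."""
    entries = []
    for e in ET.fromstring(xml_text).iter("ChestEntry"):
        folder = e.findtext("OrigFolder", "")
        entries.append({
            "name": e.findtext("OrigFileName"), "folder": folder,
            "virus": e.findtext("Virus"), "size": int(e.findtext("FileSize", "0")),
            "file_time": int(e.findtext("FileTime", "0")),
            "chested": utc_date(e.findtext("TransferTime", "0")),
            # _restore{...}\RPnnn\A0136100.exe is a System Restore back-up of a file
            # that lived elsewhere first, not a new infection site.
            "restore_point_copy": "\\System Volume Information\\" in folder})
    return entries

def triage(entries):
    """Group by (FileTime, FileSize): the same mtime and size in different folders
    almost always means copies of one file, not a spreading infection."""
    groups = {}
    for e in entries:
        groups.setdefault((e["file_time"], e["size"]), []).append(e)
    return [{"modified": utc_date(ft), "size": size,
             "detections": sorted({m["virus"] for m in ms}),
             "originals": sorted({m["folder"] + "\\" + m["name"]
                                  for m in ms if not m["restore_point_copy"]}),
             "restore_point_copies": [m["name"] for m in ms if m["restore_point_copy"]]}
            for (ft, size), ms in sorted(groups.items())]
```

Run `triage(parse_chest(SAMPLE_CHEST_XML))` to get two groups: the SEGA file chested twice from the same folder, and the Pando uninstaller together with its RP181 restore-point copy.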

PhoenixWolf

  • Guest
Re: Win32:malware.gen?
« Reply #6 on: July 13, 2010, 12:43:38 AM »
So I can probably delete these altogether? Or no.

I THINK those are the only infected files; I've run a third full scan now and come up empty for threats.

Offline DavidR
Re: Win32:malware.gen?
« Reply #7 on: July 13, 2010, 01:29:20 AM »
With the exception of the suspect restore point, deletion is never a good idea without full investigation. That is why I gave you the info about searching the forum for that first file name, and why I asked if these programs rang a bell with you.

I have no idea what you have installed on your system; that is why I asked the questions, so I can't answer that question.