Win32:Malware-gen

[exmachina00]

Hello, extremely helpful and patient avast! forum staff!

I've been dealing with a persistent infection or attempted infection by Win32:Malware-gen since 10/24/10. While I dismissed it as an irritant for almost a month, I've gotten to the point where I'm both worried about it and tired of dealing with it.

Whenever I boot my computer each morning, I get a notice from avast! about a detected threat, which is usually a gibberish .exe name that has attempted to infect vbc.exe in C:\Windows\winsxs.

I've run avast! and gotten numerous hits, but it didn't seem to solve the problem. I've also run Malwarebytes, which was unable to find any source.

Enclosed are the logs from both Malwarebytes and OTL. Please let me know if I need to provide further information or take further steps to assist with the diagnosis.

Thank you in advance for your help and time.

EDIT: The virus' actual target appears to be vbc.exe in some Microsoft.NET folder, but avast!'s warning closed too quickly for me to write it down properly and there doesn't seem to be any log of it.

[Pondus]

but avast!'s warning closed too quickly for me to write it down

if you right click the orange ball down by the clock. There is an option: show last popup message


Essexboy have been notified, and will look at the log`s when he arrives

[mikaelrask]

i would suggest you try superantispyware as an second opion sometimes it detcets things malwarebytes misses and vice verse

http://www.superantispyware.com/

have you update malwarebytes before scanning? for usually malwarebytes usually is good with dealing with those kind of infections.
good luck

[essexboy]

Hmm this is a mystery as there is no apparent malware showing

But lets dig a bit deeper

Download avz4.zip from here

• Unzip it to your desktop to a folder named avz4
  
• Double click on AVZ.exe to run it.
  
• Run an update by clicking the Auto Update button on the Right of the Log window:
  
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.

• Click on the “Execute selected scripts”.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  
• It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
• All applications will work properly after the system restart.

When restarted

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis " check box.

• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

[exmachina00]

My apologies; I went away for the holidays and neglected to check this topic.

I tried clicking the avz4 link and it resulted in a 404 message. Is there somewhere else I can download this utility?

[essexboy]

Yep it was pulled and integrated into the standalone AV  a few days ago
New destructions

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.



Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder  then attach the zip file to your next post zip or upload to Mediafire and post the sharing link.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

[exmachina00]

The report is attached.

The sysinfo zip is here: http://www.mediafire.com/?99lbmenanb91w97

Thanks for the help!

[essexboy]

That killed a couple in the java cahce but that is all

Is Avast still reporting malware ?

[exmachina00]

Hm, not yet. I'll keep a lookout over the next few days to see.

[essexboy]

When you are happy let me know and I will remove my tools

[exmachina00]

I'm still getting the popup.

Object: C:\Users\Will\AppData\Local\Temp\l6edsxoj.exe (this changes; it's always some random combination of letters and numbers)
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

[essexboy]

Being in your temporary file would lead me to suspect it is coming from online as opposed to your system

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[DavidR]

Yes, but the Process responsible for that file in temp appears to be .net related (vbc.exe) unless that file and .net version are bogus.

So something is using .net framework v2...\vbc.exe and that has placed that file in temp, surely that all can't be happening from outside ?

[essexboy]

It is actually trying to use the dotnet framework as opposed to dotnet being infected, well thats my reading anyway    But using CF will show me any hidden drivers or reg entries to confirm one way or the other

[DavidR]

OK, thanks.