Author Topic: Win32:Malware-gen and other issues  (Read 6755 times)


Offline Orrin777

  • Newbie
  • *
  • Posts: 10
Win32:Malware-gen and other issues
« on: January 17, 2011, 09:04:43 AM »
Hello avast! team!

I have been running avast! for several months and am very happy with it. My PC was recently infected however, and any help to fix would be greatly appreciated.

Symptoms:
I started receiving the Win32:Malware-gen pop-up from avast! a couple days ago. Around the same time, I started getting redirects to ad pages from Google search result links - but only in Firefox. IE still worked fine.

I ran a couple things to scan / try to clean:
SpyBot S&D
MalwareBytes Anti-Malware (after updating) (ran multiple times)

MBAM found and removed a number of things, but the issue did not go away. Also the problem has now gotten worse. When I boot normally, I get a blank screen after logging in. The only thing I can bring up is Task Manager using Ctrl-Alt-Delete. I can boot in Safe mode, but can't access the internet while in Safe mode. Fortunately I have a backup PC (from which I am writing this), and can download any needed tools and transfer them with a flash drive. I don't think I will be able to run any online scans (like Kaspersky) at the moment though.

Will wait to hear back from someone before uploading anything to this thread or running anything else.

Am running XP SP3 BTW.

Thanks in advance for any help!!

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1369
  • Soli Deo Gloria
Re: Win32:Malware-gen and other issues
« Reply #1 on: January 17, 2011, 09:15:06 AM »
Hi Orrin777,

Welcome to the avast forum,

Anyway, have you tried:

1. Turning off your System Restore?
2. Scanning with a boot-time scan with avast antivirus?


cheers,
Yanto Chiang | IT Security Consultants | AVAST Premium Security | Soli Deo Gloria

Offline argus

  • Malware Removal Expert ASAP
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2064
Re: Win32:Malware-gen and other issues
« Reply #2 on: January 17, 2011, 09:23:31 AM »
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop. Post DDS.txt back to topic (as attachment).

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.   DONATE

Offline Orrin777

  • Newbie
  • *
  • Posts: 10
Re: Win32:Malware-gen and other issues
« Reply #3 on: January 17, 2011, 09:43:16 AM »
Thanks Yanto and argus for the quick responses!

Turning off System Restore allowed me to boot normally again. That is a relief since it will be much easier to clean if I can download/upload directly from the infected PC.

When I listed S&D and MBAM earlier, I forgot to mention I also tried avast boot time scan. I think that is actually when it started to boot to a blank screen (went to blank screen after logging in).

Should I run avast boot-time scan again now that I'm back out of Safe Mode, or run DDS?

(and if I run the avast scan, should the heuristics sensitivity be set to Normal or High, or does it matter?)

Thanks!

Offline Orrin777

  • Newbie
  • *
  • Posts: 10
Re: Win32:Malware-gen and other issues
« Reply #4 on: January 17, 2011, 09:50:47 AM »
Meant to add - I am still getting the Google redirect in FF. Here is an example (sanitized):

hxxp://www.infomash.org/100/7181/search.php?k=services%20transcription&sid=be85a7162840ac1f2b2650730a0e6971

I am also still getting the Win32:Malware-gen infection error from avast when starting FF. The Object is C:\WINDOWS\system32\winlogon.exe.

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1369
  • Soli Deo Gloria
Re: Win32:Malware-gen and other issues
« Reply #5 on: January 17, 2011, 10:08:06 AM »
Hi Orrin777,

It is up to you which one is easier for you to do first..

Basically, I recommend that you set a high level of heuristic sensitivity, and please don't forget to tick the two checkboxes below; after that you may start the boot-time scan again...

cheers,

Offline argus

  • Malware Removal Expert ASAP
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2064
Re: Win32:Malware-gen and other issues
« Reply #6 on: January 17, 2011, 10:11:05 AM »
Orrin777, run DDS. It is a diagnostic tool.

Offline Orrin777

  • Newbie
  • *
  • Posts: 10
Re: Win32:Malware-gen and other issues
« Reply #7 on: January 17, 2011, 10:27:04 AM »
Thanks. Ran DDS. File is attached.

Offline argus

  • Malware Removal Expert ASAP
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2064
Re: Win32:Malware-gen and other issues
« Reply #8 on: January 17, 2011, 10:51:27 AM »
DDS log is clean. To see deeper:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully.



1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix:
http://www.bleepingcomputer.com/forums/topic114351.html

Remember to re-enable them afterwards.


2. Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt


Offline Orrin777

  • Newbie
  • *
  • Posts: 10
Re: Win32:Malware-gen and other issues
« Reply #9 on: January 17, 2011, 10:57:09 AM »
Thanks argus. Gotta get some sleep... I will run ComboFix tomorrow and post the results.

Offline argus

  • Malware Removal Expert ASAP
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2064
Re: Win32:Malware-gen and other issues
« Reply #10 on: January 17, 2011, 11:07:22 AM »
Ok  :)
« Last Edit: January 17, 2011, 11:16:45 AM by argus »

Offline Orrin777

  • Newbie
  • *
  • Posts: 10
Re: Win32:Malware-gen and other issues
« Reply #11 on: January 18, 2011, 12:00:26 AM »
ComboFix ran successfully. Looks like it found and fixed a couple things. :)

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Infected copy of c:\windows\explorer.exe was found and disinfected

Attaching the log. Haven't tried anything else yet (like running FF to see if the redirect issue and Win32:Malware-gen issues are gone) - will wait for further instructions.
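ComboFix reported winlogon.exe and explorer.exe as infected copies that were disinfected. The defender-side counterpart is a hash baseline of critical system binaries taken on a known-clean machine and re-checked later, so a patched or replaced file shows up as "modified" and a deleted one as "missing". The script below is an added example written for this thread, not ComboFix's or avast's code; the file names mirror the ones in the post, but the demo writes constructed fake files into a temporary directory rather than touching a real Windows installation.

```python
"""Hash baseline for critical binaries (added example; not ComboFix or avast code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to be read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths):
    """Capture {path: sha256} on a machine believed to be clean."""
    return {str(p): sha256_of(p) for p in paths}


def verify(baseline):
    """Return {path: status} where status is 'ok', 'modified' or 'missing'."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_of(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed demo: two fake 'system binaries', one patched and one removed after baselining.

    Returns {basename: status}. Hypothetical file contents; nothing here is a real PE image.
    """
    with tempfile.TemporaryDirectory() as tmp:
        winlogon = Path(tmp, "winlogon.exe")
        explorer = Path(tmp, "explorer.exe")
        winlogon.write_bytes(b"MZ constructed clean winlogon")
        explorer.write_bytes(b"MZ constructed clean explorer")

        baseline = build_baseline([winlogon, explorer])

        # Simulate what the thread describes: an infected copy (appended bytes) and a missing file.
        explorer.write_bytes(explorer.read_bytes() + b"\x90" * 16)
        winlogon.unlink()

        return {os.path.basename(p): status for p, status in verify(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real XP box the baseline would be taken from the clean install or verified against vendor-published hashes of the same service-pack build; a baseline captured after the infection only proves the files have not changed since then, which is the edge case the demo's "modified" status is meant to catch.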

Offline argus

  • Malware Removal Expert ASAP
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2064
Re: Win32:Malware-gen and other issues
« Reply #12 on: January 18, 2011, 09:57:26 AM »
Open notepad and copy/paste the text in the quotebox below into it:

Code:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

DDS::
uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU&version=1.90&language=English&module=LU&error=1827&build=Symantec



Save this as CFScript to desktop



Close all browser windows and, referring to the picture above, drag CFScript onto Combofix.exe.
Then post the resultant log.

Offline Orrin777

  • Newbie
  • *
  • Posts: 10
Re: Win32:Malware-gen and other issues
« Reply #13 on: January 18, 2011, 10:21:46 AM »
Thanks for the reply. Before I do that, could you explain what that will do? (Pardon my lack of knowledge for not knowing simply by reading the instructions.)
Just curious since it references Symantec, but I am not currently running anything from Symantec that I am aware of.

Thanks for your patience.

Offline argus

  • Malware Removal Expert ASAP
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2064
Re: Win32:Malware-gen and other issues
« Reply #14 on: January 18, 2011, 11:17:04 AM »
You had Symantec before Avast but you did not uninstall it well.

This script will remove the remains from the registry and Internet Explorer.
« Last Edit: January 18, 2011, 12:32:20 PM by argus »
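Orrin777's question in Reply #13 is the right one to ask before dropping any script onto ComboFix: what exactly will it change? The following dry-run explainer is an added example written for this thread, not ComboFix's own code. It parses the CFScript from Reply #12 and lists the intended actions without touching the registry. Assumptions beyond what the thread shows: the Registry:: section uses .reg syntax (a `[-key]` line deletes the key, `[key]` creates it, `"name"=-` deletes a value), and a DDS:: line's leading `u` or `m` marks the per-user (HKCU) or machine (HKLM) hive as in DDS logs; the `hxxp` prefix is a defanged URL that the script never fetches.

```python
"""Dry-run explainer for a ComboFix CFScript (added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: the CFScript posted in Reply #12, reproduced verbatim.
SAMPLE_CFSCRIPT = r"""Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

DDS::
uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU&version=1.90&language=English&module=LU&error=1827&build=Symantec
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(-?)(HK[A-Z_]+\\[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Assumed DDS log convention: 'u' = per-user hive, 'm' = machine hive.
DDS_HIVES = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE"}


@dataclass(frozen=True)
class Action:
    kind: str     # delete_key | create_key | set_value | delete_value | remove_dds_entry
    target: str
    detail: str = ""


def parse_cfscript(text):
    """Split a CFScript into {section_name: [lines]}, keeping line order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def plan_registry(lines):
    """Translate .reg-style lines: [-key] deletes, [key] creates, "n"=- deletes a value."""
    actions, key = [], None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            actions.append(Action("delete_key" if minus else "create_key", key))
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            name, value = m.groups()
            kind = "delete_value" if value == "-" else "set_value"
            actions.append(Action(kind, f"{key}\\{name}", value))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return actions


def plan_dds(lines):
    """Each DDS:: line is an entry copied from the DDS log that ComboFix is asked to remove."""
    actions = []
    for line in lines:
        hive = DDS_HIVES.get(line[0], "unknown hive")
        entry, _, value = line[1:].partition(" = ")
        # The value is kept only for display; a defanged hxxp URL is never fetched.
        actions.append(Action("remove_dds_entry", f"{hive}: {entry.strip()}", value.strip()))
    return actions


def plan(text):
    """Full dry run; refuses sections this explainer does not model rather than guessing."""
    sections = parse_cfscript(text)
    unknown = set(sections) - {"Registry", "DDS"}
    if unknown:
        raise ValueError(f"sections not modelled here: {sorted(unknown)}")
    return plan_registry(sections.get("Registry", [])) + plan_dds(sections.get("DDS", []))


def describe(actions):
    verbs = {
        "delete_key": "DELETE registry key",
        "create_key": "CREATE registry key",
        "set_value": "SET registry value",
        "delete_value": "DELETE registry value",
        "remove_dds_entry": "REMOVE DDS-listed entry",
    }
    return [f"{verbs[a.kind]} {a.target}" + (f"  [{a.detail}]" if a.detail else "") for a in actions]


if __name__ == "__main__":
    for line in describe(plan(SAMPLE_CFSCRIPT)):
        print(line)
```

Run against the sample, the plan shows two key deletions under HKLM\software\microsoft\security center\Monitoring and one removal of the Internet Connection Wizard ShellNext entry in the user hive, which matches argus's explanation that the script only clears Symantec remnants from the registry and Internet Explorer. A script that produced anything else, such as a section the explainer refuses, is worth asking about before it is run.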