Author Topic: Un-deletable Threat, Win32: Malware-gen  (Read 6486 times)

HookedOnRice

  • Guest
Un-deletable Threat, Win32: Malware-gen
« on: June 23, 2011, 07:48:32 AM »
So recently I got struck by one of those "Vista Home Security 2012" rogue malware programs and went through hours of trying to fix it. Being fed up with how nothing seemed to work, I decided to System Restore to yesterday. The Vista Home Security 2012 threat is gone, but I have been experiencing consistent "Malicious URL Blocked" warnings from avast for the past few days.

I ran Malwarebytes and Avast on quick and full scans. Malwarebytes didn't seem to pick up anything but Avast came across 4 infected files.



Again, problems arose and the virus chest server apparently was not working. I searched for some solutions, most recommending to reinstall but I didn't want to risk being unprotected given how much these attacks have already put me through. In the end I decided to delete the files, but one of them appears to be un-deletable as seen in the screenshot above.

Should I try system restoring to a week back or so? Any other fixes or help with this is greatly appreciated. Sick of the crap these viruses will put you through  >:(

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #1 on: June 23, 2011, 02:43:05 PM »
Some rogue antiviruses (fake AVs) download and install rootkits on the infected machine.
Let's have a look.
Download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm
Run it
Scan
Post the log

OT: Glad to see a lol player ;D
EU or US?
Lvl?
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

harryjamesuk

  • Guest
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #2 on: June 23, 2011, 05:39:03 PM »
You might have a rootkit, a REALLY bad rootkit.

Now let's see if this works...

Open the avast interface.
Click Scan.
Click Boot-Time Scan.
Schedule a boot-time scan (make sure in Settings it checks: All harddisks, System drive and Auto-start programs (all users)).

Optionally, you can change the sensitivity to Full, where you will possibly get more results but some may be false positives (anyway, I have mine on Full).

So good luck!

HookedOnRice

  • Guest
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #3 on: June 23, 2011, 08:07:34 PM »
Quote from: Left123
Some rogue antiviruses (fake AVs) download and install rootkits on the infected machine.
Let's have a look.
Download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm
Run it
Scan
Post the log

OT: Glad to see a lol player ;D
EU or US?
Lvl?

aswMBR's been running for almost 2 hours now. Do you want me to post the log as is now or wait until it's finished?

Oh, and I'm in the US and level 30 :D Been playing for around a year now I guess. You play often? ^^

Offline Left123

Re: Un-deletable Threat, Win32: Malware-gen
« Reply #4 on: June 23, 2011, 11:13:38 PM »
When it finishes the scan, please choose Save log and attach it here. Something is wrong, 2 hours is really weird (?)

EU, 30 lvl > almost 700 wins :D

HookedOnRice

  • Guest
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #5 on: June 24, 2011, 12:16:55 AM »
Edit: Scratch that, not working. Just needed to open it with Notepad, d'oh. Anyway, here's the log:

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-23 11:26:53
-----------------------------
11:26:53.793    OS Version: Windows 6.0.6002 Service Pack 2
11:26:53.793    Number of processors: 2 586 0x1706
11:26:53.794    ComputerName: AARON-PC  UserName: Aaron
11:26:55.395    Initialize success
11:26:55.597    AVAST engine defs: 11062300
11:27:00.566    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:27:00.568    Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01113 Size: 476940MB BusType: 3
11:27:02.605    Disk 0 MBR read successfully
11:27:02.607    Disk 0 MBR scan
11:27:02.611    Disk 0 unknown MBR code
11:27:04.631    Disk 0 scanning sectors +976771120
11:27:04.666    Disk 0 scanning C:\Windows\system32\drivers
11:27:12.542    Service scanning
11:27:14.574    Disk 0 trace - called modules:
11:27:14.578   
11:27:15.862    AVAST engine scan C:\Windows
13:28:02.859    AVAST engine scan C:\Users\Aaron
14:17:05.726    AVAST engine scan C:\ProgramData
14:38:24.748    Scan finished successfully
17:06:48.461    Disk 0 MBR has been saved successfully to "C:\Users\Aaron\Desktop\MBR.dat"
17:06:48.467    The log file has been saved successfully to "C:\Users\Aaron\Desktop\aswMBR1.txt"


And nice, I'm only at 450ish wins. From what I've been hearing Yorick is total weaksauce  :P
« Last Edit: June 24, 2011, 12:19:12 AM by HookedOnRice »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89679
  • No support PMs thanks
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #6 on: June 24, 2011, 12:34:24 AM »
Quote from: essexboy

Second opinion now

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

HookedOnRice

  • Guest
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #7 on: June 24, 2011, 01:05:43 AM »
The tdsskiller.zip file isn't opening after saving it for some reason. Any clues?

Online DavidR

Re: Un-deletable Threat, Win32: Malware-gen
« Reply #8 on: June 24, 2011, 01:11:10 AM »
How are you trying to open it?

Do you have a zip program ?
If you haven't got one try 7zip, http://www.7-zip.org/

HookedOnRice

  • Guest
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #9 on: June 24, 2011, 03:17:16 AM »
Ah, looks like I just needed a reboot. WinRAR was acting up for some reason. Got rid of some pesky "This copy of Windows is not genuine" warning in the lower right hand corner of the screen even though it's legit. Gonna try running tdsskiller now.

HookedOnRice

  • Guest
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #10 on: June 24, 2011, 03:19:02 AM »
Tdsskiller didn't pick up anything so I suppose all is well?

Online DavidR

Re: Un-deletable Threat, Win32: Malware-gen
« Reply #11 on: June 24, 2011, 03:25:27 AM »
Rather depends on whether you are still getting avast alerts or other suspicious activity?

HookedOnRice

  • Guest
Re: Un-deletable Threat, Win32: Malware-gen
« Reply #12 on: June 24, 2011, 03:44:32 AM »
Haven't got an alert from Avast all day and none of the false AV messages are appearing.

Online DavidR

Re: Un-deletable Threat, Win32: Malware-gen
« Reply #13 on: June 24, 2011, 01:40:05 PM »
Well it is certainly encouraging; monitor your system over the next couple of days for any alerts or strange occurrences and get back to us if you do.

One thing I notice going over your topic again, is that you chose delete as the action in your scan results image.

Deletion isn't really a good first option (you have none left). 'First do no harm': don't delete, send the virus to the chest (a protected area) and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.