80000000(cb).@ Issue

Greetings folks,

I have been troubled by similar issues to some people in the past day or so with Win32:Malware-gen / Win32:Trojan-gen.
I didn't want to follow someone else's fix too closely, just in case, due to different system specs etc., so I am making this separate post.

I followed the "Logs to assist…" topic's instructions and have attached said logs.
I wrote up a report of sorts too, but might as well just paste it here and now.

The following have been detected -

C:\Windows\Installer\{20e98f54-5cde-88-08ce-03b6cbd5276d}\U\80000000.@

as a Win32:Malware-gen

and

C:\Windows\Installer\{20e98f54-5cde-88-08ce-03b6cbd5276d}\U\800000cb.@

as a Win32:Trojan-gen

In answer to the questions:

  1. It is repeatedly detected and reported by Avast's background scanner, I believe.
    It is detected around every 5-10 minutes.
    I had just finished browsing some websites searching for a new computer - scan.co.uk, Apple's store and the Dell store.
    I was then reading articles on the BBC News website when this began to occur.
    It has happened multiple times since, while doing nothing, so it doesn't seem to be triggered by anything obvious.

    I have the image captures of the two alerts which happen in quick succession.

    After reading up on the forums about this particular issue, I was reminded of an Adobe Flash Player update installer, like someone else mentioned. I thought nothing of it at the time, but now that it has been mentioned, it was at a rather unusual stage.

  2. I do not know the source of the file.

  3. As I cannot access the file, I cannot specify when it was downloaded or received, other than the evening of 3rd August.
    It was late on that day, so I waited till the next day to perform the suggested scans to generate the logs these forums say are needed.
    I was hopeful that it would perhaps remove the threat, but it hasn't, so now I am appealing to you.

  4. The filenames and extensions, or lack thereof, are up there with the detections.

That's all the questions that require answers, I believe.

Thanks,
Oliver

If anybody could help it would be much appreciated!
Please tell me if any other information is needed!

Thanks,

Hello again here are screenshots of the alerts as they appear.

A malware removal specialist has been informed of your topic.

Thank you very much!

I also forgot to add the mbam log so it is now attached.

Monitoring.

Hi

step1

1. Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

step2

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

Hi there,
I ran TFC successfully and disabled avast as directed.
ComboFix ran fine through and I left it be, but it switched itself off, which I presume it meant to, but it has not left a log anywhere.
Should I run it again? I thought I'd better check, as it is usually advised to report back before "rerunning" anything.

I had a more detailed look through the ComboFix guide and realised it didn't get to any blue screen and do any of those things, just the small black one with green writing. Is that just how it looks these days, or has it stopped itself before doing the important bit?
It doesn't really say whether it is safe to rerun though, so sorry for any delay, but I just want to make sure I'm doing everything correctly.

Again, shall I run it again? Sorry for the double-post nature of this…

thanks

If the log is not there, then delete the current ComboFix, download a fresh one and re-run ComboFix.

On it! :) Shall report back soon.

Right, so I tried it once more after redownloading it. It gets caught for a while telling me its output, which is a folder with the computer symbol with 32788R22FWJFW, though I doubt it's too relevant. It hasn't given me a combofix.txt at any destination.
I tried to screenshot what it was actually doing, but it blanks the output screen, so.
I have also redownloaded it from the said guide's link too, but obviously it is the same file.
Still no output file.
Please advise as to what to do next.
Also, thanks for helping so far by the way, it's much appreciated.

Thanks,

[*]Download FRST64 to a USB flash drive.
[*]Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

[*]Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
[*]Select Repair your computer.
[*]Select Language and click Next
[*]Enter password (if necessary) and click OK, you should now see the screen below …

http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png

[*]Select the Command Prompt option.
[*]A command window will open.

[*]Type notepad then hit Enter.
[*]Notepad will open.
[*]Click File > Open then select Computer.
[*]Note down the drive letter for your USB Drive.
[*]Close Notepad.
[*]Back in the command window …

[*]Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
[*]FRST will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]When finished scanning it will make a log FRST.txt on the flash drive.
[*]Next

[*]Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
[*]Exit FRST.
[*]Close the command window.
[*]Boot back into normal mode and post me the FRST.txt and Search.txt logs please.

Hello again,
That went ok.
Here are the logs attached.

Open notepad.

[*] Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[*] A blank Notepad page should open.
[*] Copy/Paste the contents of the code box below into Notepad.

Start
ZeroAccess:
C:\Windows\Installer\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}
C:\Windows\Installer\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}\L
C:\Windows\Installer\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}\U
C:\Windows\Installer\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}\U\00000001.@
C:\Windows\Installer\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}\U\80000000.@
C:\Windows\Installer\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}\U\800000cb.@
ZeroAccess:
C:\Users\aOliver\AppData\Local\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}
C:\Users\aOliver\AppData\Local\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}\@
C:\Users\aOliver\AppData\Local\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}\L
C:\Users\aOliver\AppData\Local\{20e98f54-5cde-88fd-08ce-03b6cbd5276d}\U
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

[*] Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.

Step2

Delete current Combofix and download a fresh copy and run it. Attach here fresh Combofix log.
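The fixlist above spells out the on-disk layout this infection used on the machine: a GUID-named folder under C:\Windows\Installer and another under the user's AppData\Local, each with U and L subfolders and "@"-suffixed payload files, plus a services.exe that FRST is told to replace from the WinSxS component store. As an added example (not part of the thread, and not FRST or ComboFix code), the following Python script hunts for that same layout on an offline copy of a drive (a mounted image, or the disk from a rescue boot) and checks whether the live services.exe matches any copy in the component store. The sample tree it builds is constructed for the demonstration with placeholder bytes; the component-folder prefix and the benign GUID are assumptions.

```python
"""Hunt for the ZeroAccess on-disk layout shown in the fixlist above on an
offline copy of a drive (a mounted image, or the disk from a rescue boot)."""
import hashlib
import re
import tempfile
from pathlib import Path

# GUID-style folder name, e.g. {20e98f54-5cde-88fd-08ce-03b6cbd5276d}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Component-store folder prefix for services.exe, taken from the Replace: line
# in the fixlist; the version/hash suffix varies by patch level (assumption).
SERVICES_COMPONENT_GLOB = "amd64_microsoft-windows-s..s-servicecontroller_*"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_zeroaccess_dirs(root: Path) -> list:
    """GUID-named folders under Windows\\Installer and each user's AppData\\Local
    that hold the U/L subfolder pair or '@'-suffixed payload files. A normal
    Windows\\Installer\\{GUID} folder holds cached icons and .msi/.msp files,
    not that pair, so the shape alone is a strong indicator."""
    parents = [root / "Windows" / "Installer"]
    users = root / "Users"
    if users.is_dir():
        parents += [u / "AppData" / "Local" for u in users.iterdir() if u.is_dir()]
    hits = []
    for parent in parents:
        if not parent.is_dir():
            continue
        for d in parent.iterdir():
            if not (d.is_dir() and GUID_RE.match(d.name)):
                continue
            payloads = sorted(p.relative_to(root).as_posix() for p in d.rglob("*")
                              if p.is_file() and p.name.endswith("@"))
            has_u, has_l = (d / "U").is_dir(), (d / "L").is_dir()
            if payloads or (has_u and has_l):
                hits.append({"dir": d.relative_to(root).as_posix(),
                             "U": has_u, "L": has_l, "payloads": payloads})
    return hits


def services_exe_check(root: Path) -> dict:
    """Compare System32\\services.exe with every copy in the component store.
    On a clean install the live file is a hard link to one of those copies, so
    its hash should be in the set. A mismatch means the live file differs from
    every stored copy; it is a lead, not proof, so confirm with an Authenticode
    check before replacing anything."""
    live = root / "Windows" / "System32" / "services.exe"
    store = root / "Windows" / "winsxs"   # case matters on a Linux mount
    refs = {c.name: sha256_of(c / "services.exe")
            for c in store.glob(SERVICES_COMPONENT_GLOB) if (c / "services.exe").is_file()}
    live_hash = sha256_of(live) if live.is_file() else None
    return {"live": live_hash, "store": refs,
            "matches_store": live_hash is not None and live_hash in refs.values()}


def build_sample_tree(base: Path) -> Path:
    """Constructed sample mirroring the fixlist paths plus one benign Installer
    folder. Contents are placeholder bytes, not malware."""
    guid = "{20e98f54-5cde-88fd-08ce-03b6cbd5276d}"
    benign = "{0B2AB6B7-0000-0000-0000-000000000001}"      # made up for the demo
    comp = ("amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35"
            "_6.1.7600.16385_none_2b54b20ee6fa07b1")
    layout = {
        f"Windows/Installer/{guid}/U/00000001.@": b"payload-placeholder",
        f"Windows/Installer/{guid}/U/80000000.@": b"payload-placeholder",
        f"Windows/Installer/{guid}/U/800000cb.@": b"payload-placeholder",
        f"Windows/Installer/{guid}/L/.keep": b"",
        f"Users/aOliver/AppData/Local/{guid}/@": b"payload-placeholder",
        f"Users/aOliver/AppData/Local/{guid}/U/.keep": b"",
        f"Users/aOliver/AppData/Local/{guid}/L/.keep": b"",
        f"Windows/Installer/{benign}/ARPPRODUCTICON.exe": b"icon-placeholder",
        "Windows/System32/services.exe": b"patched-services-placeholder",
        f"Windows/winsxs/{comp}/services.exe": b"clean-store-copy-placeholder",
    }
    for rel, data in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def scan_sample() -> dict:
    """Build the constructed tree in a temp dir and run both checks on it."""
    root = build_sample_tree(Path(tempfile.mkdtemp(prefix="za_demo_")))
    return {"dirs": find_zeroaccess_dirs(root), "services": services_exe_check(root)}


if __name__ == "__main__":
    import json, sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None   # e.g. /mnt/evidence
    result = ({"dirs": find_zeroaccess_dirs(target), "services": services_exe_check(target)}
              if target else scan_sample())
    print(json.dumps(result, indent=2))
```

Run it with the mount point of the evidence drive as the only argument, or with no argument to scan the constructed sample. The benign Installer folder in the sample is deliberately not reported, and the services.exe result is meant to drive a signature check rather than an immediate replace.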

So I performed the action you just gave me and will attach the requested logs. However, I have had to switch to my girlfriend's laptop to use the forums, as not a single program on my computer but Explorer will open now, as

"Illegal operation attempted on a registry key that has been marked for deletion."

which is interesting.

Here are the ComboFix log and the fixlog from FRST.

"Illegal operation attempted on a registry key that has been marked for deletion."

No problem

Open notepad and copy/paste the text present inside the code box below:

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

RegNull::
[HKEY_USERS\S-1-5-21-309087443-1577245462-1764918168-1006\Software\SecuROM\License information*]
"datasecu"=hex:1c,ce,ca,9f,c8,1e,50,b7,d6,b8,d7,ba,85,aa,0e,91,51,6c,b0,3b,ec,
   eb,7b,b6,a1,1d,8e,17,33,49,0a,0e,d1,e1,64,3e,75,53,1b,59,00,76,80,60,42,76,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

How is your computer running now?
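The RegLock:: section of the CFScript above is ComboFix's own listing of registry keys it found locked with explicit ACL entries, one block per key, with "@Denied:"/"@Allowed:" lines followed by the key's values and a lone "." separating blocks. As an added example (not from the thread or from ComboFix), this Python parser turns that text into records so the keys denying a given principal can be listed in one go; the thread does not explain the letters and digits inside the first parentheses, so they are kept verbatim as a "rights" string rather than interpreted. The sample input is an excerpt of the script above, shortened to its keys and ACL lines.

```python
"""Parse the RegLock:: section of a ComboFix script/log into structured records."""
import re

ACE_RE = re.compile(r"^@(Denied|Allowed):\s*\(([^)]*)\)\s*\(([^)]*)\)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")

# Excerpt copied from the CFScript above (keys and ACL lines only); the
# RegNull:: block is included to show that parsing stops at the next section.
SAMPLE_REGLOCK = """\
RegLock::
[HKEY_LOCAL_MACHINE\\software\\Classes\\Wow6432Node\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\\software\\Classes\\Wow6432Node\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0000\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Control\\PCW\\Security]
@Denied: (Full) (Everyone)

RegNull::
[HKEY_USERS\\S-1-5-21-309087443-1577245462-1764918168-1006\\Software\\SecuROM\\License information*]
"""


def parse_reglock(text: str) -> list:
    """One record per key in the RegLock:: section: key path, the ACL entries
    ComboFix printed for it, and the remaining value lines. Other sections
    (RegNull::, etc.) are skipped."""
    records, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):            # section header such as RegLock::
            in_section = line == "RegLock::"
            current = None
            continue
        if not in_section or line in ("", "."):
            continue
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(1), "aces": [], "values": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = ACE_RE.match(line)
        if m:
            current["aces"].append({"kind": m.group(1), "rights": m.group(2),
                                    "principal": m.group(3)})
        else:
            current["values"].append(line)   # e.g. @="FlashBroker"
    return records


def keys_denying(records: list, principal: str = "Everyone") -> list:
    """Keys that carry at least one Denied entry for the given principal."""
    return [r["key"] for r in records
            if any(a["kind"] == "Denied" and a["principal"] == principal
                   for a in r["aces"])]


if __name__ == "__main__":
    recs = parse_reglock(SAMPLE_REGLOCK)
    for key in keys_denying(recs):
        print("Everyone denied on:", key)
```

Locked keys are not proof of anything by themselves; some installers protect their own COM registrations this way, which is why the script above restores access and lets ComboFix handle the keys rather than deleting them outright. The parser just makes the list reviewable.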

So we have this slight issue that NO program will open, including ComboFix, other than Explorer, in which I have to navigate via clicking Computer rather than Explorer, which doesn't work due to the same error.
I tried creating the Notepad file on here (my girlfriend's computer) and when it wouldn't just drag on, we tried putting a fresh version of ComboFix on the USB and putting that on the infected computer's desktop, but when that had the script dragged onto it, it still wouldn't work.

So I am in the situation of not actually being able to run any programs.
Any suggestions to get me into a situation where I can?

Just restart your PC and the same error will be gone. Then, follow the guide for CFScript to finish cleaning the PC.

Hello again!
I restarted my computer. Everything worked fine again, I dragged on the script, and that ran fine. Restarted. Restarted again to access my programs. Reactivated my Avast, and so far no problems.

I think you may have cracked it!
I shall of course report back with any further problems.

Thank you so much!

It is necessary to uninstall the ComboFix :

[*] Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait until the uninstall process is complete.

Run OTL and hit the cleanup button.

Cheers.