Avast Detects Win32:Malware-gen in Every Scan

Hey guys,

Avast is detecting files that are infected with “Win32:Malware-gen” in every full system scan I perform. I currently have 5 files that were moved to the Virus Chest. They are:

  1. A0178454.exe
  2. A0178461.EXE
  3. AVManagerUnified.dll
  4. HPZipm12.exe
  5. HPZIPM12.EXE

and are found in each of the following locations respectively:

  1. C:\System Volume Information\_restore{D23C07B9-BFC1-4BB3-B5DC-ECE3174F16B6}\RP765
  2. C:\System Volume Information\_restore{D23C07B9-BFC1-4BB3-B5DC-ECE3174F16B6}\RP765
  3. C:\Program Files\Common Files\Pure Networks Shared\Platform
  4. C:\WINDOWS\system32
  5. C:\WINDOWS\system32\spool\drivers\w32x86\3

#3 was actually detected and moved to the virus chest while I was not at my computer yesterday, so I didn’t know about it until I rebooted my computer today, and Avast detected #4 immediately after the reboot. #1 and #5 were detected during a full system scan with Avast, while #2 was detected in a second full system scan.

I have also scanned with OTL and have attached the logs.

Any help will be greatly appreciated! Thanks!

Have you tried scanning with Malwarebytes?

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run Update before you scan so you have the latest database.
Click the Remove Selected button to quarantine anything found.
You may post the scan log here.

Hello,
Try to rescan those files. IIRC “HPZipm12.exe” and “AVManagerUnified.dll” were false positives and have been fixed now. The other file names look like they come from System Restore.

Milos

Hi,

I have scanned my computer with MBAM, and found 3 infected files.
Here is the log:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4770

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

Oct 7, 2010 13:32:02
mbam-log-2010-10-07 (13-32-02).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 295151
Time elapsed: 1 hour(s), 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) → Bad: (0) Good: (1) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Master\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe (Trojan.Agent) → Quarantined and deleted successfully.

It says that these 3 files have been deleted, but what if they were important files (especially the one in the registry)? Should I be concerned?

Thanks!

If they were important files, you can restore them with MBAM. It quarantines everything it removes.

They don’t look like they were good files though.

Is there anything else I should be doing? How can I tell if I am still infected or not? I am currently scanning with MBAM again, but no infections so far.

Also, what should I do with the 3 files quarantined by MBAM, and the 5 files in the Avast Virus Chest (from reading other posts, the HPZipm12.exe file seems to be a false positive, and is used for my HP printer, but I seem to have two of those files in different locations…)? Permanently delete them…?

Thanks!

If your computer is running normally, and nothing is found by Avast or MBAM, then I’d say you’re pretty good.

As for the two files, don’t permanently delete them until you absolutely know that you don’t need them.

Just leave them in quarantine until you are comfortable with removing them.

Files in the quarantine can do no harm.

Your logs looked clean. I believe the two HP files are false positives; as for the System Restore detections, just reset your restore points, or I can do it for you.

Run OTL

  1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

     :Commands
     [resethosts]
     [purity]
     [emptytemp]
     [EMPTYFLASH]
     [CLEARALLRESTOREPOINTS]
     [Reboot]

  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, and reboot the PC when it is done.
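A triage check for the suspected false positives, added here as an example and not something posted in the thread. The paths are the ones listed in the first post; the script assumes PowerShell 4 or later (for Get-FileHash), so it is what you would run on a current Windows box rather than on the Windows XP machine in the thread. It checks whether each restored file carries a valid Authenticode signature and whether the two same-named HPZipm12.exe copies are byte-identical.

```powershell
# Added example (not from the thread): triage files Avast flagged as Win32:Malware-gen.
# Assumptions: PowerShell 4+ (Get-FileHash); the files have already been restored
# from the Virus Chest to the paths named in the first post.
$paths = @(
    'C:\WINDOWS\system32\HPZipm12.exe',
    'C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE',
    'C:\Program Files\Common Files\Pure Networks Shared\Platform\AVManagerUnified.dll'
)

$hashes = @{}
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "$p : missing (still in the Virus Chest, or never restored)"
        continue
    }
    # Authenticode: Valid = signed by a chain Windows trusts; NotSigned = no signature;
    # HashMismatch = signed but the file was modified after signing (treat as hostile).
    $sig    = Get-AuthenticodeSignature -FilePath $p
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $hashes[$p] = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    Write-Output ("{0}`n  status: {1}`n  signer: {2}`n  sha256: {3}" -f $p, $sig.Status, $signer, $hashes[$p])
}

# Same file name in two places: the printer installer stages one copy in system32 and
# one in the spooler driver directory. Identical hashes mean it is one file twice;
# differing hashes mean one of them is not what the installer put there.
if ($hashes.ContainsKey($paths[0]) -and $hashes.ContainsKey($paths[1])) {
    if ($hashes[$paths[0]] -eq $hashes[$paths[1]]) {
        Write-Output 'HPZipm12.exe copies are identical'
    } else {
        Write-Output 'HPZipm12.exe copies DIFFER: examine both before trusting either'
    }
}
```

A valid signature from the vendor you expect (HP for the print monitor, Pure Networks for the DLL) is good evidence for a false positive. An unsigned file is not evidence of malware on its own, since many older drivers shipped unsigned; in that case the SHA-256 is what you submit to the vendor or a multi-engine scanner. The restore-point copies under System Volume Information cannot be inspected this way by an ordinary user, because that folder is readable only by SYSTEM; clearing the restore points simply discards them.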

Hi,

I ran the OTL fix to delete my system restore points. I also noticed a new folder in my C:\ directory after running the fix. There are two files in the folder: a log file, and a file called “hosts”, which doesn’t seem to have a file extension. This file is located in:

C:\_OTL\MovedFiles\10072010_221347\C_WINDOWS\System32\drivers\etc\

Is it fine to delete the entire C:\_OTL folder?

I have also restored the two HP files, along with AVManagerUnified.dll from the Avast Virus Chest. I also deleted the other two files from the Virus Chest, so my Virus Chest is empty now.

I rescanned using Avast and then MBAM, with no detections.

I still have the three infections quarantined in MBAM, and I want to delete them permanently. Two of them are registry files though, so I’m not too sure I want to delete those. I don’t like keeping things in quarantine; I’d rather just restore them if they’re safe, or delete them, so would deleting these three files be a bad idea?

Thanks!

Yes, you can delete the MBAM quarantine files. I will remove all the OTL stuff.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… the following will implement some cleanup procedures:

Run OTL and hit the Cleanup button. It will remove all the programmes we have used, plus itself. MBAM can be uninstalled via Control Panel > Add/Remove Programs, along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that setting.

  1. Click Start.
  2. Open My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View tab.
  5. Under the Hidden files and folders heading, select Do not show hidden files and folders.
  6. Click Yes to confirm.
  7. Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

SpywareBlaster, to help prevent spyware from installing in the first place.

Malwarebytes. Run it weekly to keep your system clean.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date, visit Microsoft Windows Update.

To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?
Keep safe :wave:
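A scripted version of the hidden-files check, added here as an example and not part of the thread. It covers two things the thread touches: the MBAM line `Hijack.System.Hidden` (the machine-wide SHOWALL\CheckedValue that malware sets to 0 so the "Show hidden files and folders" radio button silently refuses to stick, with 1 as the good value), and the per-user Explorer setting that the Folder Options steps above put back to "Do not show hidden files". The value meanings (CheckedValue 1 = good; per-user Hidden 1 = show, 2 = do not show) are standard Explorer semantics; running it needs an elevated prompt because the first key is under HKLM.

```powershell
# Added example (not from the thread): verify and repair the Explorer hidden-files
# registry settings. Run elevated; HKLM writes fail otherwise.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$userAdv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# 1. Machine-wide: CheckedValue must be 1. MBAM reported this as "Bad: (0) Good: (1)".
#    With 0, choosing "Show hidden files and folders" in Folder Options never takes effect.
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1) {
    Write-Output "SHOWALL\CheckedValue is '$checked' (expected 1): repairing"
    Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord
} else {
    Write-Output 'SHOWALL\CheckedValue = 1 (OK)'
}

# 2. Per-user view setting: 1 = show hidden files, 2 = do not show them.
#    The cleanup steps in the thread leave this at 2; change $wantHidden to 1 if you
#    prefer to keep hidden files visible.
$wantHidden = 2
$hidden = (Get-ItemProperty -Path $userAdv -Name Hidden -ErrorAction SilentlyContinue).Hidden
if ($hidden -ne $wantHidden) {
    Write-Output "Explorer\Advanced\Hidden is '$hidden': setting to $wantHidden"
    Set-ItemProperty -Path $userAdv -Name Hidden -Value $wantHidden -Type DWord
} else {
    Write-Output "Explorer\Advanced\Hidden = $hidden (OK)"
}

# Explorer reads these values when a window opens, so existing windows keep the old view
# until they are refreshed or reopened.
```

The first check is the one worth keeping after a cleanup: MBAM fixing CheckedValue once does not stop a still-running infection from setting it back to 0, so a value that drifts back to 0 on a later run is a sign something is still active, not a false positive.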