Avast showing Win32:Malware-gen infection, not able to delete it

I have been using Avast Free for the last four years (with mixed emotions) and recently switched to Avast 5 Free. While downloading and installing an app, Avast went crazy and gave alarms about Win32:Malware-gen (quite sad, because while downloading and prior to installing that app I had repeatedly scanned it with Avast, but nothing was flagged as malware at that time; the trouble started after installation of that downloaded app). As Avast was unable to delete the infection (file being offline or read-only, as reported by Avast), I did a reinstall of the C drive, but the trouble persists. Dependable utilities I have been using for years (CCleaner, uTorrent, Malwarebytes etc.) are being flagged as troublesome, and it is annoying, to say the least.

Repeated uninstalls and reinstalls of Avast 5 have not resolved the issue, and as a last resort I wanted to scan the PC in Safe Mode, but sadly Avast cannot scan in Safe Mode; the error message is: UNABLE TO START SCAN. THERE ARE NO MORE ENDPOINTS AVAILABLE FROM THE ENDPOINT MAPPER.

While right-click scanning the C drive, Avast shows signs of Win32:Malware-gen but is not able to delete these or move them to the Chest. The same is the case with the boot-time scan.

So you can imagine I am feeling helpless and irritated, doubting whether these are false alarms (the PC is working reasonably OK, no slowdowns or crashes), because at the start of any app Avast starts flagging these as malware but is unable to do anything about the infection. Million-dollar question: what is the point in keeping on using Avast if it cannot protect from malware, or delete it if detected?

Any suggestions as to how to resolve this issue are most welcome and appreciated.

q2na

No security program has 100% detection or removal; that is why you should have more than one (but only one antivirus).

Check your computer for malware with:

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
After install, click UPDATE and run a Quick Scan; click on REMOVE SELECTED to quarantine anything found.

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found, come back and post the scan logs here.

What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?

Why can't avast delete it, e.g. what error is given?
Deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, send the virus to the Chest and investigate.

  • If you have Win2k, XP, Vista or Win7 (all 32-bit), you could enable a boot-time scan. From the avast UI: Scan Computer, Boot-time Scan, Schedule Now button, and reboot.

Look in the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file; open it in Notepad for info on the scan, detections, etc.

Thanks for your quick reply.

I had done a complete and full scan with Malwarebytes (Avast flagged it too) prior to posting this problem in this forum. Whatever was pointed out by the Malwarebytes scan results, I got deleted with Malwarebytes and restarted the PC, but sadly the problem still persists; that is one reason for feeling helpless and frustrated.

I have the portable version of SUPERAntiSpyware and can do a scan with that also.

Any suggestions are still most welcome (can these be false alarms?).

q2na

Could you post the MBAM log please and then

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

Thanks for your reply.

The scan reports (Avast 5 Free):

03/04/2010 07:44
Scan of C:

Scan of C:\*

File C:\WINDOWS\system32\ole32.dll is infected by Win32:Malware-gen
  Delete: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.} (5 attempts)
  Move to chest: Error 0xC0000121 {An attempt has been made to remove a file or directory that cannot be deleted.} (2 attempts)
  Repair: Error 42060 {The file was not repaired.} (2 attempts)
Number of searched folders: 939
Number of tested files: 54344
Number of infected files: 1

Another scan done with Avast 5 Free:

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Thursday, March 04, 2010 7:33:58 AM

3/4/2010 7:34:12 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 7:43:15 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
*

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Thursday, March 04, 2010 7:57:10 AM

3/4/2010 7:57:32 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
3/4/2010 7:57:32 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 8:00:29 AM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\U7RGV9WY\f[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
3/4/2010 8:00:30 AM C:\DOCUME~1\Daksh\LOCALS~1\Temp\yyyyy [L] Win32:Malware-gen (0)
File was successfully moved to chest…
3/4/2010 8:18:12 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 8:21:06 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 3:13:49 PM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 5:48:07 PM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 5:49:22 PM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\U7RGV9WY\f[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
3/4/2010 5:49:24 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\ttttt [L] Win32:Malware-gen (0)
File was successfully moved to chest…
*

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Thursday, March 04, 2010 7:24:07 PM

3/4/2010 7:25:14 PM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 7:27:21 PM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\48Q0UBAF\f[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
3/4/2010 7:27:22 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\yyyyy [L] Win32:Malware-gen (0)
File was successfully moved to chest…
*

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Thursday, March 04, 2010 9:31:58 PM

3/4/2010 9:42:03 PM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\48Q0UBAF\f[1].exe [L] Win32:Malware-gen (0)
File was successfully moved to chest…
3/4/2010 9:42:05 PM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\U7RGV9WY\f[1].exe [L] Win32:Malware-gen (0)
File was successfully moved to chest…
3/4/2010 10:22:18 PM E:\SETUPS DOWNLOADED\Morpheus.Photo.Animation.Suite.v3.11\MorpheusPhotoAnimationSuite-311.exe [L] Win32:CabMod [Drp] (0)
File was successfully moved to chest…
3/4/2010 10:22:31 PM E:\SETUPS DOWNLOADED\Farmatech Radmin 3.4\Radmin Viewer 3.4 Portable.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest…
3/4/2010 10:24:08 PM E:\SETUPS DOWNLOADED\MP3 RESIZER EDITOR-MADE PORTABLE\$TEMP\EULA.exe|>wibb32.exe|>$TEMP\nvvscv.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
File was successfully moved to chest…
3/4/2010 10:24:09 PM E:\SETUPS DOWNLOADED\MP3 RESIZER EDITOR-MADE PORTABLE\$TEMP\EULA.exe|>wibb32.exe|>$TEMP\nvscv.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
3/4/2010 10:27:10 PM E:\System Volume Information\_restore{A12F6E18-3525-4DAA-8A1C-4568EE3DE2D8}\RP1\A0000113.exe [L] Win32:CabMod [Drp] (0)
File was successfully moved to chest…
3/4/2010 10:27:13 PM E:\System Volume Information\_restore{A12F6E18-3525-4DAA-8A1C-4568EE3DE2D8}\RP1\A0000114.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest…
3/4/2010 10:27:14 PM E:\System Volume Information\_restore{A12F6E18-3525-4DAA-8A1C-4568EE3DE2D8}\RP1\A0000115.exe|>wibb32.exe|>$TEMP\nvvscv.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
File was successfully moved to chest…
3/4/2010 10:27:14 PM E:\System Volume Information\_restore{A12F6E18-3525-4DAA-8A1C-4568EE3DE2D8}\RP1\A0000115.exe|>wibb32.exe|>$TEMP\nvscv.exe|>nsis.hdr [L] NSIS:Downloader-T [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
3/4/2010 10:27:41 PM E:\TEST DOWNLOADS\MEDIA -Video Splitter-SOLVEIGMM-portable v1.2.705.4\Stubs\5283da368222ccee720a9482cb6c6788524b080\wmplayer.exe [L] Win32:Trojan-gen (0)
File was successfully moved to chest…
3/4/2010 10:36:09 PM E:\TEST DOWNLOADS\AutoRun Typhoon 4.3.0 Portable\patch\autorun.typhoon.pro.4.3.0-patch.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest…
3/4/2010 10:38:07 PM E:\USEFUL CRUCIAL UTILITIES FOLDER\FOXIT READER-UTILITY SUITE\Infix PDF Editor 4.0.4 Portable.exe [L] Win32:Agent-AJGY [Trj] (0)
File was successfully moved to chest…
3/4/2010 10:52:50 PM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
*

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Thursday, March 04, 2010 10:54:15 PM

3/4/2010 10:56:05 PM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/4/2010 10:56:39 PM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\48Q0UBAF\f[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
3/4/2010 10:56:40 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\yyyyy [L] Win32:Malware-gen (0)
File was successfully moved to chest…

Continued in the next post.
*

Continued from the previous post.

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Thursday, March 04, 2010 7:24:07 PM

3/4/2010 7:33:42 PM http://www.ebookslib.org/the-global-money-markets.html [L] JS:Small-C [Trj] (0)
3/4/2010 7:33:45 PM http://www.ebookslib.org/favicon.ico [L] JS:Small-C [Trj] (0)
3/4/2010 7:34:01 PM http://www.ebookslib.org/the-global-money-markets.html [L] JS:Small-C [Trj] (0)
3/4/2010 7:34:05 PM http://www.ebookslib.org/favicon.ico [L] JS:Small-C [Trj] (0)
3/4/2010 7:34:32 PM http://www.ebookslib.org/cellular-mobile-radio-systems-designing-systems-for-capacity-optimization.html [L] JS:Small-C [Trj] (0)
3/4/2010 7:34:34 PM http://www.ebookslib.org/favicon.ico [L] JS:Small-C [Trj] (0)
*


Thanks for your replies. I want to get to the bottom of it before I think of uninstalling Avast.
*

Strangely, why is Avast 5 Free not able to scan in Safe Mode? The error it shows in the Safe Mode scan is:

UNABLE TO START SCAN THERE ARE NO MORE END POINTS AVAILABLE FROM THE END POINT MAPPER

Any idea what that means?

Thanks once again.

Q2na
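The reports above are easier to read once they are grouped by file and by what avast actually managed to do about each detection: a file that is flagged a dozen times and never changes stands out from the one-off detections of downloaded installers. The script below is an added example (not code from the thread, from Avast or from OTS) that parses Real-time Shield report lines of the format quoted above. The sample lines embedded in it are constructed from that format, and the triage labels are the example's own heuristics, not Avast's categories; the system-file label only says that a hash comparison is needed, it does not decide whether the verdict is a false positive.

```python
"""Group avast! 5 Real-time Shield report lines by file and by outcome."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, modelled on the report lines quoted in the thread.
SAMPLE_REPORT = "\n".join([
    r"3/4/2010 7:34:12 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)",
    r"While moving file to chest, error occurred: The specified file is read only",
    r"During the file delete, error occurred: The specified file is read only",
    r"3/4/2010 8:00:29 AM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\U7RGV9WY\f[1].exe [L] Win32:Malware-gen (0)",
    r"While moving file to chest, error occurred: The process cannot access the file because it is being used by another process",
    r"During the file delete, error occurred: The process cannot access the file because it is being used by another process",
    r"3/4/2010 8:00:30 AM C:\DOCUME~1\Daksh\LOCALS~1\Temp\yyyyy [L] Win32:Malware-gen (0)",
    r"File was successfully moved to chest...",
    r"3/4/2010 8:18:12 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)",
    r"While moving file to chest, error occurred: The specified file is read only",
    r"During the file delete, error occurred: The specified file is read only",
    r"3/4/2010 10:22:18 PM E:\SETUPS DOWNLOADED\Morpheus.Photo.Animation.Suite.v3.11\MorpheusPhotoAnimationSuite-311.exe [L] Win32:CabMod [Drp] (0)",
    r"File was successfully moved to chest...",
    r"3/4/2010 10:36:09 PM E:\TEST DOWNLOADS\AutoRun Typhoon 4.3.0 Portable\patch\autorun.typhoon.pro.4.3.0-patch.exe [L] Win32:Malware-gen (0)",
    r"File was successfully moved to chest...",
])

# "<date> <time> <path> [L] <detection name> (<code>)"
DETECTION = re.compile(
    r"^(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<path>.+?) \[[A-Z]\] (?P<name>.+?) \((?P<code>\d+)\)$"
)
# Lines that follow a detection and report what avast did about it.
OUTCOME_PREFIXES = (
    ("File was successfully moved to chest", "chest_ok"),
    ("While moving file to chest, error occurred: ", "chest_error"),
    ("During the file delete, error occurred: ", "delete_error"),
)


@dataclass
class Detection:
    stamp: str
    path: str
    name: str
    outcomes: list = field(default_factory=list)  # (kind, reason) pairs


@dataclass
class Summary:
    path: str
    name: str
    count: int = 0
    outcomes: Counter = field(default_factory=Counter)
    reasons: set = field(default_factory=set)


def parse_report(text):
    """Detection records, each carrying the outcome lines that followed it."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION.match(line)
        if m:
            events.append(Detection(m["stamp"], m["path"], m["name"]))
            continue
        for prefix, kind in OUTCOME_PREFIXES:
            if line.startswith(prefix) and events:
                events[-1].outcomes.append((kind, line[len(prefix):].rstrip(".")))
                break
    return events


def summarise(events):
    """Group detections by (path, detection name); the path key is case-insensitive."""
    table = {}
    for ev in events:
        s = table.setdefault((ev.path.lower(), ev.name), Summary(ev.path, ev.name))
        s.count += 1
        for kind, reason in ev.outcomes:
            s.outcomes[kind] += 1
            if reason:
                s.reasons.add(reason)
    return table


SYSTEM_DIR = "c:\\windows\\"
TRANSIENT = ("temporary internet files", "\\temp\\")
CRACK_TOKENS = ("keygen", "crack", "patch")


def triage(summary):
    """Heuristic label; the system-file case can only be settled by a hash comparison."""
    p = summary.path.lower()
    if p.startswith(SYSTEM_DIR):
        return "system-file: verify hash against the cached copy before acting"
    if any(t in p for t in TRANSIENT):
        return "transient: temp/cache file, re-created by whatever downloaded it"
    if any(t in p for t in CRACK_TOKENS):
        return "crack/keygen: expected detection, delete the download"
    return "review"


def never_cleaned(table):
    """Paths flagged more than once that avast never moved to the chest or deleted."""
    return sorted(s.path for s in table.values()
                  if s.count > 1 and s.outcomes["chest_ok"] == 0)


if __name__ == "__main__":
    rows = summarise(parse_report(SAMPLE_REPORT))
    for s in sorted(rows.values(), key=lambda r: -r.count):
        print(f"{s.count:3d}x {s.name:22s} {s.path}")
        print(f"      outcomes={dict(s.outcomes)} -> {triage(s)}")
    print("never cleaned:", never_cleaned(rows))
```

Run against the full reports from the thread, the one row with a high count and zero successful actions is ole32.dll with the same read-only reason every time, while the keygen and patch rows each appear once and were moved to the Chest.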

Thanks once again, ESSEXBOY.

Here is the Malwarebytes scan report; apparently everything that was flagged as bad has been quarantined and deleted by Malwarebytes.

Malwarebytes’ Anti-Malware 1.44
Database version: 3824
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/4/2010 10:52:49 PM
mbam-log-2010-03-04 (22-52-49).txt

Scan type: Full Scan (C:|D:|E:|F:|)
Objects scanned: 235366
Time elapsed: 1 hour(s), 10 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\WINDOWS SIMULATOR FOR INSTALLTION-SETUP-\winxp_simulator.exe (Trojan.Logger) → Quarantined and deleted successfully.
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\tcp ip patcher\EvID4226Patch.exe (Malware.Tool) → Quarantined and deleted successfully.
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\REG ERROR REPAIR-SETUP\erpsetup.exe (Rogue.Installer) → Quarantined and deleted successfully.
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\ERROR REPAIR UTILITY-PORTABLE\erpsetup.exe (Rogue.Installer) → Quarantined and deleted successfully.
D:\SOFTWARE FOLDER JUMBO-SETUPS\SETUPS DOWNLOADED\Ebooster 3 build 491 plus patch\patch\eBoostr 3.0 build 491 Patch.exe (Trojan.Agent) → Quarantined and deleted successfully.
E:\NOT IN ACTIVE USE UTILITIES\xp key changer\update_xp_cd_key.exe (Backdoor.IRCbot) → Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\tcp ip patcher\EvID4226Patch.exe (Malware.Tool) → Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\FLV Direct Player-SETUP\FLVDirect.exe (Adware.MediaPass) → Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\PDF UTILITY-Nitro PDF PRO-Setup\keygen\kg_nitro_pdf_professional.exe (Malware.Packer.Gen) → Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\Sandboxie.v3.42.WinAll.Incl.Keygen-CRD\keygen\kg.exe (Trojan.Agent) → Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\exe dll files extractor-PE EXPLORER-SETUP\crack.exe (Trojan.Dropper) → Quarantined and deleted successfully.
E:\TEST DOWNLOADS\WORD PROCESSOR-ATLANTIS-PORTABLE\AtlantisPortable\App\Atlantis\unicows.dll (Malware.Packer.Gen) → Quarantined and deleted successfully.
E:\Z-CRUCIAL SETUPS FOR REINSTALL\FOXIT READER-UTILITY SUITE SETUPS\Foxit Reader Pro 2.3.2008.2825 - Olexijl\patch.exe (Trojan.Bancos) → Quarantined and deleted successfully.

E:\NOT IN ACTIVE USE UTILITIES\xp key changer\update_xp_cd_key.exe (Backdoor.IRCbot) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\tcp ip patcher\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\FLV Direct Player-SETUP\FLVDirect.exe (Adware.MediaPass) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\PDF UTILITY-Nitro PDF PRO-Setup\keygen\kg_nitro_pdf_professional.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\Sandboxie.v3.42.WinAll.Incl.Keygen-CRD\keygen\kg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\SETUPS DOWNLOADED\exe dll files extractor-PE EXPLORER-SETUP\crack.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\TEST DOWNLOADS\WORD PROCESSOR-ATLANTIS-PORTABLE\AtlantisPortable\App\Atlantis\unicows.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
E:\Z-CRUCIAL SETUPS FOR REINSTALL\FOXIT READER-UTILITY SUITE SETUPS\Foxit Reader Pro 2.3.2008.2825 - Olexijl\patch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.

Well, that is where it came from.

If you could run and then post OTS, I will see what remains.

Thanks once again, ESSEXBOY.

Here is the link for the OTS scan report:

http://www.mediafire.com/download.php?wwvyk0wwomh


Thanks for your help.

You have set it to private; could you unlock it and post the sharing link, or attach the OTS log to your post?

Hi ESSEXBOY,

Sorry for messing up the Mediafire link; it is the first time I have uploaded. Anyway, the file is now public for download.

Meanwhile I have done a couple of scans with Avast 5 Free and the report is as follows:

avast! Real-time Shield Scan Report

  • This file is generated automatically
  • Started on: Friday, March 05, 2010 5:33:53 AM

3/5/2010 5:40:45 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
3/5/2010 5:40:48 AM C:\WINDOWS\system32\core.dll [L] Win32:Malware-gen (0)
File was successfully moved to chest…
*

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Friday, March 05, 2010 5:52:23 AM

3/5/2010 5:56:35 AM C:\WINDOWS\SYSTEM32\OLE32.DLL [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only
*

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Friday, March 05, 2010 6:25:55 AM

As you can see, Avast is detecting the infection but is not able to remove it:

C:\WINDOWS\winstart.bat
Error: File is offline; it is currently not available (Error 42006)

C:\WINDOWS\SYS32\ole32.dll
Threat: high, Win32:Malware-gen
The specified file is read only (Error 6009)

I hope this new info helps you to help me in this lousy situation.

The funny thing is I cannot do the scan in Safe Mode. The error message from Avast is:

UNABLE TO START SCAN.THERE ARE NO MORE END POINTS AVAILABLE FROM THE END POINT MAPPER

Any idea what it implies?

I will be waiting for replies from you, David and PONDUS.

Thank you all.

q2na

Avast is not in its default folder, which may be part of the problem.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Processes - Safe List]
YY -> statbar  .exe -> E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "StatBar" -> E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe [E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe]
[Files - No Company Name]
NY ->  winstart.bat -> C:\WINDOWS\winstart.bat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

I can see no indication that ole32.dll has been modified. However, I will search for a spare copy and do a replace

Run OTS

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under the Custom Scan box paste this in

/md5start
OLE32.DLL
/md5stop

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
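The /md5start OLE32.DLL /md5stop custom scan above asks OTS to hash every copy of ole32.dll on the machine, so the live copy in system32 can be compared with the ones Windows keeps aside (system32\dllcache and ServicePackFiles\i386) before anything is replaced. The script below is an added example, not OTS's code, that does the same comparison by hand and also reports which copies carry the read-only attribute avast complains about. It builds a constructed directory tree standing in for C:\WINDOWS in a temporary folder, and the "consensus" it reports is only the hash most copies share, not a known-good value from Microsoft, which still has to be checked separately.

```python
"""Hash every copy of a named DLL under a tree and flag the copies that differ."""
import hashlib
import os
import stat
import tempfile
from collections import Counter


def md5_of(path, chunk=1 << 20):
    """MD5 of a file read in chunks (MD5 only because that is what the OTS scan reports)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_read_only(path):
    """True when the owner write bit is clear; on Windows that is the read-only attribute."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def find_copies(root, filename):
    """Walk root and return {path: (md5, read_only)} for every file named filename."""
    target = filename.lower()
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == target:
                p = os.path.join(dirpath, name)
                found[p] = (md5_of(p), is_read_only(p))
    return found


def compare_copies(copies):
    """(consensus_md5, outliers): the hash most copies share, and the paths without it."""
    if not copies:
        return None, []
    tally = Counter(h for h, _ro in copies.values())
    consensus = tally.most_common(1)[0][0]
    outliers = sorted(p for p, (h, _ro) in copies.items() if h != consensus)
    return consensus, outliers


def audit(root, filename):
    copies = find_copies(root, filename)
    consensus, outliers = compare_copies(copies)
    return {
        "copies": len(copies),
        "consensus": consensus,
        "outliers": outliers,
        "read_only": sorted(p for p, (_h, ro) in copies.items() if ro),
    }


def build_sample_tree(base):
    """Constructed stand-in for C:\\WINDOWS: two pristine cached copies, one altered live copy."""
    good = b"MZ\x90\x00" + b"pristine ole32 image " * 100
    tampered = good[:-4] + b"XXXX"
    layout = {
        ("WINDOWS", "system32", "ole32.dll"): tampered,
        ("WINDOWS", "system32", "dllcache", "ole32.dll"): good,
        ("WINDOWS", "ServicePackFiles", "i386", "ole32.dll"): good,
        ("WINDOWS", "system32", "user32.dll"): good,  # other name, must be ignored
    }
    for parts, data in layout.items():
        full = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # Give the live copy the read-only attribute avast reported on the real machine.
    live = os.path.join(base, "WINDOWS", "system32", "ole32.dll")
    os.chmod(live, stat.S_IREAD)
    return live


def run_demo():
    """Build the sample tree in a temp dir, audit it, return root-relative results."""
    with tempfile.TemporaryDirectory() as tmp:
        live = build_sample_tree(tmp)
        result = audit(tmp, "ole32.dll")
        os.chmod(live, stat.S_IREAD | stat.S_IWRITE)  # let the temp dir be removed
    rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
    result["outliers"] = [rel(p) for p in result["outliers"]]
    result["read_only"] = [rel(p) for p in result["read_only"]]
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real XP machine you would call audit() on the C:\WINDOWS directory; a live copy that hashes the same as the dllcache and ServicePackFiles copies has not been modified, and a read-only flag alone is not evidence of tampering.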

Did you just format C:?
It could be a boot sector virus on your multiple partitions. Deleting the C: and other partitions and recreating new partitions using a DOS Win 98 start-up disk via floppy drive A: is the only cure to get rid of boot sector viruses, or use the XP CD-ROM, delete the partition and do a clean install of XP. Rather drastic though. This is what I do if anyone has widespread virus problems on their PC: to repair large disks I create two partitions, C: and D:, depending on how big the drive is in the first place.

Thanks, ESSEXBOY, for your help extended in this painful episode.

Yesterday, after posting this, I did a scan with Sunbelt VIPRE in Safe Mode (as Avast is not able to scan in Safe Mode, as posted above; quite strange though) and deleted whatever it reported as troublesome. The result was another tragedy: I could no longer boot the PC, the error being that OLE32.dll cannot be located (another nightmarish situation), so I did a repair install of Windows XP and again reinstalled Avast 5 Free, did a boot-time scan with it, and again it detects the infection but cannot quarantine or delete it, with the error message:

While moving file to chest, error occurred: The specified file is read only
During the file delete, error occurred: The specified file is read only

After the PC boots, as soon as I start any app Avast starts going nuts with notifications about infection with Win32:Malware-gen.

I might mention here that except for these notifications from Avast, the system seems to be working okay; I mean there are no unusual processes in Task Manager, no slowdown or crashes etc. So could this whole scenario be a case of false positives? I have already submitted a false positive report (after starting uTorrent, CCleaner, Task Manager etc.) to Avast and hopefully something may come out of this.

Anyway, I have run the script fix with OTS and rebooted the PC about 5 minutes ago. The app STATBAR (quite useful; I have been using it for the last 3-4 years without any issues) no longer starts. So do you want me to stop it from starting with Windows, or not use it at all? Personally I like using it and it has been very helpful.

And against all hopes, Avast is still going nuts as soon as I start uTorrent, so the issue still remains…
The OTS scan report is being posted in the next post.

Till then, thanks once again.

q2na

That was infected. I don't know if you noticed, but there was a space between STATBAR and .exe; that was an old Renv/Vundo infection.

If you run OTS I will see if there is a spare copy that I can replace it with; see the bottom of post 13.

Or we can use a bigger hammer

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
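The StatBar entry that the OTS fix removed points at "statbar  .exe", two spaces before the extension, which is a different file from the real statbar.exe and looks legitimate at a glance in a Run key. The following is an added example, not code from the thread or from OTS, that applies that check to a constructed list of Run-key values (nothing is read from the registry). The short list of Windows system binary names and the anomaly labels are the example's own assumptions.

```python
"""Flag autostart entries whose program name hides whitespace before the extension."""
import ntpath
import re

# Constructed sample of (value name, command) pairs as found under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = [
    ("StatBar", r"E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar  .exe"),
    ("avast5", r'"C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("uTorrent", r'"C:\Program Files\uTorrent\uTorrent.exe"  /MINIMIZED'),
    ("Updater", r"C:\WINDOWS\svchost .exe"),
]

# Unquoted command: everything up to the first executable extension that ends a token.
PROGRAM = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=\s|$)", re.IGNORECASE)
# Assumed, deliberately short list of core Windows binaries that malware borrows names from.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss"}
SYSTEM_DIR = r"c:\windows\system32"


def executable_of(command):
    """Program path from a Run-key command: the quoted part, else up to the first extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = PROGRAM.match(command)
    return m.group(1) if m else command


def name_anomalies(command):
    """Reasons the program name looks odd; an empty list means nothing unusual was found."""
    exe = executable_of(command)
    base = ntpath.basename(exe)
    stem, _dot, _ext = base.rpartition(".")
    reasons = []
    if stem != stem.rstrip():
        reasons.append("whitespace before extension")
    if "  " in base:
        reasons.append("double space in name")
    if stem.strip().lower() in SYSTEM_NAMES and ntpath.dirname(exe).lower() != SYSTEM_DIR:
        reasons.append("system-binary name outside system32")
    return reasons


def audit_run_values(values):
    """{value name: reasons} for every entry with at least one anomaly."""
    flagged = {}
    for name, command in values:
        reasons = name_anomalies(command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {', '.join(reasons)}")
```

The double space in the uTorrent command sits between the quoted path and its switch, so it is not flagged; only whitespace inside the program name itself counts.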

Thanks, ESSEXBOY, for your help and patience. I am not all that bright with computers, so you might have to bear with me, please.

Here is the text file after the fix script:

All Processes Killed
[Processes - Safe List]
No active process named statbar .exe was found!
E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar .exe moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StatBar deleted successfully.
File E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar .exe not found.
[Files - No Company Name]
C:\WINDOWS\winstart.bat moved successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Daksh
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2525625 bytes
->Flash cache emptied: 405 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6428142 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 25221561 bytes

Total Files Cleaned = 33.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.25.0 fix logfile created on 03062010_001154

Files\Folders moved on Reboot…
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot…

Due to some confusion I guess (nervousness), I ran the script fix again, and after the reboot the text file has the following report:

All Processes Killed
[Processes - Safe List]
No active process named statbar .exe was found!
E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar .exe moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-1078081533-1682526488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StatBar deleted successfully.
File E:\USEFUL CRUCIAL UTILITIES FOLDER\statbar .exe not found.
[Files - No Company Name]
C:\WINDOWS\winstart.bat moved successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Daksh
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2525625 bytes
->Flash cache emptied: 405 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6428142 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 25221561 bytes

Total Files Cleaned = 33.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.25.0 fix logfile created on 03062010_001154

Files\Folders moved on Reboot…
File\Folder C:\WINDOWS\temp_avast5_\Webshlock.txt not found!

Registry entries deleted on Reboot…

Also on the C drive there is a folder _OTS with two subfolders named C_WINDOWS (empty folder) and E_USEFUL CRUCIAL UTILITIES FOLDER (contains the moved STATBAR app file).

Meanwhile I will do the next OTS scan and then the ComboFix one. As I said, I want to get to the bottom of it before I give up on Avast. I have been using it for the last 4 years and have been recommending it to a lot of people here, so it is kind of hard to admit that it is giving troubles…
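
The fix log above is easier to check against the fix script once it is reduced to what OTS actually did versus what it reported as already gone. The script below is an added example for this thread, not code from the thread, from OTS or from avast; the function names are the example's own, and SAMPLE_LOG is constructed from the lines posted above so it runs offline rather than being a fresh log from the machine in question.

```python
"""Summarise an OTS (OldTimer's) fix log like the one posted above.

Added example for this thread; not code from the thread, from OTS or from
avast.  parse_ots_fix_log() and unresolved() are this example's own names.
SAMPLE_LOG is constructed from the lines posted above so the script runs
offline; it is not a fresh log from the machine being discussed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
All Processes Killed
[Processes - Safe List]
No active process named statbar .exe was found!
E:\\USEFUL CRUCIAL UTILITIES FOLDER\\statbar .exe moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\\S-1-5-21-1078081533-1682526488-839522115-1003\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\StatBar deleted successfully.
File E:\\USEFUL CRUCIAL UTILITIES FOLDER\\statbar .exe not found.
[Files - No Company Name]
C:\\WINDOWS\\winstart.bat moved successfully.
[Empty Temp Folders]

User: Daksh
->Temp folder emptied: 32768 bytes
->FireFox cache emptied: 2525625 bytes

%systemroot% .tmp files removed: 6428142 bytes
RecycleBin emptied: 25221561 bytes

Total Files Cleaned = 33.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.25.0 fix logfile created on 03062010_001154

Files\\Folders moved on Reboot...
File\\Folder C:\\WINDOWS\\temp_avast5_\\Webshlock.txt not found!
"""

# One pattern per kind of line OTS writes; anything else (section headers,
# the version banner, "All Processes Killed") is ignored.
USER_RE = re.compile(r"^User: (?P<user>.+)$")
NO_PROC_RE = re.compile(r"^No active process named (?P<name>.+?) was found!$")
MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^(?:File|File\\Folder) (?P<path>.+?) not found[.!]$")
REG_DELETED_RE = re.compile(r"^Registry value (?P<key>.+?) deleted successfully\.$")
FREED_RE = re.compile(r"^(?:->)?(?P<what>.+?) (?:emptied|removed): (?P<nbytes>\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>[\d.]+) mb$")


def parse_ots_fix_log(text):
    """Return a dict summarising what the fix actually did."""
    summary = {
        "moved": [],                  # quarantined under C:\_OTS\<drive>_<path>
        "not_found": [],              # targets OTS could not act on
        "registry_deleted": [],       # autorun values removed
        "processes_not_running": [],  # processes the script wanted to kill
        "bytes_freed": defaultdict(int),  # keyed by user, or "(global)"
        "total_mb": None,
    }
    current_user = "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := USER_RE.match(line):
            current_user = m["user"]
        elif m := NO_PROC_RE.match(line):
            summary["processes_not_running"].append(m["name"])
        elif m := MOVED_RE.match(line):
            summary["moved"].append(m["path"])
        elif m := NOT_FOUND_RE.match(line):
            summary["not_found"].append(m["path"])
        elif m := REG_DELETED_RE.match(line):
            summary["registry_deleted"].append(m["key"])
        elif m := FREED_RE.match(line):
            # "->" lines belong to the current "User:" block; bare lines are global
            bucket = current_user if line.startswith("->") else "(global)"
            summary["bytes_freed"][bucket] += int(m["nbytes"])
        elif m := TOTAL_RE.match(line):
            summary["total_mb"] = float(m["mb"])
    return summary


def unresolved(summary):
    """Paths reported 'not found' that OTS never moved either.

    A 'not found' right after a 'moved successfully' for the same path is
    normal: the registry pass re-checks a file the process pass has already
    quarantined.  A 'not found' with no matching move means the target named
    in the fix script was already gone, or never existed.
    """
    moved = {p.lower() for p in summary["moved"]}
    return [p for p in summary["not_found"] if p.lower() not in moved]


if __name__ == "__main__":
    s = parse_ots_fix_log(SAMPLE_LOG)
    for key in ("moved", "registry_deleted", "processes_not_running"):
        print(f"{key}: {s[key]}")
    print("bytes freed:", dict(s["bytes_freed"]))
    print("unresolved:", unresolved(s))
```

Run against the real OTS.txt instead of SAMPLE_LOG, the "unresolved" list is the part worth reading: for the log above it contains only the avast Webshlock.txt temp file, while statbar .exe was moved and its HKEY_USERS Run value deleted, so the "not found" for statbar .exe is the expected re-check rather than a failure.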

No problem ;D

Here it comes, essexboy: the ComboFix report. I will post it in two or three posts if it seems very big.

part-1

ComboFix 10-03-04.06 - Daksh 03/06/2010 1:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.317 [GMT 5.5:30]
Running from: c:\documents and settings\Daksh\Desktop\ComboFix.exe
AV: avast! Antivirus On-access scanning disabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ole32.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-05 18:41 . 2010-03-05 18:41 -------- d-----w- C:\_OTS
2010-03-05 16:15 . 2010-01-07 10:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 16:15 . 2010-01-07 10:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 14:02 . 2010-03-05 15:08 -------- d-----w- c:\program files\Panda Security
2010-03-05 13:28 . 2010-03-05 13:28 -------- d-----w- c:\documents and settings\Daksh\DoctorWeb
2010-03-05 11:27 . 2010-03-05 11:27 32256 ----a-w- c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\400000b00002i\Ras.exe
2010-03-05 11:27 . 2010-03-05 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Rising
2010-03-05 11:27 . 2009-04-16 20:43 629360 ----a-w- c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Rsaupd.exe
2010-03-05 11:27 . 2010-03-05 11:27 518808 ------w- c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%ProgramFilesDir%\Rising\AntiSpyware\Ntlib.dll
2010-03-05 11:27 . 2010-03-05 11:25 637592 ----a-w- c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\%SystemSystem%\kmon.dll
2010-03-05 11:24 . 2010-03-05 11:24 32256 ----a-w- c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000009c00002i\Rsaupd.exe
2010-03-05 11:23 . 2010-03-05 11:23 32256 ----a-w- c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000007200002i\knownsvr.exe
2010-03-05 11:23 . 2010-03-05 11:23 32256 ----a-w- c:\documents and settings\Daksh\Application Data\Thinstall\Rising PC Doctor\4000008000002i\Splash Screen.exe
2010-03-05 01:58 . 2010-03-05 01:58 -------- d-----w- c:\documents and settings\Daksh\Local Settings\Application Data\Runscanner.net
2010-03-05 01:53 . 2010-03-05 01:53 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-05 00:03 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-05 00:03 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-05 00:03 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-05 00:03 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-05 00:03 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-05 00:03 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-05 00:03 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-05 00:03 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-05 00:03 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-04 23:25 . 2004-08-03 17:31 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-03-04 23:24 . 2001-08-23 11:30 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-03-04 23:23 . 2004-05-12 19:09 598071 -c--a-w- c:\windows\system32\dllcache\fpmmc.dll
2010-03-04 23:17 . 2004-08-03 17:01 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-03-04 23:15 . 2001-08-23 11:30 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-03-04 23:15 . 2001-08-23 11:30 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-03-04 23:15 . 2001-08-23 11:30 13312 ----a-w- c:\windows\system32\irclass.dll
2010-03-04 20:50 . 2010-03-04 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-04 16:07 . 2010-03-04 16:07 -------- d-----w- c:\documents and settings\Daksh\Application Data\Malwarebytes
2010-03-04 16:07 . 2010-03-04 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 14:20 . 2010-03-04 14:20 -------- d-----w- c:\documents and settings\Daksh\Application Data\FILEminimizerPictures
2010-03-04 14:19 . 2010-03-04 14:20 -------- d-----w- c:\documents and settings\Daksh\Application Data\FILEminimizer
2010-03-02 12:46 . 2010-03-02 12:46 -------- d--h--w- c:\windows\PIF
2010-03-02 06:24 . 2010-03-02 06:24 -------- d-----w- c:\windows\Sun
2010-02-27 06:37 . 2010-02-27 06:37 -------- d-----w- c:\program files\NCH Swift Sound
2010-02-26 20:09 . 2010-02-26 20:16 -------- d-----w- c:\documents and settings\Daksh\Application Data\FreeFixer
2010-02-26 20:09 . 2010-02-26 20:09 -------- d-----w- c:\documents and settings\Daksh\Local Settings\Application Data\FreeFixer
2010-02-26 18:41 . 2010-02-26 18:41 -------- d-----w- c:\program files\FoxPlayer
2010-02-26 15:27 . 2010-02-26 15:27 -------- d-----w- c:\documents and settings\Daksh\Application Data\PolyEdit Lite
2010-02-26 14:57 . 2010-02-26 14:57 -------- d-----w- c:\documents and settings\Daksh\Application Data\SAIG
2010-02-26 14:41 . 2010-02-26 14:41 -------- d-----w- c:\documents and settings\Daksh\Application Data\Apago
2010-02-25 06:01 . 2010-02-25 06:01 -------- d-----r- C:\Sandbox
2010-02-24 19:38 . 2010-02-24 19:38 -------- d--h--r- c:\documents and settings\Daksh\Application Data\JAM Software
2010-02-24 11:52 . 2010-02-24 11:52 -------- d-----w- c:\documents and settings\Daksh\Local Settings\Application Data\Identities
2010-02-24 08:17 . 2008-01-01 01:30 78848 ----a-w- c:\windows\system32\VISCDRTL.DLL
2010-02-24 08:17 . 2008-01-01 01:30 152064 ----a-w- c:\windows\system32\VISCDUNR.DLL
2010-02-24 08:17 . 2008-01-01 01:30 143360 ----a-w- c:\windows\system32\VISCDUNZ.DLL
2010-02-23 19:57 . 2010-02-23 19:57 0 ----a-w- c:\windows\nsreg.dat
2010-02-23 19:56 . 2010-02-23 19:56 -------- d-----w- c:\documents and settings\Daksh\Local Settings\Application Data\Mozilla
2010-02-23 19:33 . 2010-03-05 11:23 -------- d-----w- c:\documents and settings\Daksh\Application Data\Thinstall
2010-02-23 19:33 . 2010-02-23 19:33 -------- d-----w- c:\documents and settings\Daksh\Local Settings\Application Data\Thinstall
2010-02-23 18:15 . 2010-02-23 18:15 -------- d–h–w- c:\windows\system32\GroupPolicy