Can't get rid of Win32:Malware-gen Avast alerts

Hi,

I keep getting Avast alerts on Win32:Malware-gen on file C:\DOCUME~1\6425~1\LOCALS~1\Temp~temp\mlp75\mdm.exe
I move it to chest but it comes back.
Sometimes it also complains about the file smss.exe.

I've run an Avast boot-time scan but it found nothing.

I'm attaching the MBAM and HijackThis logs.

Any help would be much appreciated.

Thanks!

In your HJT log, the only ones (besides the Google entries... which SHOULD be safe... I still don't like them though) I see are these.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O15 - Trusted Zone: .ordernet.co.il
O15 - Trusted Zone: http://.ordernet.co.il

I'm pretty sure the O2 entry can and should be removed safely. Though I recommend waiting for others' input just in case. That and I may have missed a few =)

Also, this one is kind of strange: C:\WINDOWS\system32\nvsvc32.exe. Usually it's for Nvidia drivers, but look at this:

Note: Any malware can be named anything, so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk of a virus, spyware, trojan or worm infection! Check it out!

From Here

And,

C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE

You have two... I see some differences...

Anyway, I'm just pointing some stuff out. DON'T take action just yet on the ones I pointed out, as I may be very wrong. Wait for some more responses.

P.S. The location of this one raised my suspicion too. F3 - REG:win.ini: load=C:\DOCUME~1\6425~1\LOCALS~1\APPLIC~1\MICROS~1\rsvp.exe
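
One way to apply the rule quoted above (check where each running process's image actually lives) on the affected machine, as an added example that is not part of this thread: a PowerShell snippet that flags processes running from Temp/profile folders (where the mdm.exe and the suspect smss.exe above sit), processes under C:\Windows that are not Microsoft-signed, and one process name running from more than one directory (like the two notepad.exe entries). The folder pattern used for "temporary/profile" locations is my assumption.

```powershell
# Added example, not from the thread: triage running processes by image location.
# Flags: (1) images under Temp/Local Settings/AppData, (2) images under %SystemRoot%
# that are not Microsoft-signed, (3) one process name running from several directories.
# Run from an elevated PowerShell prompt so every process path can be read.

$windir = $env:SystemRoot
$tempPattern = '\\Temp\\|\\Local Settings\\|\\AppData\\Local\\'   # assumed pattern

$procs = Get-Process | Where-Object { $_.Path }   # skip processes whose path is hidden

$findings = foreach ($p in $procs) {
    $reason = $null
    if ($p.Path -match $tempPattern) {
        $reason = 'runs from a temp/profile folder'
    }
    elseif ($p.Path -like "$windir\*") {
        # Real OS binaries in C:\Windows carry a valid Microsoft Authenticode signature
        $sig = Get-AuthenticodeSignature -FilePath $p.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            $reason = "under $windir but not Microsoft-signed (status $($sig.Status), signer $signer)"
        }
    }
    if ($reason) {
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $p.Path; Reason = $reason }
    }
}

# Same process name from different directories; directory compare is case-insensitive,
# so notepad.exe vs NOTEPAD.EXE in the same folder is not a finding by itself
$duplicates = $procs |
    Group-Object ProcessName |
    Where-Object { ($_.Group.Path | ForEach-Object { Split-Path $_ } | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        foreach ($g in $_.Group) {
            [pscustomobject]@{ PID = $g.Id; Name = $g.ProcessName; Path = $g.Path; Reason = 'same name, different directory' }
        }
    }

@($findings) + @($duplicates) | Sort-Object Reason, Name | Format-Table -AutoSize
```

Anything listed is a lead to check against the HJT log, not proof of infection on its own; legitimate installers and updaters also run from Temp.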

Run HJT, choose scan only, then fix

F3 - REG:win.ini: load=C:\DOCUME~1\6425~1\LOCALS~1\APPLIC~1\MICROS~1\rsvp.exe

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [CmSTP] C:\DOCUME~1\6425~1\LOCALS~1\APPLIC~1\cmstp.exe /waitservice (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [CmSTP] C:\DOCUME~1\6425~1\LOCALS~1\APPLIC~1\cmstp.exe /waitservice (User 'Default user')

Reboot

Then run MBAM again, and run SAS: http://filehippo.com/download_superantispyware/

Post new logs from HJT, MBAM and SAS.

Many thanks for your help.

I fixed the 3 items you specified in HJT,
then ran MBAM and SAS and fixed the items they found, and then ran HJT again.
Attached are the MBAM, SAS and HJT logs.

I'll be happy to get further instructions... :)

Did you have SAS remove what it found? Are new MBAM and SAS scans now showing clear of malware, or is anything returning?

MBAM and SAS are clean now, and Avast hasn't complained so far.

Thanks so much!