Can't get rid of Win32 Malware Gen

Viruses and worms
1

Hey there,

I’ve run several full system scans using Avast (the free version). Everything I’ve detected lately, I’ve moved to the chest, and did the boot scans when prompted to. I even ran a full Malwarebytes scan, which failed to detect anything. My virus database is up to date.

In the last boot scan, there seems to be even more of this win32 malware-gen on my computer. I’d greatly appreciate any help in permanently getting rid of this piece of malware.

2

follow this guide and attach the log`s here in your next reply

http://forum.avast.com/index.php?topic=53253.0

3

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

For a boot-time scan check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt (XP) or C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt (Vista, win7).

4

That is quite important as |Avast picks up some things that my scans will not detect - yet

5

Here are the logs.

6

I’ve attached the aswBoot.txt document if that helps.

7

OK that one showed me what it is - dotnet

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL O3:64bit: - HKLM\..\Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found. O3 - HKU\S-1-5-21-838314728-2261307429-335318591-1000\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found. O3 - HKU\S-1-5-21-838314728-2261307429-335318591-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found. O4 - HKU\S-1-5-21-838314728-2261307429-335318591-1000..\Run: [NetLimiter] File not found

:Files
ipconfig /flushdns /c
C:\Windows\assembly\tmp

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

8

Here’s the new OLT log after running the fix.

9

This one detected by the boot-time scan is nothing to worry about as it is an HP tool, which like all tools can be used for good or evil, this KillApp file is used to end processes (if using the HP recovery console) in that location isn’t a problem, but is considered a PUP (Potentially Unwanted Program), in this case it isn’t unwanted.

10

After running the fix, Avast still seems to be occasionally detecting a win32 malware gen infection. Should I just ignore it at this point?

11

The same question applies really, file name, location and what scan ?
Also if you elect to scan for PUPs you will get surprises.

12

It was just randomly detected while I was using the computer. Here’s what it says in the log:

05/09/2011 5:48:52 PM C:\Windows\assembly\tmp\U\800000cb.@ [L] Win32:Malware-gen (0)
File was successfully moved to chest…
05/09/2011 5:48:56 PM C:\Windows\assembly\tmp\U\800000cf.@ [L] Win32:Malware-gen (0)
File was successfully moved to chest…

And it happened again. Here’s a picture of the pop-up I got from Avast. Every time I get this message, it prompts be to do a boot scan after.

13

OK, this is, a relatively new one and will need further investigation by essexboy. Unfortunately he may be off-line now as it is 11:50pm in the UK.

The main thing currently avast is keeping it in check, e.g. not allowing the malware to run, but what is responsible for the use of the csrss.exe file to create/try to run this malware is undetected/hidden.

He has dealt with one of these recently, so I will see if I can find that topic. I suspect a boot-time scan won’t find anything either, but did you run one ?

14
He has dealt with one of these recently, so I will see if I can find that topic.

here http://forum.avast.com/index.php?topic=84156.0

15

I’ve ran 2 boot-time scans within the last 3 days, and whatever was detected, I either deleted or moved to the chest. Neither scans remedy the problem.

On thing I noticed since getting those warnings of blocked malware from Avast is that when I google things and click on links, it takes a while to load and ends up taking me somewhere else unless I click on the address bar and repeatedly press enter. I’m not sure if this is related to the issue at hand.

16

I just went through that topic. I’m not really knowledgeable in this area, so is it correct to say I shouldn’t use the fix in that topic, despite it being a similar issue?

17

Thanks for that, had I looked further back in this topic, I would have seen that essexboy also did try a fix in this topic for that.

:Files ipconfig /flushdns /c c:\windows\assembly\tmp

But for whatever reason these are back.

18

See my last post as that area was in an earlier fix that essexboy gave in Reply #6, so I have no idea why that didn’t work.

You shouldn’t run other peoples Fixes as they are specific to their system and problem/s.

19

Could you run a fresh OTL scan please as I would like to see what is in that folder

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

20

Sorry, I was away for the last week or so, but the problem hasn’t resurfaced since I got back. Thank you very much for helping me. :slight_smile: