downloaded exe files infected by win32:malware-gen - OTL logs attached

I don’t know what triggers it, but since last Saturday all exe files downloaded are reported as win32:malware-gen by Avast 6.0. The downloading itself turns quite weird: it is slow at first and times out at some point.

I tried to scan w/ avast 6.0, in normal mode as well as safe mode. Nothing found.

I tried mbam, but it can’t find any virus/malware.

I also can’t download otl.exe but can download otl.com successfully. The OTL.txt is attached. There are some Chinese characters, but that doesn’t matter.

I even suspect something wrong w/ my wireless router, but I reinstalled the firmware and nothing improved.

Thanks a lot. I am really annoyed.

David

Hi, the OTL log looks clear, which means it is a deeper problem.

Download aswMBR.exe ( 567KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start the scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan, click Save log, save it to your desktop and post it in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Thank you, essexboy.

I followed your instructions. Since this computer can’t download .exe files, I downloaded it w/ another Windows box and copied it to this one via USB disk.

The log is quite simple, as below:

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-19 14:24:48

14:24:48.779 OS Version: Windows 6.1.7600
14:24:48.779 Number of processors: 4 586 0x2505
14:24:48.779 ComputerName: PEARLZH-THINK UserName: Pearlzh
14:24:50.885 AVAST engine 6.0.1125 defs: 11061801
14:24:50.885 Initialize success
14:25:33.520 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
14:25:33.520 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
14:25:33.551 Disk 0 MBR read successfully
14:25:33.551 Disk 0 MBR scan
14:25:33.566 Disk 0 unknown MBR code
14:25:33.582 Disk 0 scanning sectors +625139712
14:25:33.629 Disk 0 scanning C:\Windows\system32\drivers
14:26:03.012 Service scanning
14:26:04.010 Disk 0 trace - called modules:
14:26:04.026 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
14:26:04.026 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x88a18948]
14:26:04.026 3 CLASSPNP.SYS[8a1b759e] → nt!IofCallDriver → [0x86ebcb70]
14:26:04.041 5 ACPI.sys[89a333b2] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x86e86028]
14:26:04.556 AVAST engine scan C:\Windows\system32
14:27:43.757 Scan finished successfully
14:28:18.794 Disk 0 MBR has been saved successfully to “C:\Users\Pearlzh\Documents\MBR.dat”
14:28:18.794 The log file has been saved successfully to “C:\Users\Pearlzh\Documents\aswMBR.txt”

Download Combofix from any of the links below. You must rename it before saving: rename it to Gotcha.com before saving it to your desktop.

Link 1
Link 2

==================================

http://www.hdrcgb.org.uk/g2g/Cfix_Gotcha.com.jpg

Double click on the renamed ComboFix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt so we can continue cleaning the system.

Here is the ComboFix.txt. It automatically chose the Chinese version so there are Chinese characters.

Thanks,

David

That cleared a few minor elements. Do you still have problems with exe files?

If so, download this zip file, extract the reg file and then click to merge it with your registry: http://www.sevenforums.com/attachments/tutorials/123734d1292473157-default-file-type-associations-restore-default_exe.reg

Thanks, essexboy.

The issue is still there after I merged the reg file.

BTW, now my Avast does not auto-start.

-David

When you try to start an exe file, what is the exact error you get, please? Does this occur on all logins or just one?

It is difficult to say whether it is the same error. The symptom is quite similar: it starts downloading at first, then pauses or becomes very slow, finally it times out and is identified as a virus by Avast.

I only have one login on the box. I will try to set up a new one later.

Thanks,

David

OK, could you do me a favour and download this exe file and let me know what happens:
http://fileforum.betanews.com/detail/McAfee-AVERT-Stinger/1040919764/1

This is a small malware removal tool. No need to run it, just try to download it.

essexboy,

This file can be downloaded normally.

I get the point. Something is monitoring my HTTP connection and filtering .exe downloads. What is it?

I am using ADSL at home. Several of my home computers share it w/ a router.

Thanks,

David

OK, we will now try a similar download but from an AV site. Again, let me know if this downloads OK, and again there is no need to run it.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2011-042105-0220-99

Do any other computers using the router suffer the same symptoms?

essexboy,

I can’t download the new link.

The whole thing turns out very weird. I have three computers at home, two Windows 7 and one Windows XP, and all three computers have a similar problem. However, the Windows XP box also has Ubuntu installed. When I switch to Ubuntu, the download is quite smooth, for the above link or any other exe file. I guessed the virus infected all my Windows boxes.

Thanks,

David
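The observation above (the same .exe fetched intact from the Ubuntu box but not from the Windows boxes) is the kind of thing a practitioner confirms with a reference hash rather than by eye. The script below is an added example, not code from this thread or from any of the tools mentioned in it: it records the length and SHA-256 of a copy known to be good, then checks another copy for truncation, a missing or broken PE header, and a content mismatch. The sample bytes are a constructed minimal PE-like stub (not a real program), and `check_download`, `build_sample_pe` and `demo` are names chosen for this example.

```python
import hashlib
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string: the value you record on the host where the download worked."""
    return hashlib.sha256(data).hexdigest()


def check_download(data: bytes,
                   expected_length: Optional[int] = None,
                   expected_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the copy matches the reference."""
    findings: List[str] = []

    # 1. Truncation: a transfer that stalls and times out usually leaves fewer bytes than Content-Length.
    if expected_length is not None and len(data) != expected_length:
        findings.append(f"length mismatch: got {len(data)} bytes, expected {expected_length}")

    # 2. Structure: a Windows executable starts with 'MZ', and the 32-bit offset at 0x3C (e_lfanew)
    #    points at the 'PE\0\0' signature. An HTML error page or a cut-off file fails this.
    if not data.startswith(b"MZ"):
        findings.append("missing MZ signature: not a PE file (truncated, replaced by a web page, or altered)")
    elif len(data) >= 0x40:
        pe_offset = int.from_bytes(data[0x3C:0x40], "little")
        if data[pe_offset:pe_offset + 4] != b"PE\0\0":
            findings.append(f"no PE signature at e_lfanew offset {pe_offset:#x}")
    else:
        findings.append("file too short to hold a DOS header")

    # 3. Content: the hash taken on the good host must match byte for byte.
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        findings.append("sha256 mismatch: content differs from the reference copy")

    return findings


def build_sample_pe() -> bytes:
    """Constructed stand-in for a downloaded .exe: MZ header, e_lfanew = 0x40, PE signature, padding."""
    dos_header = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")  # exactly 0x40 bytes
    return dos_header + b"PE\0\0" + b"\0" * 60                       # 128 bytes in total


# Reference values as they would be recorded on the host where the download succeeded.
REFERENCE = build_sample_pe()
REFERENCE_LEN = len(REFERENCE)
REFERENCE_SHA = sha256_hex(REFERENCE)


def demo() -> dict:
    """Check an intact copy and three constructed damaged copies against the reference."""
    truncated = REFERENCE[:30]                               # transfer stalled and timed out
    altered = bytearray(REFERENCE)
    altered[100] ^= 0xFF                                     # one byte changed in transit
    replaced = b"<html><body>blocked</body></html>"          # a page was served instead of the file
    return {
        "intact": check_download(REFERENCE, REFERENCE_LEN, REFERENCE_SHA),
        "truncated": check_download(truncated, REFERENCE_LEN, REFERENCE_SHA),
        "altered": check_download(bytes(altered), REFERENCE_LEN, REFERENCE_SHA),
        "replaced": check_download(replaced, REFERENCE_LEN, REFERENCE_SHA),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

In practice the reference length and hash come from `sha256sum` and `stat` on the machine where the download works (the Ubuntu box in this thread), and the check runs against the file the Windows box received; a length mismatch alone points at a stalled transfer, while a hash mismatch on a full-length file points at the content being changed somewhere on the path.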

Have you tried resetting the router?

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled “reset” located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

Could you then go to this website and let me know what you see: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

As I said, I tried updating the router w/ clean firmware and resetting it. I reloaded a saved router configuration. Nothing changed.

I can see all six pictures in the eye chart.

Thanks,

David

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan.
On the first tab select all elements down to Computer and then select Start scan.
Once it has finished, select Report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront-1.jpg

Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan.
Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then upload to Mediafire and post the sharing link. The zip file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg

The scan log is empty.

Autoscan: completed 10 minutes ago (events: 2, objects: 375941, time: 00:48:36)
2011/6/29 20:29:36 Task completed
2011/6/29 19:41:00 Task started

The manual disinfection zip is uploaded at

http://www.mediafire.com/file/5s385jim87cy9av/avptool_sysinfo.zip

Thanks,

David

The whole thing is very weird.

I am a network engineer. So, w/ my knowledge, I don’t think somebody could inject a virus daemon on the ISP’s ADSL access router side.

Thanks,

David

OK, really weird, as that download was from the Kaspersky site; no malware is showing within the log or the ports.

Did this programme download OK?

Yes, I can download the file.

Thanks,

David