Help: Win32:Malware-gen

Hello

I have recently received warnings from Avast! regarding the above virus (pop-up attached). I have deleted the two files displayed in the pop-up, but they keep returning when I restart the system (internet connection?). The virus tries to disable Avast! on each start-up (notification pop-up), to which I choose “No”, of course, and I have attached the OTL, aswMBR, and SuperAntiSpyware logs.
I have downloaded ComboFix onto my desktop as well, in preparation in case I need it, but reading through some of the other posts it looks as though it is quite powerful, so I don’t think I want to be using it without some expert guidance.
All help is greatly appreciated!

Regards
Nick

And the SuperAntiSpyware scan log.
Edit: I have also attached the Malwarebytes Anti-Malware log (yesterday after infection).

Removal specialists are notified. It may take hours before one arrives, so be patient.

Let me know if this stops the alerts

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O4 - HKCU..\Run: [JwvDfaej] C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe) - C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found

:Files
C:\Users\Nick\AppData\Local\bqhquaye

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Sorry for the delay, here is the Quick Scan and Run Fix logs. When the system restarted the Avast! alert with the blocked file was displayed again. Would the next step involve using ComboFix?

I am loath to use ComboFix unless really necessary.

Could you attach a screenshot of the latest alert, please?

I am removing the Steam crack from startup, as that may be the root of the problem.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\searchpredict@speedbit.com:
O4 - HKCU..\Run: [JwvDfaej] C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe) - C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
[2012-11-29 11:33:47 | 000,102,464 | ---- | C] () -- C:\Users\Nick\AppData\Roaming\LVx6d96.exe
[2012-11-27 20:24:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cracked Steam

:Files
c:\Users\Nick\AppData\Local\bqhquaye

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I have attached screenshots of both pop-ups (the virus attempting to shut down Avast, and the blocked virus files). I doubt that Cracked Steam is the problem, since it has been installed for several months, but I have run the code as you requested and the program seems to freeze when processing the first Firefox extension. Maybe it’s because I don’t have Firefox installed?

Regards
Nick

OK, let's continue with ComboFix, although the data appears to be in the temp files.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

I have tried to run ComboFix (as administrator), but it disappears without warning and the process is not present in Task Manager. This erratic program-closing behaviour seems to also affect Google Chrome. Do you want me to try running ComboFix in safe mode, with or without networking?

Try safe mode with networking; also rename ComboFix to Gotcha.

Renaming ComboFix to Gotcha has allowed it to run under normal system settings. I have attached the log as requested.

OK, let's now manually kill it.

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jwvdfaej.exe

Folder::
c:\users\Nick\AppData\Local\bqhquaye

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JwvDfaej"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
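The CFScript above removes three autostart entries by hand: the HKCU Run value, the Startup-folder copy, and the hijacked Winlogon Userinit value, which the malware had extended to launch jwvdfaej.exe before the real userinit.exe. The following PowerShell script is an added example, not part of this thread and not one of the helper's tools; it enumerates those same locations (both Run keys, both Startup folders, and Winlogon Userinit) and flags anything that points into a user profile or temp directory, that no longer exists on disk, or that differs from the documented default Userinit value. The default value `C:\Windows\system32\userinit.exe,` (with the trailing comma) is assumed; sites that legitimately chain extra programs into Userinit will need to extend that check.

```powershell
# Added example (not from the thread): list the autostart locations cleaned by
# the OTL/ComboFix scripts above and flag entries worth a closer look.
# Run from an elevated PowerShell prompt as the affected user.

# Assumption: the documented default, including the trailing comma.
$ExpectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RunKeyEntries {
    # HKCU and HKLM Run keys (the O4 lines in the OTL fix).
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders (where the CFScript deletes jwvdfaej.exe).
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ExecutablePath([string]$command) {
    # Pull the program path out of a Run/Userinit command line.
    # Heuristic: quoted path, else text up to the first comma or a ' -'/' /' argument.
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return (($c -split ',')[0] -replace '\s+[-/].*$', '').Trim()
}

function Test-SuspiciousCommand([string]$command) {
    # Flag programs launched from the user profile or temp, or that no longer exist
    # (OTL reported jwvdfaej.exe as "File not found" but the entry still pointed at it).
    $exe = Get-ExecutablePath $command
    if (-not $exe) { return $false }
    $roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) | Where-Object { $_ }
    $inProfile = $false
    foreach ($root in $roots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inProfile = $true }
    }
    $missing = -not (Test-Path -LiteralPath $exe)
    return ($inProfile -or $missing)
}

# Collect everything, then print one line per entry with a verdict.
$entries = @()
$entries += Get-RunKeyEntries
$entries += Get-StartupFolderEntries

$userinit = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
$entries += [pscustomobject]@{ Location = $WinlogonKey; Name = 'Userinit'; Command = $userinit }

foreach ($e in $entries) {
    if ($e.Name -eq 'Userinit') {
        # Any deviation from the default (extra comma-separated programs) is a hijack candidate.
        $flag = -not ($e.Command -ieq $ExpectedUserinit)
    } else {
        $flag = Test-SuspiciousCommand $e.Command
    }
    $tag = if ($flag) { '[CHECK]' } else { '[ ok  ]' }
    '{0} {1,-24} {2}' -f $tag, $e.Name, $e.Command
    if ($flag) { '        in: ' + $e.Location }
}
```

A `[CHECK]` line is a prompt to look, not a verdict: legitimate updaters sometimes live under AppData, and a broken uninstaller can leave a dangling Run value. The Userinit comparison is the one hard rule here, since on a stock machine that value should never contain anything but the system userinit.exe.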

Here is the log as requested. I hope we are close to removing this stubborn infection.

OK, I will need to work outside of Windows for this one.

Could you reboot the computer and press F8?
On the safe mode menu, is there an option “Repair my Computer”?

If so, do you have access to a USB drive?

Yes, I have rebooted the computer into “Repair my Computer” mode and I’m at the dialog box “System Recovery Options”. I happen to have a USB drive right next to me.

Excellent

Download the following programme to your USB drive:

Farbar Recovery Scan Tool x64

Insert the USB drive into the sick computer and start the computer.

Reboot to the safe mode menu
Click repair my computer
(You may not see all the following screen shots)

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt:

  1. Type notepad and press Enter.
  2. Notepad opens. Under the File menu select Open.
  3. Select “Computer”, find your flash drive letter, and close Notepad.
  4. In the command window type e:\frst64.exe and press Enter.
     Note: Replace the letter e with the drive letter of your flash drive.
  5. The tool will start to run. When the tool opens, click Yes to the disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

The log is attached as requested :)

Download the attached fixlist.txt to the USB drive with the FRST file

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7, now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flash drive (Fixlog.txt); please post it in your next reply.

Fixlog attached.

Could you now reboot to normal Windows and run an OTL Quick Scan, please?