I have a problem with win32:malware-gen

My avast found 50 thousand viruses and they are all Trojans. They are located in c:/users/public, C:\windows\explorer.exe and c/windows/win32/. And now that virus has split up into the recycle bin. Then when I try to put them in the chest, avast writes that there is no free space and avast crashes. I tried to clean up with Malwarebytes' Anti-Malware and with OTS but it doesn't work. Help me, someone. PS: sorry for my bad English.

My avast found 50 thousand viruses and they are all Trojans.
Holy cow... and what malware name is avast giving? Is it win32:malware-gen on all the files detected?

Hi,

I think we should give this a quick run and see what it shows. :slight_smile:

Download CKScanner by askey127 from Here & save it to your Desktop.
[*] Right-click CKScanner.exe and Run as Administrator, then click Search For Files
[*] When the cursor hourglass disappears, click Save List To File
[*] A message box will verify the file saved
[*] Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

CKScanner - Additional Security Risks - These are not necessarily bad
c:\users\admin\desktop\torrentai\rise of nations rise of legends crack only.zip.torrent
c:\users\admin\downloads\rise of nations rise of legends crack only.zip
c:\users\admin\downloads\rise.of.nations.rise.of.legends-nocd crack\rise.of.nations.rise.of.legends cd3.daa
c:\windows\system32\slmgr.vbs.removewat
c:\windows\syswow64\slmgr.vbs.removewat
scanner sequence 3.EM.11.QVNAHR
----- EOF -----

Hi,

Were you able to find out what label that avast was giving those 50K infections?

Please run the MGA Diagnostic Tool and post back the report it produces:
[*] Download MGADiag to your desktop.
[*] Double-click on MGADiag.exe to launch the program.
[*] Click "Continue".
[*] Ensure that the "Windows" tab is selected (it should be by default).
[*] Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
[*] Paste the MGA Diagnostic Report back here in your next reply.


Then, run the following:

Please download and run WVCheck.
[*] Double-click WVCheck.exe.
[*] As indicated by the prompt, this program can take a while depending on your hard drive space.
[*] Once the program is done, copy the contents of the Notepad file as a reply.

I want to clean my computer, and I don't know how I can delete that win32:malware-gen virus.

Hi,

Have you run the tools I posted in post #4?

I can't find WVCheck.exe, and do you need me to post everything that MGADiag shows?

Diagnostic Report (1.9.0027.0):

Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: --J8D7P-XQJJ2-GPDD4
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85759
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {CD8501CE-5651-4D06-8E5D-94A04213B30A}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110622-1506
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

Other data-->
Office Details: {CD8501CE-5651-4D06-8E5D-94A04213B30A}1.9.0027.06.1.7601.2.00010100.1.0.048x64----GPDD400371-868-0000007-857591S-1-5-21-107350918-4025844359-37358633Dell Inc.Inspiron N5110Dell Inc.A0720110718000000.000000+0005D073607018400FE04270409FLE Standard Time(GMT+02:00)03109

Spsys.log Content: 0x80070002

Licensing Data-->
Input Error: Can not find script file “C:\Windows\system32\slmgr.vbs”.

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x80070005
HealthStatus Bitmask Output:

HWID Data-->
HWID Hash Current: OgAAAAMAAgABAAIAAQABAAAABAABAAEAonZi0RUndxYkUQaGKK0U0QqnnMbPDbzEGOpIPf5PaOsucw==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL WN09
FACP DELL WN09
HPET DELL WN09
MCFG DELL WN09
SSDT TrmRef PtidDevc
SSDT TrmRef PtidDevc
SSDT TrmRef PtidDevc
SSDT TrmRef PtidDevc
SSDT TrmRef PtidDevc
OSFR DELL M08
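The report above carries the indicators the helpers were probing for with MGADiag: a KMS Client licence type on a machine whose BIOS reports no SLIC table, a missing slmgr.vbs (the CKScanner output earlier in the thread shows it renamed to slmgr.vbs.removewat), an unregistered activation admin service, and two system DLLs whose signatures no longer verify (0x800b0100 is TRUST_E_NOSIGNATURE). The following Python is an added example, not part of the thread or of the MGADiag tool: it parses the report's key/value lines and File Mismatch records and turns them into findings. SAMPLE_REPORT is constructed from the lines quoted above; CLEAN_REPORT and its values are assumed for contrast only.

```python
import re

# Constructed sample: excerpts of the MGADiag report quoted in this thread.
SAMPLE_REPORT = r"""Windows License Type: KMS Client
Product Name: Windows 7 Professional
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
Admin Service: Not Registered - 0x80070005
BIOS valid for OA 2.0: yes, but no SLIC table
"""

# Assumed values for a machine with an OEM activation, used only to show the
# clean path through the same rules.
CLEAN_REPORT = r"""Windows License Type: OEM SLP
BIOS valid for OA 2.0: yes
"""

# HRESULT codes that appear in the report, named as in winerror.h.
HRESULT_NAMES = {
    0x800B0100: "TRUST_E_NOSIGNATURE (file is unsigned or its catalog signature does not verify)",
    0x80070005: "E_ACCESSDENIED",
    0x80070002: "ERROR_FILE_NOT_FOUND",
}

MISMATCH_RE = re.compile(r"File Mismatch: (.+?)\[(.+?)\], Hr = (0x[0-9A-Fa-f]+)")


def parse_report(text):
    """Split a report into 'Key: value' fields and a list of (path, version, hresult)."""
    fields, mismatches = {}, []
    for line in text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            mismatches.append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif ": " in line:
            key, _, value = line.partition(": ")
            fields[key.strip()] = value.strip()
    return fields, mismatches


def triage(text):
    """Return human-readable findings for the activation and file-integrity indicators."""
    fields, mismatches = parse_report(text)
    findings = []
    lic = fields.get("Windows License Type", "")
    bios = fields.get("BIOS valid for OA 2.0", "")
    if lic == "KMS Client" and "no SLIC" in bios:
        findings.append("licence type is KMS Client but the BIOS carries no SLIC table: "
                        "activation did not come from the OEM, ask where the licence came from")
    if "slmgr.vbs" in fields.get("Input Error", ""):
        findings.append("slmgr.vbs is missing from system32: licensing script removed or renamed")
    if fields.get("Admin Service", "").startswith("Not Registered"):
        findings.append("Windows Activation Technologies admin service is not registered")
    for path, version, hr in mismatches:
        # A system DLL that fails signature verification has been modified or replaced.
        findings.append(f"{path} {version}: {HRESULT_NAMES.get(hr, hex(hr))}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print("-", finding)
```

The report is treated as untrusted text: each rule keys on a named field rather than on line position, so a report with sections missing (as several are here, all returning 0x80070002) still parses, and a clean report produces no findings.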

Hi,

[*]Download OTL to your desktop.
[*] Right-click the icon and choose Run as Administrator to run it. Make sure all other windows are closed and let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output.
[*]Check the boxes beside LOP Check and Purity Check.
[*]In the Custom Scans section put the following:
netsvcs
[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
[*]Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

OTL logfile created on: 2012.03.06 22:24:47 - Run 1
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Users\Admin\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000427 | Country: Lithuania | Language: LTH | Date Format: yyyy.MM.dd

5,91 Gb Total Physical Memory | 3,52 Gb Available Physical Memory | 59,52% Memory free
11,82 Gb Paging File | 9,46 Gb Available in Paging File | 80,04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 97,56 Gb Total Space | 28,56 Gb Free Space | 29,28% Space Free | Partition Type: NTFS
Drive D: | 498,51 Gb Total Space | 202,97 Gb Free Space | 40,71% Space Free | Partition Type: NTFS
Drive I: | 95,43 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: ADMIN-PC | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Admin\Desktop\OTL.exe (OldTimer Tools)
PRC - D:\hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
PRC - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files (x86)\Malwarebytes’ Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - D:\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
PRC - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
PRC - C:\Program Files (x86)\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)

========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\ppgooglenaclpluginchrome.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\pdf.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\avutil-51.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\avformat-53.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\avcodec-53.dll ()
MOD - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\gcswf32.dll ()
MOD - C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\detoured.dll ()
MOD - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ()
MOD - C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll ()

========== Win32 Services (SafeList) ==========

SRV:64bit: - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV:64bit: - (FLEXnet Licensing Service 64) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe (Flexera Software, Inc.)
SRV:64bit: - (STacSV) -- C:\Program Files\IDT\WDM\stacsv64.exe (IDT, Inc.)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (AESTFilters) -- C:\Program Files\IDT\WDM\AESTSr64.exe (Andrea Electronics Corporation)
SRV - (Hamachi2Svc) -- D:\hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (Atheros Bt&Wlan Coex Agent) -- C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe (Atheros)
SRV - (AtherosSvc) -- C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe (Atheros Commnucations)
SRV - (nvUpdatusService) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (npggsvc) -- C:\Windows\SysWow64\GameMon.des (INCA Internet Co., Ltd.)
SRV - (Autodesk Content Service) -- C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

QNtas, you can attach the log to save doing multiple posts ;D

Hey, in that notepad file there are too many characters, and I need 4-5 posts to post one of them, so should I post it or do something else?

There are instructions on how to attach the log file about a quarter of the way down in this thread http://forum.avast.com/index.php?topic=53253.0

And is there a way to fix my problem, or just how to attach the log?

Hi,

This is how to attach a log to your post:
[*] Press Reply
[*] Open Attachments and other options
[*] Attach: Choose File
[*] Locate the OTL log
[*] Select the OTL log

Here it is

Hi QNtas,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
PRC - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKCU\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&st=1&q={searchTerms}&barid={1AC2C624-E9E9-11E0-80EA-CCAF785422B8}
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKCU..\Run: [TorrentRatioKeeper] "D:\Ratio\Torrent Ratio Keeper\TorrentRatioKeeper.exe" /s File not found
O8:64bit: - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O8 - Extra context menu item: Search the Web - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\MenuExt.html ()
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef13-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell\AutoRun\command - "" = G:\INSTALL.EXE
[65442 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )


In your next reply please post both of the logs that will be created by OTL when you are finished. :slight_smile:
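The fix script above is the result of reading the OTL log by hand: Run entries whose target no longer exists ("File not found"), MountPoints2 AutoRun handlers cached from removable media (J:\AutoRun.exe, G:\INSTALL.EXE), and every browser hook tied to the SweetIM toolbar. The Python below is an added example, not part of the thread or of OTL, that applies those same rules to OTL-style lines and renders the flagged ones in the ":OTL" / ":Commands" layout used in this thread. SAMPLE_OTL_LOG is constructed from entries in the log and fix above; the ADWARE_MARKERS watchlist is an assumption for the example and in practice comes from the vendor names the log itself shows.

```python
from collections import defaultdict

# Constructed sample: entries taken from the OTL log and fix script in this thread.
SAMPLE_OTL_LOG = r"""PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKCU..\Run: [TorrentRatioKeeper] "D:\Ratio\Torrent Ratio Keeper\TorrentRatioKeeper.exe" /s File not found
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell - "" = AutoRun
O33 - MountPoints2\{f31eef06-223f-11e1-81b5-ccaf785422b8}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{f6ebead5-1390-11e1-8277-ccaf785422b8}\Shell\AutoRun\command - "" = G:\INSTALL.EXE
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
"""

# Assumed watchlist for this example: vendor strings the log ties to the
# toolbar/search hijack. Build it from the log under review, not from a fixed list.
ADWARE_MARKERS = ("sweetim",)

# OTL line types that describe running processes, browser hooks or autostarts.
BROWSER_AND_AUTOSTART_TYPES = {"PRC", "O2", "O3", "O4", "O8", "IE", "IE:64bit:", "FF", "FF:64bit:"}


def classify(line):
    """Label one OTL line: orphaned-run, media-autorun, toolbar-hijack, or keep."""
    kind = line.split(" ", 1)[0]
    low = line.lower()
    if kind == "O4" and low.endswith("file not found"):
        return "orphaned-run"      # autostart whose target file no longer exists
    if kind == "O33" and "mountpoints2" in low and "\\shell" in low:
        return "media-autorun"     # AutoRun handler cached for a removable drive
    if kind in BROWSER_AND_AUTOSTART_TYPES and any(m in low for m in ADWARE_MARKERS):
        return "toolbar-hijack"    # BHO, toolbar, start page, search scope or Run entry of the toolbar
    return "keep"


def triage_log(text):
    """Group non-empty log lines by their classification."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            groups[classify(line)].append(line)
    return dict(groups)


def build_fix(text):
    """Render the flagged lines, in log order, as an OTL fix script like the one above."""
    flagged = [l for l in text.splitlines() if l.strip() and classify(l) != "keep"]
    return "\n".join([":OTL", *flagged, "", ":Commands",
                      "[emptytemp]", "[createrestorepoint]", "[Reboot]"])


if __name__ == "__main__":
    for label, lines in triage_log(SAMPLE_OTL_LOG).items():
        print(f"{label}: {len(lines)} line(s)")
    print(build_fix(SAMPLE_OTL_LOG))
```

The output is a draft for a human to review line by line before it goes anywhere near OTL's Run Fix button: the rules only encode what the log makes obvious (a missing target, an AutoRun handler, a vendor string), and the bing search scope in the sample is deliberately left alone to show that an entry is kept unless a rule names it.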

Is it also for Windows 7? And 8? Just in case he has one of those.

I have Windows 7.