Repeated Win32:Malware-gen files found

We’re getting many instances of the following message with random file names. It continues to happen despite moving them to the chest. I’m not able to determine what’s putting these files in the temp directory.

17/12/2009 6:41:40 PM SYSTEM 1148 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\1034fd05338f83c5e8a14e96586f724f.exe” file.
17/12/2009 6:35:50 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\14b10a32c6ac18ac4e5db74dd5c1520e.exe” file.
17/12/2009 6:30:43 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\211f74e30e60e4919512ef303c863800.exe” file.
17/12/2009 6:25:13 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\eb4577a6fd28097cbac1f8201b131378.exe” file.
17/12/2009 6:20:02 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\6a20a71e44745646dbe001792b2bd98f.exe” file.
17/12/2009 6:17:53 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\Temp\8d54fd38af38df54d558f075ff5b34ce.exe” file.
17/12/2009 6:17:50 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\Temp\88b0717aef5765c07719fde940a144ba.exe” file.
17/12/2009 6:17:45 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\Temp\76a5ac7e650b13d3585e3e1d39e4289a.exe” file.
17/12/2009 6:14:53 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\9b0f32fc681daebc241a6f341518b896.exe” file.
17/12/2009 6:09:26 PM SYSTEM 1160 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\cb5197525004204d4ad83529c0dcc006.exe” file.
17/12/2009 6:04:24 PM SYSTEM 1264 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\8d54fd38af38df54d558f075ff5b34ce.exe” file.
17/12/2009 6:01:57 PM SYSTEM 1264 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\8d54fd38af38df54d558f075ff5b34ce.exe” file.
17/12/2009 5:56:54 PM SYSTEM 1144 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\88b0717aef5765c07719fde940a144ba.exe” file.
17/12/2009 5:56:54 PM SYSTEM 1144 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\88b0717aef5765c07719fde940a144ba.exe” file.
17/12/2009 12:53:37 PM SYSTEM 1152 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\249d4932fd5e7cb8f577e727a4074a2a.exe” file.
17/12/2009 12:48:16 PM SYSTEM 1152 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\73c038d35f7099b4c803f21db9c1ee3f.exe” file.

  1. How was it detected? What was scanning, you yourself or the background scanner? When did the message occur: on a download, unzipping, opening a file, mail or mail attachment, etc.?

This message comes up when doing a large number of things, sometimes nothing.

  2. What was the source of the file, where did the file come from? E.g. address, URL, source.

Unsure.

  3. When was it downloaded or received?

Dec 16th

  4. What is the exact file name with extension?

See above

  5. What was the exact wording of the message that the AV program came up with? This is important for later.

See above

  6. Now go back and do nothing yet. Scan the particular file once again with your AV product.
    A. The message is in the same wording: maybe positive alert

Scanning of selected files

Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\Owner\LOCALS~1\Temp_avast4_\unp72168339.tmp
FileID: 0000000037 Original file name: C:\WINDOWS\TEMP\1034fd05338f83c5e8a14e96586f724f.exe New folder: C:\DOCUME~1\Owner\LOCALS~1\Temp_avast4_\unp72168339.tmp\37.exe

Scan files in the temporary folder: C:\DOCUME~1\Owner\LOCALS~1\Temp_avast4_\unp72168339.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp_avast4_\unp72168339.tmp\37.exe Win32:Malware-gen

Action was completed successfully!

Jotti scan of one of the files:

Additional info
File size: 209952 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 20fa5c747f9bb892910942af1098e5fb
SHA1: eddd95cd739eb251948f978f6c55353e93afd84f

Jotti’s malware scan
Filename: 1034fd05338f83c5e8a14e96586f724f.exe
Status: Scanning file…
Scan taken on: Thu 17 Dec 2009 23:24:40 (CET)
Permalink - http://virusscan.jotti.org/en/scanresult/54b94d02f091691e1f1530ff5137fea6e6808df4

There was a variety of results:
Worm.Agent.RENS
Found nothing
Win32/Swimnag.A worm
SHeur2.BVQC
Worm.Win32.Swimnag!IK
etc…
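As an added example that is not part of the thread, a small parser for the avast log format quoted above: it pulls the dropped file name out of each line, flags the 32-hex-character names under Windows\Temp, lists names that were detected again after being chested, and measures the gap between detections (a steady gap points at something scheduled re-dropping the files). It assumes the log uses straight quotes; the curly quotes shown on the forum are accepted too.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample: six of the avast log lines quoted in the thread.
AVAST_LOG = r"""
17/12/2009 6:41:40 PM SYSTEM 1148 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\TEMP\1034fd05338f83c5e8a14e96586f724f.exe" file.
17/12/2009 6:35:50 PM SYSTEM 1160 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\TEMP\14b10a32c6ac18ac4e5db74dd5c1520e.exe" file.
17/12/2009 6:30:43 PM SYSTEM 1160 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\TEMP\211f74e30e60e4919512ef303c863800.exe" file.
17/12/2009 6:17:53 PM SYSTEM 1160 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\Temp\8d54fd38af38df54d558f075ff5b34ce.exe" file.
17/12/2009 6:04:24 PM SYSTEM 1264 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\TEMP\8d54fd38af38df54d558f075ff5b34ce.exe" file.
17/12/2009 6:01:57 PM SYSTEM 1264 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\TEMP\8d54fd38af38df54d558f075ff5b34ce.exe" file.
"""

# avast 4 log line: date time user pid Sign of "<sig>" has been found in "<path>" file.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of ["\u201c](?P<sig>[^"\u201d]+)["\u201d] has been found in '
    r'["\u201c](?P<path>[^"\u201d]+)["\u201d] file\.$')
HEX32_EXE = re.compile(r'^[0-9a-f]{32}\.exe$', re.IGNORECASE)  # MD5-looking names seen in the thread

def parse_avast_log(text):
    """Parse log lines into dicts (ts, user, pid, sig, path, name), oldest first; junk lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%m/%Y %I:%M:%S %p")
        e["pid"] = int(e["pid"])
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def hex_named_temp_exes(events):
    """Detections of 32-hex-char .exe names in the Windows Temp directory: the drop pattern in the thread."""
    return [e for e in events
            if HEX32_EXE.match(e["name"]) and "\\windows\\temp\\" in e["path"].lower()]

def repeat_offenders(events):
    """Names detected more than once: the file came back after being chested, so something re-drops it."""
    return sorted(n for n, c in Counter(e["name"] for e in events).items() if c > 1)

def median_gap_seconds(events):
    """Median seconds between consecutive detections; a stable value suggests a scheduled dropper."""
    ts = [e["ts"] for e in events]
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return median(gaps) if gaps else 0.0
```

Run it over the full avast log export rather than this sample; the repeat list and the gap are what tell you the chest is only removing symptoms.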

I suggest you use MBAM.

Hi turnonthejets,

Have you been using torrent download, because of the 37.exe find (74% malicious)?
Some malware camouflages itself as 37.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check whether the 37.exe process on your PC is a pest.
Re: http://www.superantispyware.com/malwarefiles/37.EXE.html
SAS can be downloaded from here: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

polonus

Thanks for the help, I searched on this forum before posting and that led me to try both SAS and MBAM. Neither found anything with quick scans but I can do a full scan to see if that picks it up. I’ll also search for the 37.exe manually. I know the PC owner has used torrents in the past.

It's always good to run CCleaner before MBAM to clean out the Windows Temp folders:
CCleaner v2.26.1050 - Slim

I keep cleaning out the location that these exe files are getting put in but they keep coming back. It’s as if something else is putting them there that isn’t getting picked up by any of these scanners. Any other options?

Have you tried the options already suggested, the MBAM and SAS programs?

If not, do so; if you have, then post the results of the scans.

I had and they didn’t pick up anything at all. Just ran MBAM again…

Malwarebytes’ Anti-Malware 1.42
Database version: 3382
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

21/12/2009 5:49:53 PM
mbam-log-2009-12-21 (17-49-53).txt

Scan type: Quick Scan
Objects scanned: 117372
Time elapsed: 10 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Deleted

Nothing found with the full MBAM scan either

Malwarebytes’ Anti-Malware 1.42
Database version: 3382
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

21/12/2009 7:01:47 PM
mbam-log-2009-12-21 (19-01-47).txt

Scan type: Full Scan (C:|)
Objects scanned: 202633
Time elapsed: 1 hour(s), 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)