SOS! Win32 Malware gen Emergency!

Hello there. I’m new here… So here’s the problem. Avast detected a trojan, Win32 Malware Gen, and a bunch of other trojans starting with the name Win32. I use avast and Malwarebytes Anti-Malware to detect and remove them. I even used the boot-time scan. But after rebooting, avast detected the trojan again… and again… and again. I have scanned and deleted the trojans X number of times now. The name is x.exe or hnm5.exe… the location is C:\WINDOWS\system32… the viruses include Win32:Malware-gen, Win32:Neeris-B [wrm], Win32:Sality, Win32:Vitro, Win32:IRCBot-DLM [trj], and Win32:Virut-Nu… Please! Can somebody help me? My OS is Windows XP SP3…

What’s weird is that MBAM does not detect it anymore when I scan… but avast keeps on notifying that the trojan has been blocked. As far as I know, no damage to my computer has been observed… so far…

Oh, wow… that reads like an “Anti-Malware’s Most Wanted” list (or least wanted, for the infectee).

Sorry, but this is likely a total loss. You will most likely have to reformat.

See here for advice on what is safe to backup beforehand,
if you still can.>>http://forum.avast.com/index.php?topic=77967.msg644867#msg644867

Hmmmmm… really? What kind of trojan is this??? It’s like the Satan of all viruses!

Virut, Sality, Vitro… those are file infectors. Straight killer viruses that infect crucial parts of the system. Cleaning/quarantining them can simply render the system inoperable.

Thanks for the reply, dude… Uhm, although my PC “looks” normal… no issues so far…

Try this…

Download the Dr.Web Cure It Live CD from another clean computer, and burn the ISO:
http://www.freedrweb.com/livecd/?lng=en

It will probably clean up the infection, but if the virus has infected too many files on the system,
the system may fail to boot.

Reformat and reinstall is the best solution, but on the fresh system it is important not to start any application
or other executable file.

On the fresh system, ASAP download fresh avast AntiVirus and use the boot-time scan. avast will remove any infected trace of malware if it is there and stop reinfection of your system.

I tried the boot-time scan already… to no avail. I’ll try your other suggestion. Thanks! So far, I still don’t notice any damage… all my exe files are intact and working.

I did not say to do a scan with avast now.

This will probably solve your problem:

- back up your data
- run Dr.Web Cure It Live CD

This will solve your problem:

- back up your data
- format the system root (C:) and install a fresh OS
- On the fresh system, ASAP download fresh avast AntiVirus and use the boot-time scan. avast will remove any infected trace of malware if it is there and stop reinfection of your system.

Thanks! I’ll definitely try that!

Sality + Virut = deadly combo

Do I need to give up now? Sigh… will this be the new wave of killer malware? I hope avast can keep up… it’ll be cool if avast could just delete these bastards.

Virut and other File infectors - Throwing in the Towel? (miekiemoes, Assistant Director of Research @ Malwarebytes)
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

And even though an Antivirus is able to disinfect the files, in a lot of cases, many files will be corrupted anyway > result > many programs won't work > loads of errors > corrupted Windows + there's still no guarantee that the Virus is really gone. So why bother to clean this if a format and reinstall is the fastest and especially the safest solution?

You will have to read a bit. This is not a case where a file can be deleted and the virus is gone. This virus appends code to files, modifies files, etc. So the only way to get rid of this virus is to back up your files, excluding the ones mentioned by essexboy here: http://forum.avast.com/index.php?topic=77967.msg644867#msg644867, and install your OS after formatting your HDD.

A few times I managed to disinfect Virut with Dr.Web, but these viruses had not been active long on those computers.
If the virus has not spread too much, Dr.Web will disinfect it.

bat…


edit:
In the beginning, Virut changed its binary code at each system start
and thus avoided detection by anti-virus programs.

Virut today is much improved, fortunately not as much as it could be.

I’m suspecting something else here, if your system looks normal or is otherwise OK: another security application with unencrypted virus signatures. What other security software do or did you have installed?

What is the full path and file name of these detections, just some of the common ones (e.g. folders they are in and file name/s)?

Do you happen to have used Panda’s on-line scanner, as that has a nasty habit of dumping its unencrypted signatures in a sub-folder of system32?

Well… my computer is really OK. I mean, I can use anything on my computer without problems. No slowdown either. The only thing that bugs me is the constant alerts from the antivirus programs. I have MBAM and avast 5 free.

What seems to be the problem with my computer? I haven’t used Panda.

Oh, yes… it’s in system32… all of them, according to the virus chest info of avast. Usual names are x.exe or hnm.exe. Hmmmm… I think I went to Panda’s website, but I didn’t use the scan. I went to Panda AFTER having these viruses. Actually, my PC was just newly reformatted. The anti-virus installed right after reformatting was ESET NOD32, but I uninstalled it since I like avast more.

We really do need more information, some examples of malware name, file name and full location.

The Malware-Gen detection is generic, and since avast detects Virut, if it were that a) avast should detect it as such and b) it would run rampant through your system infecting every exe file.

So we need the full path as Panda stores its c**p in a sub-folder of system32 and we need to find out exactly what is being found and where.

Check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report (XP) or C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report (Vista, win7) folder for whichever scan that you ran for a listing of any detections, see image example.

This will give us more information; you can either copy and paste the contents of the file, which could be quite large (just some general examples of the various folders and files affected), or you can attach the .txt file to your next post.

These are all the things that I found that have the records of the detections… Thank you. I’m also able to use any .exe file.

The File System Shield report is of more concern as you have something restoring this C:\WINDOWS\System32\84.exe Win32:Rootkit-gen, so there is something undetected/hidden on your system that is a) locking/protecting it or b) restoring it.

With the boot-time scan, the stuff in the \Temporary Internet Files\Content.IE5\ folder is somewhat strange; I would have expected the web shield to have alerted when these were downloaded unless they were old files. They could also be signature updates for another security application.

I also see that you have not done a boot-time scan recently, as there are a lot of infected files picked up by the file system shield after your last boot-time scan, and you should run it again and post the log.

It pays to periodically clear your browser cache and is something I normally do before scans.

What do you know about this file/program, e.g. do you have some sort of startup manager program, etc.?

I'm also wondering why these are in the C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\ area and not in a normal User account location?

The slightly good news is that you don't appear to have a Virus infection or the logs would be full of it in the .exe files across your system.

But it looks like there might be a rootkit at work hiding what is a trojan downloader and protecting/restoring these files.

I'm no malware removal specialist, so you will need more help and I will try to contact someone to help, but they won't be on the forums for a few hours yet.
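The triage the previous replies are doing by hand (find out exactly what is detected and where, see whether the same System32 file keeps coming back, and count what the shield caught after the last boot-time scan) can be scripted. The following is an added example, not code posted in this thread or part of avast; the log line layout (timestamp, full path, detection name) is constructed for the example and is not avast's real report format, and the sample lines are constructed too.

```python
"""Triage a list of antivirus detection lines: group hits by folder, flag paths
that keep being re-detected (a sign that something is restoring them), and count
detections logged after a given boot-time scan.

Added example. The line layout and the sample data below are constructed for
illustration; they are not avast's real report format.
"""
import ntpath
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines: "<timestamp> <full path> <detection name>".
SAMPLE_LOG = """\
2011-06-01 10:02:11 C:\\WINDOWS\\System32\\84.exe Win32:Rootkit-gen
2011-06-01 10:05:40 C:\\Documents and Settings\\NetworkService\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\a[1].exe Win32:Malware-gen
2011-06-01 11:30:02 C:\\WINDOWS\\System32\\84.exe Win32:Rootkit-gen
2011-06-01 12:15:55 C:\\WINDOWS\\system32\\x.exe Win32:Malware-gen
2011-06-02 08:00:19 C:\\WINDOWS\\System32\\84.exe Win32:Rootkit-gen
2011-06-02 09:41:03 C:\\Documents and Settings\\NetworkService\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\b[1].exe Win32:Malware-gen
"""

# Paths may contain spaces, so the path is matched non-greedily and the
# detection name is the last whitespace-free token on the line.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?) (\S+)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Return a list of (timestamp, path, detection) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append((datetime.strptime(m.group(1), TS_FORMAT), m.group(2), m.group(3)))
    return records


def norm(path):
    """Case-fold a Windows path so System32 and system32 are treated as one folder."""
    return ntpath.normcase(path)


def detections_by_folder(records):
    """Count detections per folder (case-insensitive)."""
    return Counter(ntpath.dirname(norm(path)) for _, path, _ in records)


def repeated_paths(records, min_hits=2):
    """Paths detected at least min_hits times: candidates for 'something is restoring this file'."""
    hits = Counter(norm(path) for _, path, _ in records)
    return {path: n for path, n in hits.items() if n >= min_hits}


def detections_after(records, cutoff):
    """Records logged strictly after cutoff (e.g. the time of the last boot-time scan)."""
    return [r for r in records if r[0] > cutoff]


def triage(text, last_boot_scan):
    """Summarise a log; last_boot_scan is a timestamp string in TS_FORMAT."""
    records = parse_log(text)
    cutoff = datetime.strptime(last_boot_scan, TS_FORMAT)
    return {
        "by_folder": detections_by_folder(records),
        "restored": repeated_paths(records),
        "new_since_boot_scan": len(detections_after(records, cutoff)),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, "2011-06-01 12:00:00")
    for folder, count in summary["by_folder"].most_common():
        print(f"{count:3d}  {folder}")
    for path, count in summary["restored"].items():
        print(f"re-detected {count} times: {path}")
    print("detections since last boot-time scan:", summary["new_since_boot_scan"])
```

Run against a real report you would adapt LINE_RE to the actual layout; the useful part is the grouping: a folder with dozens of hits across different .exe names points at a file infector, while one path re-detected again and again under the same name points at a downloader or loader that is being put back.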

First we will try to clear all your Temp locations:
TFC - Temp File Cleaner by OldTimer 
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Next we will see if you have an MBR rootkit.

[quote="essexboy"]
Download [url=http://public.avast.com/~gmerek/aswMBR.exe]aswMBR.exe[/url] ( 511KB ) to your desktop. 

Double click the aswMBR.exe to run it 

Click the "Scan" button to start scan 

http://public.avast.com/~gmerek/aswMBR1.png
 
 
On completion of the scan click save log, save it to your desktop and post in your next reply 

http://public.avast.com/~gmerek/aswMBR2.png
[/quote]
After that we can figure out what is next, whilst waiting for specialist help.