Struggling with malware-gen

Hello,

I am afraid I am another victim of Malware-gen, as Avast likes to remind me :o(
I have followed all instructions found on other people’s posts but I guess each infection is specific so the removal parameters have to be as well…

So, instead I have followed the “Malwarebytes Anti-Malware” then “OTS” scan approach and I now hope someone can help me eradicate my unwanted visitor.

Could you guys please help my desperate self? :-[

More specifically, I have:

  1. Malwarebytes’ Anti-Malware
  • Installed mbam and downloaded the update
  • Performed a quick scan
  • Restarted my PC
  • Pasted the log file contents at the end of this post
  2. OTS
  • Downloaded OTS
  • Closed all other programs (but Avast)
  • Started OTS
  • Checked the box that says Scan All Users
  • Under Additional Scans checked the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Clicked “Run Scan”
  • Uploaded the resulting log file here: http://www.mediafire.com/?b9y0vhdhh83bby3

===============================

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4610

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

14/09/2010 21:50:18
mbam-log-2010-09-14 (21-50-18).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 311839
Time elapsed: 1 hour(s), 30 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\z\keygen.exe (Malware.Packer.Gen) → Quarantined and deleted successfully.

===========================================================

Again, thanks in advance!
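Reading one of these MBAM logs by hand is fine for a single post, but anyone triaging many of them wants the summary counts, the listed detections and the action MBAM took pulled out automatically, and wants to notice when a paste was truncated (summary count and listed items disagree) or when an item is still waiting on a reboot. The parser below is an added example written for this thread, not code from Malwarebytes or from the forum; the sample log is constructed to mirror the layout of the 1.46 log posted above, and the "Delete on reboot" action string used in the variant is assumed from MBAM's logging conventions rather than taken from this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample reproducing the layout of the MBAM 1.46 log above.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.46

Database version: 4610

Windows 6.1.7600

14/09/2010 21:50:18
mbam-log-2010-09-14 (21-50-18).txt

Scan type: Full scan (C:\\|D:\\|)
Objects scanned: 311839
Time elapsed: 1 hour(s), 30 minute(s), 18 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\\z\\keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""

# Constructed variant: the summary claims two files but only one is listed
# (a truncated paste), and that one could not be removed until reboot
# ("Delete on reboot" is an assumed MBAM action string, not from the thread).
TRUNCATED_LOG = SAMPLE_LOG.replace("Files Infected: 1", "Files Infected: 2").replace(
    "-> Quarantined and deleted successfully.", "-> Delete on reboot.")

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")      # summary block
SECTION_RE = re.compile(r"^(.+ Infected):$")          # per-category header
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str   # e.g. "Files Infected"
    item: str       # file path or registry key/value
    threat: str     # MBAM detection name, e.g. "Malware.Packer.Gen"
    action: str     # what MBAM did with it


@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def is_clean(self):
        return not self.detections and all(n == 0 for n in self.counts.values())

    def count_mismatches(self):
        """Categories whose summary count differs from the items actually listed:
        {category: (claimed, listed)}. Non-empty usually means a truncated paste."""
        listed = {}
        for d in self.detections:
            listed[d.category] = listed.get(d.category, 0) + 1
        return {c: (n, listed.get(c, 0)) for c, n in self.counts.items()
                if n != listed.get(c, 0)}

    def pending_reboot(self):
        """Detections MBAM scheduled for removal at next restart."""
        return [d for d in self.detections if d.action.lower().startswith("delete on reboot")]


def parse_mbam_log(text):
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = HEADER_RE.match(line)
        if m:
            report.header[m.group(1)] = m.group(2)
            continue
        m = COUNT_RE.match(line)
        if m:
            report.counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            report.detections.append(
                Detection(section, m.group("item"), m.group("threat"), m.group("action")))
    return report


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("truncated variant", TRUNCATED_LOG)):
        r = parse_mbam_log(log)
        print(name, "| db", r.header.get("Database version"), "| clean:", r.is_clean(),
              "| mismatches:", r.count_mismatches(), "| reboot pending:", len(r.pending_reboot()))
        for d in r.detections:
            print("   ", d.category, "->", d.item, f"({d.threat})", "->", d.action)
```

The parser keys everything off the section header it last saw, so registry keys, values and files all land in the right category without separate regexes; the summary block is parsed independently so that `count_mismatches()` can flag a log whose detection list was cut off when it was pasted.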

Hi NedTheSnake,

Concerning this malware,
%SysDir%\keygen.exe

Name %SysDir%\keygen.exe

Description
keygen.exe is a worm W32.Delf-LY.
keygen.exe spreads via file sharing on P2P networks.
Related files:
%System%\keygen.exe
%System%\svchost.exe
More info: http://www.sophos.com/security/analyses/viruses-and-spyware/w32delfly.html
Removal:
Kill keygen.exe process and remove keygen.exe from Windows startup.

polonus

Once this run is complete can you let me know what problems remain

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[QUOTE][Unregister Dlls]
[Registry - Safe List]
< BHO’s [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
YY → {BB902710-259F-4FA2-9A5B-12F1E8E0B8A7} [HKLM] → C:\Windows\System32\dlo5fae.dll
[Files/Folders - Created Within 30 Days]
NY → z → C:\z
NY → tmp1 → C:\tmp1
[Files/Folders - Modified Within 30 Days]
NY → T8O1x6Vak.dat → C:\ProgramData\T8O1x6Vak.dat
NY → z → C:\Users\God\z
NY → ÐøÃ → C:\Windows\ÐøÃ
[Files - No Company Name]
NY → z → C:\Users\God\z
NY → T8O1x6Vak.dat → C:\ProgramData\T8O1x6Vak.dat
[Custom Items]
:files
C:\Windows\tasks\At*.job
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[/quote]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

EssexBoy,

Thanks so much for your help.
After following your instructions, OTS said it had to reboot. After rebooting, here is the log I got: http://www.mediafire.com/?b9qa9x4xle90bli

Do I need to do anything more?

Thanks a bunch!
Ned

Let's have a quick look for orphans - what problems are apparent now?

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Hi EssexBoy,

Following your instructions, the results look encouraging… Are they really?
I do not notice anything wrong now but the virus was not that visible before (sometimes several hours without anything wrong)

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4623

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15/09/2010 22:21:54
mbam-log-2010-09-15 (22-21-54).txt

Scan type: Quick scan
Objects scanned: 136095
Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Leave it run for 24 hours and if there are no further problems I will remove my tools and tidy you up ;D

Great! Is it ok if I run a deep scan of Avast, Windows Defender and MalwareBytes AntiMalware?

Is there a risk that my external hard drive, which I disconnected since the virus showed up, has been infected as well? If so, should I run a scan for it too?

Many many thanks,
Ned

Hello,
I went ahead and ran full scans on the various tools I have. Results are:

  • Malware Bytes Anti Malware - Full scan: nothing found
  • Windows Defender - Full scan: nothing found
  • OTS - Scan All Users + “All” options selected for processes, modules, etc. + all additional scans checkboxes ticked: nothing found
  • Avast Full scan: 3 Trojan-gen threats detected, as shown in screenshot http://www.mediafire.com/?7jahw2j7ha2337m :frowning: :frowning: :frowning:

I have not selected the action to perform in Avast yet.
What should I do here and then?

Many thanks,
Ned

Let Avast remove them as they are temporary files

Any further recurrence?

Hi EssexBoy,
This worked great - thanks soooooo much! :slight_smile:
Cheers,
Ned

Actually, while all scans are negative, I have a new issue, which is that Windows Update does not work anymore and gives me an error code 88072EFE. Googling that, I see that this can be affected by viruses.
Do you think this could be related here? :s
Thx,
Ned

Try the MS fixit from here http://support.microsoft.com/kb/971058 as that is an unusual error