Virus Win32:Malware-Gen, how can I get rid of it?

I scanned my laptop and it appears that C:\Windows.old.000\users\Monskieth\AppData\Local\Temp\pavtmp & C:\Windows.old.000\Program Files\Data0.Net Software\Portable Antivirus are infected by Win32:Malware-gen. How can I get rid of the virus? Is it safe to delete it, or is it a false positive?

Hey, I suggest you upload the file to virustotal.com and post the result here. Otherwise you can try MBAM and/or SAS and see what they come up with.

http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/

Good luck, and write back if you are having problems.

and welcome to the forum.

Step 1: Windows Disk Cleanup Utility ============

1 Press Windows Key + R
2 Type in: cleanmgr
3 Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4 Click OK

Step 2: avast! Boot Time Scan ============

1 Double click avast! antivirus desktop icon and wait for memory test to complete
2 avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan…
3 Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4 You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time

Step 3: Malwarebytes Antimalware (MBAM) ============

1 Download Malwarebytes’ Antimalware here
2 Proceed to installing MBAM after downloading
3 On the last dialog box, do not forget to leave Update Malwarebytes’ Antimalware and Run Malwarebytes’ Antimalware checked
4 Malwarebytes’ Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5 When scan is completed, click Show Results
6 Click Remove Selected and then, a notepad file will appear.
7 On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.

Step 4: Hijack This (HJT) ============

1 Download Trend Micro Hijack This here
2 Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is already displayed by default). Click Install
3 HJT Window will appear. Click Do a system scan and save a logfile. A notepad file will pop-up once the scan is completed
4 Click on the Notepad window and click File > Save As and save the file on your desktop
5 Go back here on your topic and start a reply. On the Reply window, click Additional Options
6 Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)
NOTE: Do not have HJT fix anything yet.

I don’t know what everyone is jumping up and down about; if you look at the path to the infected file, you will see it appears to be something related to Panda AntiVirus (pavtmp) and a portable antivirus, see below. So, far from being false positives, I believe the detections are good, but on the unencrypted virus signatures of both.

{C:\Windows.old.000\users\Monskieth\AppData\Local\Temp\pavtmp
&
C:\Windows.old.000\Program Files\Data0.Net Software\Portable Antivirus}

So the questions are:
Have you installed a portable antivirus (if so, uninstall it, as the signatures should be encrypted to prevent detection)?

Have you used any Panda AntiVirus products ?

Hi, I’m a newbie. :-[… and I did what you wrote down here. And I have 2 attachments here. So, what do I do next? :cry:


This is what you should fix with HJT:

C:\WINDOWS\system32\FastNetSrv.exe
The filename is associated with these malware groups:
Banking Info Stealer
Rootkit
System Back Door
Malicious Software Trojan
Nasty

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll

This entry is classified as malware, spyware, adware, or other potentially unwanted software
Should be fixed.

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
Nasty Fix

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll

Nasty
Must be fixed! SearchSettings.dll - Vendio “Search Settings” foistware - reportedly installed without notice - see here, http://groups.google.com/group/mozilla.support.firefox/browse_thread/thread/dcc6bd1e6009abe8 and here, http://www.tutorials-win.com/SupportXP/

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Vendio “Search Settings” foistware, bundled with its Dealio toolbar, which is in turn bundled with numerous third party applications
Nasty

O20 - AppInit_DLLs: C:\WINDOWS\TEMP\42844kou.dll c:\windows\system32\dukotova.dll,pehuraba.dll

Use Windows Command Prompt to Unregister dukotova.dll & pehuraba.dll Files

To open the Windows Command Prompt, go to Start > Run > type cmd and then click the “OK” button.
Type “cd” in order to change the current directory, press the “space” button, enter the full path to where you believe the pehuraba.dll DLL file is located and press the “Enter” button on your keyboard. If you don’t know where the pehuraba.dll DLL file is located, use the “dir” command to display the directory’s contents.
To unregister the “pehuraba.dll” DLL file, type in the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, C:\Spyware-folder> regsvr32 /u pehuraba.dll) and press the “Enter” button. A message will pop up that says you successfully unregistered the file. Do the same for the other file.

O21 - SSODL: pirumotan - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
Fix

O22 - SharedTaskScheduler: gahurihor - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
Fix

O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
Nasty (2.17 / 5.00)
Fix

polonus
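The HijackThis entries above are judged by eye: a component registered with “(no file)”, a system.ini Shell= value that is more than Explorer.exe, DLLs listed in AppInit_DLLs, and one CLSID showing up in several sections. The following is an added example (not code from HijackThis, avast, or the poster) that parses log lines in the “Onn - Kind: a - b - c” format quoted in this reply and applies exactly those four structural rules. The sample log is constructed from the lines quoted above plus one hypothetical clean service entry (“exupd”, a made-up name) for contrast. It deliberately does not judge services by file reputation, so the FastNetSrv.exe entry is not flagged; that call needs a hash lookup such as the VirusTotal upload suggested earlier in the thread.

```python
"""Parse HijackThis-style log lines and flag structural persistence indicators."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the entries quoted in polonus' reply, plus one
# hypothetical clean service line (exupd / Example Vendor) for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\TEMP\42844kou.dll c:\windows\system32\dukotova.dll,pehuraba.dll
O21 - SSODL: pirumotan - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
O22 - SharedTaskScheduler: gahurihor - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Example Updater (exupd) - Example Vendor (hypothetical) - C:\Program Files\Example\exupd.exe
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+):\s*(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str             # HJT section, e.g. "O20"
    kind: str             # text between the code and the first colon
    fields: List[str]     # remaining " - " separated fields
    clsid: Optional[str]  # upper-cased GUID if the line carries one
    raw: str


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and anything that is not an HJT entry
        fields = [f.strip() for f in m.group("rest").split(" - ")]
        cm = CLSID_RE.search(line)
        entries.append(Entry(m.group("code"), m.group("kind").strip(), fields,
                             cm.group(0).upper() if cm else None, line))
    return entries


def split_appinit(value: str) -> List[str]:
    # AppInit_DLLs separates entries with spaces or commas; a bare filename
    # is resolved from the system directory when the value is loaded.
    return [p for p in re.split(r"[,\s]+", value) if p]


def analyse(entries: List[Entry]) -> List[Finding]:
    sections_by_clsid: Dict[str, set] = defaultdict(set)
    for e in entries:
        if e.clsid:
            sections_by_clsid[e.clsid].add(e.code)

    findings = []
    for e in entries:
        reasons = []
        if e.fields and e.fields[-1].lower() == "(no file)":
            reasons.append("orphaned entry: component is registered but its file is missing")
        if e.code == "F2":
            m = re.search(r"shell=(.*)$", e.raw, re.IGNORECASE)
            if m and m.group(1).strip().lower() != "explorer.exe":
                reasons.append(f"shell hijack: Shell={m.group(1).strip()!r} instead of Explorer.exe")
        if e.code == "O20" and e.kind.lower() == "appinit_dlls":
            dlls = split_appinit(" - ".join(e.fields))
            reasons.append(f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process that loads user32")
            for d in dlls:
                if re.search(r"\\temp\\", d, re.IGNORECASE):
                    reasons.append(f"{d}: DLL loaded from a TEMP directory")
                elif "\\" not in d:
                    reasons.append(f"{d}: bare filename, resolved from the system directory")
        if e.clsid and len(sections_by_clsid[e.clsid]) > 1:
            others = sorted(sections_by_clsid[e.clsid] - {e.code})
            reasons.append("same CLSID also registered under " + ", ".join(others))
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def flagged_lines(text: str) -> Dict[str, List[str]]:
    """Map each flagged raw line to its reasons."""
    return {f.entry.raw: f.reasons for f in analyse(parse_entries(text))}


if __name__ == "__main__":
    for raw, reasons in flagged_lines(SAMPLE_LOG).items():
        print(raw)
        for r in reasons:
            print("    ->", r)
```

Run against the constructed sample, seven of the nine lines are flagged; the two O23 service lines pass the structural rules, which is the point: a service entry with a real file on disk tells you nothing until the file itself has been checked.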

… Seriously, I’m not familiar with the Windows Command Prompt and also… English. Can you please show me a little more detail? Thank you very much


You have serious rootkit infection, HJT is no use to you. From your MBAM log C:\WINDOWS\system32\drivers\kbiwkmbpbpfqxy.sys (Rootkit.TDSS) → No action taken.

You should run Combofix and post the log. Follow all instructions carefully
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Here is it the log file.
Thank you for helping me


Combofix has removed the rootkit. Your pc has many infections. I would uninstall combofix now http://www.bleepingcomputer.com/forums/index.php?s=eab68518186b64fb0677524792426b02&showtopic=114269&view=findpost&p=650524
You should now run a full scan with MBAM, this time have it remove the threats it finds and post the log.
I would then reboot and run another scan with MBAM and see if anything removed the first time returns. Your pc is so infected, I am hoping Essexboy will look at your logs and comment.

I’ve tried it but, first, I accidentally installed combofix into desktop\Downloads. And I can’t uninstall the program. Then I typed

CMD (enter)
C:\Documents and Settings\Dominic Nguyen>cd Desktop\Downloads
Desktop\Downloads\Combofix /u
enter

… And the combofix started to run scan and give me the log again

Please help

Hi

Let’s see if I can help a bit here. You still have some nasty infections.

We’ll use combofix again, but run it differently.

First locate combofix.exe on your desktop, right click it and select delete.

Download a new copy from one of these links and save it directly to your desktop. DO NOT run it yet.

It must be on your desktop, not in a folder on your desktop.

Link 1
Link 2

Please follow all previous instructions regarding security programs.

Open a new Notepad session
- Click the Start button, click Run
- In the Run box type notepad
- Click OK
- In the Notepad, click “Format” and be certain that Word Wrap is not checked.

- Copy and paste all the text in the code box below into the Notepad. Do not copy the word CODE

File::
c:\windows\system32\FastNetSrv.exe
C:\jlkdtrnv.exe
C:\tfwhkfp.exe
C:\mwoqywsu.exe
c:\windows\system32\netskt.sys

Driver::
fastnetsrv
BtwSrv
netskt

NetSvcs::
BtwSrv


In the Notepad
- Click File, Save as…, and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
- Click Save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post the combofix log in your next reply.

Thanks

Here is my log file. BTW, thank you

Hi

That looks much better. Did you run MBAM before running the fix I posted?

Please make an uninstall list
- Start HijackThis
- Click the Config button
- Click the Misc Tools button
- Click the Open Uninstall Manager button.
- Click the Save list button and save it to your desktop.
When you press Save, a Notepad will open with the contents. Copy/paste the contents of the Notepad file in your next reply.

Please post the uninstall list and a new HJT log.

Thanks

Thanks for replying,
Yes, I did run MBAM, because I had waited too long for someone to reply to my post. LOL

Hi

Ok, that explains what happened to some of those entries I had in the CFScript.

Let’s see if anything is left.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Please go to Kaspersky website and perform an online antivirus scan.

- Read through the requirements and privacy statement and click on the Accept button.
- It will start downloading and installing the scanner and virus definitions.
- You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button

  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases

- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As
- Change the Files of type to Text file (.txt)
- Set the Save In to Desktop
- Click the Save button.
- Please post this log in your next reply.

Thanks for waiting … I ran the scan last night, and the power went out when it was about to finish, LOL. So, I have to run it again this morning.
BTW, here is the file
… And… Uhm, do I have to uninstall combofix, now?

I have the same problem with my ISP installation software… so I deleted it, re-downloaded it to my desktop and verified it, and it still shows as a Virus Win32:Malware-gen!
I am not PC literate but need to connect; is it dangerous for me to log on with this file? Remember I cannot do so without it!
Thanks for any help here.

Mr. Oldman please help me :cry:

Thank you

Hi domdom63,

My apologies, I missed your post. We will remove combofix shortly.

One bad detection, the other 2 are in restore points and will be removed when we remove combofix.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
- Click the Start button, click Run
- In the Run box type notepad
- Click OK
- In the Notepad, click “Format” and be certain that Word Wrap is not checked.

- Copy and paste all the text in the code box below into the Notepad. Do not copy the word CODE

File::
C:\WINDOWS\tepie\install.48143.exe

Dirlook::
C:\WINDOWS\tepie


In the Notepad
- Click File, Save as…, and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
- Click Save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post back with the combofix log.

Thanks