Win32:Malware-gen: Avast won't get rid of it!

Yesterday, after booting my computer, it froze. After about 15-20 min it unfroze and, believing it was a hardware problem such as dust/overheating, I decided I would clean it with some Dust-Off later. I surfed the web for a bit after it unfroze and realised my sound was not working; I checked my hardware and saw that the audio playback section was greyed out. On top of that, my PC was not able to recognise a flash drive I had plugged in.

After some research on the net I realised it was a virus and ran an Avast scan, which found 6 items and removed all but 2: Win32:Malware-gen. I think it also said the file was c:\windows\sukuolql.dll.

So then I ran Malwarebytes and it found another 12 infections, again removing all but the Win32:Malware-gen; I think it could have said loader as well, but I can't check at the moment because I'm running a boot scan with Avast. I have all previous scan logs saved and will post them upon request.

If the boot scan is able to remove it, I would like to be absolutely sure that it's gone and not just hiding and replicating, which it seems to be doing.

Also I should mention that Avast had been sending a lot of my driver files to the chest; is this why my computer did not detect any playback hardware? Thanks in advance!

EDIT: These are the results of the boot scan. The file c:\windows\temp_avast5_\trzF.tmp was infected by Win32:Malware-gen. It has been moved to the chest.

The file c:\windows\temp_avast5_\trz10.tmp is infected by Win32:Rootkit-gen [RTK] and could not be deleted or moved to the chest.

Also there is now a warning when I boot up that states sukuolql.dll cannot be found, probably because it's been moved to the chest?

Hi huinstinct,

  1. What is your OS?
  2. What product and version of Avast did you install? Free, Pro, AIS / 5.0.677?

Please update MBAM and run a scan again, but this time cut and paste the MBAM log to your next post. Make sure if anything comes up positive in MBAM that you put it into quarantine.

What is sitting in your Virus Chest now? Can you give us a snapshot?

Also make sure your Avast definitions are up to date and let us know if you get any other warnings when you boot up. Thanks.

After making the MBAM log post, please check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining OTL logs – there will be 2 logs (you already did the MBAM log part). Post the 2 OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). We can then analyze this in the meantime for any malware, and if any malware is found we will refer you to one of our malware experts.

Please let us know if you have any questions. Thank you.

I've got Avast! Free Antivirus
Program version: 5.0.677
Definitions version: 100914-0

And I'm running on Windows XP Media Center Edition. Here is my MBAM log:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4612

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

9/14/2010 4:39:10 AM
mbam-log-2010-09-14 (04-39-10).txt

Scan type: Full scan (A:|C:|D:|)
Objects scanned: 177705
Time elapsed: 22 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'm still getting the warning on boot: 'Error loading c:\windows\sukuolql.dll The specified module could not be located.'
I looked and it is indeed in the chest.

The computer doesn't freeze anymore, but the task bar at the bottom doesn't work for around 5 mins.

Here are the shots of my virus chest:

http://i852.photobucket.com/albums/ab81/huinstinct/btt.jpg

http://i852.photobucket.com/albums/ab81/huinstinct/btt2.jpg

http://i852.photobucket.com/albums/ab81/huinstinct/btt3.jpg

I see

Internet Explorer 6.0.2900.5512

That is very vulnerable to attack, so you should upgrade to IE8.

Stay Safer Online
http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
Increased performance
http://www.microsoft.com/windows/internet-explorer/features/faster.aspx

I'm using Firefox and so have ignored prompts to upgrade to IE 8; you think it's still a liability?

Yes, treat IE as part of your OS (because it is); keep it as up to date as possible.

Just because you never use it on your PC doesn't mean someone else can't try to use it.

It is essential to keep IE up to date as it is integrated into the OS; many functions use the display properties of IE behind the scenes that you wouldn't imagine.

Try this - I notice System Restore is disabled; I would recommend enabling it, as it is better than no backup at all.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O4 - HKCU..\Run: [Xhohevaxi] C:\WINDOWS\sukuolql.DLL File not found
O4 - HKLM..\Run: [Uyeseboyoradiyu] C:\WINDOWS\enuvijuki.DLL ()

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, and reboot the PC when it is done

@ huinstinct,

I’m going to let Essexboy take over your malware removal from here. Once done, I’ll check back in with you.

@ Essexboy, Thank you for reading my mind…I was going to PM you about this. :wink:

Here's the log from the fix. Thanks safesurf :stuck_out_tongue:

Essexboy is on UK time, so he will respond to you later in the day/eve (depending on your time zone), and give you further instructions. Thank you. :slight_smile:

I am not happy about the number of system files Avast found, so I would like to run another AV - this will take a while as it is deep.

I am thinking that there may be a file infector.

Download Dr.Web CureIt to the desktop.

- Double-click the drweb-cureit.exe file, then on Start, and allow it to run the express scan.
- This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, choose the Complete Scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow (http://perplexus.geekstogo.com/drweb_green_arrow.jpg) at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look and see if you can click the following icon next to the files found: http://perplexus.geekstogo.com/drweb_check.gif
- If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image: http://perplexus.geekstogo.com/drweb_move.gif
- This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
- Save the report to your desktop. The report will be called DrWeb.csv.
- Close Dr.Web CureIt.
- Reboot your computer to allow files that were in use to be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

So I started the Dr.Web scan last night and let it run while I was sleeping. When I woke up the progress bar was 1/16th of the way filled and the speed at which it was scanning was around 45kbs. I had school (which is where I'm typing this) and won't be back until 10pm, so I stopped the scan and shut down my PC. I'm afraid of leaving it on for more than 24hrs. Is this the normal speed at which it does a complete scan, and should I just leave it on when I start it again tonight?

Did it report anything on the first part of the scan?

Yes. The quick scan showed two infected files, one of which was deleted when I hit the "Yes to all" button; the other was not deleted or cured to my knowledge. It didn't say anything about its status, while the other said 'Deleted'. I think it was deemed suspicious.

Also, a prompt asked me something about returning my HOSTS files (what are these?) to their original state, which I clicked yes on.

When I get home I will see if there is a log of the quick scan to try and get you the names of the files I mentioned above. THANK YOU for your patience!

Does Dr.Web use my internet connection? Because that has slowed down greatly as well. Thanks again.

I did another quick scan when I got home; again it found the same suspicious file. This is the log; it's only one line, so I'll just copy and paste it here before doing the complete scan again.

wbfrmwrk.exe;c:\program files\web framework;Probably DLOADER.Trojan;Incurable.Moved.;

EDIT: Again the full scan slowed down and was only 1/16th of the way full after 12 hrs. I had to stop it because I had homework to do.

Still with me?