Win32:adware-gen (please help)

Hi, a while back (November), I was surfing the web and the dreaded popup for “Antivirus 2009” was across my screen. I did not install it. I simply closed the window and investigated for a while. I found that the most unanimous advice for the issue was to scan with Malwarebytes’ Anti-Malware. After both an in-depth scan and a quick scan, the rogue software was not found on my machine.

Yesterday, however, I started to experience a problem when organizing my favorites on Firefox. I clicked on a favorite to see what it was (part of the site www.guitarsland.com) and got an HTML:Iframe-gen issue. I couldn’t find any assistance with that. While investigating THAT, the following was unearthed: “Win32:Adware-gen [Adw].”

The following is my log:

12/4/2008 11:03:34 PM Compaq_Owner 4000 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP374\A0053525.dll” file.
12/4/2008 6:24:45 PM Compaq_Owner 4000 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\Program Files\Compaq Connections\5577497\Program\Interop.SHDocVw.dll” file.
12/4/2008 12:52:33 PM SYSTEM 1360 Sign of “HTML:Iframe-gen” has been found in “C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ha1fsy7y.default\Cache\EAA0461Bd01” file.
12/4/2008 12:52:20 PM SYSTEM 1360 Sign of “HTML:Iframe-gen” has been found in “http://www.guitarsland.com/favicon.ico” file.
12/4/2008 12:52:19 PM SYSTEM 1360 Sign of “HTML:Iframe-gen” has been found in “http://www.guitarsland.com/favicon.ico” file.
10/28/2008 8:44:46 PM SYSTEM 1240 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
9/22/2008 4:21:33 PM Compaq_Owner 1508 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP314\A0047567.exe” file.
9/22/2008 3:51:13 PM Compaq_Owner 1508 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Keyfinder Advanced 2007 (Trial Version)\Crack\keyfinder.exe” file.
9/21/2008 3:47:44 PM SYSTEM 1368 Sign of “SWF:Downloader [trj]” has been found in “http://122.141.78.2/ff.swf” file.

THE FOLLOWING IS WHAT’S LISTED UNDER “ALL CHEST FILES” IN MY VIRUS CHEST:

A0053525.dll
Interop.ShDocV.dll
kernel32.dll
winsock.dll
wsock32.dll

After scanning the last 3 .dll files, no virus was found. When I selected all 5 files and scanned, the following text was displayed:

In the “Resume” tab:

Scanning of selected files

Action was completed successfully!

Virus has been detected!
File Name: Interop.SHDocVw.dll
FileID: 7
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: A0053525.dll
FileID: 8
Virus Description: Win32:Adware-gen [Adw]

In the “Detailed Information” tab:

Scanning of selected files

Program will try to scan 5 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp
FileID: 0000000008 Original file name: C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP374\A0053525.dll New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\8.dll
FileID: 0000000007 Original file name: C:\Program Files\Compaq Connections\5577497\Program\Interop.SHDocVw.dll New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\7.dll
FileID: 0000000001 Original file name: C:\WINDOWS\system32\kernel32.dll New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\1.dll
FileID: 0000000002 Original file name: C:\WINDOWS\system32\winsock.dll New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\2.dll
FileID: 0000000003 Original file name: C:\WINDOWS\system32\wsock32.dll New folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\3.dll

Scan files in the temporary folder: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\1.dll – no virus –
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\2.dll – no virus –
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\3.dll – no virus –
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\7.dll Win32:Adware-gen [Adw]
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_avast4_\unp97551445.tmp\8.dll Win32:Adware-gen [Adw]

Here are my stats, per your FAQ:

Avast! Version 4.8 Home Edition (VPS 081204-0)
Build 4.8.1296
Xtreme Toolkit Version 1.9.4.0
Windows XP Home Edition Version 2002 Service Pack 3
Mozilla Firefox 3.0.4
Firewall: Went to Security Center, and it says that the Windows Firewall is ON

In advance, thanks for any and all help. I really appreciate this resource.

The three clean files are in Chest for backup purposes. So they’re clean.
The other two seem infected. You can leave them in the Chest (it’s safe) or delete them.
The iFrame detected seems to be a part of that webpage that seems infected or hacked.
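
Added example, not part of the original thread: a small Python triage of avast! warning-log lines like those in the first post, grouping each detection by where it was found (restore point, file on disk, browser cache, URL), which is the distinction the reply above draws. The category names and the `classify`/`triage` helpers are assumptions of this sketch; the sample lines are adapted from the posted log.

```python
import re
from collections import defaultdict

# Sample lines adapted from the log in the first post (straight quotes).
SAMPLE_LOG = r'''12/4/2008 11:03:34 PM Compaq_Owner 4000 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP374\A0053525.dll" file.
12/4/2008 6:24:45 PM Compaq_Owner 4000 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\Compaq Connections\5577497\Program\Interop.SHDocVw.dll" file.
12/4/2008 12:52:33 PM SYSTEM 1360 Sign of "HTML:Iframe-gen" has been found in "C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ha1fsy7y.default\Cache\EAA0461Bd01" file.
12/4/2008 12:52:20 PM SYSTEM 1360 Sign of "HTML:Iframe-gen" has been found in "http://www.guitarsland.com/favicon.ico" file.
10/28/2008 8:44:46 PM SYSTEM 1240 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
9/22/2008 4:21:33 PM Compaq_Owner 1508 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP314\A0047567.exe" file.
9/22/2008 3:51:13 PM Compaq_Owner 1508 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Keyfinder Advanced 2007 (Trial Version)\Crack\keyfinder.exe" file.
9/21/2008 3:47:44 PM SYSTEM 1368 Sign of "SWF:Downloader [trj]" has been found in "http://122.141.78.2/ff.swf" file.'''

# Fields: timestamp, user, numeric field, signature name, location (straight or curly quotes).
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<user>\S+) \d+ '
    r'Sign of [“"](?P<sig>.+?)[”"] has been found in [“"](?P<loc>.+?)[”"] file\.$')

def classify(loc):
    """Map a detection location to a triage category (names are this sketch's own)."""
    low = loc.lower()
    if low.startswith(("http://", "https://")):
        return "url"              # flagged in web traffic, not a file on disk
    if "_restore{" in low:
        return "system_restore"   # copy kept inside a System Restore point
    if "\\cache\\" in low:
        return "browser_cache"    # cached web content in the browser profile
    return "live_file"            # file in place on disk

def triage(log_text):
    """Return ({category: [(signature, location), ...]}, skipped_line_count)."""
    groups, skipped = defaultdict(list), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            skipped += bool(line.strip())   # non-detection entries, e.g. update errors
            continue
        groups[classify(m["loc"])].append((m["sig"], m["loc"]))
    return dict(groups), skipped

if __name__ == "__main__":
    groups, skipped = triage(SAMPLE_LOG)
    for cat, hits in sorted(groups.items()):
        print(cat, len(hits))
        for sig, loc in hits:
            print("   ", sig, "->", loc)
    print("skipped non-detection lines:", skipped)
```
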

Posting multiple topics for the same question just duplicates the effort for those trying to help.

I answered about the system file back-ups in your other topic http://forum.avast.com/index.php?topic=40706.msg341242#msg341242.

Didn’t mean to do that. When I initially posted the topic, it wouldn’t show up in the forum. Then I checked to see if it is moderated first, and I didn’t see any indication of that. So, after about five minutes, I thought I had just pressed the wrong button and simply previewed it, so that’s why it was entered twice. My bad! I appreciate your help, though.

You’re welcome. Normally the post is displayed right away, though on occasion the forum gets slow or reports an error, but you would normally notice that.