Win32:Malware-gen Help?

I use Avast! Free Antivirus and lately it has detected files infected with Malware-gen on my computer.
Right now it's in the Avast Virus Chest.
Originally there were only two files detected; however, after a few days these files were found again in the same location and were placed into the Virus Chest.

Files Detected:
BdeUISrvb.exe - located at C:\Windows\Temp

pls22[1].exe - located at C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5(some code here)

Can anyone help me with removing this virus from my computer?

Clean all your temp files with
TFC - Temp File Cleaner by OldTimer http://www.geekstogo.com/forum/TFC-Temp-File-Cleaner-OldTimer-file187.html
Note: the program will reboot the computer.

Check your computer for Malware with

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
After installing, click Update so you have the latest database before scanning.
Click the Remove Selected button to quarantine anything found.
You may post the scan log here if anything is found.

1. Clear your temp files: http://www.piriform.com/ccleaner
2. Do a Dr.Web CureIt scan: http://www.freedrweb.com/cureit/?lng=en
3. Scan your system for rootkits: http://www.usec.at/rootkit.html
4. Scan with MBAM: http://www.malwarebytes.org/mbam.php
5. Post a Hijack Hunter log in this topic: http://www.novirusthanks.org/products/hijack-hunter/
6. We will provide a cleaning script; you should run it with Threat Killer.

Using Hijack Hunter:
1. After downloading, install the program.
2. From the GUI, press Scan.
3. Post the log here or attach it.
4. The Restorer page contains helpful resources to fix policy-related problems.

Using Threat Killer:
1. From the main GUI, browse for the clean script file, then press Execute!
2. Post the log on the forum.

Attached: Hijack Hunter Log

I couldn't find Threat Killer as you mentioned.

Nothing was detected by Dr.Web CureIt, nor did MBAM find anything.
Every time I did the scan for rootkits, the system shut down on me.

Upload the following file to VirusTotal - http://www.virustotal.com/ - and post the result here:
C:\Windows\TEMP\Gpr.exe

check out this link
http://htlogs.com/

This infection may be fixed using HijackThis - for starters anyway.
Click here (takes you directly to the download):
http://www.filehippo.com/download_hijackthis/download/8571e06e5eb8ab03c649f3b5d647c599/

Download and run it.
Then do a scan and save a log file.
Post the log file here as you have done with Hunter.

The malware entry will be an O4 entry corresponding to the following:
Value: EWABQAF7KL
Data: C:\Windows\TEMP\Gpr.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

Solution - put a check in the box next to the entry, go down to the bottom left corner and click Fix Checked.

Then run Malwarebytes again and see what comes up.

HijackThis log attached.

The only values I found in the log that were related to your reply were:

O4 - HKUS\S-1-5-18\..\Run: [EWABQAF7KL] C:\Windows\TEMP\Gpr.exe (User 'SYSTEM')

and

O4 - HKUS\.DEFAULT\..\Run: [EWABQAF7KL] C:\Windows\TEMP\Gpr.exe (User 'Default user')

but it wasn't completely identical to the location/values you posted,
so I was not sure whether I should Fix Check it as you said.
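As an added illustration (not code from this thread, from HijackThis or from any of the posters), the Python below parses O4 lines in the format quoted above and flags autorun entries whose command lives in a temp directory, keeping the hive so that HKU\S-1-5-18, HKU\.DEFAULT and HKCU entries can be told apart; the sample log is constructed, and the two Gpr.exe lines mirror the ones quoted in the thread.

```python
import re

# Shape of a HijackThis O4 line (reconstructed from the lines quoted in this
# thread):  O4 - <hive>\..\Run: [<value name>] <command> (User '<account>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?\s*$"
)

# Autorun commands living in scratch directories are a classic dropper sign
# (the thread's Gpr.exe sat in C:\Windows\TEMP).
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                "\\temporary internet files\\", "\\content.ie5\\")

# Hives whose Run entries execute without an interactive logon: SYSTEM
# (SID S-1-5-18) and .DEFAULT, both present in the thread's log.
SYSTEM_HIVES = ("s-1-5-18", ".default")


def parse_o4(line):
    """Return a dict (hive, name, cmd, user) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_o4_entries(log_text):
    """Flag O4 entries whose command points into a temp directory, keeping
    the hive so HKU\\S-1-5-18, HKU\\.DEFAULT and HKCU can be told apart."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and any(mk in entry["cmd"].lower() for mk in TEMP_MARKERS):
            hive = entry["hive"].lower()
            entry["runs_as_system"] = any(h in hive for h in SYSTEM_HIVES)
            hits.append(entry)
    return hits


# Constructed sample log (not the thread's attachment): two Gpr.exe lines
# mirroring the ones quoted in the thread, plus two benign entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-18\..\Run: [EWABQAF7KL] C:\Windows\TEMP\Gpr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EWABQAF7KL] C:\Windows\TEMP\Gpr.exe (User 'Default user')
"""

if __name__ == "__main__":
    for hit in suspicious_o4_entries(SAMPLE_LOG):
        print(hit["hive"], hit["name"], hit["cmd"], hit["runs_as_system"])
```

Run against a real HijackThis log, it prints only the entries worth a second look; an entry flagged with runs_as_system True will reappear on every boot until the key itself is removed.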

Okay, wait some hours (or less) and I will make you the clean script to execute in Threat Killer:
http://www.novirusthanks.org/products/threat-killer/

@ Bandaids

Yes, the entry needs to be Fix Checked.

My values come from your Hijack Hunter log.

@mkis

I Fix Checked the values like you said and ran a scan with Malwarebytes.
Nothing was found.

Okay, you should be fine.

  • I think do your regular tune-up stuff and keep running MBAM now and then to see if it's completely clean.

@mkis

Thanks.
But is there a way to completely make sure that the virus is no longer there?

The files are still in the Avast Virus Chest.
I also did a HijackThis scan again and those values you mentioned were still there.

Hey, you've got more problems than the GPR.EXE problem; wait some time until the clean script is done.

I attach two files: clean.txt and reg_fix.txt
1. From the Threat Killer GUI, browse for clean.txt (after downloading it from my post), then Execute! it.
2. Post the log here.
3. Show file extensions, from Folder Options.
4. Rename reg_fix.txt to reg_fix.reg.
5. Run the reg_fix.reg file, then press OK.
6. Restart your system.

Threat Killer Log:

Threat Killer - Scriptable Malware Remover 1.7.2.0
http://www.novirusthanks.org
Log started on 7/10/2010 at 1:00:38 AM
32-bit OS

[+] Script Executer Log:

(kill process) C:\Windows\TEMP\Gpr.exe → Error: Process does not exist
Backup of C:\Windows\TEMP\Gpr.exe failed.
(delete files) C:\Windows\TEMP\Gpr.exe → Error: The system cannot find the file specified
(empty folders) C:\Users\irene\AppData\Local\Temp\ → Is empty
There are no more files

Did you scan immediately after Fix Checked and see if it was gone?

  • if not, then you need more than HJT
  • if so, then we know it regenerated

Can you follow these instructions:

Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy, then paste the following text in the “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"EWABQAF7KL"=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes.
When the tool is finished, it will produce a report for you.

deleted

I believe the file has regenerated.
I have attached the report OTM produced in this post.

Okay.

Is it still regenerating?
Does everything seem to be running okay?

Use CCleaner to clear the temporary internet cache: http://www.piriform.com/ccleaner

Also make sure that Windows is always kept up to date - you may have a necessary security update missing.

Microsoft report

I believe the file is still regenerating, as the value is still appearing in HijackThis.
I have Fix Checked it again, just to make sure.
But after I immediately redo the scan, the file shows up again.

Also, it seems that ‘gpr.exe’ cannot be found in my Temp folder.

Make sure that you are disconnected from the internet.

Boot into Safe Mode:

  • turn the computer off
  • lightly tap the F8 key as the computer is turned on
  • this should take you to a page with the Safe Mode option (you may first be asked what to boot - choose your hard drive)

Run HijackThis in Safe Mode and you should be able to remove the entry.

Then see how it's doing.