Win32:Malware-gen and other issues

Hello avast! team!

I have been running avast! for several months and am very happy with it. My PC was recently infected however, and any help to fix would be greatly appreciated.

Symptoms:
I started receiving the Win32:Malware-gen pop-up from avast! a couple of days ago. Around the same time, I started getting redirects to ad pages from Google search result links - but only in Firefox. IE still worked fine.

I ran a couple things to scan / try to clean:
SpyBot S&D
MalwareBytes Anti-Malware (after updating) (ran multiple times)

MBAM found and removed a number of things, but the issue did not go away. Also the problem has now gotten worse. When I boot normally, I get a blank screen after logging in. The only thing I can bring up is Task Manager using Ctrl-Alt-Delete. I can boot in Safe mode, but can’t access the internet while in Safe mode. Fortunately I have a backup PC (from which I am writing this), and can download any needed tools and transfer them with a flash drive. I don’t think I will be able to run any online scans (like Kaspersky) at the moment though.

Will wait to hear back from someone before uploading anything to this thread or running anything else.

Am running XP SP3 BTW.

Thanks in advance for any help!!

Hi Orrin777,

Welcome to the avast forum,

Anyway, have you tried:

  1. Turning off your System Restore?
  2. Scanning with the avast antivirus boot-time scan?

cheers,

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
     1. DDS.txt
     2. Attach.txt

Save both reports to your desktop. Post DDS.txt back to the topic (as an attachment).


http://img688.imageshack.us/img688/126/20110116103748.png

Thanks Yanto and argus for the quick responses!

Turning off System Restore allowed me to boot normally again. That is a relief since it will be much easier to clean if I can download/upload directly from the infected PC.

When I listed S&D and MBAM earlier, I forgot to mention I also tried avast boot time scan. I think that is actually when it started to boot to a blank screen (went to blank screen after logging in).

Should I run avast boot-time scan again now that I’m back out of Safe Mode, or run DDS?

(and if I run the avast scan, should the heuristics sensitivity be set to Normal or High, or does it matter?)

Thanks!

Meant to add - I am still getting the Google redirect in FF. Here is an example (sanitized):

hxxp://www.infomash.org/100/7181/search.php?k=services%20transcription&sid=be85a7162840ac1f2b2650730a0e6971

I am also still getting the Win32:Malware-gen infection error from avast when starting FF. The Object is C:\WINDOWS\system32\winlogon.exe.

Hi Orrin777,

It's up to you which is easier for you to do first…

Basically I would recommend that you set the heuristics sensitivity to high, and please don't forget to tick those two checkboxes below; after that you may start the boot-time scan again…

cheers,

Orrin777, run DDS. It is a diagnostic tool.

Thanks. Ran DDS. File is attached.

DDS log is clean. To see deeper:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully.

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix:
    http://www.bleepingcomputer.com/forums/topic114351.html

Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

Thanks argus. Gotta get some sleep… I will run ComboFix tomorrow and post the results.

Ok :slight_smile:

ComboFix ran successfully. Looks like it found and fixed a couple things. :slight_smile:

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Infected copy of c:\windows\explorer.exe was found and disinfected

Attaching the log. Haven’t tried anything else yet (like running FF to see if the redirect issue and Win32:Malware-gen issues are gone) - will wait for further instructions.

Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

DDS::
uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU&version=1.90&language=English&module=LU&error=1827&build=Symantec



Save this as CFScript to desktop


http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

thanks for the reply. Before I do that, could you explain what that will do? (pardon my lack of knowledge for not knowing simply by reading the instructions.)
Just curious since it references Symantec, but I am not currently running anything from Symantec that I am aware of.

Thanks for your patience.

You had Symantec before avast but did not uninstall it properly.

This script will remove the remains from the registry and Internet Explorer.
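For readers who, like Orrin777 above, want to know what a CFScript will touch before dragging it onto ComboFix, here is a small preview parser. It is an added example for this thread, not ComboFix's own code, and it only covers the directives visible in the posted script (a `Registry::` section whose `[-KEY]` lines delete whole keys, and a `DDS::` section listing DDS log items to reset) plus the common `"Name"=-` value-deletion form, which is assumed here since the thread does not show it. The sample input is constructed from the script posted above, with the Symantec URL shortened.

```python
"""Preview what a ComboFix CFScript would change, without running ComboFix.

Added example for this thread; not ComboFix's own code. It understands the
directives seen in the thread plus the assumed '"Name"=-' value-deletion form.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the CFScript posted in the thread ("hxxp" is the defanged URL form).
SAMPLE_SCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

DDS::
uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")        # e.g. "Registry::" or "DDS::"
KEY_DELETE_RE = re.compile(r"^\[-(.+)\]$")         # "[-HKEY...]" deletes the whole key
KEY_OPEN_RE = re.compile(r"^\[(.+)\]$")            # "[HKEY...]" selects a key for value lines
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')     # '"Name"=-' deletes one value (assumed form)


@dataclass
class CFScriptPlan:
    """Everything the script would do, grouped by action."""
    delete_keys: List[str] = field(default_factory=list)
    delete_values: List[Tuple[str, str]] = field(default_factory=list)  # (key, value name)
    reset_dds_entries: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)  # anything we could not classify


def parse_cfscript(text: str) -> CFScriptPlan:
    """Walk the script line by line, tracking the current section and registry key."""
    plan = CFScriptPlan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == "Registry":
            if (m := KEY_DELETE_RE.match(line)):        # must be tested before KEY_OPEN_RE
                plan.delete_keys.append(m.group(1))
                current_key = None
            elif (m := KEY_OPEN_RE.match(line)):
                current_key = m.group(1)
            elif (m := VALUE_DELETE_RE.match(line)) and current_key:
                plan.delete_values.append((current_key, m.group(1)))
            else:
                plan.unknown.append(line)
        elif section == "DDS":
            plan.reset_dds_entries.append(line)     # each line names a DDS item to revert
        else:
            plan.unknown.append(line)
    return plan


def describe(plan: CFScriptPlan) -> List[str]:
    """Render the plan as one human-readable line per action."""
    lines = []
    for key in plan.delete_keys:
        lines.append(f"DELETE registry key: {key}")
    for key, name in plan.delete_values:
        lines.append(f"DELETE registry value: {key}\\{name}")
    for entry in plan.reset_dds_entries:
        lines.append(f"RESET DDS item: {entry}")
    for entry in plan.unknown:
        lines.append(f"UNRECOGNISED (check by hand before running): {entry}")
    return lines


if __name__ == "__main__":
    for line in describe(parse_cfscript(SAMPLE_SCRIPT)):
        print(line)
```

Run it against the CFScript you were given and it lists the two Symantec Security Center keys that would be deleted and the one Internet Connection Wizard entry that would be reset; any line it cannot classify is flagged so you can ask about it before running the script.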

Thanks for the explanation. Sorry for the delay - busy work schedule. ComboFix ran successfully - log attached.

Excellent :slight_smile:

  1. Click Start, then Run.

  2. In Run, type in the following code (note the space between the x and the /) and press Enter:

ComboFix /Uninstall

Bye…

Thanks for the help! - everything seems to be working fine. :smiley:

Anything else I should do?

I don't know if this type of uninstallation method is reliable or not. But I always saw Essexboy recommend that the user download OTL and run the "CLEAN UP".

I do not know what is controversial.

This command uninstalls Combofix

Everyone has their own way of working :wink:

@Orrin777

I recommend that you install this program: MCShield
It will prevent infection of the computer via USB flash drive, mobile phone or any memory card.
And not only will it prevent infection, but it will immediately clean the memory card or external HDD.

The program is very good

Currently on the internet there is no better program for that purpose.
The program is free.