Win32:Malware-gen and Win32:Evo-gen [Susp] Infection Found

Hello all,

Earlier this morning I ran a virus scan using Avast! Free Antivirus. It turned up one instance of Win32:Malware-gen, and it put the infected file in the Virus Chest since it could not fix the file automatically. I found two other files in the Virus Chest that had not been turned up by any scans but were in the chest anyway. These were both listed as being infected by Win32:Evo-gen [Susp].

The Win32:Malware-gen infected file was:

C:\Documents and Settings\Dan Popp\Local Settings\temp\CmdLineExt03.dll

The Win32:Evo-gen [Susp] infected files were:

C:\System Volume Information\_restore{D806B665-44B9-4F1C-BD2A-8E1333720957}\RP174\A0030445.dll

and

C:\Program Files\Common Files\SureThingShared\mvmcc.dll

I hadn’t noticed any of these problems before, and according to the Virus Chest, the files were just put there this week - Jan. 26 for the Win32:Evo-gen [Susp] infections, and today, Jan. 28 for the Win32:Malware-gen infection.

I scanned the CmdLineExt03.dll file, and I received a pop-up message in a little grey box saying:

Scan Complete

CmdLineExt03.dll Win32:Malware-gen

When I scanned the A0030445.dll file, I received a pop-up message in a little grey box saying:

Scan Complete

A0030445.dll – no virus –

and for the mvmcc.dll file,

Scan Complete

mvmcc.dll – no virus –

I then proceeded to the “Logs to assist in cleaning malware” thread, ran the recommended scans (Malwarebytes, Farbar Recovery Scan Tool, and aswMBR) and received the logs, which I have attached below.

If there is any other information I can give to help remove these viruses, please let me know!

> These were both listed as being infected by Win32:Evo-gen [Susp].

It is not an actual infection, it is a suspicious warning: Win32:Evo-gen [Susp] = suspicious.

> If there is any other information I can give to help remove these viruses, please let me know!

If moved to the chest, then they are removed, unless you get repeated detections on these.

a malware expert will check your logs later today

The detection is in system restore, we will clear those at the end

What problems are you experiencing

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

> CreateRestorePoint:
> HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
> HKU\S-1-5-21-2000478354-651377827-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
> ProxyEnable: [S-1-5-21-2000478354-651377827-839522115-1003] => Internet Explorer proxy is enabled.
> ProxyServer: [S-1-5-21-2000478354-651377827-839522115-1003] => localhost:21320
> FF NetworkProxy: "type", 1
> EmptyTemp:
> CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that
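The fixlist above resets a WinINET proxy pointed at the local machine and removes Internet Explorer policy keys. As an added example, not code from the thread or from FRST, the following PowerShell script audits those same locations read-only, so a defender can confirm the settings before and after a fix. It assumes an elevated PowerShell prompt on the machine being checked; the registry paths and value names are the real WinINET / Internet Explorer locations, while the function names and the report layout are my own.

```powershell
# Added example, not code from the thread or from FRST: a read-only audit of the
# proxy settings and IE policy keys that the fixlist above resets. Run from an
# elevated PowerShell prompt on the machine being checked. The registry paths and
# value names are the real WinINET / Internet Explorer locations; the function
# names and the report layout are my own.

# Expose HKEY_USERS so that profiles other than the logged-on user can be audited.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Test-LoopbackProxy {
    param([string]$ProxyServer)
    # ProxyServer is "host:port" or "http=host:port;https=host:port;...".
    # A proxy pointing at the local machine means something running locally sits
    # between the browser and the network, which is what the fixlist removed
    # (localhost:21320) and is rarely legitimate on a home PC.
    return [bool]($ProxyServer -match '(^|;)(\w+=)?(localhost|127\.0\.0\.1|\[::1\])(:\d+)?($|;)')
}

function Get-ProxyAuditFindings {
    # Returns one object per finding across HKCU, every loaded HKU profile and HKLM.
    $userHives = @('HKCU:') + @(Get-ChildItem 'HKU:' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" })

    $findings = @()
    foreach ($hive in $userHives) {
        $inet = Join-Path $hive 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        if (Test-Path $inet) {
            $p = Get-ItemProperty -Path $inet
            if ([int]$p.ProxyEnable -eq 1 -and $p.ProxyServer) {
                $findings += [pscustomobject]@{
                    Kind       = 'WinINET proxy enabled'
                    Location   = $inet
                    Value      = [string]$p.ProxyServer
                    Suspicious = Test-LoopbackProxy $p.ProxyServer
                }
            }
            if ($p.AutoConfigURL) {
                # A PAC script can redirect traffic as effectively as a static proxy.
                $findings += [pscustomobject]@{
                    Kind       = 'Proxy auto-config URL set'
                    Location   = $inet
                    Value      = [string]$p.AutoConfigURL
                    Suspicious = $true
                }
            }
        }
        # Policy keys normally exist only on domain-managed machines; on a home PC
        # their presence is what FRST reported as "Policy restriction".
        $policy = Join-Path $hive 'Software\Policies\Microsoft\Internet Explorer'
        if (Test-Path $policy) {
            $findings += [pscustomobject]@{
                Kind       = 'IE policy key present'
                Location   = $policy
                Value      = (@((Get-Item $policy).GetValueNames()) + @((Get-ChildItem $policy).PSChildName)) -join ', '
                Suspicious = $true
            }
        }
    }
    $machinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    if (Test-Path $machinePolicy) {
        $findings += [pscustomobject]@{
            Kind       = 'IE policy key present'
            Location   = $machinePolicy
            Value      = (@((Get-Item $machinePolicy).GetValueNames()) + @((Get-ChildItem $machinePolicy).PSChildName)) -join ', '
            Suspicious = $true
        }
    }
    return $findings
}

# Constructed sanity check of the loopback test: the value from the fixlist must
# be flagged, a typical corporate proxy string must not.
if (-not (Test-LoopbackProxy 'localhost:21320')) { throw 'expected loopback to be flagged' }
if (Test-LoopbackProxy 'http=proxy.corp.example:8080;https=proxy.corp.example:8080') { throw 'corporate proxy wrongly flagged' }

Get-ProxyAuditFindings | Format-Table Kind, Suspicious, Location, Value -AutoSize
```

Run it once before applying a fix to record what is set, and again afterwards: an empty table (or only entries you recognise, such as a corporate proxy) is the expected clean state. Firefox's own proxy preference, which the fixlist also resets, lives in the profile's prefs.js rather than the registry and is not covered here.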

Well, so far, I haven’t noticed anything out of the ordinary except for general sluggishness with my browser (Firefox). It’s slow to open, and then slow to load pages but that might not necessarily have anything to do with the infection.

The only real problem that I’ve had is that the scan I ran yesterday turned up an infection of Win32:Malware-gen, and upon scanning the infected file by itself, Avast maintained that it was infected with Win32:Malware-gen. Other than that, I wouldn’t have known anything was wrong.

I just ran the Fix now, and I’ve attached the Fixlog below:

This will now purge the restore points so that you will not get the alert again

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Thank you for helping me out, Essexboy :slight_smile:

I do have some questions though.

Out of curiosity, what did my logs reveal? Was there truly a malware infection, or false positives? Is the Win32:Malware-gen totally gone now?

Also, come to think of it there has been a couple of problems I didn’t think of before. Sometimes when loading a web page, my browser would just stop - it wouldn’t complete loading the page, and I’d have to refresh and try again. In addition to that, I received some emails from Microsoft a while ago about suspicious login activity for my Hotmail account. I wonder if either of these issues are at all connected to my recent malware problem.

Can I now delete the files that are in the Virus Chest, that were marked as infected?

And is it now safe to do things again like entering my social security number and other personal information to apply to jobs online, or to make online purchases with a credit or debit card again?

I downloaded the programs you recommended (CryptoProtect and Unchecky) and I’m already using the following anti-malware measures:

-Avast! free antivirus
-Windows Firewall
-Malwarebytes free version
-Malwarebytes Anti-Rootkit (beta)
-Malwarebytes Anti-Exploit
-NoScript

and I was thinking of downloading a keyscrambler as well.

There was no malware as such, you did have a proxy set on IE which has now been reset

The detection was on an old Norton definition file, maybe, or whatever your previous AV was

You can empty the virus chest

Have you changed your Hotmail password? If not, then do it now

As far as I can see there is no malware present

I just ran a virus scan this morning, and my machine turned up clean!

Then I went ahead and deleted all the files in the Virus Chest. Everything seems to be fine.

Thanks again for helping me, it’s much appreciated.

My pleasure :slight_smile: