Win32 Malware-gen and Win32 Trojan-gen

Avast has detected both Win32 Malware-gen and Win32 Trojan-gen. I have run full scan, quick scan, boot scan, and Avast can’t seem to remove. Sometimes it is able to remove (delete or move to chest) infected files, but sometimes not. Also, I have found that as long as I am connected to the internet, something is downloading more viruses on my computer. In the last few days I have only connected long enough to download updates to virus removal tools. I am unsure as to whether MBAM has removed the problem, but I don’t really want to reconnect to the internet and contract more viruses.

I am hoping someone can read the logs and tell me what I still need to do.

MBAM:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4277

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/5/2010 9:55:18 AM
mbam-log-2010-07-05 (09-55-18).txt

Scan type: Quick scan
Objects scanned: 129457
Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\BILEVSE (Rogue.RegTidy) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
F:\Documents and Settings\Bryan\Application Data\BILEVSE (Rogue.RegTidy) → Quarantined and deleted successfully.
F:\Documents and Settings\Bryan\Application Data\BILEVSE\RegistryConvoy2009 (Rogue.RegTidy) → Quarantined and deleted successfully.
F:\Documents and Settings\Bryan\Application Data\BILEVSE\RegistryConvoy2009\Backup (Rogue.RegTidy) → Quarantined and deleted successfully.
F:\Documents and Settings\Bryan\Application Data\BILEVSE\RegistryConvoy2009\Backup\Registry (Rogue.RegTidy) → Quarantined and deleted successfully.

Files Infected:
F:\RECYCLER\S-1-5-21-448539723-796845957-839522115-1004\Df108.exe (Rogue.RegTidy) → Quarantined and deleted successfully.
F:\Documents and Settings\Bryan\Local Settings\Temp~nsu.tmp\Au_.exe (Rogue.RegTidy) → Quarantined and deleted successfully.
F:\Documents and Settings\Bryan\Application Data\BILEVSE\RegistryConvoy2009\Backup\Registry\20100610203524.reg (Rogue.RegTidy) → Quarantined and deleted successfully.
F:\Documents and Settings\Bryan\Application Data\avdrn.dat (Malware.Trace) → Quarantined and deleted successfully.

I also have OTL Logs but character length is greater than maximum allowed in a post

Have you tried to attach

down left corner: additional options > attach

do you get CLEAN if you scan again with MBAM ?

Okay OTL log and OTL Extras log attached

Essexboy will look at your log when he arrives…

Rogue RegTidy/RegistryConvoy: Would you let him do your marketing?
http://hphosts.blogspot.com/2009/07/rogue-regtidyregistryconvoy-would-you.html
http://www.mywot.com/en/forum/4013-regtidy-2009?comment=17912

I do not like the reader_s detection as that usually comes with Virut

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
MOD - [2010/05/31 08:21:13 | 000,040,960 | -H-- | M] () -- F:\WINDOWS\system32\msfepsrv.dll
O4 - HKLM..\Run: [Jdoja] F:\WINDOWS\uyiseciyopubopit.DLL File not found
O4 - HKU\S-1-5-21-448539723-796845957-839522115-1004..\Run: [Qkugejivulu] F:\WINDOWS\cpname.DLL (Open Source Software community project)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O33 - MountPoints2\{7480e0ba-d708-11db-9598-806d6172696f}\Shell\AutoRun\command - "" = E:\madden06.exe -- [2005/07/11 20:15:42 | 000,180,224 | R--- | M] ()
O36 - AppCertDlls: cscrCCTL - (F:\WINDOWS\system32\msfepsrv.dll) - F:\WINDOWS\system32\msfepsrv.dll ()
[2010/06/07 22:57:45 | 000,000,000 | ---- | M] () -- F:\WINDOWS\Ddeditefesufiya.bin

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I have attached both OTL and Combofix logs

Thanks for the help thus far!

I see that Norton still has four or five drivers still running. Download and run the Norton removal tool from here to clear them http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039

After this run can you let me know what problems remain

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
FF - prefs.js..extensions.enabledItems: {48B5D70A-7488-4F98-AE68-67ABB20A10C0}:1.9.1
FF - HKLM\software\mozilla\Firefox\extensions\\{48B5D70A-7488-4F98-AE68-67ABB20A10C0}: F:\Documents and Settings\Bryan\Local Settings\Application Data\{48B5D70A-7488-4F98-AE68-67ABB20A10C0} [2010/05/31 08:24:03 | 000,000,000 | ---D | M]
O4 - HKLM..\Run: [vptray] F:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [Qkugejivulu] F:\WINDOWS\cpname.DLL File not found
O33 - MountPoints2\{7480e0ba-d708-11db-9598-806d6172696f}\Shell\AutoRun\command - "" = E:\madden06.exe -- [2005/07/11 20:15:42 | 000,180,224 | R--- | M] ()
[2010/05/31 08:24:15 | 000,000,120 | ---- | M] () -- F:\WINDOWS\Oqeme.dat
[2010/06/06 08:51:11 | 000,000,000 | ---D | M] -- F:\Documents and Settings\All Users\Application Data\Avg7

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

It seems the problems have been fixed. I left it connected to the internet for some time, then performed a boot scan with Avast to see if anything showed up. Nothing showed up on that scan, and things seem to be operating fairly normally…

Hopefully the log can confirm what I am experiencing?

Thanks again!

Looks good ;D

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following


:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS] 
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 20.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u20-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u20-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

@ rfhone,

While we appreciate your comment, this will not work for this OP. The OP is working with a Certified Malware Removal expert.

You are welcome to browse the forum or post in a New Topic, of your own as this will just confuse the current thread. Go to this link, http://forum.avast.com/index.php, click the New Topic button at the top of the list and post in the appropriate forum.

uhh that rfhone looks like spammer, especially since that registryfix thing is red on WOT

Yes and they are history now.

Yeah, I reported him last night. Sorry about the post.