Win32:Malware-gen Help Please! Cannot repair/move to chest

Hello,

Just created an account here because I need some help. I'll try to describe the problem as best I can and hope someone can help me.

First of all, I didn't get any warnings from avast. I use the free version, and its version is 7.0.1426.

A couple of days ago I noticed a weird file on C:\. It was a .txt file called blitzerr.txt, so I scanned it and no virus was found. Then I opened it to take a look, and it was filled with text like this:
“Sat Jun 09 20:13:56 2012
Polled…”

So, since it seemed weird to me that that file appeared from nowhere, I went ahead and performed a boot-time scan, and it found 3 threats, the following:

C:\Windows\Installer\8a316.msi|>Data1.cab|>settings32.exe

C:\ProgramData\Win7codecs{2DEFA6D0-5D83-4ED1-BBA4-69A8482E60E2}\Win7codecs.msi|>Data1.cab|>settings32.exe

C:\Program Files\Win7codecs\Tools\settings32.exe

All threats found were Win32:Malware-gen, and the severity for all of them was High.

Then, first I tried repairing all those files, but I got the following error message: “Error: The system cannot find the specified file (2)” → I translated this to English, so the actual message might be a little different, but it should mean the same thing.

Then I tried moving them to the chest, but I got the following error message: “Error: The Operation is not supported for this type of archive.(42111)”

One weird thing I found was that of those 3 files, I could only find one of them in Windows Explorer (yes, I have it set to show hidden files/folders).
I could not find these two locations: C:\Windows\Installer\8a316.msi|>Data1.cab|>settings32.exe and C:\Program Files\Win7codecs\Tools\settings32.exe. The other one was the only one where I could actually locate the file (C:\ProgramData\Win7codecs{2DEFA6D0-5D83-4ED1-BBA4-69A8482E60E2}\Win7codecs.msi|>Data1.cab|>settings32.exe).

So I started searching for a solution or advice on the forums but couldn't find anything too specific. I did try two different things.

First I went to virustotal.com and scanned the one file I could find, which I described above, and of the roughly 40 scanners it used, it got detected by only 3 of them. Avast and GData both found Win32:Malware-gen, and ANTIY-AVL found a different threat, Trojan/Win32.VBKRYPT.gen.

The next thing I did (from what I got on the forums) was to download and run Malwarebytes Anti-Malware. When I performed the scan the first time, it found another threat, but it wasn't the same one I described here. It was something else that I am pretty sure was a false positive. Nonetheless, I fixed that other issue and ran both a quick scan and a full scan, and in neither case was the same Win32:Malware-gen detected.

I will copy/paste both mbam logs below (I'll just change my name in the file for privacy).

FULL SCAN LOG:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.10.08

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
MYNAME :: MYPCNAME [administrator]

11/06/2012 03:18:09
mbam-log-2012-06-11 (03-18-09).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 353254
Time elapsed: 50 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

QUICK SCAN LOG:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.10.08

Windows 7 x86 NTFS
Internet Explorer 9.0.8112.16421
MYNAME :: MYPCNAME [administrator]

11/06/2012 03:12:15
mbam-log-2012-06-11 (03-12-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 211655
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

After I ran mbam the first time (when it found a different threat, and after I fixed that one), I ran a boot-time scan again and the problem was still there, though this time it only found 2 threats:
C:\Windows\Installer\8a316.msi|>Data1.cab|>settings32.exe
C:\ProgramData\Win7codecs{2DEFA6D0-5D83-4ED1-BBA4-69A8482E60E2}\Win7codecs.msi|>Data1.cab|>settings32.exe
I tried again to repair and move to chest but got the same error messages.

Another thing I thought was curious: after I ran the first boot-time scan, I ran a full system scan and it did not find any threats, but I went to C:\ProgramData\Win7codecs{2DEFA6D0-5D83-4ED1-BBA4-69A8482E60E2}\Win7codecs.msi|>Data1.cab|>settings32.exe
and scanned Win7codecs.msi alone, and then it found the Win32:Malware-gen threat, and again I couldn't repair or move it to the chest.

So, can anyone help me with my problem? What's the next step?

I thought about running the boot-time scan again and then just deleting the files when the threat is found and I'm asked what to do, but I am not sure if doing that would affect my PC, so I decided to open a forum account here and ask for help.

I see from many of the replies that I will probably have to attach some log files, and I would prefer to do that via e-mail if I can, just so I don't have to put my personal info in a file anyone can download. Also, I would be available for a chat on AIM if that would go faster and you prefer it that way.
You can e-mail me if you prefer to exchange AIM info or to use e-mail instead of the forum. My e-mail address is my username here at walla.com.

Thanks a lot, and sorry if the post was too long. I tried to describe everything as best as I could so you would get a better picture of the situation.

Thanks again

Hello,
send us (virus@avast.com) the file to analyze, please. Put “False positive” to email subject. Pack (zip or 7-zip) the file with password “virus” without quotes.

Milos

The file is too big; I cannot attach it to an e-mail …

By the way, I didn't say I think this file is a false positive. I said that the other threat found, which has already been removed, was, I think, a false positive.

You can send it using filemail.com… the receiver then gets a download link.

Data1.cab is a compressed archive file… Malwarebytes does not scan archive files.
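Added example, not from the thread and not avast's or Malwarebytes' code: since the whole .msi was too large to e-mail and the detection names a file nested two levels down (Win7codecs.msi, then Data1.cab, then settings32.exe), the embedded settings32.exe itself can be pulled out with 7-Zip, hashed, and zipped with the password "virus" as requested above. 7-Zip only reads the MSI (a compound file in which the CAB is stored as a stream) and never runs the installer. Assumptions: 7-Zip at its default install path, PowerShell 4 or later for Get-FileHash, and the MSI path copied as quoted in the thread, which should be adjusted to the real one.

```powershell
# Added example, not from the thread: extract settings32.exe from inside
# Win7codecs.msi -> Data1.cab, hash it, and zip it with the password "virus".
# Assumes 7-Zip at its default path. 7-Zip only reads the MSI (a compound
# file with the CAB stored as a stream), so nothing from it is executed.
param(
    # Path as quoted in the thread; replace with the real path on the machine.
    [string]$Msi      = 'C:\ProgramData\Win7codecs{2DEFA6D0-5D83-4ED1-BBA4-69A8482E60E2}\Win7codecs.msi',
    [string]$Cab      = 'Data1.cab',
    [string]$Inner    = 'settings32.exe',
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe',
    [string]$Work     = (Join-Path $env:TEMP 'msi-extract')
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path $SevenZip)) { throw "7-Zip not found at $SevenZip" }
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Invoke-7z {
    # Run 7z.exe with the given arguments and fail loudly on a non-zero exit code.
    & $SevenZip @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7z $($args -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Pull the CAB stream out of the MSI (the "|>" separators in the avast log
#    mark exactly these nesting levels).
Invoke-7z 'e' $Msi "-o$Work" $Cab '-y'

# 2. Pull the flagged executable out of the CAB.
Invoke-7z 'e' (Join-Path $Work $Cab) "-o$Work" $Inner '-y'

$sample = Join-Path $Work $Inner
if (-not (Test-Path $sample)) { throw "$Inner not found inside $Cab" }

# 3. Hash it. VirusTotal keys its reports on the SHA-256, so the report for
#    this exact file can be looked up or compared without uploading it again.
Get-FileHash -Path $sample -Algorithm SHA256
Get-FileHash -Path $sample -Algorithm MD5

# 4. Pack it for submission the way the avast request asks: zip, password "virus".
$zip = Join-Path $Work 'sample.zip'
Invoke-7z 'a' '-tzip' '-pvirus' $zip $sample
Write-Host "Submit $zip with the subject 'False positive'"
```

The same two-step extraction applies to the copy under C:\Windows\Installer once that folder is visible (it is hidden as a protected operating system folder, see below): pass its .msi path as -Msi. Comparing the SHA-256 printed here with the one on the VirusTotal report confirms that the file sent to the lab is the same one the scanners judged.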

Thanks … I sent the file using filemail.

So, what do I do about this?

Let Essexboy have a look and advise you… attach (don't copy and paste) the OTL and aswMBR logs.
http://forum.avast.com/index.php?topic=53253.0

He is usually in here late UK time…

pondus, will he read this? I can't send private messages, so I can't ask him to take a look at my thread … are you able to ask him?

OK, I ran OTL and the logs are attached.

But I could not complete the aswMBR scan. I tried to run the scan twice, and both times the program stopped and had to be closed.

Hi, nothing readily apparent in the logs, but as aswMBR failed to run I would like to use a similar programme.

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application.

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

- Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

- Click the Start Scan button.

- If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

- Get the report by selecting Reports.

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

OK, thanks for the reply.

I ran the scan and it found one suspicious and no malicious objects.

I could not copy/paste the report, as I got this message: “The message exceeds the maximum allowed length (10000 characters).”

So I saved the contents of the report to a .txt file and attached it here. Hope that's OK.

Also, when I ran the OTL scan I did as described in the thread about assisting in malware removal, with the following settings in the Custom Scan box:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%USERPROFILE%..|smtmp;true;true;true /FP
CREATERESTOREPOINT

Maybe I should do a scan with nothing pasted there, or with different settings?

Thanks again.

They look to be false positives, as they are legitimate Win7codecs files.

As they have been sent to Avast, they should no longer be detected.

Try a rescan to see if the definitions have been updated and they are no longer flagged as a threat.

OK, will do that.

Just wanted to ask one more thing before I run the boot-time scan again.

Don't you think it's weird that I could not locate the file at C:\Program Files\Win7codecs\Tools\settings32.exe, as that is also the location the shortcut in the Start menu program list points to for that program?

Let me try to be clearer. I click on the Start menu and go to “All Programs”, I go to “Shark007 Codecs” (it shows under this name, but it's the same location/program as Win7codecs), and the shortcut there is also for that file, C:\Program Files\Win7codecs\Tools\settings32.exe.
Shouldn't I be able to find that file? Isn't that suspicious?

And also, I can't even find the folder C:\Windows\Installer from the first post where I list the threat found (C:\Windows\Installer\8a316.msi|>Data1.cab|>settings32.exe). Isn't that weird too?

Thanks for your help.

The Installer folder is hidden intentionally by Windows.

If you wish, I can look to see where that file really resides.

Paste the following script into OTL and press quick scan

/md5start
settings32.exe
/md5stop

Even if I have Windows Explorer set to show hidden folders/files (sorry if this question is dumb …)?

I did the new OTL scan with those custom settings; the log is attached.

That file is no longer on your computer… the Installer folder is, to coin a phrase, super hidden.
Under the "show system files and folders" option there is another checkbox, “Hide system protected files”; this is the bit protecting it.

OK, got it.

I'll run a boot-time scan now, and after it's done I'll report the results here.

By the way, I don't understand this:

Since the file is no longer on my computer, why is it getting detected as a threat? How does that work?

Thanks

Let me know if it is getting detected… OTL ignores all hidden settings, so if it was there it would have seen it.

I ran the boot-time scan and nothing was found this time … guess that was a false positive then.

I still don't understand why the file that you say was no longer on my computer was getting detected as a threat (the first time around).

I just have one more thing to ask that I think is suspicious. At the beginning of my initial post, I mentioned I found a weird .txt file on C: that I don't know where it came from, named blitzerr.txt. I scanned it and found nothing, I checked its contents and then sent it to the Recycle Bin. Then the next time I turned my PC on, it was there again on C:.
Don't you think that's suspicious? Is there a way to find out how that file was created and by what program?

I'll copy/paste its contents so you can take a look and see what you think:

Sat Jun 09 20:13:56 2012
Polled…

Sat Jun 09 20:13:56 2012
Polled…

Sat Jun 09 20:13:57 2012
Polled…

Sat Jun 09 20:13:57 2012
Polled…

Sat Jun 09 20:13:58 2012
Polled…

Sat Jun 09 20:13:58 2012
Polled…

Sat Jun 09 20:13:59 2012
Polled…

Sat Jun 09 20:13:59 2012
Polled…

Sat Jun 09 20:14:00 2012
Polled…

Sat Jun 09 20:14:00 2012
Polled…

Sat Jun 09 20:14:01 2012
Polled…

Sat Jun 09 20:14:01 2012
Polled…

Sat Jun 09 20:14:02 2012
Polled…

Sat Jun 09 20:14:02 2012
Polled…

Sat Jun 09 20:14:03 2012
Polled…

Sat Jun 09 20:14:03 2012
Polled…

Sat Jun 09 20:14:04 2012
Polled…

Sat Jun 09 20:14:04 2012
Polled…

Sat Jun 09 20:14:05 2012
Polled…

Sat Jun 09 20:14:05 2012
Polled…

Sat Jun 09 20:14:06 2012
Polled…

Sat Jun 09 20:14:06 2012
Polled…

Sat Jun 09 20:14:07 2012
Polled…

Sat Jun 09 20:14:07 2012
Polled…

Sat Jun 09 20:14:08 2012
Polled…

That's all there was in there.

Thanks again.

Blitz was the codeword for "Zoom" poker on PokerStars.

This file is only created temporarily by HoldemManager, so it enables us to log/track whether the Zoom hands are imported properly.
In a future HoldemManager update it will be removed from the root folder (or you can delete it yourself). (You can already delete it if you don't play Zoom.)

Ring a bell ?
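Added example, not from the thread and not HoldemManager's or PokerStars' code: one way to answer the question above ("is there a way to find how that file was created and by what program?") without waiting for someone to recognise the name. It prints the file's own timestamps (a CreationTime that is fresh after every boot points at something that runs at startup rather than a leftover), then searches the installed .exe and .dll files for the file name in both ASCII and UTF-16LE form, the latter being how .NET and "wide" Win32 programs store their strings. The search roots and the string blitzerr are assumptions; the script knows nothing about HoldemManager and simply reports whichever binaries contain the name.

```powershell
# Added example, not from the thread: find which installed program embeds the
# name of a file that keeps reappearing in the root of C:\. Searches .exe/.dll
# files under the usual program folders for the string in both ASCII and
# UTF-16LE form. The needle and the roots are assumptions for illustration.
param(
    [string]$Needle = 'blitzerr',
    [string[]]$Roots = (@($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ })
)

# 1. The file's own timestamps. A CreationTime later than the last boot means
#    it was recreated by something that runs after startup.
$target = Join-Path $env:SystemDrive "\$Needle.txt"
if (Test-Path $target) {
    Get-Item $target -Force | Select-Object FullName, CreationTime, LastWriteTime, Length
} else {
    Write-Host "$target is not present right now"
}

# 2. Scan binaries for the name. Latin-1 maps every byte to exactly one char,
#    so a binary can be searched as a string without bytes being dropped or
#    merged; the UTF-16LE pattern is the ASCII one with a NUL after each char.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)
$ascii  = $Needle
$wide   = ($Needle.ToCharArray() | ForEach-Object { "$_`0" }) -join ''

foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $text = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName))
            } catch {
                return   # locked or unreadable file: skip it
            }
            $hits = @()
            if ($text.IndexOf($ascii, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $hits += 'ascii' }
            if ($text.IndexOf($wide,  [StringComparison]::OrdinalIgnoreCase) -ge 0) { $hits += 'utf16' }
            if ($hits) {
                [pscustomobject]@{
                    File      = $_.FullName
                    Encoding  = ($hits -join ',')
                    LastWrite = $_.LastWriteTime
                }
            }
        }
}
```

Run it from an elevated prompt so that every program folder is readable. A hit on a binary whose folder you recognise answers the "what program" question; if nothing matches, the writer is either a script, a file loaded at runtime from outside these roots, or a program that builds the name at run time, and watching C:\ with Sysinternals Process Monitor across a reboot is the next step.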

Yeah …

Thanks again for everything.