Win32:malware-gen help

Hi. I got Win32:malware-gen on my machine. The infected file is marketer.exe and Avast has moved it to the chest. I have followed a topic earlier today and done the following.
1: Run cleanmgr
2: Avast boot time scan
3: Run MBAM
4: Run root repeal
I have attached the two reports from MBAM and RR. Could you please help me rescue the infected file?

I can’t read the rootrepeal file, it is full of special characters. Not that I think it is important for now, as I don’t think this detection is rootkit related.

The MBAM log shows it didn’t find anything, which isn’t unusual as it can’t scan inside the avast chest as the files are encrypted.

What is the location where it was found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

Is this a file that has been on your system for some time ?
Some consider it malware, http://spywarefiles.prevx.com/RRHFCF235708/MARKETER.EXE.html and hopefully that will be confirmed (one way or another) by the VT scan below.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Hi
Thanks for help.
The location of the file is: C:\program files\email marketer business edition\marketer.exe
Yes, this is a program I use regularly (4 years). Never had a problem before.

This is the result from VT:
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.07 Trojan-Dropper.Agent!IK
AhnLab-V3 5.0.0.2 2009.12.07 -
AntiVir 7.9.1.102 2009.12.07 TR/Agent.973824
Antiy-AVL 2.0.3.7 2009.12.07 -
Authentium 5.2.0.5 2009.12.02 W32/D_Downloader!GSA
Avast 4.8.1351.0 2009.12.06 Win32:Malware-gen
AVG 8.5.0.426 2009.12.07 -
BitDefender 7.2 2009.12.07 -
CAT-QuickHeal 10.00 2009.12.07 -
ClamAV 0.94.1 2009.12.07 PUA.Packed.ASPack212
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.07 -
eSafe 7.0.17.0 2009.12.07 -
eTrust-Vet 35.1.7162 2009.12.07 -
F-Prot 4.5.1.85 2009.12.06 W32/D_Downloader!GSA
F-Secure 9.0.15370.0 2009.12.07 DeepScan:Generic.Malware.FMHVoe.D769133B
Fortinet 4.0.14.0 2009.12.07 -
GData 19 2009.12.07 Win32:Malware-gen
Ikarus T3.1.1.74.0 2009.12.07 Trojan-Dropper.Agent
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.913 2009.12.07 -
Kaspersky 7.0.0.125 2009.12.07 -
McAfee 5824 2009.12.06 -
McAfee+Artemis 5824 2009.12.06 Artemis!6A349FE3EEF8
McAfee-GW-Edition 6.8.5 2009.12.07 Heuristic.LooksLike.Win32.SuspiciousPE.K
Microsoft 1.5302 2009.12.07 -
NOD32 4667 2009.12.07 -
Norman 6.03.02 2009.12.07 -
nProtect 2009.1.8.0 2009.12.07 -
Panda 10.0.2.2 2009.12.06 -
PCTools 7.0.3.5 2009.12.07 -
Prevx 3.0 2009.12.07 -
Rising 22.25.00.09 2009.12.07 -
Sophos 4.48.0 2009.12.07 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.12.06 -
Symantec 1.4.4.12 2009.12.07 -
TheHacker 6.5.0.2.086 2009.12.05 -
TrendMicro 9.100.0.1001 2009.12.07 -
VBA32 3.12.12.0 2009.12.07 -
ViRobot 2009.12.7.2074 2009.12.07 -
VirusBuster 5.0.21.0 2009.12.06 -
Additional information
File size: 973824 bytes
MD5…: 6a349fe3eef8b6f32ee14cf2adf61ad8
SHA1…: be26a59da365227c72e2219a40ba319382808ed7
SHA256: bdc47ce53ce6c3d26ddbd5beb8d720fcc8ebcbf3e383a9682eb58b844731b604
ssdeep: 24576:U/D46zJQLoqfCGC4s5TLiZjm47132ME6sLVX6ysdZQW:cs4yaLJ8j/QH6sLh6ysdZQW

PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x31a001
timedatestamp…: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype…: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x20d000 0xb6600 8.00 467a5bcd50e3c90e5509455d827351a1
DATA 0x20e000 0x5000 0x1a00 7.81 811169a628a4d23a8ae168fe0705d4bd
BSS 0x213000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x216000 0x4000 0x1400 7.92 595fca5a4abc55cf83affce3c229b10f
.tls 0x21a000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x21b000 0x1000 0x200 0.20 91aace2bd344f8ef3be1f2de6ba25f4e
.reloc 0x21c000 0x21000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x23d000 0xdd000 0x2cc00 7.90 80a45fc7b92456bf74682bb2667094c7
.aspack 0x31a000 0x8000 0x7600 4.06 28863f23eefd871a6ecb73f7a99f4cb3
.adata 0x322000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 22 imports )

kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll: GetKeyboardType
advapi32.dll: RegQueryValueExA
oleaut32.dll: SysFreeString
advapi32.dll: ReportEventA
version.dll: VerQueryValueA
gdi32.dll: UnrealizeObject
user32.dll: WindowFromPoint
ole32.dll: IsEqualGUID
oleaut32.dll: SafeArrayPtrOfIndex
ole32.dll: CreateStreamOnHGlobal
oleaut32.dll: GetErrorInfo
advapi32.dll: StartServiceA
comctl32.dll: ImageList_SetIconSize
imm32.dll: ImmGetCompositionStringW
shell32.dll: Shell_NotifyIconA
wininet.dll: InternetReadFile
urlmon.dll: CreateURLMoniker
shell32.dll: SHGetSpecialFolderLocation
comdlg32.dll: ChooseFontA
libeay32.dll: PKCS7_sign
user32.dll: GetUpdateRect

( 0 exports )

RDS…: NSRL Reference Data Set

packers (Kaspersky): ASPack
packers (F-Prot): Aspack
sigcheck:
publisher…: Nesox Solutions
copyright…: Copyright (C) Nesox Solutions 2002-2009
product…: Email Marketer Business Edition
description…: Email Marketer Administrator
original name:
internal name:
file version.: 1.9.3.1
comments…:
signers…: -
signing date.: -
verified…: Unsigned

pdfid.: -
trid…: ASPack compressed Win32 Executable (generic) (90.1%)
Win32 Executable Generic (5.7%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
packers (Authentium): Aspack
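The PEInfo block in the VirusTotal output above (section name, virtual address, virtual size, raw size, entropy) is what tells you the file is packed before any engine does: the CODE, DATA and .rsrc sections sit near 8.0 bits of entropy, CODE has a virtual size almost three times its raw size, the entry point lies in a section called .aspack, and trid and the packer fields agree it is ASPack. The script below is an added example, not code from this thread or from Avast; it reproduces that listing for any PE and flags the same three indicators. The section-name list, the 7.0 entropy threshold and the helper names are this example's own choices, and the sample PE it analyses is constructed in memory so it runs offline. Point analyse_pe() at the bytes of a real file to use it for triage.

```python
"""Section-table triage for a Windows PE file (added example, not forum or Avast code)."""
import hashlib
import math
import struct
from collections import Counter

# Section names written by common packers (ASPack uses .aspack/.adata). Assumed list.
PACKER_SECTION_NAMES = {".aspack", ".adata", "upx0", "upx1", "upx2", ".nsp0",
                        ".petite", ".themida", ".vmp0", ".vmp1"}
HIGH_ENTROPY = 7.0            # threshold chosen for this example; 8.0 is uniformly random
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    ent = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return ent + 0.0          # turns -0.0 into 0.0 for the all-zero case


def file_hashes(data: bytes) -> dict:
    """The hashes you would paste into a VirusTotal search."""
    return {h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256")}


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> COFF header -> section table; one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": shannon_entropy(raw)})
    return sections


def packing_indicators(s: dict) -> list:
    """Reasons one section looks packed; an empty list means nothing suspicious."""
    reasons = []
    if s["entropy"] >= HIGH_ENTROPY:
        reasons.append("high entropy")
    if s["name"].lower() in PACKER_SECTION_NAMES:
        reasons.append("packer section name")
    # Packed code is decompressed at run time into a virtual region far larger than its raw bytes.
    if s["executable"] and s["rawsize"] and s["vsize"] > 2 * s["rawsize"]:
        reasons.append("virtual size >> raw size")
    return reasons


def analyse_pe(pe: bytes) -> dict:
    sections = parse_sections(pe)
    for s in sections:
        s["indicators"] = packing_indicators(s)
    return {"hashes": file_hashes(pe), "sections": sections,
            "likely_packed": any(s["indicators"] for s in sections)}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image with three sections (sample input for this example only)."""
    specs = [  # name, vaddr, vsize, characteristics, raw bytes
        (b"CODE", 0x1000, 0x2000, 0x60000020, bytes(range(256)) * 4),   # uniform bytes -> entropy 8.0
        (b"DATA", 0x3000, 0x1000, 0xC0000040, bytes(256)),              # all zeros -> entropy 0.0
        (b".aspack", 0x4000, 0x1000, 0xE0000020, bytes(range(16)) * 16),  # 16 symbols -> entropy 4.0
    ]
    e_lfanew, opt_size, raw_start = 0x40, 224, 0x200
    table = e_lfanew + 4 + 20 + opt_size
    hdr = bytearray(raw_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, len(specs), 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)    # optional-header Magic: PE32
    body = bytearray()
    for i, (name, vaddr, vsize, chars, data) in enumerate(specs):
        struct.pack_into("<8sIIIIIIHHI", hdr, table + 40 * i, name.ljust(8, b"\0"),
                         vsize, vaddr, len(data), raw_start + len(body), 0, 0, 0, 0, chars)
        body += data
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    report = analyse_pe(build_sample_pe())
    print("sha256:", report["hashes"]["sha256"])
    for s in report["sections"]:
        print(f'{s["name"]:<8} 0x{s["vaddr"]:x} 0x{s["vsize"]:x} 0x{s["rawsize"]:x} '
              f'{s["entropy"]:.2f} {", ".join(s["indicators"])}')
    print("likely packed:", report["likely_packed"])
```

High entropy on its own is not a malware verdict: installers, compressed resources and signed commercial software packed with ASPack or UPX produce exactly this picture, which is why several engines above return only "Packed", "Generic" or "Heuristic" names. What the listing does tell you is that a static scan is looking at the packer stub, not the program, so a disagreement between engines is expected and the sigcheck/publisher fields plus the file's history matter more than the raw hit count.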

I would say that is pretty conclusive, although most detections are either generic or heuristic, which are more prone to false positives.

So given your knowledge of the program and it being on the system for some time, I would suggest submitting it as a possible false positive.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body, a link to this topic (which might help) and "false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

  • In the meantime, add it to the exclusions lists:
    Standard Shield, Customize, Advanced, Add and
    Program Settings, Exclusions (right click the avast ’ a ’ icon)
    Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
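The reasoning in the reply above, that 12 hits out of 41 engines is "pretty conclusive" but that most of them are generic or heuristic names, is worth doing systematically when deciding whether to submit a file as a false positive. The script below is an added example, not code from this thread, from Avast or from VirusTotal. It takes the engine table posted earlier in the thread (embedded verbatim), separates named family detections from generic, heuristic or reputation verdicts, and collapses identical verdicts from engines that share a back end (GData and avast, F-Prot and Authentium both return the same string), which otherwise inflate the count. The marker list and the counting rules are this example's own assumptions.

```python
"""Weigh a multi-engine scan result for false-positive triage (added example, not forum code)."""

# Engine table as posted earlier in this thread (copied from the page, not constructed).
VT_REPORT = """\
a-squared 4.5.0.43 2009.12.07 Trojan-Dropper.Agent!IK
AhnLab-V3 5.0.0.2 2009.12.07 -
AntiVir 7.9.1.102 2009.12.07 TR/Agent.973824
Antiy-AVL 2.0.3.7 2009.12.07 -
Authentium 5.2.0.5 2009.12.02 W32/D_Downloader!GSA
Avast 4.8.1351.0 2009.12.06 Win32:Malware-gen
AVG 8.5.0.426 2009.12.07 -
BitDefender 7.2 2009.12.07 -
CAT-QuickHeal 10.00 2009.12.07 -
ClamAV 0.94.1 2009.12.07 PUA.Packed.ASPack212
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.07 -
eSafe 7.0.17.0 2009.12.07 -
eTrust-Vet 35.1.7162 2009.12.07 -
F-Prot 4.5.1.85 2009.12.06 W32/D_Downloader!GSA
F-Secure 9.0.15370.0 2009.12.07 DeepScan:Generic.Malware.FMHVoe.D769133B
Fortinet 4.0.14.0 2009.12.07 -
GData 19 2009.12.07 Win32:Malware-gen
Ikarus T3.1.1.74.0 2009.12.07 Trojan-Dropper.Agent
Jiangmin 13.0.900 2009.12.02 -
K7AntiVirus 7.10.913 2009.12.07 -
Kaspersky 7.0.0.125 2009.12.07 -
McAfee 5824 2009.12.06 -
McAfee+Artemis 5824 2009.12.06 Artemis!6A349FE3EEF8
McAfee-GW-Edition 6.8.5 2009.12.07 Heuristic.LooksLike.Win32.SuspiciousPE.K
Microsoft 1.5302 2009.12.07 -
NOD32 4667 2009.12.07 -
Norman 6.03.02 2009.12.07 -
nProtect 2009.1.8.0 2009.12.07 -
Panda 10.0.2.2 2009.12.06 -
PCTools 7.0.3.5 2009.12.07 -
Prevx 3.0 2009.12.07 -
Rising 22.25.00.09 2009.12.07 -
Sophos 4.48.0 2009.12.07 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.12.06 -
Symantec 1.4.4.12 2009.12.07 -
TheHacker 6.5.0.2.086 2009.12.05 -
TrendMicro 9.100.0.1001 2009.12.07 -
VBA32 3.12.12.0 2009.12.07 -
ViRobot 2009.12.7.2074 2009.12.07 -
VirusBuster 5.0.21.0 2009.12.06 -
"""

# Substrings that mark a heuristic, generic, packer or reputation verdict rather than a
# signature for a known family. Assumed list; "gen" alone is avoided because it matches "Agent".
GENERIC_MARKERS = ("malware-gen", "generic", "heuristic", "lookslike", "artemis",
                   "deepscan", "pua.", "packed", "suspicious")


def parse_report(text: str) -> list:
    """Return (vendor, result) pairs; a result of '-' means the engine saw nothing."""
    rows = []
    for line in text.splitlines():
        parts = line.split()               # vendor, version, update date, result
        if len(parts) >= 4:
            rows.append((parts[0], parts[-1]))
    return rows


def is_generic(result: str) -> bool:
    r = result.lower()
    return any(marker in r for marker in GENERIC_MARKERS)


def summarise(rows: list) -> dict:
    hits = [(v, r) for v, r in rows if r != "-"]
    named = [v for v, r in hits if not is_generic(r)]
    return {"engines": len(rows), "detections": len(hits),
            "generic": len(hits) - len(named), "named": len(named),
            "distinct_verdicts": len({r for _, r in hits}),   # shared engines return identical strings
            "named_engines": named}


if __name__ == "__main__":
    s = summarise(parse_report(VT_REPORT))
    print(f'{s["detections"]}/{s["engines"]} engines detect, {s["distinct_verdicts"]} distinct verdicts')
    print(f'{s["generic"]} generic/heuristic, {s["named"]} named: {", ".join(s["named_engines"])}')
```

On the thread's table this gives 12 of 41 engines, only 10 distinct verdicts, 7 of them generic or heuristic and 5 named. Even the named ones ("Agent", "D_Downloader") are broad family buckets rather than a sample-specific signature, which is consistent with a packed commercial program tripping packer heuristics and is the situation in which a vendor false-positive submission is the right next step.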

Hi
Thank you very much for the help.
I have posted the file to Avast and added it to the exclusion list.
But will I be able to use it meanwhile? This is a mailing program.
Do you have any idea how long this will take before Avast uploads a solution?

If you have added the exclusion correctly (full path to the executable, etc.) then yes, that is the purpose of the exclusion lists (note the plural).

So have you added it and has the exclusion worked ?

I have no idea how long it would take avast to analyse and make a decision on whether it is a false positive or otherwise; they are normally very quick to correct a false positive once notified and they confirm it. That is why I mentioned periodically scanning the ‘copy’ in the chest, there is no point scanning the one in the original location as you would have excluded it from scans.

Hi
Yes, I have added it to the exclusion list and it worked.
Sorry, your answer above was self-explanatory, but sending thousands of mails with a virus is not what I want to do. That’s why I asked again.
Again thank you very much for your answer and help.

No problem, glad I could help.

Remember avast would still be scanning outbound email, so it would detect any virus if present.

Welcome to the forums.