Win32: Malware-gen; how to remove?

Ez all,
I recently got this trojan. Avast places it in its chest, but I keep on getting the detection popup again and again and again, and I have the impression it changes directory the whole time (the ****.tmp always changes):

Object: C:\Windows\Temp\rpml.tmp\svchost.exe
Infection: Win32:Malware-gen

I already read another topic about this one, and I already did a scan with Malwarebytes, which tells me that there aren't any viruses/worms/trojans floating around…
So then I did a scan with OTS; the result is attached to this post!

Tnx in advance!

Welcome to the forum. I suggest you do a boot scan with avast and see if it can solve it that way.

http://www.schmahl.net/avastbootscan.php version 5

http://www.techiecorner.com/166/avast-how-to-schedule-boot-time-scan-before-window-start/ version 4.8

You could also scan with SUPERAntiSpyware to get a second opinion and see if that program can solve it if the boot scan does not.

http://filehippo.com/download_superantispyware/

I'll let someone else check the OTL scan you posted as well; I'm not that good at reading those.

Good luck, and write back on your progress or if you run into problems.

Not a lot showing - so I will just empty the temp file area.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  31 C:\Users\Piefpoefpaf\AppData\Local\Temp\*.tmp files -> C:\Users\Piefpoefpaf\AppData\Local\Temp\*.tmp
NY ->  31 C:\Users\Piefpoefpaf\AppData\Local\Temp\*.tmp files -> C:\Users\Piefpoefpaf\AppData\Local\Temp\*.tmp
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
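The OTS fix above removes *.tmp items modified within the last 30 days and empties the temp folders. As an added example (this is not OTS code and not from anyone in this thread), here is a read-only PowerShell audit of the same locations: it lists those recent *.tmp items and flags any svchost.exe found under a temp tree, which is where the detections in this thread were coming from, together with its signature status and SHA256 so it can be checked. The paths are derived from the standard environment variables; the 30-day window and the "svchost.exe outside System32/SysWOW64" rule are my assumptions about what is worth reviewing. It deletes nothing.

```powershell
# Added example, not part of OTS or this thread. Read-only audit of the temp
# locations the OTS fix targets: recent *.tmp items plus any svchost.exe that
# lives outside the trusted system directories. Nothing is deleted.

$Days  = 30                                  # same window as "Modified Within 30 Days"
$Since = (Get-Date).AddDays(-$Days)

# Temp folders to inspect: the system Temp folder plus every profile's AppData\Local\Temp.
$TempDirs = @( (Join-Path $env:SystemRoot 'Temp') )
Get-ChildItem -LiteralPath (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $TempDirs += Join-Path $_.FullName 'AppData\Local\Temp' }

# The only places a legitimate svchost.exe should live (assumption used for the flag below).
$TrustedSvchostDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

$Report = foreach ($Dir in $TempDirs) {
    if (-not (Test-Path -LiteralPath $Dir)) { continue }

    # 1. *.tmp files and folders touched within the window (what the OTS fix deletes).
    Get-ChildItem -LiteralPath $Dir -Filter '*.tmp' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Finding   = 'Recent .tmp item'
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                IsFolder  = $_.PSIsContainer
                Signature = ''
                SHA256    = ''
            }
        }

    # 2. Any svchost.exe anywhere under the temp tree, including inside *.tmp sub-folders.
    Get-ChildItem -LiteralPath $Dir -Recurse -Force -Filter 'svchost.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $TrustedSvchostDirs -notcontains $_.DirectoryName } |
        ForEach-Object {
            $Sig  = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            $Hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Finding   = 'svchost.exe outside System32/SysWOW64'
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                IsFolder  = $false
                Signature = if ($Sig)  { $Sig.Status } else { 'Unknown' }
                SHA256    = if ($Hash) { $Hash.Hash }  else { 'Unknown' }
            }
        }
}

# Flagged executables first, newest first, so the interesting rows are at the top.
$Report | Sort-Object Finding, Modified -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so the other profiles' Temp folders and C:\Windows\Temp are readable; a row with Finding "svchost.exe outside System32/SysWOW64" and a Signature other than Valid is the kind of item the thread's detections point at, and its SHA256 is what you would hand to the AV vendor or helper rather than the file itself.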

I also did a boot scan, and 2 viruses were found, which I removed, and they were the files that I guess caused the trojan.
However, avast was still showing the popup window for the malware that had been found.
After that I did the fix you suggested, and this is the result.
As I'm writing this message (5 min after reboot) I still haven't gotten any new report.

//edit// I just received the message that the virus had been found.

OTS log after the fix:

All Processes Killed
[Files/Folders - Modified Within 30 Days]
C:\Users\Piefpoefpaf\AppData\Local\Temp\CR_DECB.tmp\SETUP_PATCH.PACKED.7Z deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\CR_DECB.tmp folder deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\DMI1104.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\DMI14B.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\DMI18A4.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\DMI4858.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\DMI513B.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\DMI62CB.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\DMI7479.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\IEC7686.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\ispD329.tmp_Setup.dll deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\ispD329.tmp folder deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\RWI57C4.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\RWI6C8D.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp\setBFB5.tmp deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~8D21.tmp deleted successfully.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF08A617C7FB04B95B.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF0CD27516BFF428EC.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF0FE5944F36A33AE1.TMP scheduled to be deleted on reboot.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF265843042B576C52.TMP deleted successfully.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF2E670874CE96F983.TMP scheduled to be deleted on reboot.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF36DF3AB6A5E9E86C.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF3BDA5E4F406B0D56.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF50D1140DEB902FF8.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF510CFEEB4E6F5A17.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF6D2E09D8F84D4AEE.TMP deleted successfully.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF784A1C3D41CA2A65.TMP scheduled to be deleted on reboot.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF8EB4FB0545052F2B.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF976276B7A9C89B2D.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DFAF240BA485733F3B.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DFB1B746BC48BEDF82.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DFB2B2ABBC1DEF2C4D.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DFC33B978881F9F561.TMP deleted successfully.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DFC746C4C908D4A680.TMP scheduled to be deleted on reboot.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DFD58EF0536E05848E.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DFDB515F9F8A1DFA0E.TMP deleted successfully.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF08A617C7FB04B95B.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF0CD27516BFF428EC.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF0FE5944F36A33AE1.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF2E670874CE96F983.TMP scheduled to be deleted on reboot.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF36DF3AB6A5E9E86C.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF50D1140DEB902FF8.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF6D2E09D8F84D4AEE.TMP deleted successfully.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DF784A1C3D41CA2A65.TMP scheduled to be deleted on reboot.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DF976276B7A9C89B2D.TMP deleted successfully.
C:\Users\Piefpoefpaf\AppData\Local\Temp~DFC33B978881F9F561.TMP deleted successfully.
File delete failed. C:\Users\Piefpoefpaf\AppData\Local\Temp~DFC746C4C908D4A680.TMP scheduled to be deleted on reboot.
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Piefpoefpaf
->Temp folder emptied: 13672830 bytes
->Temporary Internet Files folder emptied: 30095945 bytes
->Google Chrome cache emptied: 355488634 bytes
->Flash cache emptied: 3792 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10674419 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 391,00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.27.1 fix logfile created on 03212010_153237

Files\Folders moved on Reboot…
File\Folder C:\Users\Piefpoefpaf\AppData\Local\Temp~DF08A617C7FB04B95B.TMP not found!
File\Folder C:\Users\Piefpoefpaf\AppData\Local\Temp~DF0CD27516BFF428EC.TMP not found!
File\Folder C:\Users\Piefpoefpaf\AppData\Local\Temp~DF0FE5944F36A33AE1.TMP not found!
File\Folder C:\Users\Piefpoefpaf\AppData\Local\Temp~DF2E670874CE96F983.TMP not found!
File\Folder C:\Users\Piefpoefpaf\AppData\Local\Temp~DF784A1C3D41CA2A65.TMP not found!
File\Folder C:\Users\Piefpoefpaf\AppData\Local\Temp~DFC746C4C908D4A680.TMP not found!
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NG7LNC1M\ads[2].htm moved successfully.
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NG7LNC1M\ads[3].htm moved successfully.
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NG7LNC1M\ad_zone_1[1].htm moved successfully.
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L8H8WPMB\p-01-0VIaSjnOLg[1].gif moved successfully.
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JAU9B79L\63002-steam-could-not-connect-steam-network[1].html moved successfully.
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JAU9B79L\ad_zone_14[1].htm moved successfully.
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JAU9B79L\index[7].htm moved successfully.
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JAU9B79L\kb_article[1].htm moved successfully.
C:\Users\Piefpoefpaf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JAU9B79L\kb_article[2].htm moved successfully.
File move failed. C:\Windows\temp_avast5_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\Windows\temp\mxts.tmp\svchost.exe not found!

Registry entries deleted on Reboot…

File\Folder C:\Windows\temp\mxts.tmp\svchost.exe not found!
Looks like Avast got it.

If you get the alert again I will run a stronger tool.

I just received the message that the virus had been found again :frowning:

OK, hammer time.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  2. Double click on ComboFix.exe & follow the prompts.

  3. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  4. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks for the quick replies!

OK, let's give this a whirl.

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Folder::
c:\temp\dvmexp
c:\temp\tmpdvmexp
C:\Windows\temp\mxts.tmp

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following report/log in your next reply:
     Combofix.txt

I was not asked to reboot, but before the scan started and afterwards I got an error with the header "TIBA", saying: "Access is denied".
The scan itself happened without any difficulties.

The log file is attached to my reply!

Try an anti-rootkit:

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Read what the report says at the end about hidden files and follow its advice - do not delete.