Win32:Malware-gen infected please help!

I too am having problems with Win32:Malware-gen. I noticed my PC slowing down significantly while browsing and the hard drive firing far longer. Screens refresh slowly, and Google Chrome gives me the "wait or kill pages" option. I ran Avast and Malwarebytes, and neither detected anything. Then I ran Avast in a boot scan and it found several instances of Win32:Malware-gen. It could not be moved to the chest, deleted or repaired. I tried running both in Safe Mode and they also did not pick up anything.

Can you assist in getting rid of this very hard to kill thing? I have already downloaded Combofix and have it on my desktop. Thanks for any help you can provide.
Here is the MBAM log, and I have also attached the OTL, Extras and aswMBR logs. (I did not get the option to save as ANSI; only "all files" was displayed.)

Thank you for your help!

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.08.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
John Marrone :: D4BD0391 [administrator]

7/8/2012 11:40:37 AM
mbam-log-2012-07-08 (11-40-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219194
Time elapsed: 7 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I see that you have run ComboFix. Could you post the log, please?

I aborted after a few seconds, I will run fully.

Here is the ComboFix log, attached. It said I was running McAfee; however, I have long since "attempted" to delete it. I can't find any files relating to McAfee. I probably deleted it incorrectly. Thank you for your help.

Hey guys, what's going on with Avast? I was just running Malwarebytes when Avast popped up to say it found the Win32:Malware-gen and moved it to the chest. OK, so it's in the chest, but when Malwarebytes finished it did not show any issues, nor has my computer been showing anything other than the Avast web rep going on and off all day. Is this a false positive? From what I'm reading, if it's real the chest won't help? How do I check?

@puter illit

If you have a problem, start your own topic.

@nfpowercat I can see no sign of any infection there. What is Avast reporting?

It is only caught when I run a boot-time scan with Avast. I found no way of copying that log. The location is very long on the screen while it is running, and in the boot logs there is no way to even print it. I'll type it out, character by character, if it would help.

It found 6 instances of Win32:Malware-gen (severity: high). It cannot move it to the chest, delete or repair it. I tried all.

If you have a way for me to save the log that is generated or the screen output from the scan, I would be grateful!

Please advise and much appreciated, thanks!

The results of the boot-time scan can be found in the 'Scan Logs' section of 'Scan Computer', or, if you need to copy the results, the text file report can be found here:
XP --> C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt
Vista/7 --> C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt
NOTE: in newer installations the folder will be "AVAST Software", as the company name has changed.

Thank you. Here is the copy and paste of the latest scan, as well as the boot-scan file attached:

07/09/2012 21:41
Scan of all local drives

File C:\Documents and Settings\John Marrone\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Inbox.dbx|>March Classics Schedule-.eml#62134412|>Copy_of_march_classic_2012ver2_(3)(1).xls#981471324|>5_SummaryInformation Error 42144 {OLE archive is corrupted.}
File C:\Documents and Settings\John Marrone\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Inbox.dbx|>March Classics Schedule-.eml#62134412|>Copy_of_march_classic_2012ver2_(3)(1).xls#981471324|>5_DocumentSummaryInformation Error 42144 {OLE archive is corrupted.}
File C:\Documents and Settings\John Marrone\My Documents\Hockey\Southtowns Hockey 2011-12 Bantam\Copy_of_march_classic_2012ver2_(3)(1).xls|>5_SummaryInformation Error 42144 {OLE archive is corrupted.}
File C:\Documents and Settings\John Marrone\My Documents\Hockey\Southtowns Hockey 2011-12 Bantam\Copy_of_march_classic_2012ver2_(3)(1).xls|>5_DocumentSummaryInformation Error 42144 {OLE archive is corrupted.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP190\A0029904.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP190\A0029904.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP190\A0029982.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP190\A0029982.msi|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP192\A0030169.rbf|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP192\A0030169.rbf|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
Number of searched folders: 7758
Number of tested files: 363768
Number of infected files: 6
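The boot-scan report above mixes two different kinds of line: scan errors on corrupted OLE archives (error 42144, not a detection) and real detections that Avast could not quarantine because they sit inside `.msi`/`.cab` containers under a System Restore snapshot (error 42111). The following Python triage script is an added example, not code from the thread or from Avast; it assumes the line layout inferred from the quoted lines (`File <path>[|><member>...] <verdict> Error <code> {<message>}`, with `|>` separating nested archive members), and the sample report embedded in it is a constructed subset of the lines posted above.

```python
"""Triage an Avast boot-time scan report (aswBoot.txt) line by line.

Separates real detections from scan errors, and flags detections that
exist only inside System Restore snapshots (\\System Volume Information\\
_restore{GUID}\\RPnnn\\), which cannot be moved to the chest and are
removed by clearing the restore points instead.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed field layout, derived from the lines quoted in the thread.
INFECTED_RE = re.compile(
    r" is infected by (?P<sig>[^,]+), (?P<action>[^:]+): Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$"
)
ERROR_RE = re.compile(r" Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\")


@dataclass
class Finding:
    outer: str                 # the file as it actually exists on disk
    members: List[str]         # nested archive members; packer tags like [UPX] dropped
    status: str                # "infected" or "scan_error"
    signature: Optional[str]   # detection name, None for scan errors
    code: int                  # Avast error code (42111, 42144, ...)
    message: str
    in_restore_point: bool     # True if the on-disk file is a System Restore snapshot


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; header/trailer lines yield None."""
    line = line.rstrip()
    if not line.startswith("File "):
        return None
    body = line[len("File "):]
    m = INFECTED_RE.search(body)
    if m:
        status, sig = "infected", m["sig"]
    else:
        m = ERROR_RE.search(body)
        if not m:
            return None
        status, sig = "scan_error", None
    parts = body[:m.start()].split("|>")
    outer = parts[0]
    members = [p for p in parts[1:] if not p.startswith("[")]
    return Finding(outer, members, status, sig, int(m["code"]), m["msg"],
                   bool(RESTORE_RE.search(outer)))


def triage(report_text: str) -> dict:
    """Summarise a report: what is a detection, what is noise, what needs a look."""
    findings = [f for f in map(parse_line, report_text.splitlines()) if f]
    infected = [f for f in findings if f.status == "infected"]
    return {
        "infected": len(infected),
        "scan_errors": len(findings) - len(infected),
        "signatures": sorted({f.signature for f in infected}),
        # True means every detection lives in a restore point and nothing is live.
        "infected_only_in_restore_points": bool(infected) and all(f.in_restore_point for f in infected),
        "live_files_to_check": sorted({f.outer for f in infected if not f.in_restore_point}),
    }


# Constructed sample: a subset of the lines from the thread's boot-scan post.
SAMPLE_REPORT = r"""07/09/2012 21:41
Scan of all local drives

File C:\Documents and Settings\John Marrone\Local Settings\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\Microsoft\Outlook Express\Inbox.dbx|>March Classics Schedule-.eml#62134412|>Copy_of_march_classic_2012ver2_(3)(1).xls#981471324|>5_SummaryInformation Error 42144 {OLE archive is corrupted.}
File C:\Documents and Settings\John Marrone\My Documents\Hockey\Southtowns Hockey 2011-12 Bantam\Copy_of_march_classic_2012ver2_(3)(1).xls|>5_SummaryInformation Error 42144 {OLE archive is corrupted.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP190\A0029904.msi|>Data1.cab|>ElShowSpyAbout.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
File C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP192\A0030169.rbf|>Data1.cab|>SpywareBlocker.exe|>[UPX] is infected by Win32:Malware-gen, Move to chest: Error 42111 {The operation is not supported for this type of archive.}
Number of searched folders: 7758
Number of tested files: 363768
Number of infected files: 2
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the sample, `infected_only_in_restore_points` comes back `True` and `live_files_to_check` is empty: the only detections are packed executables inside old installer caches in restore points RP190 and RP192, which is why the chest refused them and why creating a fresh restore point and clearing the old ones is the matching fix. A non-empty `live_files_to_check` would point at files that need real attention.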

Ah, OK. They are corrupted archives and files within System Restore. Let's make a new restore point and kill the old ones.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL.

Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

Then click the Run Fix button at the top. Let the program run unhindered, and reboot the PC when it is done.

I ran OTL and have attached and posted the log. OTL requested a reboot, and I agreed. When it rebooted, the OTL log came up, then closed on its own, then I just got a blank screen. After 30 minutes of nothing happening I rebooted with Ctrl-Alt-Del through Task Manager and all icons came back. I didn't do anything else. What should I do now? Thanks!

All processes killed
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Google Chrome cache emptied: 131598268 bytes
->Flash cache emptied: 1021 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: John Marrone
->Temp folder emptied: 25216 bytes
->Temporary Internet Files folder emptied: 4476801 bytes
->Java cache emptied: 14780 bytes
->Google Chrome cache emptied: 325501765 bytes
->Flash cache emptied: 94590 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1479596 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9318 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 442.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.53.1 log created on 07122012_171854

How is the computer behaving?

All is working fine and the boot-time scan is clean. No slow screen refreshing. Thank you for your help!

Run OTL and hit the Cleanup button to remove it.