Hey everyone! I’ve been working on curing my girlfriend’s computer of a virus for two months now. I’m normally really excellent at this but every time we boot up her computer, Avast detects a Win32:Malware.gen infection. I’ve tried everything. I’ve run MBAM, SAS, Avast and Microsoft Security Essentials in Safe Mode and regular. Sometimes when I scan, the computer even goes blue and restarts, and this happened most recently with a Gmer scan. I really appreciate any help you can give me. Gmer logs attached. OTL in the following posts (due to maximum file size). Thank you in advance!
OTL Log part 1
Aaaand part 2. Thanks again!
You missed the most important bit associated with the avast alert, the file name and its location.
Also is this the same file name and location on each detection ?
Presumably this file is sent to the chest and it is being recreated ?
I’m not familiar with these logs but GMER is usually very up front with anything it considers a rootkit, but it isn’t too clear in this case.
I don’t know what this driver is awryqpod.sys, presumably a randomly named driver file created by gmer for its scan.
The .dll file keeps changing but it’s always in the same folder: C:\Windows\System32\spool\prtprocs\w32x86
The most recent filename was “AA179317g.dll”.
I press Delete when the Avast warning comes up.
Just wanted to say that I installed a number of Windows security updates with Windows Update, and ran another MBAM scan. It found exactly one thing, which I removed, and then restarted. Avast did not pop up with anything for the first time since we can remember. I’ll post my MBAM log now, but the system otherwise appears clean. Thank you, by the way, for taking my case!
Is this the 64 bit version of Vista ?
If not you could try scheduling an avast boot-time and see if this might be able to find the source that is recreating the randomly named file (zero hits on a google search other than this topic).
Other than this detection are you experiencing any other strange symptoms ?
I have had a look at the OTL attachments, but as I said I’m not familiar with them, though I didn’t see anything obvious in the first part.
I don’t know how MSE works, but it is a resident anti-virus application and that could lead to conflict between two resident AVs (not recommended). So the least you could do is disable the resident element.
I see you have several .job (Tasks), are they familiar, did you create these as some appear randomly named and this can be a way to recreate stuff ?
[2010/08/26 19:29:11 | 000,000,246 | -H-- | M] () -- C:\Windows\tasks\b3adf3bf.job
[2010/08/26 14:00:00 | 000,000,382 | ---- | M] () -- C:\Windows\tasks\At5.job
[2010/08/26 14:00:00 | 000,000,382 | ---- | M] () -- C:\Windows\tasks\At174.job
[2010/08/26 14:00:00 | 000,000,382 | ---- | M] () -- C:\Windows\tasks\At132.job
[2010/08/25 00:45:38 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-242565984-880690439-13910684-1001Core.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At99.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At86.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At83.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At7.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At61.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At32.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At27.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At26.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At20.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At18.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At177.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At165.job
[2010/07/19 21:33:39 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At159.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At144.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At142.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At141.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At140.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At14.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At139.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At138.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At135.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At134.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At131.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At128.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At126.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At124.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At122.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At114.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At11.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At108.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At107.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At106.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At101.job
[2010/07/19 16:02:29 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\At10.job
You have many, many more and I think this could well be a part of your problem, especially if you didn’t create these jobs or don’t know what did. From a quick look they were mostly created at the same time on 2010/08/26, 2010/07/19, 2010/06/23 and 2010/06/27, etc. etc.
Many of these if not all are in the LOP Check section of the log, so I’m guessing that these may be considered infected with LOP
So this is my cursory inspection of the OTL files you attached, but they really need to be looked at by someone with more experience than I. But to me these .job entries smell.
Unfortunately that's me for the night, almost 4a.m. here.
You’re welcome.
Hopefully, MBAM has done a little, but I think there may well be more to do, in the form of those .job entries. If you can find them try looking inside a few and see what they are up to. Be careful not to run them.
It’s 32bit Windows7. I opened up some of the .job files in Notepad and they were empty except for this
" Ê9zyAlE‚Œ`,žPè8F < s $! . C : \ U s e r s \ S a l i n a \ A p p D a t a \ L o c a l \ T e m p \ t b m a i n . e x e a S Y S T E M C r e a t e d b y N e t S c h e d u l e J o b A d d . 0 Úa ×Êä º’ª;"‚*Ë©–¡ñ}–zj÷·šiÍHÛ †æŸCþvÏey\gæ P³I·cÄ+¾(m"
I assume this means it was trying to run “tbmain.exe”. I searched for tbmain.exe and the only thing it came up with was a MBAM log from a while ago that said Trojan.Downloader was removed in a file called tbmain.exe. The most recent MBAM scan does not mention clearing tbmain.exe, so I’m guessing it’s been totally eliminated and these .job files aren’t pointing to anything.
Just rebooted to double-check. Avast DID pop up with another Win32:Malware.gen infection in the same location but with a different DLL.
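The letters separated by blanks that the poster saw in Notepad are how Task Scheduler 1.0 .job files store their text fields (application path, author, comment): as UTF-16LE, one NUL byte after every character. Below is an added Python triage helper, not code from this thread or from any of the tools it mentions, that pulls those strings and the executable paths out of .job files so each task's target can be reviewed without running it, and flags the patterns discussed in the thread (sequentially numbered At*.job names, targets under a user's Temp or AppData folder). The sample bytes are constructed to mimic the posted dump; the strings `SYSTEM` and `Created by NetScheduleJobAdd.` and the tbmain.exe path are taken from the post, and the field layout (a 16-bit character count followed by the UTF-16 text) is an assumption about the format, not something the thread states.

```python
"""Triage helper for Windows Task Scheduler 1.0 .job files.

Added example; it is not from the thread or from OTL/GMER/MBAM.
"""
import re
from pathlib import Path

# A run of at least four printable ASCII characters encoded as UTF-16LE
# (each character followed by a NUL byte), which is how .job text appears.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# A drive-letter path ending in an executable-style extension.
EXEC_PATH = re.compile(
    r"[A-Za-z]:\\[^\x00\"<>|?*]+?\.(?:exe|dll|scr|bat|cmd|vbs|js)\b", re.IGNORECASE
)

# Folders a legitimate scheduled task rarely launches from.
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Application Data)\\", re.IGNORECASE)

# Sequentially numbered names such as At10.job, the pattern the thread
# found in C:\Windows\Tasks that the user had not created.
AT_STYLE = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def utf16_strings(data: bytes) -> list:
    """Return the printable UTF-16LE strings found in raw .job bytes."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def job_targets(data: bytes) -> list:
    """Return every executable path referenced by the job's strings."""
    targets = []
    for text in utf16_strings(data):
        targets.extend(EXEC_PATH.findall(text))
    return targets


def triage_jobs(jobs) -> list:
    """Take (file name, raw bytes) pairs; return one dict per job listing the
    targets it references and the reasons, if any, it deserves a closer look."""
    report = []
    for name, data in jobs:
        targets = job_targets(data)
        reasons = []
        if AT_STYLE.match(name):
            reasons.append("at-style numbered name")
        if any(USER_WRITABLE.search(t) for t in targets):
            reasons.append("launches from a user-writable folder")
        if not targets:
            reasons.append("no executable path found")
        report.append({"job": name, "targets": targets, "reasons": reasons})
    return report


def triage_folder(folder) -> list:
    """Run triage over every *.job file in a folder, e.g. C:\\Windows\\Tasks."""
    paths = sorted(Path(folder).glob("*.job"))
    return triage_jobs((p.name, p.read_bytes()) for p in paths)


def _counted(text: str) -> bytes:
    """Encode a field as assumed for .job files: a little-endian uint16
    character count that includes the terminating NUL, then UTF-16LE text."""
    text += "\x00"
    return len(text).to_bytes(2, "little") + text.encode("utf-16-le")


# CONSTRUCTED sample: non-text filler standing in for the fixed header, then
# counted fields using the strings the original poster saw. Not a real file.
SAMPLE_JOB = (
    bytes(range(0x80, 0x80 + 68))
    + _counted(r"C:\Users\Salina\AppData\Local\Temp\tbmain.exe")  # application
    + _counted("")                                                # parameters
    + _counted("")                                                # working dir
    + _counted("SYSTEM")                                          # author
    + _counted("Created by NetScheduleJobAdd.")                   # comment
    + bytes(range(0xC4, 0x100))
)

if __name__ == "__main__":
    # Constructed names; "Example.job" stands in for a job with no readable target.
    for entry in triage_jobs([("At10.job", SAMPLE_JOB), ("Example.job", b"\x00" * 32)]):
        print(entry)
```

One detail worth knowing when reading a dump by eye: the character count that precedes each field is itself a byte, so it can surface as a stray printable character. The posted dump shows ". C : \ U s e r s ..." and that path is 45 characters plus its NUL, 46 = 0x2E, which is the ASCII dot; the sample above reproduces this, which is why `utf16_strings` returns the path with a leading dot while `job_targets` trims it by matching from the drive letter.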
Hi, I don’t like OTL (I think it is old), so I can help if you follow these steps:
1. Clear your temp files: http://www.piriform.com/ccleaner
2. Do a Dr.Web CureIt scan: http://www.freedrweb.com/cureit/?lng=en
3. Post a Hijack Hunter log in this topic: http://www.novirusthanks.org/products/hijack-hunter/
4. We will provide a cleaning script; you should run it with Threat Killer.
CCleaner provides a Slim version available as well at http://www.piriform.com/ccleaner/builds with no toolbar (adware).
Thanks SafeSurf, I’ll add it to my menu.
No problem…otherwise they accidentally install the Yahoo toolbar if they don’t look carefully by doing a Custom install.
You should be able to run a boot-time scan then and hopefully that may be able to find something which might otherwise be hidden in windows normal mode.
When I see windows tasks that obfuscate what it is that they are doing in this way it gives me the creeps as there should be no need to do that other than to hide intent.
So if you didn’t create these tasks (.job) I would start removing them (but that is me), but there is a risk that not all are suspect/malicious. Those that follow the same sort of naming convention, at101, at102, etc. etc. (presumably those with this obfuscated data inside have that type of name), I would be sorely tempted to remove, but that has to be your decision.
Hi, I don’t like OTL (I think it is old), so I can help if you follow these steps:
On what do you base this ? This programme is continually updated and flexible. I am running Hijackhunter now to see what data it shows and how easy it is to use, ahh not compatible with 64bit. You should also add the windows/tasks folder to the scan areas as a lot of malware hides there as well.
Meanwhile let’s clear this poor fellow up. The AT*.job files are all Vundo related and download additional malware.
C:\Windows\System32\spool\prtprocs\w32x86
This is generally related to TDSS malware - but GMER shows no sign of that.
The most recent filename was “AA179317g.dll”.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2008/09/16 14:03:30 | 000,000,878 | ---- | M] ()(C:\Users\Salina\Application Data\Microsoft\Internet Explorer\Quick Launch\?? Internet Explorer ???.lnk) -- C:\Users\Salina\Application Data\Microsoft\Internet Explorer\Quick Launch\?? Internet Explorer ???.lnk
[2008/09/16 14:03:16 | 000,000,878 | ---- | C] ()(C:\Users\Salina\Application Data\Microsoft\Internet Explorer\Quick Launch\?? Internet Explorer ???.lnk) -- C:\Users\Salina\Application Data\Microsoft\Internet Explorer\Quick Launch\?? Internet Explorer ???.lnk
[2010/08/26 19:29:11 | 000,000,246 | -H-- | M] () -- C:\Windows\Tasks\b3adf3bf.job
[2005/11/19 20:00:00 | 000,045,056 | ---- | C] () -- C:\Users\Salina\AppData\Roaming\b3adf3bf.exe
[2010/08/08 22:20:52 | 000,000,120 | ---- | C] () -- C:\Users\Salina\AppData\Local\Qcavamane.dat
[2010/08/08 22:20:52 | 000,000,000 | ---- | C] () -- C:\Users\Salina\AppData\Local\Sxuqula.bin
[2010/08/11 11:30:56 | 000,000,000 | ---- | M] () -- C:\Users\Salina\AppData\Local\Sxuqula.bin
[2010/08/11 13:40:34 | 000,000,120 | ---- | M] () -- C:\Users\Salina\AppData\Local\Qcavamane.dat
[2010/06/25 23:25:30 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
:Files
ipconfig /flushdns /c
C:\Windows\Tasks\At*.job
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
On what do you base this ? This programme is continually updated and flexible. I am running Hijackhunter now to see what data it shows and how easy it is to use, ahh not compatible with 64bit. You should also add the windows/tasks folder to the scan areas as a lot of malware hides there as well.
I mean, could they improve the GUI and make it easier (not for me, for others)? And thanks for the suggestion, it was in my mind but now it sees the light. Thanks again. :)
OK with you - OT thinks that a functional GUI but a strong search system is a lot better than the other way round.
Additionally, with the flexible nature of the programme you can alter the search areas as the malware changes; the basic functions remain but additional ones can be added or subtracted dependent on the current climate (if you look at my pinned topic you will notice that the scans change almost weekly). Regarding windows/tasks: very few anti-malware tools look in that area as it is impossible to automate the reading and file discovery; this is where the human eye comes in. And to be honest this is really an analyst’s tool rather than one for your average user, as if used incorrectly it can damage the system; system files are protected though by a whitelist so no permanent damage can be done.
Yes, it is for advanced users and I really like the report it generates, but I don’t use it because you use it and I don’t like to be a "hijacker" of others’ tools ;D
Why not? Once you get the hang of it, it is quite easy to use… There is a (basic) tutorial for it here: http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/