Win32: Malware-gen problem

I’ve been trying to get rid of this thing for two days now with no luck. Every once in a while, avast prompts that the Win32:Malware-gen has been found. I’ve tried moving it to the chest, no luck - it just keeps coming back. I’ve already scanned my comp with avast and with MBAM.

Here is my log of what avast reported in the last two days:

2/9/2010 5:05:32 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\DOCUME~1\Mike\LOCALS~1\Temp\mweznfsm.exe" file.  
2/9/2010 5:05:43 PM	Mike	1448	Sign of "Win32:Small-DKF [Trj]" has been found in "C:\DOCUME~1\Mike\LOCALS~1\Temp\vuewdunq.exe\[UPX]\[Embedded_I#4010]" file.  
2/9/2010 5:05:59 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\696443.exe" file.  
2/9/2010 5:33:53 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\561955.exe" file.  
2/9/2010 5:38:19 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\764948.exe" file.  
2/9/2010 5:40:51 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\556215.exe" file.  
2/9/2010 5:47:37 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\204692.exe" file.  
2/9/2010 5:51:33 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\331217.exe" file.  
2/9/2010 5:58:05 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\68999.exe" file.  
2/9/2010 5:59:38 PM	Mike	1448	Sign of "Win32:Adware-gen [Adw]" has been found in "D:\Program Files\popupwithcast\Cast.dll" file.  
2/9/2010 6:06:02 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\152750.exe" file.  
2/9/2010 6:10:04 PM	Mike	1448	Sign of "Win32:Adware-gen [Adw]" has been found in "D:\System Volume Information\_restore{8E5CACF8-79B5-44C2-9657-8D538229B1DD}\RP386\A0110354.dll" file.  
2/9/2010 6:13:21 PM	Mike	1448	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\684030.exe" file.  
2/9/2010 6:26:47 PM	Mike	1576	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\669868.exe" file.  
2/9/2010 6:59:11 PM	Mike	1564	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\16493.exe" file.  
2/10/2010 11:52:24 AM	Mike	1508	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\913681.exe" file.  
2/10/2010 1:19:32 PM	Mike	1584	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\945552.exe" file.  
2/10/2010 1:28:21 PM	Mike	1584	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\583016.exe" file.  
2/10/2010 1:40:40 PM	Mike	1584	Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\system32\337756.exe" file.  

More might pop up. Help please?
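The pattern in that log is worth reading before reaching for the chest again: a new numeric-named executable appears in system32 every few minutes, so something still resident is re-creating them, and quarantining each copy only removes the symptom. The following Python script is an added example, not part of the original post and not avast code: it parses warning lines in the layout above (the sample lines are constructed from paths in the post) and flags that regenerating-dropper pattern. The naming heuristics and the threshold of three drops are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the avast 4.x warning log quoted in the
# post (date, time, user, PID, message, tab separated). The paths repeat ones
# from the thread; the text itself is built here, not taken from a machine.
SAMPLE_LOG = """\
2/9/2010 5:05:32 PM\tMike\t1448\tSign of "Win32:Malware-gen" has been found in "C:\\DOCUME~1\\Mike\\LOCALS~1\\Temp\\mweznfsm.exe" file.
2/9/2010 5:05:59 PM\tMike\t1448\tSign of "Win32:Malware-gen" has been found in "C:\\WINDOWS\\system32\\696443.exe" file.
2/9/2010 5:33:53 PM\tMike\t1448\tSign of "Win32:Malware-gen" has been found in "C:\\WINDOWS\\system32\\561955.exe" file.
2/9/2010 5:38:19 PM\tMike\t1448\tSign of "Win32:Malware-gen" has been found in "C:\\WINDOWS\\system32\\764948.exe" file.
2/9/2010 5:59:38 PM\tMike\t1448\tSign of "Win32:Adware-gen [Adw]" has been found in "D:\\Program Files\\popupwithcast\\Cast.dll" file.
2/9/2010 6:10:04 PM\tMike\t1448\tSign of "Win32:Adware-gen [Adw]" has been found in "D:\\System Volume Information\\_restore{8E5CACF8-79B5-44C2-9657-8D538229B1DD}\\RP386\\A0110354.dll" file.
"""

LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+ [AP]M)\t(?P<user>[^\t]+)\t(?P<pid>\d+)\t'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Heuristics for the naming patterns visible in the log (assumptions of this
# example): droppers land in the user's Temp under random names and the
# resident component re-creates numeric-named copies in system32.
SYS32_NUMERIC_RE = re.compile(r'\\windows\\system32\\\d{4,7}\.exe$')
TEMP_RANDOM_RE = re.compile(r'\\temp\\[a-z]{6,10}\.exe(\\|$)')
RESTORE_RE = re.compile(r'\\system volume information\\_restore')


def parse_avast_log(text):
    """Return one dict per well-formed warning line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            events.append(m.groupdict())
    return events


def classify(path):
    """Bucket a detected path by what its name and location suggest."""
    low = path.lower()
    if RESTORE_RE.search(low):
        return "restore-point copy"
    if SYS32_NUMERIC_RE.search(low):
        return "random numeric exe in system32"
    if TEMP_RANDOM_RE.search(low):
        return "random exe in user temp"
    return "other"


def triage(text, dropper_threshold=3):
    """Count buckets and decide whether something resident keeps regenerating files.

    Repeated drops into system32 over a span of minutes point at a loader that
    is still running (or a persistence entry that restarts it); that loader,
    not the dropped copies, is what has to be found and removed.
    """
    events = parse_avast_log(text)
    buckets = Counter(classify(e["path"]) for e in events)
    return {
        "events": len(events),
        "buckets": buckets,
        "dropper_active": buckets["random numeric exe in system32"] >= dropper_threshold,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, n in result["buckets"].most_common():
        print(f"{n:3d}  {bucket}")
    if result["dropper_active"]:
        print("verdict: a resident dropper is still active; the chest alone will not end this")
```

Restore-point copies (the `_restore{...}` path) are inert until a restore is performed, so they are counted separately rather than treated as evidence of live activity.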

Follow this guide from Essexboy and post the logs here, then he will take a look at it
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

MBAM Log

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3, v.5857

2/10/2010 2:04:46 PM
mbam-log-2010-02-10 (14-04-46).txt

Scan type: Quick Scan
Objects scanned: 76428
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Delete on reboot.

OTL.txt log & Extras.txt log are attached. Avast is still popping up those messages as I post this.

Your MBAM is way out of date (v1.35, database 1927).
Latest is v1.44, database 3721,
so update and scan again. MBAM is updated several times a day; always update before scanning.

Ah, I knew I forgot to update the thing.

Ok, I updated and got this log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3, v.5857
Internet Explorer 8.0.6001.18702

2/10/2010 3:50:02 PM
mbam-log-2010-02-10 (15-50-02).txt

Scan type: Quick Scan
Objects scanned: 120073
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Mike\fjwak.exe \s,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Mike\Application Data\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\ErrorSmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Mike\Application Data\ErrorSmart\Log\2008 Jun 16 - 05_08_43 PM_906.log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\ErrorSmart\Log\2008 Jun 16 - 05_36_06 PM_375.log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000005b.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00005bca.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Well, you are getting better; you have now updated the program to 1.44,
but the datafile is 3510 and latest is 3721… so you are almost there… ;D

Well, when I tried to update, I got an error message

Error code: 732 (12007, 0)

And is it me, or is malwarebytes.org down for some reason?

http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162097&#entry162097

www.malwarebytes.org is working here

It won’t show up for me.

I’m going to try accessing it from my other computer and then go back and forth, and see if that helps.

It can be malware that is blocking it. Anyway, Essexboy is online, so he will look at the logs soon.

Hi, let's do this first

Run OTL.exe

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKLM..\Run: [hhiis] C:\WINDOWS\System32\hhiis.exe ()
O4 - HKCU..\Run: [F5JMWNZTHI] C:\DOCUME~1\Mike\LOCALS~1\Temp\Nxw.exe File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\0034.DLL) - C:\WINDOWS\system32\0034.DLL ()
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Mike\fjwak.exe \s) - C:\Documents and Settings\Mike\fjwak.exe ()
[2010/02/10 14:07:13 | 000,000,278 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/02/10 14:07:13 | 000,000,238 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/02/10 14:07:13 | 000,000,232 | ---- | M] () -- C:\WINDOWS\tasks\SpeedOptimizer Startup.job
[2010/02/09 17:05:08 | 000,058,880 | -H-- | M] () -- C:\Documents and Settings\Mike\fjwak.exe
[2010/02/09 17:05:08 | 000,058,880 | ---- | M] () -- C:\WINDOWS\System32\hhiis.exe
[2009/06/16 02:30:00 | 000,000,400 | ---- | M] () -- C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job

:Commands
[purity]
[emptytemp]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

THEN

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
[*]Click NO
[*]In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
[*]Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
[*]Click OK.
[*]GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”
[*]Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.
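The four OTL lines above hit the classic XP autostart points: two Run values, an AppInit_DLLs entry (a DLL loaded into every process that maps user32.dll), and a Winlogon Userinit value that has been extended from the lone `userinit.exe` to also launch a file dropped in the profile root. As an added example, not OTL's code and not from the original post, the following Python audits those same locations from a snapshot. The sample snapshot reproduces the values seen in this thread; the location-based heuristics, the severity labels and the `read_live_snapshot` helper (Windows only, built on the standard `winreg` module) are assumptions of the example.

```python
import os
import re
from dataclasses import dataclass

# Constructed snapshot of the autostart locations the OTL fix above targets.
# The values repeat what the MBAM and OTL logs in this thread show; the dict
# layout is an assumption of this example, not an OTL or MBAM format.
SAMPLE_SNAPSHOT = {
    "Winlogon\\Userinit": "C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\Mike\\fjwak.exe \\s,",
    "Windows\\AppInit_DLLs": "C:\\WINDOWS\\system32\\0034.DLL",
    "HKLM\\Run": {"hhiis": "C:\\WINDOWS\\System32\\hhiis.exe"},
    "HKCU\\Run": {"F5JMWNZTHI": "C:\\DOCUME~1\\Mike\\LOCALS~1\\Temp\\Nxw.exe"},
    "Tasks": ["{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job", "SpeedOptimizer Startup.job"],
}


@dataclass(frozen=True)
class Finding:
    location: str
    value: str
    reason: str
    severity: str  # "high" = act on it, "review" = verify by hand first


SYS32 = "c:\\windows\\system32\\"
TEMP_DIR = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)
PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)
GUID_JOB = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.job$", re.I)


def image_path(entry):
    """Strip arguments (such as the trailing '\\s' in the hijacked value) from a command."""
    m = re.match(r'^"?(.*?\.exe)"?(\s.*)?$', entry.strip(), re.I)
    return m.group(1) if m else entry.strip()


def audit_userinit(value):
    """Userinit is a comma-separated list and Winlogon starts every entry.
    Only userinit.exe itself (bare, or in system32) is expected."""
    findings = []
    for entry in (p.strip() for p in value.split(",") if p.strip()):
        if image_path(entry).lower() not in ("userinit.exe", SYS32 + "userinit.exe"):
            findings.append(Finding("Winlogon\\Userinit", entry, "extra program started at every logon", "high"))
    return findings


def audit_appinit(value):
    """AppInit_DLLs is empty on a clean XP box; anything listed is loaded into every user32 process."""
    dlls = [d for d in re.split(r"[,\s]+", value) if d]
    return [Finding("Windows\\AppInit_DLLs", d, "DLL injected into every user32 process", "high") for d in dlls]


def audit_run(hive, entries):
    findings = []
    for name, cmd in entries.items():
        img = image_path(cmd)
        loc = f"{hive}\\Run\\{name}"
        if TEMP_DIR.search(img):
            findings.append(Finding(loc, cmd, "autostart from a temp directory", "high"))
        elif PROFILE_ROOT.match(img):
            findings.append(Finding(loc, cmd, "autostart from the profile root", "high"))
        elif img.lower().startswith(SYS32):
            findings.append(Finding(loc, cmd, "system32 autostart; verify version info and MD5 by hand", "review"))
    return findings


def audit_tasks(jobs):
    """Legitimate .job files carry a descriptive name; a bare GUID is worth a look."""
    return [Finding("Tasks", j, "scheduled task named by a bare GUID", "review") for j in jobs if GUID_JOB.match(j)]


def audit_all(snapshot):
    findings = []
    findings += audit_userinit(snapshot.get("Winlogon\\Userinit", ""))
    findings += audit_appinit(snapshot.get("Windows\\AppInit_DLLs", ""))
    for hive in ("HKLM", "HKCU"):
        findings += audit_run(hive, snapshot.get(f"{hive}\\Run", {}))
    findings += audit_tasks(snapshot.get("Tasks", []))
    return findings


def read_live_snapshot():
    """Windows only: build the same snapshot from the live registry and Tasks folder."""
    import winreg  # assumption: running under a Windows Python

    def value(root, sub, name):
        try:
            with winreg.OpenKey(root, sub) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return ""

    def values(root, sub):
        out, i = {}, 0
        try:
            with winreg.OpenKey(root, sub) as k:
                while True:
                    n, data, _ = winreg.EnumValue(k, i)
                    out[n] = str(data)
                    i += 1
        except OSError:  # end of enumeration or key missing
            pass
        return out

    nt = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    run = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    return {
        "Winlogon\\Userinit": value(winreg.HKEY_LOCAL_MACHINE, nt + r"\Winlogon", "Userinit"),
        "Windows\\AppInit_DLLs": value(winreg.HKEY_LOCAL_MACHINE, nt + r"\Windows", "AppInit_DLLs"),
        "HKLM\\Run": values(winreg.HKEY_LOCAL_MACHINE, run),
        "HKCU\\Run": values(winreg.HKEY_CURRENT_USER, run),
        "Tasks": os.listdir(os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "Tasks")),
    }


if __name__ == "__main__":
    for f in audit_all(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.location}: {f.value}  ({f.reason})")
```

The Userinit check is the one that matters most here: because Winlogon runs every entry in that list, replacing the value with the known-good `userinit.exe` is what stops the dropper from coming back at the next logon, and the OTL result above shows exactly that value being deleted before the file is moved.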

Ok, I did as you said and after a couple of hours, here’s what I got:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\hhiis deleted successfully.
C:\WINDOWS\system32\hhiis.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\F5JMWNZTHI deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\0034.DLL deleted successfully.
C:\WINDOWS\system32\0034.DLL moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\Mike\fjwak.exe \s deleted successfully.
C:\Documents and Settings\Mike\fjwak.exe moved successfully.
File C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job not found.
File C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job not found.
C:\WINDOWS\tasks\SpeedOptimizer Startup.job moved successfully.
File C:\Documents and Settings\Mike\fjwak.exe not found.
File C:\WINDOWS\System32\hhiis.exe not found.
File C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Mike
->Temp folder emptied: 1273702 bytes
->Temporary Internet Files folder emptied: 238050586 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 39208174 bytes
->Google Chrome cache emptied: 345565938 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 595.00 mb
 
 
OTL by OldTimer - Version 3.1.28.0 log created on 02102010_162916

Files\Folders moved on Reboot...
C:\Documents and Settings\Mike\Local Settings\Temp\~DFDC9.tmp moved successfully.
File\Folder C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_61c.dat not found!

Registry entries deleted on Reboot...

and…

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-10 18:57:46
Windows 5.1.2600 Service Pack 3, v.5857
Running: gmer.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\kgnyqaog.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwClose [0xF420B6B8]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwCreateKey [0xF420B574]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwDeleteValueKey [0xF420BA52]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwDuplicateObject [0xF420B14C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwOpenKey [0xF420B64E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwOpenProcess [0xF420B08C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwOpenThread [0xF420B0F0]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwQueryValueKey [0xF420B76E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwRestoreKey [0xF420B72E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                                 ZwSetValueKey [0xF420B8AE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                                                                                 entry point in ".rsrc" section [0xF7395700]
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                                              section is writeable [0xF6BD9360, 0x372FAD, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]                                          00380002
IAT             C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]                                                00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                              aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                             aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                                    [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                                    [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4                                                                                                           [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c                                                                                                           [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17                                                                                                          [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                             aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                           aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6DC3C846-0B5F-C563-E3AA-F97B4D739911}                                       
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6DC3C846-0B5F-C563-E3AA-F97B4D739911}@abdcmojglddhhceffmlnpfaoebmallapog    0x61 0x61 0x00 0x00 
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6DC3C846-0B5F-C563-E3AA-F97B4D739911}@bbdcmojglddhhceffmingfbjpaaboffkbkpe  0x61 0x61 0x00 0x00 

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys                                                                                                                 suspicious modification

---- EOF - GMER 1.0.15 ----

So, now what do I do? By the way, avast didn’t complain since I did this, but I’m still not sure if the malware is gone.

Hmm… try to use ComboFix… or System Restore. 8)

Nope, your atapi.sys appears to be infected; lose this and you will not be able to boot.

Download TDSSKiller and save it to your Desktop.

[*]Extract the file and run it.
[*]Once completed it will create a log in your [b]C:[/b] drive
[*]Please post the contents of that log
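What makes the GMER output above point at atapi.sys is three mutually supporting entries rather than any one of them: the driver's entry point sitting in its `.rsrc` section (code does not belong there), every IDE device object being dispatched through code in no known section of atapi.sys, and the `suspicious modification` line in the Files section. The avast SSDT and filter-driver hooks, by contrast, are attributed to named vendor modules, which is why they are not the problem. The following Python is an added example, not GMER's own code and not from the thread: it parses a log in that layout (the excerpt is constructed from lines quoted above, with the wide columns collapsed) and separates attributed hooks from unattributed kernel modifications. The severity rules and the accepted-vendor list are assumptions of the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the layout of the GMER 1.0.15 log quoted above;
# columns are collapsed to a couple of spaces, which the parser tolerates.
SAMPLE_GMER = """\
---- System - GMER 1.0.15 ----

SSDT  \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwClose [0xF420B6B8]
SSDT  \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenProcess [0xF420B08C]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc  C:\\WINDOWS\\system32\\drivers\\atapi.sys  entry point in ".rsrc" section [0xF7395700]
.text  C:\\WINDOWS\\system32\\DRIVERS\\nv4_mini.sys  section is writeable [0xF6BD9360, 0x372FAD, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\\WINDOWS\\system32\\services.exe[728] @ C:\\WINDOWS\\system32\\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  00380002
IAT  C:\\WINDOWS\\system32\\services.exe[728] @ C:\\WINDOWS\\system32\\services.exe [KERNEL32.dll!CreateProcessW]  00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \\FileSystem\\Ntfs \\Ntfs  aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device  \\Driver\\atapi \\Device\\Ide\\IdePort0  [F7388AFE] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

---- Files - GMER 1.0.15 ----

File  C:\\WINDOWS\\system32\\drivers\\atapi.sys  suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Vendors whose kernel hooks are expected on this box (assumption: the
# installed AV). Anything else hooking the same places needs attribution.
KNOWN_VENDORS = ("ALWIL Software",)


@dataclass(frozen=True)
class Finding:
    section: str
    kind: str
    severity: str
    reason: str
    text: str


SECTION_RE = re.compile(r"^---- (.+?) - GMER")
ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")
MODULE_RE = re.compile(r"([\w\-]+\.(?:sys|exe|dll))", re.I)
BARE_ADDR_RE = re.compile(r"\s[0-9A-F]{8}$")


def judge(kind, body):
    """Map one GMER entry to a severity and a one-line reason."""
    if 'entry point in ".rsrc" section' in body:
        return "high", "driver entry point redirected into its resource section (patched image)"
    if "[unknown section]" in body:
        return "high", "device I/O dispatched to code outside any section of the named driver"
    if "suspicious modification" in body:
        return "high", "on-disk image differs from what the file system reports"
    if any(v in body for v in KNOWN_VENDORS):
        return "info", "hook attributed to an installed security product"
    if kind == "IAT" and BARE_ADDR_RE.search(body):
        return "medium", "import redirected to an address with no owning module"
    if "section is writeable" in body:
        return "low", "writable code section; common in video drivers, confirm the file hash"
    return "review", "unclassified entry"


def triage_gmer(text):
    findings, section = [], "?"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or section == "EOF":
            continue
        kind, body = m.groups()
        sev, why = judge(kind, body)
        findings.append(Finding(section, kind, sev, why, line))
    return findings


def hot_files(findings):
    """Count high-severity findings per module so one patched driver stands out."""
    c = Counter()
    for f in findings:
        if f.severity == "high":
            m = MODULE_RE.search(f.text)
            if m:
                c[m.group(1).lower()] += 1
    return dict(c)


if __name__ == "__main__":
    fs = triage_gmer(SAMPLE_GMER)
    for f in fs:
        if f.severity != "info":
            print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print("files to focus on:", hot_files(fs))
```

The two `services.exe` IAT entries are rated medium rather than high because the hook target is a bare address with no module name; that is consistent with a kernel component injecting into the service controller, but on its own it is not proof, and the caution in the instructions above (no action on rootkit entries unless advised) applies to this script's output just as much as to GMER's.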

I attached the log.

OK that has cured the Atapi problem

Is your system running slow now?

What other problems do you have ?

If you could now update and then re-run MBAM we shall see what is revealed

Yeah, everything is fine now. Thanks so much!

Although, my MBAM still gives me that error I noted earlier every time I try to update it.

Uninstall MBAM and then download a fresh copy - that should cure the problem

Hi There… Can you help me with the same problem… I am quite bothered with it too… Thanks

neverheard, could you start your own topic and post the following logs for me please?

If the logs are too big to attach then use the following:

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Under the Custom Scan box paste this in

[b]netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

[/b]

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

THEN

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
[*]Click NO
[*]In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
[*]Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
[*]Click OK.
[*]GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”
[*]Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.
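The `/md5start` … `/md5stop` block in the OTL custom scan asks OTL to hash the storage and logon drivers that this kind of infection patches, so the hashes can be compared with known-good values for the same service pack. As an added example rather than OTL's implementation, this Python performs that comparison against a baseline you supply from a clean machine; the `demo()` function writes constructed files to a temporary directory instead of touching the real drivers folder, and the driver list is copied from the scan block above.

```python
import hashlib
import os
import tempfile

# The driver names from the /md5start ... /md5stop block above. Most are
# chipset-specific and will not exist on a given machine; that is expected.
DRIVER_LIST = [
    "iaStor.sys", "nvstor.sys", "atapi.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys", "nvatabus.sys", "viamraid.sys", "nvata.sys",
    "nvgts.sys", "iastorv.sys", "ViPrt.sys", "ahcix86.sys", "KR10N.sys",
    "nvstor32.sys", "ahcix86s.sys", "nvrd32.sys", "symmpi.sys", "adp3132.sys",
    "mv61xx.sys",
]


def md5_file(path, chunk=1 << 16):
    """MD5 of a file read in chunks (MD5 only because that is what OTL reports)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_drivers(drivers_dir, names=DRIVER_LIST):
    """Return {name: md5} for every listed driver that is present in drivers_dir."""
    out = {}
    for name in names:
        p = os.path.join(drivers_dir, name)
        if os.path.isfile(p):
            out[name] = md5_file(p)
    return out


def diff_against_baseline(current, baseline):
    """Compare with hashes taken from a clean machine at the same service pack.

    Returns {name: (baseline_md5 or None, current_md5)} for drivers that
    differ or that the baseline does not know. Caveat: a kernel-resident
    rootkit can answer file reads with the original bytes, so hashes taken
    from inside the running system are necessary, not sufficient; re-check
    from an offline boot when GMER reports a driver as modified.
    """
    return {name: (baseline.get(name), h)
            for name, h in current.items() if baseline.get(name) != h}


def demo():
    """Constructed demo: two fake drivers in a temp dir, one patched after baselining."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("atapi.sys", "AGP440.sys"):
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"clean image of " + n.encode())
        baseline = hash_drivers(d)
        with open(os.path.join(d, "atapi.sys"), "ab") as f:
            f.write(b"<injected code>")
        return diff_against_baseline(hash_drivers(d), baseline)


if __name__ == "__main__":
    for name, (old, new) in demo().items():
        print(f"{name}: baseline {old} -> now {new}")
    # real use: hash_drivers(r"C:\WINDOWS\system32\drivers") against a saved baseline
```

A clean hash is only meaningful when the baseline comes from the same Windows build and service pack, which is why the OTL log header (`Windows 5.1.2600 Service Pack 3` in the logs above) should be read alongside the hashes.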