Win32:Malware-gen removal help

A few days ago, Avast’s “Malware Blocked” pop-up window started reporting:

Object: C:\Windows\Installer\{d5674564-e073-592e-f8ad-a5655cda434d}\U\800000cb.@
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\Windows\System32\services.exe

When I first saw the message in the Avast pop-up, I updated and ran Malwarebytes, which originally found and deleted the virus. But it’s obviously not completely gone, as the Avast “Malware Blocked” pop-up window keeps showing the same message about every 2-3 minutes with the “Object” file name changing slightly.

Per the instructions found at http://forum.avast.com/index.php?topic=53253.0,

I have attached my MBAM and OTL logs. I tried to run aswMBR, but soon after it started I got a blue screen.

Thanks

Whilst the alerts are a pain, avast is preventing the underlying infection (which MBAM can’t deal with either) from getting worse.

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

Monitoring :wink:

Thanks for the quick reply, will wait for further instructions…

Hello,
I will be working on your Malware issues :slight_smile:


Create a batch file:

Note: You will need to save any work before double clicking the fix.bat file because it will automatically restart your computer

Please copy and paste the following text exactly as written into Notepad (not WordPad or any other text editor):

@echo off
REM Stop Internet Explorer so it does not hold the files below open
taskkill /IM iexplore.exe /F
REM Remove the GUID-named folder from the avast alert and its twin under the user profile
RMDIR /S /Q "C:\Windows\Installer\{d5674564-e073-592e-f8ad-a5655cda434d}"
RMDIR /S /Q "C:\Users\BMMEDIA\AppData\Local\{d5674564-e073-592e-f8ad-a5655cda434d}"
REM Save a copy of the HOSTS file to the desktop so it can be attached for review
COPY C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS %userprofile%\desktop\hostsbackup.txt
Once you've done that click on File and select Save As...
In the Save dialogue box click on the drop down menu next to Save as type and select All Files
Name the file fix.bat (the .bat extension is very important)
Save the file to your desktop and double click it to run it.
Once it runs it will automatically restart your computer
Once your computer boots again, check to see if your internet is back

A Notepad file named hostsbackup.txt should appear on the desktop. Attach it here.


1. Please download TFC by OldTimer to your desktop.

- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.

When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) to the topic.

If you have problems running ComboFix, run it from safe mode :wink:
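As an added illustration (not part of the thread or of the batch file above), a small Python triage script that groups alert lines in the shape of the avast pop-up and works out which GUID-named folders keep producing them, which is exactly what the two RMDIR lines target. The alert text is constructed: the folder GUID is the thread’s own, while the second and third object file names are invented to mimic the “changing slightly” the poster describes.

```python
import re

# Constructed alert text in the shape of the avast pop-up quoted in the first post. The GUID
# folder is the thread's; the file names after \U\ are invented to mimic the described changes.
ALERTS = """\
Object: C:\\Windows\\Installer\\{d5674564-e073-592e-f8ad-a5655cda434d}\\U\\800000cb.@
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\\Windows\\System32\\services.exe
Object: C:\\Windows\\Installer\\{d5674564-e073-592e-f8ad-a5655cda434d}\\U\\000000cb.@
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\\Windows\\System32\\services.exe
Object: C:\\Users\\BMMEDIA\\AppData\\Local\\{d5674564-e073-592e-f8ad-a5655cda434d}\\U\\800000cb.@
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\\Windows\\System32\\services.exe
"""

# A path that passes through a brace-wrapped GUID directory; group 1 is that directory.
GUID_DIR = re.compile(r"^(.*\\\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\})\\")

def parse_alerts(text):
    """Group consecutive Object/Infection/Action/Process lines into one dict per alert."""
    alerts, current = [], {}
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Object" and current:  # a new Object line starts the next alert
            alerts.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        alerts.append(current)
    return alerts

def guid_roots(alerts):
    """Map each GUID-named folder to its alert count and the processes that touched it.
    Repeated alerts from one folder with shifting file names mean the files are being
    recreated, so the folder, not the single .@ file avast quarantines, has to go."""
    roots = {}
    for alert in alerts:
        m = GUID_DIR.match(alert.get("Object", ""))
        if not m:
            continue
        entry = roots.setdefault(m.group(1), {"alerts": 0, "processes": set()})
        entry["alerts"] += 1
        entry["processes"].add(alert.get("Process", "").lower())
    return roots
```

Running `guid_roots(parse_alerts(ALERTS))` on the constructed text yields the two folders named in the batch file, both written to by services.exe.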

Thanks for joining the topic magna86.

Hi magna86,
Thanks for your reply. I followed your batch file directions exactly. When I double-clicked the fix.bat file, my computer did not restart, but it did produce the hostsbackup.txt file (which I have attached). Should I proceed with TFC and ComboFix?

Yes, just run TFC and then Combofix. :wink:

Hi magna86,
…whew!!!
I ran TFC and it restarted my machine when finished, so no problem.
Then I ran ComboFix, in normal mode first. It ran for a few minutes (black background with green text), then disappeared, and no log was to be found.
So then I ran it in safe mode (black background with green text), and a few minutes in I got a “system shutting down” message; not sure if this was Windows or ComboFix.

The machine rebooted in normal mode and ComboFix (blue background) gave me the message to disable Avast before proceeding. The problem is I couldn’t right-click to disable the shields, as the icon would not respond and the actual program would not open. So ComboFix gave me the “at your own risk” message, but I was committed, what else could I do?
A few minutes in, I got a “The application was unable to complete an operation” window, but ComboFix was still running, so I let it go…

So, attached is the ComboFix log, and so far no Avast pop-ups; as an added extra bonus, Windows Firewall is now enabled.

Hi magna86,
Just wanted to check back in…
It’s been a few hours now and so far no pop-ups from Avast, and all security that was disabled is now enabled :wink:

I’ll ping back in if I notice any problems, but just wanted to say thank you very much for your help, and thanks to all those that are a part of this forum helping others!!!

- Download AdwCleaner (by Xplode) to your desktop.
- Launch it, click on [Search] and wait for the scan.
- When the scan ends, a report appears.
- Click on [Delete] and wait for the programme to end.
  The program will close all active programs and show a warning window. Click OK to confirm.
  On the next two windows that open (Informations and Restart required) click OK.
- The computer will restart.
- A Notepad window will open with the report.
- Attach the contents of that report to the topic.

Note: The report will also be stored at C:\AdwCleaner[S1].txt


Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:87,ff,c9,34,4b,a1,38,e8,7b,1b,8a,40,d2,13,29,dc,b8,71,67,42,5d,
   2e,f7,5e,d5,37,a3,a3,aa,21,78,06,a1,87,b7,2a,ea,7b,1d,6a,a6,32,de,06,12,91,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).
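An added example, not part of the thread or of ComboFix itself: a Python parser for the RegLock:: block format used in the CFScript above, pulling out which keys carry an @Denied entry. The excerpt is cut down to three blocks from the script above; the reading of the two brackets (the denied rights as ComboFix prints them, then the principal) is an assumption based on the layout of those lines.

```python
import re

# Excerpt of the RegLock:: section of the CFScript posted above. The key paths and values are
# the page's own; the list is cut to three blocks so the example stays short.
REGLOCK_EXCERPT = """\
RegLock::
[HKEY_LOCAL_MACHINE\\software\\Classes\\Wow6432Node\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\\software\\Classes\\Wow6432Node\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\system\\ControlSet001\\Control\\PCW\\Security]
@Denied: (Full) (Everyone)
"""

KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# Assumed reading: "@Denied: (<rights as ComboFix prints them>) (<principal>)"
DENIED_LINE = re.compile(r"^@Denied: \(([^)]*)\) \(([^)]*)\)$")

def parse_reglock(text):
    """Parse the key blocks of a RegLock:: section (each block ends at a lone '.') into
    {key_path: {"denied": (rights, principal) or None, "values": {name: raw_value}}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {"denied": None, "values": {}})
            continue
        if current is None or line in ("", "."):
            continue
        m = DENIED_LINE.match(line)
        if m:
            current["denied"] = (m.group(1), m.group(2))
        elif "=" in line:
            name, _, value = line.partition("=")
            current["values"][name.strip('"')] = value
    return keys

def locked_keys(keys):
    """Keys that carry a deny entry: these are the ones whose permissions the RegLock::
    section asks ComboFix to reset; the other blocks are subkeys and values seen under them."""
    return {path: info["denied"] for path, info in keys.items() if info["denied"]}

if __name__ == "__main__":
    for path, (rights, who) in locked_keys(parse_reglock(REGLOCK_EXCERPT)).items():
        print(f"locked: {path}  denied={rights} to {who}")
```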