Win32:Malware-gen Removal

Hi there, I believe my system is infected with the Win32:Malware-gen virus (as Avast! informs me). Every few minutes a new .tmp file is quarantined by Avast! and the pop-up message from avast informs me that it is related to a ‘Win32:Malware-gen’ infection. I’ve run a boot time scan with avast but no threats were found. I’ve also downloaded Malwarebytes and run a scan, but no threats were found with that either. It seems as though the system is in fact infected though as I’ve never had the issue of new tmp files appearing (and as the avast pop-up messages denote the win32:Malware-gen infection).

I’ve read through the thread “Logs to assist in cleaning malware” and tried to install both the Farbar and the aswMBR tools but am unable to download them, I just get this notification:

"C:\Users(my name)__~1\AppData\Local\Temp\fSkQZMW_.exe.part could not be saved, because the source file could not be read.

Try again later, or contact the server administrator."

You guys seem to have been very helpful in other similar cases, really hoping you can help me this time! :cry:

Every few minutes a new .tmp file is quarantined by Avast!
try clearing your temp folders

TFC cleaner http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

when done

follow instructions here https://forum.avast.com/index.php?topic=53253.0
we need Malwarebytes and Farbar Recovery Scan Tool logs, attach the logs, 3 logs total

see below the box you write in … Attachments and other options

Hi Pondus, thank you so much for your response!

I ran the Malwarebytes scan which now has turned up 2 ‘Trojan:Banker’ files. I quarantined the offending files and rebooted the machine as prompted.

I then ran the FRST scan (I was able to download the FRST and aswMBR tools by using Internet Explorer instead of Firefox).

I’ll post all three logs here now.

One curious thing is that immediately after quarantining the trojan:banker files a new shortcut appeared on my desktop “Home Network Group”, it disappeared a few minutes later. Would this indicate that the virus remains on the machine despite the files having been quarantined?

Again thank you very much for your help!

Oh, I had also run the TFC cleaner prior to running the Malwarebytes scan by the way. It cleared out about 300 bytes of files (if I recall correctly) but did not require that I restart my machine.

Thanks

Check back tomorrow, removal team seems to be in bed now :wink:

No prob, will do! :slight_smile:

Thanks.

Just finished running the aswMBR scan so I’ll leave the log for that here too now in case it’s relevant.

Let me know if the alerts cease
CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
URLSearchHook: [S-1-5-21-3981354836-3465985663-449714611-1001] ATTENTION => Default URLSearchHook is missing
CHR Extension: (No Name) - C:\Users\ferg__000\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-01-19]
2016-01-19 15:46 - 2016-01-20 21:21 - 00000000 ____D C:\ProgramData\RoyJilm
AlternateDataStreams: C:\ProgramData\Microsoft:VtyTemfi0vo0tmQ73BUcimq
AlternateDataStreams: C:\ProgramData\Microsoft:wuxl2UTdUrloGyGi15VZWFf6mHd
AlternateDataStreams: C:\Users\ferg__000\Cookies:EfZ0davdwYhx57tcIFu3noQh
AlternateDataStreams: C:\Users\ferg__000\Cookies:UquWv5ZZWDLxdYHUpMje9U1
AlternateDataStreams: C:\Users\ferg__000\Local Settings:DsBYc8nKj16UChg4Gq7rNwZC9s
AlternateDataStreams: C:\Users\ferg__000\AppData\Local:DsBYc8nKj16UChg4Gq7rNwZC9s
AlternateDataStreams: C:\Users\ferg__000\AppData\Local\Application Data:DsBYc8nKj16UChg4Gq7rNwZC9s
AlternateDataStreams: C:\Users\ferg__000\AppData\Local\Temp:e79218A7lA1hQyzYBqnvpS
AlternateDataStreams: C:\Users\ferg__000\AppData\Local\Temp:orf1o2KsgyUL5RJImsn4BWQ1mwSm
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated, please post that
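The fixlist above removes named alternate data streams (ADS) that FRST found attached to directories under ProgramData and the user profile. The script below is an added triage helper, not part of this thread and not FRST's own code: it sweeps those same locations and lists every named stream other than the ordinary browser Zone.Identifier marker, so the operator can confirm what is present before and after a fix. It assumes Windows 8 or later with PowerShell 3+, where Get-Item -Stream enumerates named streams on directories as well as files.

```powershell
# Added example (not from the thread or from FRST). Assumes PowerShell 3+ on Windows,
# where Get-Item -Stream works on directories. Read-only: it reports, it does not delete.

# Roots matching the locations in the fixlist. The thread's "Local Settings" and
# "AppData\Local\Application Data" entries are compatibility junctions onto AppData\Local,
# which is why the same stream name shows up under three different paths.
$roots = @(
    "$env:ProgramData",
    "$env:USERPROFILE",
    "$env:USERPROFILE\AppData\Local",
    "$env:USERPROFILE\AppData\Local\Temp"
)

function Get-SuspiciousAds {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Include the root itself: the streams in the fixlist sit on directories, not on files.
        $items = @(Get-Item -LiteralPath $p -Force) +
                 @(Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the normal unnamed stream of a file; Zone.Identifier is the
                # mark-of-the-web that browsers add to downloads. Everything else is unusual.
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path   = $item.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
    }
}

Get-SuspiciousAds -Paths $roots | Format-Table -AutoSize
```

Run it from an elevated PowerShell before applying a fixlist to get a baseline, and again afterwards; an empty table means the streams FRST listed are gone.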

Hi Essexboy, thanks for your response, hugely appreciated!!

I ran the fix as instructed, I’ll attach the resulting log now.

The alerts about the random temp files had ceased after quarantining the two trojan:banker files with Malwarebytes actually. I did however catch sight of the ‘Homegroup Network’ shortcut very briefly following the restart (after running the fixlist.txt file in FRST) so I’m still suspicious that something might be on the system as the shortcut has never appeared on the desktop prior to the virus.

MBAM left the malware folder behind; that is what I removed, plus I also reset some proxy options

Any further problems ?

Ah brilliant, thank you so much!

No further avast alerts or buggish behavior from the system anyway, are there any other precautions or further checks I can make or do you think that the system is probably fully clean again?

All the best :slight_smile:

All looks good :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Amazing, you are saints and scholars the lot of you, can’t thank you enough!

I’ve installed and run those tools now so should be covered in future too.

All the best! :slight_smile: 8)