Win32:Malware-gen upon Firefox startup

Hello all,

I’ve done some searching on the forums and I think I’ve found similar cases, but none quite like mine: the problem I am having is that every time I start up Firefox after the computer has turned on (either from starting up normally, waking up from sleep, etc), avast! notifies me of a threat 3 times in a row. If I try starting up Firefox again without turning off the computer in some way, I don’t get the notifications any more. Also, the second and third notifications both have the added option of “reporting it as a false-positive.” I am doubtful that it is a false-positive considering the fact that every single virus avast! has identified in association with Firefox (since this started happening about a week ago) is a Win32:Malware-gen.

My Software Updater had been in a critical state (38%) for a while and I hadn’t noticed until yesterday, so I went in and updated everything that needed updating, which brought me up to 98%. I thought that perhaps this was the issue since Firefox was one of the programs that needed updating, but since rebooting and then putting the computer on sleep several times after that, I am still having the same problem.

Here is the path of the infection: C:\Users\AppData\Local\Mozilla\Firefox\Profiles\z365md9y.default\Cache\5\4A

I have checked this particular folder and it comes up as empty. I’ve also had avast! scan Firefox itself and it has not found anything. Anyway, I would appreciate any and all help to shed some light on this matter. I will start a full scan on the computer with MBAM and post the log as soon as possible. What other logs do I need for this case? Please let me know and I will get those posted as soon as possible as well.

EDIT: Attached AdwCleaner log, MBAM log, and OTL/Extras logs. aswMBR will be attached in a second reply as I can only have 4 attachments.

-IvoryOnyx

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Here’s the aswMBR log.

Could you attach a screenshot of the alert please.

Also, AVG is still running on your computer; I would recommend that you use the AVG removal tool to get rid of it: http://www.avg.com/gb-en/utilities

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\xhunter1.sys -- (xhunter1)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva401.sys -- (XDva401)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva391.sys -- (XDva391)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva380.sys -- (XDva380)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva375.sys -- (XDva375)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva370.sys -- (XDva370)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva356.sys -- (XDva356)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva351.sys -- (XDva351)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva332.sys -- (XDva332)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva295.sys -- (XDva295)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva288.sys -- (XDva288)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva279.sys -- (XDva279)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva275.sys -- (XDva275)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva190.sys -- (XDva190)
IE - HKU\S-1-5-21-3039263285-874054487-4266135133-1001\..\URLSearchHook: *{2558d83c-097c-4cf1-9163-ce5ecc36ace2} - No CLSID value found
IE - HKU\S-1-5-21-3039263285-874054487-4266135133-1001\..\URLSearchHook: *{687578b9-7132-4a7a-80e4-30ee31099e03} - No CLSID value found
IE - HKU\S-1-5-21-3039263285-874054487-4266135133-1001\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
O2 - BHO: (no name) - {7c5c0f58-e061-457d-9033-77307f5ed00c} - No CLSID value found.
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-3039263285-874054487-4266135133-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3039263285-874054487-4266135133-1001\..\Toolbar\WebBrowser: (no name) - {687578B9-7132-4A7A-80E4-30EE31099E03} - No CLSID value found.
[2013/05/29 10:38:24 | 000,000,000 | ---D | M] -- C:\Users\BRANDON\AppData\Roaming\MCommon

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
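As an added example (not code from the thread, from OTL or from avast!), a small Python triage script that reads OTL report lines in the format shown above and picks out only the entries a fix like the one posted targets: driver services whose file is missing from disk and IE search hooks, BHOs and toolbars whose CLSID is no longer registered. It then assembles the :OTL and :Commands sections the same way the helper's fix does. The sample report lines are constructed, with placeholder SIDs, paths and CLSIDs.

```python
import re

# Constructed sample modelled on OTL report lines (not a real log from this thread).
# The first DRV entry and the first O2 entry are healthy and must be left alone.
SAMPLE_OTL = r"""
DRV - [2012/10/02 09:12:00 | 000,024,176 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva401.sys -- (XDva401)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\xhunter1.sys -- (xhunter1)
IE - HKU\S-1-5-21-0-0-0-1001\..\URLSearchHook: *{2558d83c-097c-4cf1-9163-ce5ecc36ace2} - No CLSID value found
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll (Example Inc.)
O2 - BHO: (no name) - {7c5c0f58-e061-457d-9033-77307f5ed00c} - No CLSID value found.
O3 - HKU\S-1-5-21-0-0-0-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
"""

# A driver service whose backing file is gone: the registry entry is an orphan.
DRV_MISSING = re.compile(
    r"^DRV - File not found \[(?P<type>[^\]]+)\] -- (?P<path>.+?) -- \((?P<svc>[^)]+)\)$")
# A search hook (IE), BHO (O2) or toolbar (O3) pointing at an unregistered CLSID.
DANGLING_CLSID = re.compile(
    r"^(?P<kind>IE|O2|O3) - .*\{(?P<clsid>[0-9A-Fa-f-]{36})\} - No CLSID value found\.?$")

def triage(report):
    """Return (missing_drivers, dangling_clsids) found in an OTL report.

    missing_drivers is a list of (service name, path); dangling_clsids is a list
    of (kind, CLSID). Healthy entries are skipped so only fix candidates remain."""
    missing, dangling = [], []
    for raw in report.splitlines():
        line = raw.strip()
        m = DRV_MISSING.match(line)
        if m:
            missing.append((m.group("svc"), m.group("path")))
            continue
        m = DANGLING_CLSID.match(line)
        if m:
            dangling.append((m.group("kind"), m.group("clsid").upper()))
    return missing, dangling

def build_otl_fix(report):
    """Assemble a fix script: the :OTL section repeats the orphaned report lines
    verbatim, mirroring the fix posted above, followed by the :Commands section."""
    lines = [l.strip() for l in report.splitlines()
             if DRV_MISSING.match(l.strip()) or DANGLING_CLSID.match(l.strip())]
    return "\n".join([":OTL", *lines, "", ":Commands", "[resethosts]",
                      "[emptytemp]", "[CREATERESTOREPOINT]", "[Reboot]"])

if __name__ == "__main__":
    drivers, clsids = triage(SAMPLE_OTL)
    print(f"{len(drivers)} missing driver(s), {len(clsids)} dangling CLSID(s)")
    print(build_otl_fix(SAMPLE_OTL))
```

Review the generated script against the full log before running it, since OTL acts on every line placed under :OTL.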

Thank you for pointing out AVG, I didn’t realize that. I think I’ve gotten rid of it now. So what is this big block of code for? Is it to make sure that AVG is gone or is it checking into what’s causing the Win32:Malware-gen to pop up? I’ll do it, I’m just curious.

Also, I am not sure if I can reproduce those notifications. When I got up today I started up my computer and upon Firefox startup, I got the notifications. Then I came here and did the AVG fix, after which my computer had to be rebooted twice. On the third reboot, after starting up Firefox, I got no notifications (when I should have)… so either the problem is fixed or it’s just acting weird. Anyway, I’ll post the next log as soon as I can.

There is the probability that part of AVG was being detected by Avast, hence the good rule never to have two antivirus programmes.

The major part of the code was a tidy-up exercise to help the system run a tad smoother, and one folder was a malware container :)

Yeah, I thought I’d gotten rid of AVG a long time ago… I’m glad you pointed it out. And thanks for the tidying up, I appreciate that :)!

The scan finished, so here’s the log. Upon reboot I started up Firefox again, no “Threat Detected” notification… I hope it’s gone, but something tells me it might not be that simple. Just call it a gut feeling.

C:\Users\BRANDON\AppData\Roaming\MCommon folder moved successfully.
This was the culprit, so I would feel that you are now clean, but use the system as normal, and if all is well tomorrow let me know and I will tidy up.

I see, thank you very much for your help! Feeling a lot better now, phew. So, if you don’t mind me asking, what exactly is it that a Win32:Malware-gen does to one’s system? I had gotten one before and read up on it a little bit, but that was a while ago - I mean, it’s malware so obviously it can’t be good, but if I remember correctly the severity of it isn’t very high either.

Also, I’m guessing it’s safe for me to “Delete” all of the Win32:Malware-gens that have accrued in my vault? Haha. I always get a little paranoid about “deleting” viruses. I question the ease of it I guess! :P avast! is just so dependable.

There is no rush to delete anything from the virus chest. That is why there is a quarantine: you then have the option to restore if something goes wrong. So let it stay there for a couple of weeks, and if all is OK, then delete.

Clean, quarantine or delete
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

The intention of this was to download either fake spyware removal apps or use your computer as a click-to-pay zombie.