Win32:Malware-gen

Every 5 minutes, I keep getting an alert about Avast detecting Win32:Malware-gen

I’ve tried the boot-time scan, delete, move\rename, repair as well as Move to chest options. I’m a novice to this and trying to get rid of this virus. Avast gives me this report:

File name: C:\WINDOWS\TEMP\mxuh.tmp\svchost.exe
Malware Name : Win32:Malware-gen
Malware Type : Virus/Worm
VPS Version : 100101-0, 01/01/2010

Please help!

Hi meghavee,

If avast! isn’t catching it with a boot time scan…

Try a scan with DrWeb CureIT!

Try one or more of the usual free adware/spyware scanners.

SUPERAntiSpyware Free
Malwarebytes’ Anti-Malware
a-Squared Free
Spybot Search & Destroy

Download, install and update the programs.
Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

Hi! I’m new here.

Since yesterday evening, I’ve been experiencing quite the same as meghavee:
Every 5-6 minutes, a new subfolder is created in the C:\Windows\Temp\ folder (always named [four random characters].tmp), and inside this, a new svchost.exe file is created, immediately identified by Avast as being Win32:Malware-gen. I can delete it (and its folder) alright, but it comes back in the next 5 minutes and it starts all over again.

The freaky thing is that it keeps happening even when I run Win XP in safe mode without network connection, and even though in my Task Manager I see no active process other than the usual minimum ones. At all times, I have three svchost.exe processes running, two of which I cannot shut down without the system rebooting automatically, and a third one which I can shut down, but which comes back almost immediately. I guess that’s where my problem is. But I have no idea how to fix it. Could you please help? Thanks!
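A small check that puts a number on the pattern described in this post, as an added example (not code from the thread): given a listing of %SystemRoot%\Temp with file creation times, it picks out the <four characters>.tmp\svchost.exe drops and measures how regular the spacing between them is. A near-constant interval that persists in Safe Mode points at a timer-driven component (a service, scheduled task or a loop in a resident process) rather than at user activity, which narrows where to look next. The folder-name pattern, the 20 % regularity tolerance and the sample listing are constructed assumptions; only scan_temp touches a real directory.

```python
"""Measure the cadence of the Temp-folder svchost.exe drops described above.

Added example, not part of the original thread. The drop pattern (a folder
named <four characters>.tmp containing svchost.exe) follows the two posts
above; everything else here is an assumption chosen for the example.
"""
import os
import re
from statistics import median

# Assumption: four alphanumeric characters, as both posters describe.
DROP = re.compile(r"^(?P<folder>[0-9a-z]{4}\.tmp)[\\/]svchost\.exe$", re.IGNORECASE)


def scan_temp(root):
    """Walk a real Temp directory and yield (path relative to root, ctime)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), os.stat(full).st_ctime


def classify_drops(entries, tolerance=0.2):
    """entries: iterable of (path relative to Temp, timestamp in seconds).

    Returns the matching drops in time order, the intervals between
    consecutive drops, their median, and whether every interval lies within
    `tolerance` of that median (the signature of a timer-driven dropper).
    """
    drops = sorted((t, p) for p, t in entries if DROP.match(p))
    times = [t for t, _ in drops]
    intervals = [b - a for a, b in zip(times, times[1:])]
    med = median(intervals) if intervals else None
    periodic = bool(intervals) and all(abs(i - med) <= tolerance * med for i in intervals)
    return {"drops": [p for _, p in drops], "intervals": intervals,
            "median_interval_s": med, "periodic": periodic}


# Constructed listing (not a real capture): five drops about five minutes apart,
# plus two unrelated files that the filter must ignore. The first folder name is
# the one avast! reported in the opening post.
SAMPLE_ENTRIES = [
    (r"mxuh.tmp\svchost.exe", 1000.0),
    (r"qz4a.tmp\svchost.exe", 1300.0),
    (r"hp_setup.log", 1310.0),
    (r"k3pd.tmp\svchost.exe", 1595.0),
    (r"b7wq.tmp\svchost.exe", 1900.0),
    (r"longname.tmp\svchost.exe", 1950.0),
    (r"xx9z.tmp\svchost.exe", 2200.0),
]

if __name__ == "__main__":
    # On the affected machine: classify_drops(scan_temp(r"C:\WINDOWS\Temp"))
    print(classify_drops(SAMPLE_ENTRIES))
```

On the constructed listing the five drops come out 300 s apart with a 300 s median and `periodic` True. On a live machine the interesting follow-up is not the listing itself but what creates the files: a Process Monitor filter on file writes under C:\WINDOWS\Temp would name the writing process directly, which a snapshot of running processes cannot.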

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERAntiSpyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then re-enable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Hi!

Thanks for the advice so far. I just completed step 5 - so far loads of crap removed from the system (both from files and from the registry), and the last reboot was still totally successful, but the warning keeps popping up every 10 minutes or so, so Win32:Malware-gen is still around my system (even though Avast removed it already once during the boot time scanning). CureIt found some additional stuff which was removed, MBAM yet some others, also safely out of the way now, and then no rootkits were found at all. However, the virus is still here. Grrrrrrr!

Anyway, here goes the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:18, on 12/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\IsabelleAliceZoltan\Mes documents\Téléchargements\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d’aide de l’Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [StartCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe”
O4 - HKLM..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [LogitechQuickCamRibbon] “C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe” /hide
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU..\Run: [Google Update] “C:\Documents and Settings\IsabelleAliceZoltan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE RÉSEAU’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (User ‘SYSTEM’)
O4 - S-1-5-18 Startup: Logitech . Enregistrement du produit.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User ‘SYSTEM’)
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE (User ‘Default user’)
O4 - .DEFAULT Startup: Logitech . Enregistrement du produit.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User ‘Default user’)
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Logitech . Enregistrement du produit.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe


End of file - 7354 bytes

Should I proceed further with step 6?
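One way to do by rule what a helper does by eye when reading a log like the one above, as an added example (not code from this thread or from HijackThis): it parses the plain-text HijackThis format and flags the entry types an analyst checks first. The embedded sample reuses lines from the posted log plus one constructed line, the C:\WINDOWS\TEMP\mxuh.tmp\svchost.exe path avast! reported in the first post; the C:\WINDOWS system root and the list of borrowed binary names are assumptions.

```python
"""Triage a HijackThis log for the entries a malware analyst reads first.

Added example for this thread: not code from the original post or from
HijackThis. It parses the plain-text format posted above (the
"Running processes:" block and the "Oxx - " lines) and applies the checks an
analyst makes by hand: a core Windows binary name running from outside
system32, anything executing from a Temp directory, orphaned BHOs, hosts
file (O1) entries, autostart targets given as a bare filename, and services
with no recognised publisher.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Core Windows binaries whose names malware commonly borrows (explorer.exe is
# left out because it legitimately lives in %SystemRoot%, not system32).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                   "smss.exe", "csrss.exe", "spoolsv.exe"}
# Assumption: default XP layout with %SystemRoot% = C:\WINDOWS, as on the
# thread's machine. Adjust for WINNT or non-C installs.
SYSTEM32 = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(TEMP|TMP|Local Settings\\Temp)\\", re.IGNORECASE)
ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# First token of an autostart target: a quoted path (straight quotes, or the
# curly ones forum software substitutes) or the first whitespace-delimited word.
FIRST_TOKEN = re.compile(r'^["“]([^"”]+)["”]|^(\S+)')


def triage(log_text):
    """Return a list of Finding(line, reason) for every entry worth a look."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            findings.extend(_check_entry(m.group(1), m.group(2), line))
        elif in_procs:
            findings.extend(_check_image(line, line))
    return findings


def _check_image(path, line):
    """Checks shared by running processes and autostart/service image paths."""
    out = []
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARIES and not SYSTEM32.match(path):
        out.append(Finding(line, "system binary name outside system32"))
    if TEMP_DIR.search(path):
        out.append(Finding(line, "executable located in a Temp directory"))
    return out


def _check_entry(kind, body, line):
    out = []
    if kind == "O1":
        out.append(Finding(line, "hosts file entry (check for redirected domains)"))
    elif kind == "O2" and "(no file)" in body:
        out.append(Finding(line, "BHO registered with no backing file (orphan)"))
    elif kind == "O4":
        if "] " in body:                      # "[name] target args"
            m = FIRST_TOKEN.match(body.split("] ", 1)[1].strip())
            exe = (m.group(1) or m.group(2)) if m else ""
        else:                                 # "Startup: foo.lnk = target (User ...)"
            exe = re.sub(r"\s+\(User .*\)$", "", body.split(" = ", 1)[-1]).strip()
        if exe and "\\" not in exe:
            out.append(Finding(line, "autostart target is a bare filename (resolved via search path)"))
        elif exe:
            out.extend(_check_image(exe, line))
    elif kind == "O23":
        parts = body.split(" - ")
        if len(parts) >= 3:
            company, path = parts[-2], parts[-1]
            if company.strip().lower() == "unknown owner":
                out.append(Finding(line, "service with no recognised publisher"))
            out.extend(_check_image(path, line))
    return out


# Excerpt of the log posted above, plus one constructed line: the Temp-folder
# svchost.exe path avast! reported in the first post, which is absent from the
# posted log because the dropped process is short-lived.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\mxuh.tmp\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60} {f.line}")
```

Run over the full log posted above, these checks return only the orphaned BHO and the three bare-filename Run entries (SkyTel.EXE, RTHDCPL.EXE, ALCMTR.EXE), which are flagged because a bare name is resolved through the search path and should be confirmed against the files actually on disk; every svchost.exe in the process list runs from system32. That is consistent with what the thread found: a snapshot of running processes taken between drops does not show a short-lived file in Temp, so a clean HijackThis log does not rule the dropper out.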

You can… but it seems it won’t clean.
I suggest a full computer on-line scanning:
BitDefender
ESET NOD32
F-Secure

Ok, thanks.

  • BitDefender online scan found nothing (in spite of the fact that during the scan, the Avast warning popped up again, and a new occurrence of the corrupt svchost.exe was created in the Temp folder at the very moment).
  • I didn’t have time for a thorough ESET NOD32 online scan, but I’ll do that as soon as possible.

One interesting thing - still needing confirmation: it seems that after a reboot, the first warning is not automatic: it only starts once Internet Explorer is launched (but not if I only use Firefox). Maybe I should look into this direction.

I may be wrong, but I think you may have a rootkit that infects atapi.sys. Try running rootrepeal: open the program, tick on report > scan > tick all the boxes > ok > choose C drive. Post the log as an attachment only. I doubt it can remove any threat, but it may show hidden files. http://rootrepeal.googlepages.com/

If I am correct you will have to replace the sys file with a clean copy

Thanks for the tip. The RootRepeal log is attached - it doesn’t tell me much to be honest.

Replacing atapi.sys? Would be glad to. How is it done? (where can I find a clean one suitable for my system, and what’s the process to replace it? I guess it’s not so easy when the system is up and running).

Oh dear, SORRY, I meant do not post as an attachment, it always comes out garbled. Either copy/paste or upload to mediafire http://www.mediafire.com/ and post the URL. I may be way off the mark, so don’t go replacing any files.
Hopefully Essexboy may see this thread, he is the resident genius, trouble is he’s very busy.
You could also go to virustotal http://www.virustotal.com/ and upload atapi.sys for analysis.

I can view it using editpad lite, the only driver/s mentioned is the avast self protection, aswSP.sys. So in that regard things look OK.

I would suggest you try this one.
GMER - Rootkit Detector and Remover, see http://www.gmer.net/

Sorry, here goes (not long at all):

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2010/01/13 19:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Drivers

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x95EC8000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT

#: 025 Function Name: NtClose
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a76b8

#: 041 Function Name: NtCreateKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a7574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a7a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a714c

#: 119 Function Name: NtOpenKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a764e

#: 122 Function Name: NtOpenProcess
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a708c

#: 128 Function Name: NtOpenThread
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a70f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a776e

#: 204 Function Name: NtRestoreKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a772e

#: 247 Function Name: NtSetValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a78ae

==EOF==

In the meantime, a really funny thing happened. Avast warnings kept popping up every 5 minutes, as new folders with new svchost.exe files kept appearing in the Windows\Temp folder. To follow up on a piece of advice above, I restarted an ESET NOD32 online scan. Before it started, it invited me to suspend my antivirus so as not to disturb the process, so I turned off the Avast Resident Protection. And guess what: of course I haven’t received any warning since then. But more importantly: for the past two hours, no new folder or file appeared in the Temp folder!

Besides, NOD32 found three rogue files which it quarantined, then removed upon successful reboot. So I guess that the bloody virus had infected, well, Avast itself! At this point, I bet it’s worth a shot, so I uninstalled Avast to download it from new and re-install it. I’m giving it its first re-start right away and will keep you posted.
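Reading the RootRepeal report above mechanically, as an added example (not code from the thread or from RootRepeal): the SSDT section lists hooks by driver, and the only question is whether each hooking driver is accounted for. The page identifies aswSP.SYS as avast!’s self-protection driver, and rootrepeal.sys (reported with File Visible: No) is the scanner’s own driver; both go on an allow-list that is an assumption for this particular machine. The second sample, with the driver name example.sys, is constructed to show what an unexplained hook looks like.

```python
"""Separate expected from unexplained findings in a RootRepeal report.

Added example: not code from the original post or from RootRepeal. It reads
the "Drivers" and "SSDT" sections of the plain-text report posted above and
reports any SSDT hook, or hidden driver, that is not on the allow-list.
"""
import re
from collections import defaultdict

# Assumption for this machine: the products named in the thread.
KNOWN_DRIVERS = {"aswsp.sys": "avast! self-protection", "rootrepeal.sys": "RootRepeal scanner"}

HOOK = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)$")
# Accept straight or curly quotes around the driver path (forum reformatting).
STATUS = re.compile(r'^Status:\s*Hooked by\s*[“"]([^”"]+)[”"]\s+at address\s+(0x[0-9A-Fa-f]+)')
DRV_NAME = re.compile(r"^Name:\s*(\S+)")
DRV_VIS = re.compile(r"File Visible:\s*(Yes|No)")
SECTIONS = ("Drivers", "SSDT", "Processes", "Hidden/Locked Files", "==EOF==")


def parse_report(text):
    """Return (hooks, hidden_drivers).

    hooks: list of (ssdt_index, function, hooking_driver_path, address)
    hidden_drivers: driver names reported with "File Visible: No"
    """
    hooks, hidden, section, pending, cur_drv = [], [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, pending, cur_drv = line, None, None
            continue
        if section == "SSDT":
            m = HOOK.match(line)
            if m:
                pending = (int(m.group(1)), m.group(2))
                continue
            m = STATUS.match(line)
            if m and pending:
                hooks.append(pending + (m.group(1), m.group(2)))
                pending = None
        elif section == "Drivers":
            m = DRV_NAME.match(line)
            if m:
                cur_drv = m.group(1)
                continue
            m = DRV_VIS.search(line)
            if m and m.group(1) == "No" and cur_drv:
                hidden.append(cur_drv)
    return hooks, hidden


def assess(text):
    """Group hooks by driver file name and flag anything not on the allow-list."""
    hooks, hidden = parse_report(text)
    by_driver = defaultdict(list)
    for _idx, func, drv_path, _addr in hooks:
        by_driver[drv_path.rsplit("\\", 1)[-1].lower()].append(func)
    unexplained_hooks = {d: f for d, f in by_driver.items() if d not in KNOWN_DRIVERS}
    unexplained_hidden = [d for d in hidden if d.lower() not in KNOWN_DRIVERS]
    return {"hooks_by_driver": dict(by_driver),
            "unexplained_hooks": unexplained_hooks,
            "unexplained_hidden_drivers": unexplained_hidden,
            "clean": not unexplained_hooks and not unexplained_hidden}


# Excerpt of the report posted above.
SAMPLE_CLEAN = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x95EC8000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT

#: 025 Function Name: NtClose
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a76b8

#: 122 Function Name: NtOpenProcess
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a708c

#: 247 Function Name: NtSetValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xa45a78ae

==EOF==
"""

# Constructed report (hypothetical driver name, index and address) to exercise
# the unexplained path: a hook by something that is not on the allow-list.
SAMPLE_UNEXPLAINED = r"""SSDT

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\System32\Drivers\example.sys" at address 0xdeadbeef

==EOF==
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CLEAN))
    print(assess(SAMPLE_UNEXPLAINED))
```

The allow-list is the weak point of this approach: a rootkit can install under a name that looks legitimate, so a driver should be confirmed by its path, signature and hash (the VirusTotal upload suggested earlier in the thread) rather than by file name alone.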

Well, the RR log looks OK. Not sure what you meant about Avast being infected. Without logs to look at it’s difficult. As well as what you’re already doing, please try two more things. As well as GMER suggested by David, try HitmanPro: it’s a program you download that uses multiple online cloud scanners. It will not remove anything unless you activate the trial. http://www.surfright.nl/en/hitmanpro It also uses NOD with others. Post the results (a scan is very quick).

Lastly in case Essexboy sees this ( he spends a lot of time here ) follow his instructions in this link .

http://forum.avast.com/index.php?topic=53050.msg450158#msg450158
Read only the instructions for the OTS program and upload to mediafire. Then post the URL. Hopefully he may respond and see you right.

Thanks for everything. For the time being, everything is back to normal. I removed Avast and installed it back from a new download. No alerts since then, startup normal, no threats detected, browsers work okay… So far so good!

Fingers crossed. I know you must be sick of scanning etc., but if you get time, it would do no harm to post the OTS log. Hoping you’re OK now.