Win32:Malware-gen

Anyone?

OK, this is a new variant that has only recently been detected.

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.


[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)


[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*] Save the log where you can easily find it, such as your desktop.
Caution
Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOTKIT” entries.

Please copy and paste the report into your Post.

THEN

Download OTL to your Desktop

[*] Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*] Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
rasacd.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

[*] Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*] When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

I attached all the logs, couldn’t paste the result of the GMER since it was too long.

Thank you! :slight_smile:

OK, let's try the easy way first; if it fails I will have to use Avenger.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following


:Files
C:\WINDOWS\system32\drivers\rasacd.sys|C:\WINDOWS\system32\dllcache\rasacd.sys /replace

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
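As an added example (not OTL's own code, and not from anyone in this thread), here is the comparison that the /md5start … /md5stop and /replace lines above automate: hashing the live driver and the copy Windows keeps in dllcache and reporting whether they differ. It runs against constructed sample files in a temp directory; the file names and contents are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not OTL's own code: compare a driver in system32 with the
# dllcache copy, the same pair of paths the OTL fix above replaces.

def file_md5(path):
    """MD5 of a file, read in chunks so large drivers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_driver_with_cache(live_path, cache_path):
    """Return hashes, sizes and a 'match' flag (None when a copy is missing).
    A mismatch on its own is a lead, not proof of infection: a hotfix can
    legitimately update system32 without touching dllcache."""
    live, cache = Path(live_path), Path(cache_path)
    report = {"live_present": live.is_file(), "cache_present": cache.is_file()}
    if not (report["live_present"] and report["cache_present"]):
        report["match"] = None
        return report
    report["live_md5"] = file_md5(live)
    report["cache_md5"] = file_md5(cache)
    report["live_size"] = live.stat().st_size
    report["cache_size"] = cache.stat().st_size
    report["match"] = report["live_md5"] == report["cache_md5"]
    return report

def demo():
    """Constructed sample: a fake driver and its dllcache copy in a temp dir.
    The second case appends bytes to the live copy, as a patched driver would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dllcache").mkdir()
        cache = root / "dllcache" / "rasacd.sys"   # assumed name, from the thread
        live = root / "rasacd.sys"
        cache.write_bytes(b"MZ-fake-driver-body")
        live.write_bytes(b"MZ-fake-driver-body")
        clean = compare_driver_with_cache(live, cache)
        live.write_bytes(b"MZ-fake-driver-body" + b"\x90" * 64)
        patched = compare_driver_with_cache(live, cache)
        missing = compare_driver_with_cache(live, root / "nope.sys")
    return clean, patched, missing
```

On a real system the same function would be called with the two rasacd.sys paths from the OTL script; it needs read access to both files, nothing more.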

Attached log :slight_smile:

Could you now re-run Combofix and allow it to update if it asks to

Is Avast still alerting?

Done.

No, Avast isn’t alerting anymore, you think that’s it?

Well normally OTL is not strong enough to move that sort of file - but hey I won’t argue

Did you re-run Combofix?

Yeah, I did, but I forgot to save the log :-[ and now I can’t find it :frowning:

Should be at C:\Combofix

Got an alert!
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\E5LTD0b5.exe.vir
Win32:Malware-gen

moved it to chest

Edit:
attached log

avast found more viruses:

C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135210.sys
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP239\A0134807.sys
Win32:Alureon-FZ

C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135218.exe
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135165.exe
Win32:Malware-gen

C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135672.exe
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135673.exe
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135293.exe
&
C:\System Volume Information\_restore{BA9F4A2F-E990-4D4A-9024-E38A6921616B}\RP240\A0135270.com
Win32:Trojan-gen

well basically they won’t stop

the warnings just keep popping up and i keep moving them to the chest

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\E5LTD0b5.exe.vir
C:\System Volume Information\_restore

They are either in your restore point or quarantine

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

done.

I wonder why Avast started finding them all of a sudden?

I ran an avast virus scan… and then it found loads of them :confused:
but we made a clean restore point last time just like a week ago, and I don’t have any other ones…

Well, the restore points have been reset. Is Avast still alerting?

no, I’m running another scan now just to see what happens…

edit:
should I do something else after?

Run MBAM to see if that says anything

Seems like it can’t find anything, but I have a feeling there is something on the computer which causes the problem.

What is it that makes you feel that?