win32 malware-gen

Hi
I have read a number of logs/topics in regard to the above (there are quite a few); many suggest downloading various software (on some, links are provided to now trojan-infected webpages).

Avast is telling me I have 4 instances of this malware, and cannot action 3 of them. Each scan gives me a similar message.

Malwarebytes does not remove or even detect it… the same goes for Iobit Security 360, Stinger and Immunet Protect Cloud.

Is this a false positive? (Can I attach a log here? Not sure.)

I am considering downloading and running OTL (?), or SUPERAntiSpyware… both recommended in the various Avast forums/threads.
BTW, why isn't there a link to these forums from the avast home site?

Anyhow, not sure which I should do next: run any/all of these in safe mode… go down the OTL or SUPERAntiSpyware path, or keep researching.

Any up-to-date advice/links would be greatly appreciated.

Lethal

Enjoy Life!

malware-gen (for GENeric) is the least reliable of detections…

If the item is not in quarantine, you can submit the file to VirusTotal for analysis by over 40 anti-virus engines: http://www.virustotal.com/

Go to VirusTotal, hit the BROWSE button to navigate your way to the allegedly "bad" file, and SEND it to them for their analysis. They will provide a link to their results, which you can then include here.


if the item is in avast’s quarantine/vault, you can open up the vault, RIGHT-click on the item, and then choose SEND IT TO AVAST for analysis as a possible false positive. It will be sent the next time avast tries to update — to expedite matters, you should MANUALLY search for updates immediately (to send the file to avast).

Follow this guide from Essexboy and post the logs here
http://forum.avast.com/index.php?topic=53253.0

lower left corner: + Additional Options > Attach > ( MBAM scan log / OTL.Txt and Extras.Txt. )

Malwarebytes does not remove or even detect it....same for Iobit security 360, stinger or Immunet protect cloud.

IObit info
http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

There is a tool for removal of IObit software, if you decide to do that;
you will find it on the right side of the page:
http://uninstallers.blogspot.com/ Bitremover 1.4.1

Before we start running round like the proverbial headless chickens: the win32:malware-gen on its own is not worth much at all; we need more information.

@ lethal
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Is this something that was installed and has been on your system for some time, etc.?

Why can't it action the detection? What error message do you get?

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here (the URL in the address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield: Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.
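Once the file is sitting in an excluded folder like C:\Suspect, you do not have to upload it anywhere to ask VirusTotal about it: VT indexes submissions by hash, so you can compute the MD5/SHA-1/SHA-256 locally and look the hash up first. The script below is an added example, not code from the thread or from avast; it writes a constructed stand-in file (not real malware) into a temporary directory, hashes it in chunks so large binaries do not have to be loaded into memory, notes whether it starts with the "MZ" marker of a Windows executable, and builds the hash-lookup URL of VirusTotal's current web UI (https://www.virustotal.com/gui/file/<sha256>), which is a newer address than the www.virustotal.com link quoted above.

```python
import hashlib
import os
import tempfile

# Constructed, harmless stand-in for a file avast flagged as Win32:Malware-gen.
# It only imitates the "MZ" header of a Windows PE file; it is not executable.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a suspect file\n"

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, reading it in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def is_pe_like(path):
    """True if the file begins with the 'MZ' DOS/PE magic (a quick executable hint)."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def virustotal_report_url(sha256):
    """Hash-lookup URL of the VirusTotal web UI; no upload of the file is needed."""
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256.lower()):
        raise ValueError("expected a 64-character hex SHA-256")
    return "https://www.virustotal.com/gui/file/" + sha256.lower()


def summarize_suspect(path):
    """Gather everything a forum helper asks for about one suspect file."""
    digests = hash_file(path)
    return {
        "path": path,
        "size": os.path.getsize(path),
        "pe_like": is_pe_like(path),
        "virustotal": virustotal_report_url(digests["sha256"]),
        **digests,
    }


def demo():
    """Write the constructed sample to a temp dir and summarize it."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "suspect.bin")  # stands in for C:\Suspect\<file>
        with open(sample, "wb") as f:
            f.write(SAMPLE_BYTES)
        return summarize_suspect(sample)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:11}: {value}")
```

Paste the SHA-256 (or the VirusTotal URL the script prints) into the thread along with the path avast reported; if the hash is already known to VT you get the multi-engine verdict without uploading anything, and if it is not, that is the moment to submit the file as DavidR describes.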

Hi Guys,

Many thanks for your responses, though I found some a little confusing.
Apologies for the delay in responding to all.

The instances of the malware have reduced to almost nil in subsequent scans, though scans from the suite of antispyware apps mentioned continue to pick up malware of sorts.

In answer to the queries raised:

Ky331:
I have submitted the quarantined instance to avast.
The repetition of the malware was an issue, however, which made me think it was being missed in some scans (?).

Pondus:
Not really sure if I should remove any scanners at the moment, though as they seem to pick up adaware at each scan, it is strange that it does not get removed. Is this to be expected?

I am less confident in the 'Iobit Security 360' product and 'Immunet' than I am in 'SUPERAntiSpyware'… due to this.

Though, is it dangerous to have multiple apps here?

DavidR:
Not sure how long it has been on my system. I would think that a couple of weeks would be the minimum, though that is approximate.

I will rescan, and confirm the message I get when I try to delete the quarantined/non-quarantined file with this malware.

I will run the online scanner recommended, and try to follow your instructions as to how to attach.

Once again, thanks for the responses

Lethal

Not really sure if I should remove any scanners at the moment, though as they seem to pick up adaware at each scan, it is strange that it does not get removed. Is this to be expected?
What do they pick up... cookies?

Are cookies really spyware and are they dangerous?
http://superantispyware.com/supportfaqdisplay.html?faq=26

I am less confident in the 'Iobit Security 360' product and 'Immunet' than I am in 'SUPERAntiSpyware'... due to this.
I would replace IObit 360 with Malwarebytes

Hi Pondus,

Thanks for the prompt post. I understand now why SUPERAntiSpyware keeps bringing these items up… they must simply be cookies.

I was using only Malwarebytes and Avast for months before noticing the win32 malware-gen issue.
I will continue to use them, and will remove IObit's product (thanks for the advice).

As an addendum to my last post, I will submit any instance of the win32 malware to VT, if and when avast identifies them going forward.

Of course, VT does not offer an online scan, as it now appears.

regards

Lethal

Virus Total online scanner: http://www.virustotal.com/.

Thanks SafeSurf.

Am I again missing something? The site appears to offer analysis of uploaded files, NOT a scanner.

The three links all go to the same page detailing this.

However, please tell me where, if anywhere, I am mistaken.

thanks

You enter the suspected link or url in the box in the center of the page for VT. Do you see it?

Yes, I can see it… as explained earlier by DavidR, a file or URL is uploaded… for analysis.

This is not a ‘scanner’.

I acknowledge that most online scanners have their own 'issues' these days. Microsoft have one (Windows Live), and Trend have one (HouseCall), though I'm not sure if this still exists.

VT does not appear to offer a scanner.

cheers

You can try the following for online scanners:

Trend: http://housecall.trendmicro.com/housecall/start_corp.asp
RAV: http://www.ravantivirus.com/scan/indexie.php (use with IE & ActiveX enabled)
KAV: http://www.kaspersky.com/remoteviruschk.html
URL Void: http://www.urlvoid.com/
Unmask Parasites: http://www.unmaskparasites.com/security-report/?page=servepics.com

thanks for these.

The first is the one I mentioned… I will try it anyhoo.

The second link doesn't work (The website declined to show this webpage), and the others are (again) file scanners.
Kaspersky is working on an online scanner (so it says).

cheers

Lethal