Win32 Malware.gen

Yesterday Avast threw up a box with a warning that it had found a virus. I did not read the box too carefully and ended up pressing the button to Abort. The box came up again some time later and I did the same. It happened one or two more times, but these times I sent the file to the Chest.

Before going to bed I started Malwarebytes on a full scan. This morning I found it paused with the Avast box on top! Again I sent it to the Chest. Malwarebytes did not find anything. Next I did an Avast Boot scan which also did not find anything. Then I scanned with BitDefender; it found two problems which it, apparently, deleted. I have since stopped System Restore, restarted and activated it again. I have also scanned with SpyBot which returned a clean sheet.

I have now also done an Avast RootKit check and it found problems, which I list:

avast! Antirootkit, version 0.9.6
Scan started: Friday, 30 July 2010 19:47:14

Scan finished: Friday, 30 July 2010 19:47:55
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


avast! Antirootkit, version 0.9.6
Scan started: Friday, 30 July 2010 19:49:50

Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore] Count=45570 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore] LoadTime=25 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{5CA3D70E-1895-11CF-8E15-001234567890}\iexplore] Count=86413 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{5CA3D70E-1895-11CF-8E15-001234567890}\iexplore] Blocked=63740 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{85D1F590-48F4-11D9-9669-0800200C9A66}\iexplore] Count=15773 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{85D1F590-48F4-11D9-9669-0800200C9A66}\iexplore] Blocked=15772 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore] Count=68694 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore] Blocked=68693 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore] Count=43308 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore] LoadTime=872 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore] Count=43303 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore] LoadTime=6 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore] Count=52303 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore] Blocked=52303 HIDDEN

Scan finished: Friday, 30 July 2010 19:54:14
Hidden files found: 0
Hidden registry items found: 14
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


Nevertheless I am worried something is still lurking and I would be very grateful if you could look at the attached logs.

Many thanks

I do not believe the standalone ARK by Avast is updated any more. The registry keys are legitimate. Was the warning generated by webshield?

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:80
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:80

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks
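The OTL lines above reset the WinINET proxy values (ProxyEnable, ProxyOverride, ProxyServer) in the .DEFAULT and S-1-5-18 hives, where a loopback proxy of 127.0.0.1:80 had been left configured while ProxyEnable was 0. As an added example, not part of this thread and not OTL's own code, the following PowerShell function audits those same values in every loaded user hive and flags the patterns a responder would want to see: a proxy pointing at the local machine, a ProxyServer value that is still set although proxying is disabled, and an AutoConfigURL (PAC) entry. It assumes it is run on Windows from an elevated PowerShell session so that HKEY_USERS is readable; the flag names are my own labels.

```powershell
# Added example (not from the thread or from OTL): audit Internet Settings proxy
# values in every loaded user hive under HKEY_USERS.
# Assumptions: Windows, elevated PowerShell; a proxy on 127.0.0.1/localhost/::1 is
# reported as suspicious because a local interception proxy is a common leftover
# of adware and proxy-hijacking malware. Flag names are hypothetical labels.

function Get-ProxyAudit {
    $results = @()

    # Map HKEY_USERS as a drive if the session does not already have it.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }   # class registration hives carry no Internet Settings

        $keyPath = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path -Path $keyPath)) { continue }

        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        $proxyServer   = [string]$props.ProxyServer
        $proxyEnable   = [int]($props.ProxyEnable -as [int])   # null becomes 0
        $proxyOverride = [string]$props.ProxyOverride
        $autoConfigUrl = [string]$props.AutoConfigURL

        $flags = @()
        # Proxy aimed at the local machine (the pattern seen in the OTL lines above).
        if ($proxyServer -match '127\.0\.0\.1|localhost|\[?::1\]?') { $flags += 'loopback-proxy' }
        # Proxy value still present although proxying is switched off.
        if ($proxyServer -and $proxyEnable -eq 0) { $flags += 'stale-proxy-value' }
        # A PAC file can redirect traffic without ProxyServer being set at all.
        if ($autoConfigUrl) { $flags += 'pac-configured' }

        $results += [pscustomobject]@{
            Hive          = $sid
            ProxyEnable   = $proxyEnable
            ProxyServer   = $proxyServer
            ProxyOverride = $proxyOverride
            AutoConfigURL = $autoConfigUrl
            Flags         = ($flags -join ',')
        }
    }

    return $results
}

# Usage: list every hive, then narrow to the ones that raised a flag.
$audit = Get-ProxyAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { $_.Flags } | Format-Table Hive, ProxyServer, Flags -AutoSize
```

Run it before and after a fix like the one above: the first pass should show the .DEFAULT and S-1-5-18 hives carrying `http=127.0.0.1:80` with the `loopback-proxy,stale-proxy-value` flags, and the second pass should show them empty. Hives that are not currently loaded (users who are logged off) do not appear under HKEY_USERS, so a complete audit also needs each profile's NTUSER.DAT loaded, which this function does not do.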

I will run it again.

Thanks

Ok, I am afraid I made a mistake and pressed RunScan instead of RunFix. I tried to abort it and it ended up restarting and deleting files. I ran it again as you asked and I am attaching the two logs.

Thank you

qim

OK that worked. Are you experiencing any problems?

I never really experienced problems. I am just worried about the virus that kept coming back with Avast and the ones found by BitDefender.

Did you have a look at the BitDefender and Avast logs?

Thanks

qim

BitDefender's finding was in your Java cache, so emptying that should work.

OTL emptied your temp folders, so again no real concern.

No files were marked to run as either services or startup items that were not legitimate.

Thanks!

qim