Hi, Avast has been detecting this Win32:Malware-gen. After moving it to the virus chest everything was OK for a few days. Now it is there again, and Avast detected it and moved it to the chest again.
The question is, what happened? Does this mean that Avast doesn't clean 100%, or what?
The other question is, why can I not eliminate it from this chest? You can select an action (eliminate, repair, don't do anything, etc.) but the "Apply" button isn't activated...
Thank you!!!
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
If you are looking at the report file, it is showing what may already have been done, e.g. check and see if it has already been sent to the chest.
When it comes back, is it the same file name and location?
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware (MBAM), on-demand only in the free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right click on the link and select Save As or Save File (As, depending on your browser), and save it to a location where you can find it easily later.
2. SUPERantispyware (SAS), on-demand only in the free version.
Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.
Thank you for the help!!
The file was located in C:\Program Files\TuneUp Utilities 2009\patch.exe
and the time before, this was detected: C:\Users\me\AppData\Local\Temp\SearchWithGoogleUpdate.exe|>[UPX]
I have already installed Malwarebytes Anti-Malware and when I'm running it nothing is detected.
Shall I install SUPERantispyware (SAS) too?
One more time, thanks!!
It is certainly worth running SAS for further confirmation.
Do you have TuneUp Utilities 2009 installed (and where was it obtained)?
Was it updating at or about the time of the detections?
Do you have Google Update Notifier, as that appears to be related?
http://www.online-armor.com/oasis2/file/google_inc/unspecified_product/searchwithgoogleupdate_exe/94492
I would suggest checking these two files out at VirusTotal:
You can check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here by posting the URL from the address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not the original) location first, see below.
Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.
My TuneUp Utilities is not an original version; maybe the problem is related to this.
Actually, the files were detected only during the "Start-up analysis" of Avast; when I did the "complete system analysis" or the "quick analysis" nothing was detected.
I will install and run SAS and follow your instructions.
Wow, oh my gosh, I just posted this, not knowing there was one already here!
Object: C:\WINDOWS\system32\Windows\server.exe
That’s my object…
What’s yours?
Please start a New Topic of your own; whilst your detection may have the same malware name, the file is different and may be a totally different variant to the original subject, and it will just confuse this topic. We will try to help.
- Go to this link, http://forum.avast.com/index.php?board=4.0. Select the New Topic button at the top of the list and post there.
You can in the meantime do what has been suggested of the original poster (OP) and report your findings in your own topic.
There is every chance that this could be the issue, as there are a number of Google hits relating to hacked/cracked versions of TuneUp Utilities 2009, so confirmation at VirusTotal is still essential (for both files).
OK, I did it and this was the result:
File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:
MD5: daf8b3ceaafbd9a910baa045a57252d6
Date first seen: 2008-11-14 22:25:21 (UTC)
Date last seen: 2010-10-21 20:04:46 (UTC)
Detection ratio: 11/43
And now?
Shall I delete this Suspect folder now?
Also:
Antivirus Version Last Update Result
AhnLab-V3 2010.11.17.01 2010.11.17 -
AntiVir 7.10.14.31 2010.11.17 -
Antiy-AVL 2.0.3.7 2010.11.17 -
Avast 4.8.1351.0 2010.11.17 Win32:Malware-gen
Avast5 5.0.594.0 2010.11.17 Win32:Malware-gen
AVG 9.0.0.851 2010.11.17 -
BitDefender 7.2 2010.11.17 Trojan.Generic.5025054
CAT-QuickHeal 11.00 2010.11.09 HackTool.Patcher.A
ClamAV 0.96.4.0 2010.11.17 -
Command 5.2.11.5 2010.11.17 -
Comodo 6749 2010.11.17 -
DrWeb 5.0.2.03300 2010.11.17 -
Emsisoft 5.0.0.50 2010.11.17 Riskware.Patch.TuneUP!IK
eSafe 7.0.17.0 2010.11.16 -
eTrust-Vet 36.1.7982 2010.11.17 -
F-Prot 4.6.2.117 2010.11.17 -
F-Secure 9.0.16160.0 2010.11.17 Trojan.Generic.5025054
Fortinet 4.2.254.0 2010.11.17 -
GData 21 2010.11.17 Trojan.Generic.5025054
Ikarus T3.1.1.90.0 2010.11.17 not-a-virus.Patch.TuneUP
Jiangmin 13.0.900 2010.11.17 -
K7AntiVirus 9.68.3011 2010.11.17 -
Kaspersky 7.0.0.125 2010.11.17 -
McAfee 5.400.0.1158 2010.11.17 Generic.dx!the
McAfee-GW-Edition 2010.1C 2010.11.17 Heuristic.BehavesLike.Win32.Spyware.H
Microsoft 1.6402 2010.11.17 -
NOD32 5626 2010.11.17 probably a variant of Win32/HackTool.Patcher.A
Norman 6.06.10 2010.11.17 W32/Suspicious_Gen2.EGQWZ
nProtect 2010-11-17.01 2010.11.17 Trojan.Generic.5025054
Panda 10.0.2.7 2010.11.16 Suspicious file
PCTools 7.0.3.5 2010.11.17 -
Prevx 3.0 2010.11.17 -
Rising 22.74.02.03 2010.11.17 -
Sophos 4.59.0 2010.11.17 -
SUPERAntiSpyware 4.40.0.1006 2010.11.17 Trojan.Agent/Gen-HackPatch
Symantec 20101.2.0.161 2010.11.17 WS.Reputation.1
TheHacker 6.7.0.1.086 2010.11.17 -
TrendMicro 9.120.0.1004 2010.11.17 PAK_Generic.001
TrendMicro-HouseCall 9.120.0.1004 2010.11.17 -
VBA32 3.12.14.2 2010.11.17 -
VIPRE 7332 2010.11.17 Trojan.Win32.Generic!BT
ViRobot 2010.11.17.4153 2010.11.17 -
VirusBuster 12.76.3.0 2010.11.16 -
MD5 : daf8b3ceaafbd9a910baa045a57252d6
SHA1 : d33efbc5ac16e2ed3891ee6a1a0d1575e31fdf06
SHA256: d746e66d721d9a6ba3a1044152fe1e10da7b6ef8db3947213a78bc76be116556
???
It would have been much easier just to post the URL to the results. You should always have VirusTotal rescan the file, as over time either more or fewer scanners may detect it, so it is best to have the latest results: in your first post it was 11/43, yet the second post (same MD5) has a detection rate of 18/43.
The two sets of results are for the same file, as the MD5 (a unique file identifier) is the same, so if these were different file names that you uploaded (you did upload both of the files Avast detected?), then it just adds to the suspicion/confirmation of the original Avast detections.
So at the very least I would say uninstall this dubious TuneUp Utilities 2009 version; this may well stop the regeneration of this file/s.
I have never felt that any tune-up utility is worth bothering with; some mess up more than they help. There is a topic in the general forum on this very thing, tune-up utilities.
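Added example (not from the thread or from Avast/VirusTotal): a small Python script that does offline what the advice above relies on. It hashes a file extracted from the chest (MD5, SHA1 and SHA256, the three identifiers the VT page shows), so two uploads with different file names can be confirmed to be the same sample, and it tallies an engine table in the "Engine Version LastUpdate Result" layout into the "hits/total" detection ratio. The folder C:\Suspect follows the thread's suggestion and is an assumption; the sample rows are constructed from the thread's own table, trimmed to six engines.

```python
"""Hash a suspect file and tally a VirusTotal engine table offline.

Added example, not code from the original forum thread. It assumes the
suspect file has been extracted from the chest to a folder such as
C:\\Suspect (the thread's suggestion); the engine rows below are a
constructed sample in the layout the 2010 VT results page used.
"""
import hashlib
from pathlib import Path

# Constructed sample rows: "Engine Version LastUpdate Result"; "-" = no detection.
SAMPLE_VT_ROWS = """\
Avast 4.8.1351.0 2010.11.17 Win32:Malware-gen
AVG 9.0.0.851 2010.11.17 -
CAT-QuickHeal 11.00 2010.11.09 HackTool.Patcher.A
Kaspersky 7.0.0.125 2010.11.17 -
NOD32 5626 2010.11.17 probably a variant of Win32/HackTool.Patcher.A
Sophos 4.59.0 2010.11.17 -
"""

# MD5 the thread reports for patch.exe; used only to illustrate the comparison.
REPORTED_MD5 = "daf8b3ceaafbd9a910baa045a57252d6"


def hashes_of_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests, the identifiers VT displays."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_hashes(path) -> dict:
    """Hash a file on disk in 64 KiB chunks so large samples stay out of RAM."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def parse_vt_rows(text: str) -> dict:
    """Map engine name -> detection label ("-" when the engine saw nothing).

    Columns are whitespace separated, but the result column can itself
    contain spaces (NOD32's "probably a variant of ..."), so split at most
    three times and keep the remainder whole.
    """
    results = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Antivirus"):
            continue  # blank line or the table header
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        results[parts[0]] = parts[3] if len(parts) == 4 else "-"
    return results


def detection_ratio(results: dict) -> tuple:
    """(engines that flagged the file, engines that scanned it), i.e. VT's 'x/y'."""
    hits = sum(1 for r in results.values() if r != "-")
    return hits, len(results)


def same_sample(hashes_a: dict, hashes_b: dict) -> bool:
    """Two uploads are the same file iff every digest agrees, whatever the names."""
    return all(hashes_a.get(k) == hashes_b.get(k) for k in ("md5", "sha1", "sha256"))


if __name__ == "__main__":
    hits, total = detection_ratio(parse_vt_rows(SAMPLE_VT_ROWS))
    print(f"sample table: {hits}/{total} engines flagged the file")
    # Assumed folder from the thread; on a machine without it this loop is a no-op.
    for suspect in Path(r"C:\Suspect").glob("*"):
        h = file_hashes(suspect)
        verdict = "matches the reported MD5" if h["md5"] == REPORTED_MD5 else "differs"
        print(f"{suspect.name}: md5={h['md5']} ({verdict})")
```

Run it with the file copied into the excluded Suspect folder; comparing the printed digests against the MD5/SHA1/SHA256 on the VT page tells you whether a rescan is looking at the same sample, without re-uploading anything.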
Well, thank you very much!!!
I've just scanned only one of them in VT (the patch.exe one); for some reason the other one is not in the analysis information place any more! Maybe something happened after the last update, but there is only one in the chest!?
Anyway, I will eliminate this TuneUp...
SAS is not detecting anything now and Avast neither. Shall I believe that my computer is safe now!?
Last question: what shall I do with this Suspect folder in C:\ with the patch.exe inside, eliminate the folder?
Thank you for the help!!!
You’re welcome.
It certainly looks to be clear, just keep monitoring your system and continue with your regular scans.
Remove the patch.exe file and leave the Suspect folder and its exclusion, in case you need to repeat this in the future.