Hello, extremely helpful and patient avast! forum staff!
I’ve been dealing with a persistent infection or attempted infection by Win32:Malware-gen since 10/24/10. While I dismissed it as an irritant for almost a month, I’ve gotten to the point where I’m both worried about it and tired of dealing with it.
Whenever I boot my computer each morning, I get a notice from avast! about a detected threat, which is usually a gibberish .exe name that has attempted to infect vbc.exe in C:\Windows\winsxs.
I’ve run avast! and gotten numerous hits, but it didn’t seem to solve the problem. I’ve also run Malwarebytes, which was unable to find any source.
Enclosed are the logs from both Malwarebytes and OTL. Please let me know if I need to provide further information or take further steps to assist with the diagnosis.
Thank you in advance for your help and time.
EDIT: The virus’ actual target appears to be vbc.exe in some Microsoft.NET folder, but avast!'s warning closed too quickly for me to write it down properly and there doesn’t seem to be any log of it.
[*] Click on “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.
When restarted:
[*] Start AVZ.
[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.
[*] Click on “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post.
Do not close AVPTool or it will self-uninstall; if it does uninstall, just rerun the setup file on your desktop.
Now an analysis scan:
Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post or upload it to Mediafire and post the sharing link.
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
Object: C:\Users\Will\AppData\Local\Temp\l6edsxoj.exe (this changes; it’s always some random combination of letters and numbers)
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
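The alert record quoted above has a fixed Object/Infection/Action/Process layout, and the detail worth isolating for triage is the combination of a random-looking executable name in the user's Temp folder and a process path ending in vbc.exe (the VB.NET command-line compiler shipped with the .NET Framework). The following is an added example, not code from this thread or from avast!: a small Python triage script that parses records in that layout and flags the ones showing that combination, so a helper can spot the pattern across many alerts instead of reading each one. The sample records are constructed for the example (the first reproduces the one in the post; the other two are made up as a second look-alike and a benign-looking control), and the name heuristic and the two-indicator threshold are assumptions, not avast! logic.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample input in the Object/Infection/Action/Process layout the
# post above quotes. Record 1 is the one reported in the thread; records 2 and
# 3 are made up here (a second look-alike and a benign-looking control).
SAMPLE_ALERTS = """\
Object: C:\\Users\\Will\\AppData\\Local\\Temp\\l6edsxoj.exe
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe

Object: C:\\Users\\Will\\AppData\\Local\\Temp\\x9q2ab7k.exe
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe

Object: C:\\Program Files\\ExampleVendor\\updater.exe
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\\Windows\\explorer.exe
"""


@dataclass
class Alert:
    obj: str
    infection: str
    action: str
    process: str
    reasons: list = field(default_factory=list)


# Per-user temp directory on Vista/7-era Windows, as in the quoted path.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Assumed heuristic for "gibberish" names such as l6edsxoj: 6-12 lowercase
# letters/digits with no separators, and (checked below) both letters and digits.
RANDOM_STEM = re.compile(r"^[a-z0-9]{6,12}$")
# .NET command-line compilers; a dropper may run one to build its payload locally.
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}


def parse_alerts(text):
    """Split blank-line separated records into Alert objects (unknown keys ignored)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only: paths and "Win32:Malware-gen" contain colons.
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        alerts.append(Alert(fields.get("object", ""), fields.get("infection", ""),
                            fields.get("action", ""), fields.get("process", "")))
    return alerts


def looks_random(path):
    """True for stems like l6edsxoj or x9q2ab7k; False for word-like names such as updater."""
    stem = PureWindowsPath(path).stem
    return (bool(RANDOM_STEM.match(stem))
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def assess(alert):
    """Attach the list of indicators an alert record shows."""
    reasons = []
    if TEMP_DIR.search(alert.obj):
        reasons.append("dropped in the user's Temp directory")
    if looks_random(alert.obj):
        reasons.append("random-looking file name")
    proc = PureWindowsPath(alert.process).name.lower()
    if proc in DOTNET_COMPILERS:
        reasons.append(f"runs under a .NET compiler ({proc})")
    alert.reasons = reasons
    return alert


def triage(text, min_reasons=2):
    """Return the alerts meeting at least min_reasons indicators, most suspicious first."""
    assessed = [assess(a) for a in parse_alerts(text)]
    flagged = [a for a in assessed if len(a.reasons) >= min_reasons]
    flagged.sort(key=lambda a: len(a.reasons), reverse=True)
    return flagged


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a.obj, "<-", a.process)
        for r in a.reasons:
            print("   ", r)
```

Run as a script, it prints the two Temp-folder records with their three indicators each and drops the control record. The threshold of two indicators is deliberate: a random-named file in Temp on its own is common for installers, and vbc.exe running on its own is normal for .NET applications that compile at runtime, but the two together, repeated at every boot, is what makes the pattern in this thread worth chasing.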
[*] Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*] Double-click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
It is actually trying to use the dotnet framework, as opposed to dotnet being infected; well, that's my reading anyway ;D But using CF will show me any hidden drivers or reg entries to confirm one way or the other.
By Sunbelt he means the anti-spyware Sunbelt CounterSpy; you're using that, are you? If not, essexboy possibly means Spybot, which I see in the ComboFix log.