Hi, Avast recently detected win32.malware-gen on my computer through a normal quick scan. It’s strange because I don’t normally download things very often, and I don’t visit very many sites that would be called “suspicious.” The file name was C:\Windows\sysprep32\WinLog.exe. Malwarebytes didn’t detect anything. Could somebody help me check if my computer is still infected? Thanks. I’ve also attached the OTL, I can also post the extras log if needed.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-30 17:22:52
17:22:52.733 OS Version: Windows x64 6.1.7601 Service Pack 1
17:22:52.733 Number of processors: 8 586 0x1E05
17:22:52.733 ComputerName: JOSEPH-PC UserName: Joseph
17:22:55.478 Initialize success
17:22:59.004 AVAST engine defs: 12083001
17:23:01.687 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
17:23:01.687 Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 3
17:23:01.703 Disk 0 MBR read successfully
17:23:01.703 Disk 0 MBR scan
17:23:01.703 Disk 0 Windows VISTA default MBR code
17:23:01.718 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 200 MB offset 2048
17:23:01.734 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 430420 MB offset 411648
17:23:01.734 Disk 0 Partition - 00 0F Extended LBA 31210 MB offset 881911808
17:23:01.765 Disk 0 Partition 3 00 12 Compaq diag NTFS 15109 MB offset 945829888
17:23:01.781 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 31209 MB offset 881913856
17:23:01.828 Disk 0 scanning C:\windows\system32\drivers
17:23:15.212 Service scanning
17:23:39.190 Modules scanning
17:23:39.705 Disk 0 trace - called modules:
17:23:39.720 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:23:39.720 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8007e6a790]
17:23:39.736 3 CLASSPNP.SYS[fffff8800180143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8007bf6050]
17:23:45.991 AVAST engine scan C:\windows
17:23:57.832 AVAST engine scan C:\windows\system32
17:27:18.387 AVAST engine scan C:\windows\system32\drivers
17:27:50.008 AVAST engine scan C:\Users\Joseph
17:43:34.909 AVAST engine scan C:\ProgramData
17:56:56.801 Scan finished successfully
18:01:01.070 Disk 0 MBR has been saved successfully to “C:\Users\Joseph\Desktop\MBR.dat”
18:01:01.079 The log file has been saved successfully to “C:\Users\Joseph\Desktop\aswMBR.txt”
Your logs looks good. avast hase detected malware and did his job removing it.
Do the following. OTL script will order OTL to remove some remains.
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-451074437-1028034490-3473829783-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-451074437-1028034490-3473829783-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
:files
C:\Users\Joseph\Desktop\MBR.dat
:commands
[CREATERESTOREPOINT]
[purity]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.[/list]
Additional checks:
[*] Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.
[*] Click on Scan All Users
[*] Paste this into Custom Scans/Fixes box at the bottom
[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[list]
[*] When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
:files
C:\install.exe
:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
After this, we should be done here.
Malicious file has been deleted. Do you have any future detection?
While running the program, OSL froze. I had to restart because the whole computer became non-responsive for hours. I turned my computer back on, and nowI have a bunch of desktop.ini files on my desktop. Should I attempt to re-run the fix? It froze when it said “creating system restore point.”
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone. Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
Clean your temporary & junk files to speed up performance.
[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Thank you for your help! To get rid of the desktop.ini files, do i just hide hidden files? For some reason after the OSL froze, hidden files are showing.