Windows file infected with Win32:Malware-gen cannot be moved, deleted or fixed

Hello, I need a little help and advice with an infection found by Avast's boot scanner. It found 2 infected files. The 1st was moved to the virus vault (it was an Absolute Software LoJack file). The 2nd is a Windows file which will not move to chest (object name not found), delete (the operation is not supported for this type of archive) or repair (object name already exists), so I had to ignore the infection.

It is the Win32: Malware-gen.
1st infection.
File C:\Program Files (x86)\Absolute Software\LoJack Install\FactoryInstallerLib.DLL|>[Embedded_I#0601c] is infected by Win32:Malware-gen, Moved to chest

2nd infection.
File C:\WINDOWS\Installer\f1b2.msi|>_A752C74228F5CF2AA93A043C19DD56E0|>_DFB7B5BFA295555328DE038386F8BCAA|>[Embedded_I#0601c] is infected by Win32:Malware-gen, Delete: Error 42111 {The operation is not supported for this type of archive.}

Help and advice on what to do with this infection is much appreciated, thank you.

paul
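One thing worth knowing before deciding what to do with the second file: a cached package in C:\WINDOWS\Installer is registered to the product that installed it, and the Windows Installer registry data records the product name, publisher and cached path. The PowerShell script below is an added example and not part of this thread; it assumes the standard per-machine Installer registry layout under the LocalSystem SID (S-1-5-18), PowerShell 4 or later (for Get-FileHash), and an elevated prompt. The package name f1b2.msi comes from the scan result above.

```powershell
# Added example, not from the thread: identify which installed product a cached
# Windows Installer package belongs to, and whether that package is signed.
# Assumptions: the standard per-machine Installer registry layout under the
# LocalSystem SID (S-1-5-18), PowerShell 4+, and an elevated PowerShell prompt.

param(
    # Name of the cached package as reported by the scanner (from the thread).
    [string]$PackageName = 'f1b2.msi'
)

$productsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'

function Find-CachedPackageOwner {
    param([string]$Name)
    Get-ChildItem -Path $productsKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path "$productsKey\$($_.PSChildName)\InstallProperties" -ErrorAction SilentlyContinue
        # LocalPackage is the cached copy in C:\Windows\Installer for this product.
        if ($props -and $props.LocalPackage -and
            [System.IO.Path]::GetFileName($props.LocalPackage) -ieq $Name) {
            [pscustomobject]@{
                DisplayName  = $props.DisplayName
                Publisher    = $props.Publisher
                Version      = $props.DisplayVersion
                InstallDate  = $props.InstallDate
                LocalPackage = $props.LocalPackage
            }
        }
    }
}

$owners = @(Find-CachedPackageOwner -Name $PackageName)

if ($owners.Count -eq 0) {
    "No registered product references $PackageName; the cached package may be orphaned."
    return
}

foreach ($o in $owners) {
    $o | Format-List
    if (Test-Path -LiteralPath $o.LocalPackage) {
        # MSI packages can carry an Authenticode signature; a Valid status from the
        # expected vendor is strong evidence the flagged file is the vendor's own build.
        $sig = Get-AuthenticodeSignature -FilePath $o.LocalPackage
        'Signature: {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
        'SHA256:    {0}' -f (Get-FileHash -Path $o.LocalPackage -Algorithm SHA256).Hash
    }
}
```

Run it as `.\Find-PackageOwner.ps1 -PackageName f1b2.msi` (any file name works). A product name and a valid vendor signature do not prove the embedded component is harmless, but they tell you which uninstaller owns the file and which vendor to check the detection against, which is a much better basis for a decision than an archive the scanner cannot open.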

Hello Paul

Please download DDS and save it to your Desktop from here:
http://www.bleepingcomputer.com/download/dds/dl/104/

Double click to run the tool, click the Start button.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop, then attach DDS.txt and Attach.txt to your reply in this topic.

here are the 2 txt files

Uninstall AVG Antivirus next.

Uninstall it from Programs and Features and then run the AVG Uninstall tool: http://www.avg.com/ww-en/utilities

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

• Double-click to run it. When the tool opens, click Yes to the disclaimer.
• Under Optional Scan, ensure “Driver MD5” is ticked.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

AVG was uninstalled, but when it uninstalled it recommended that the Link Scanner be left on the system. I thought the actual AVG 2014 was uninstalled; was it a mistake to listen to it and leave the Link Scanner in place?

Run the FRST program.

AVG 2014 link scanner uninstalled.
AVG uninstaller run, rebooted once.
FRST run.
2 x txt attached

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG Nation toolbar\vprot.exe [2403144 2013-11-13] ()
C:\Program Files (x86)\AVG Nation toolbar\vprot.exe
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://avg.nation.com/avgtbavg/search/web?cid={5DDCC39A-1768-4A65-B1F6-1706368FDFA3}&mid=33a27b5c7da247d386f82104e470021e-6185edbb78741edceb805eebace7fc7d38e79f1a&lang=en&ds=AVG&coid=avgtbavg&pr=pr&d=2013-11-12 13:58:55&v=17.0.0.12&pid=nation&sg=0&sap=dsp&q={searchTerms}
BHO-x32: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.0.12\ViProtocol.dll (AVG Secure Search)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll (AVG Technologies)
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\\ChromeExt\\avg.crx
R2 vToolbarUpdater17.0.12; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [1733448 2013-11-12] (AVG Secure Search)
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [46368 2013-11-12] (AVG Technologies)
C:\Windows\system32\drivers\avgtpx64.sys
2013-12-06 10:41 - 2013-12-06 10:41 - 00000000 ____D C:\Users\User\AppData\Local\AVG Secure Search
2013-12-06 10:33 - 2013-12-06 10:33 - 04434976 _____ (AVG Technologies) C:\Users\User\Desktop\avg_isct_stb_all_2014_4161.exe
2013-11-12 13:58 - 2013-11-12 13:57 - 00046368 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx64.sys
2013-11-13 16:11 - 2013-11-12 13:58 - 00000000 ____D C:\Program Files (x86)\AVG Nation toolbar
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
File: c:\windows\system32\services.exe
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


********** Next **********

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

• Close any open browsers.
• Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

• Double click on zoek.exe to run the tool.
Please wait until the tool starts…

• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

• Click on the Run script button.
Please wait until the log report opens (this can be after a reboot).

• Save the notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

this help is amazing argus, but i’m not sure what just happened? i ran frst64 and it updated, then i clicked fix once, it created Fixlog.txt, i saw it saved to the desktop, then the laptop restarted and now the desktop has disappeared and i’ve got a basic grey theme, all quick launch shortcuts are gone and most of the programs that were running are now off, only the Dell DataSafe is running? did something break, omg this is my manager’s laptop, so i hope not, :frowning:
the desktop is just black, a windows fault appeared: unable to find the desktop.

I need sleep now mate, i may have to use system restore back to the point AVG was removed i have 4 restore points to choose from.

my manager is tank sized, 6 1/2ft ex Slovenian NATO army lieutenant. on this laptop i fixed the broken Defender, i fixed the broken Windows Update which was stopping Service Pack 1 and 81 other updates from installing, i removed McAfee’s security scanner, removed Panda’s free anti virus and removed the trial full AVG 2014 and put Avast on as it’s the only anti virus i recommend by a mile. the only thing left to fix was that one Win32:Malware-gen infection. hope it’s an easy fix, thanks for all the help so far, it’s much appreciated.

ctrl+alt+del

Start Task manager
Click File > New task run

Type explorer.exe and click OK.

i did that and i got a dong windows error noise.
Location is not available.
c:\windows system32\config\system profile\Desktop refers to a location that is unavailable.

Reboot the computer, press F8 and choose Last Known Good Configuration.

that worked ty, desktop running again.
attached the file.

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

it was malware.

How is your computer behaving now ?
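The Fixlog lines above show that the Windows Defender directory had been turned into a reparse point, which is a way of disabling a security product without touching its binaries: the service starts, but the path it loads from points somewhere else. The PowerShell script below is an added example and not part of this thread; it checks a machine for the same condition read-only, listing any junctions or symbolic links under the Defender directory, verifying the signatures on the expected binaries, and reporting the WinDefend service state. It assumes PowerShell 5.1 or later (for the LinkType and Target properties and StartType) and an elevated prompt; the binary names MpCmdRun.exe and MsMpEng.exe are the ones shipped with Defender on Windows 7 and later.

```powershell
# Added example, not from the thread: detect whether the Windows Defender
# program directory (or anything beneath it) has been replaced by a reparse
# point, the condition the FRST fix above removed with DeleteJunctionsInDirectory.
# Read-only. Assumes PowerShell 5.1+ and an elevated prompt.

$defenderDir = Join-Path $env:ProgramFiles 'Windows Defender'

function Get-ReparsePoint {
    param([string]$Path)
    # -Force includes hidden/system entries; junctions are often marked that way.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Type   = $_.LinkType              # 'Junction' or 'SymbolicLink'
                Target = ($_.Target -join ';')
            }
        }
}

# The directory itself may be the reparse point, so check it before recursing.
$top = Get-Item -LiteralPath $defenderDir -Force -ErrorAction SilentlyContinue
if (-not $top) {
    "WARNING: ${defenderDir} does not exist."
} elseif ($top.Attributes -band [IO.FileAttributes]::ReparsePoint) {
    "WARNING: ${defenderDir} is itself a reparse point (LinkType=$($top.LinkType), Target=$($top.Target))"
}

$links = @(Get-ReparsePoint -Path $defenderDir)
if ($links.Count -gt 0) {
    "Reparse points found under ${defenderDir}:"
    $links | Format-Table -AutoSize
} else {
    "No reparse points under ${defenderDir}."
}

# Expected Defender binaries; a missing or unsigned file is also a red flag.
foreach ($name in 'MpCmdRun.exe', 'MsMpEng.exe') {
    $p = Join-Path $defenderDir $name
    if (Test-Path -LiteralPath $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        '{0}: {1} ({2})' -f $name, $sig.Status, $sig.SignerCertificate.Subject
    } else {
        "${name} missing from ${defenderDir}"
    }
}

# Service state: WinDefend is the Windows Defender service name on Windows 7 and later.
Get-Service -Name WinDefend -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

On a clean machine this prints no reparse points, two Valid signatures from Microsoft, and a Running service. A junction pointing outside Program Files, a missing binary, or a service that reports Running while the directory is redirected are each worth treating as evidence of tampering rather than a configuration mistake.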

zoek run
notepad log results attached

after i fixed the windows earlier with the command prompt, typing sfc/scannow, it found and fixed errors and made defender work once again, it needed updating before use, then a quick scan and then a full scan came back with clean results. wow so defender was somehow infected then, good news you had my back and have given me this expert help, i can’t thank you enough super malware fighter.

i really need sleep now only got 5hrs sleep before a night shift, so if there is anything else need doing i’ll do it after my shift, thank you again, you have been a super star.

OK. I will review Zoek and you go to sleep.

• Close any open browsers.
• Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

• Double click on zoek.exe to run the tool.
Please wait until the tool starts…

• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

C:\Windows\sysWoW64\config\systemprofile\AppData\Locallow\AVG Nation toolbar;f
C:\Users\User\AppData\Local\AVG Nation toolbar;f
C:\Users\User\AppData\Locallow\AVG Nation toolbar;f
C:\ProgramData\AVG;fs
C:\ProgramData\{01BD4FC9-2F86-4706-A62E-774BB7E9D308};fs
{149BD4C1-7105-4020-88A5-FF21A059D4B0};c
emptyalltemp;
autoclean;
emptyclsid;
ipconfig /flushdns >> %temp%\log.txt;b

• Click on the Run script button.
Please wait until the log report opens (this can be after a reboot).

• Save the notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

after the 1st zoek script run yesterday, the laptop started and windows update did 6 updates. i just ran zoek again, log attached.
the laptop did need a reboot to complete the script run this time.
after we ran that AVG complete uninstaller yesterday, i was surprised to still see AVG files on the log.
this log looked like a lot were cleaned out, wow good job.
sleeping now, working 10hr night shifts on the weekend.
thank you so much for all this help