Malware.Gen found on Malwarebytes, how do I remove it?

Inactive
By sunbeam08
May 4, 2011
Topic Status:
Not open for further replies.
  1. I did a full scan on Malwarebytes and it found 'Malware.Gen' but says no action was performed. How do I remove this from my computer to prevent infection? Thanks.
  2. sunbeam08

    sunbeam08 Newcomer, in training Topic Starter Posts: 78

    I already ran TFC; the virus scan also found 1 infection, which was quarantined and removed. Here's the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6493

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/3/2011 10:17:01 PM
    mbam-log-2011-05-03 (22-16-57).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 287595
    Time elapsed: 1 hour(s), 5 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{5d527826-05bd-4a83-8416-28acdda14001}\RP116\A0019772.exe (Malware.Gen) -> No action taken.
  3. sunbeam08

    sunbeam08 Newcomer, in training Topic Starter Posts: 78

    Here's the log from the virus scan.

    ****************** Sophos Anti-Virus Log - 5/4/2011 5:19:09 AM **************

    20110501 013314 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110501 013333 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466833 items.
    20110501 013334 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110501 033328 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110501 033336 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466838 items.
    20110501 033336 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110501 073309 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110501 073320 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466840 items.
    20110501 073320 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110501 163359 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110501 163428 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466844 items.
    20110501 163431 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110501 203241 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110501 203255 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466849 items.
    20110501 203255 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110502 023259 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110502 023304 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466856 items.
    20110502 023304 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110502 063245 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110502 063303 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466871 items.
    20110502 063303 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110502 163625 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110502 163640 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466899 items.
    20110502 163643 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110502 203455 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110502 203503 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466918 items.
    20110502 203504 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110502 223457 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110502 223503 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466925 items.
    20110502 223503 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110502 224421 Scan 'Scan my computer' started.
    20110502 235723 File "C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP96\A0016061.exe" belongs to adware or PUA 'NirCmd' (of type Other).
    20110503 000332 Scanning "C:\Documents and Settings\camron\Application Data\Skype\temp-hMhIPhLgJ5rdpQdItIV7RJz5" returned SAV Interface error 0xa0040210: The file could not be accessed.
    20110503 000332 Scanning "C:\Documents and Settings\camron\Application Data\Skype\temp-UpuTqMYPRuu5bSHeecRhRRlv" returned SAV Interface error 0xa0040210: The file could not be accessed.
    20110503 000339 Scanning "C:\Documents and Settings\camron\Local Settings\Temp\etilqs_umB93lCAMlWo5BZ" returned SAV Interface error 0xa0040210: The file could not be accessed.
    20110503 001327 Scanning "C:\Documents and Settings\camron\Local Settings\Temp\boost_interprocess\DDM0serviceLock" returned SAV Interface error 0xa0040202: Scan failed.
    20110503 003603 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110503 003619 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466936 items.
    20110503 003619 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110503 004345 Adware or PUA 'NirCmd' has been detected.
    20110503 004345 Scan 'Scan my computer' completed.
    20110503 004346 Summary of results for scan 'Scan my computer':
    Items scanned: 139667
    Errors: 4
    Items quarantined: 1
    Items dealt with: 0
    20110503 023515 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110503 023527 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466950 items.
    20110503 023527 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110503 052635 File "C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP96\A0016061.exe" belongs to adware or PUA 'NirCmd' (of type Other).
    20110503 052636 File "C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP96\A0016061.exe" has been cleaned up.
    20110503 052636 Adware or PUA 'NirCmd' has been removed.
    20110503 052847 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9UATIT7I\Bonjour[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 052848 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9UATIT7I\Bonjour[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 052900 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 052900 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055543 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055545 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055545 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055545 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055545 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055545 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055545 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055545 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110503 055546 Scanning "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\89KPSTYA\iTunes[1].msi" returned SAV Interface error 0xa004021a: Sophos Anti-Virus could not proceed, the file was corrupted.
    20110504 013552 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2466950 items.
    20110504 013552 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20110504 014247 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110504 014258 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2467034 items.
    20110504 014258 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    20110504 034211 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
    20110504 034229 Using detection data version 4.64G (detection engine 3.18.0). This version can detect 2467049 items.
    20110504 034229 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
    (73 items)
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The one entry found is in a System Restore point. Even if you checked for removal, Mbam can't remove a restore point as it is in a protected system folder. As long as it is only in that location, it is not active in the system unless you do a System Restore and happen to choose that point.

    When we help with cleaning, we have the old restore points dropped at the end and a new, clean restore point set.

    Are you having problems that led you to run Mbam or did you just do it for the heck of it? I can tell you how to remove that restore point, but if additional malware is on the system, all restore points will have been removed. If malware corrupts the system, sometimes the only way back in is to use a restore point.

    How dangerously do you want to live? Do you want to make sure the system is clean first, then drop the old restore points? Or do you want to say 'to heck with it' and remove all of your safety net of the restore points?

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    It's your call!
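    The point made in the reply above (a detection whose path sits under `System Volume Information\_restore{GUID}\RPnnn\` is a copy inside a System Restore snapshot, not a file running on the system) can be checked mechanically before deciding what to do. The script below is an added example, not part of the thread and not code from Malwarebytes or Sophos: it parses the two log formats pasted in this thread, cross-checks the Malwarebytes "Files Infected" summary count against the detail lines, and labels each detection as dormant (in a restore point) or active. The two restore-point entries are the ones from the thread's logs; the `example_dropper.exe` line, the `Detection` type and all function names are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Sample input assembled for this example: the two restore-point entries are
# the ones in the thread's logs; the "example_dropper.exe" line is constructed
# so that an active-location detection is exercised as well.
SAMPLE_MBAM_LOG = """Files Infected: 2

Files Infected:
c:\\system volume information\\_restore{5d527826-05bd-4a83-8416-28acdda14001}\\RP116\\A0019772.exe (Malware.Gen) -> No action taken.
c:\\documents and settings\\camron\\local settings\\temp\\example_dropper.exe (Trojan.Agent) -> No action taken.
"""

SAMPLE_SOPHOS_LOG = """20110502 224421 Scan 'Scan my computer' started.
20110502 235723 File "C:\\System Volume Information\\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\\RP96\\A0016061.exe" belongs to adware or PUA 'NirCmd' (of type Other).
20110503 004345 Scan 'Scan my computer' completed.
"""


class Detection(NamedTuple):
    scanner: str   # "mbam" or "sophos"
    path: str      # file path exactly as the scanner reported it
    name: str      # detection name, e.g. "Malware.Gen"
    action: str    # what the scanner did, e.g. "No action taken"


# Malwarebytes detail line:  <path> (<detection>) -> <action>
# The path is matched lazily up to the first " (" so that the detection name
# in parentheses is not swallowed into the path.
MBAM_ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Malwarebytes summary line:  Files Infected: <N>   (the detail header has no number)
MBAM_SUMMARY_RE = re.compile(r"^Files Infected: (?P<count>\d+)$")

# Sophos scan line:  <date> <time> File "<path>" belongs to <kind> '<name>' ...
SOPHOS_ENTRY_RE = re.compile(r'^\d{8} \d{6} File "(?P<path>[^"]+)" belongs to (?P<kind>.+?) \'(?P<name>[^\']+)\'')

# Windows XP System Restore keeps its snapshots under
# <drive>\System Volume Information\_restore{GUID}\RPnnn\ ; the match is
# case-insensitive because the two scanners report the path in different case.
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\rp\d+\\",
    re.IGNORECASE,
)


def parse_mbam(log_text: str) -> List[Detection]:
    """Extract the detail entries from a Malwarebytes log."""
    found = []
    for line in log_text.splitlines():
        m = MBAM_ENTRY_RE.match(line.strip())
        if m:
            found.append(Detection("mbam", m["path"], m["name"], m["action"]))
    return found


def mbam_summary_count(log_text: str) -> Optional[int]:
    """Return the 'Files Infected: N' figure from the summary block, if present."""
    for line in log_text.splitlines():
        m = MBAM_SUMMARY_RE.match(line.strip())
        if m:
            return int(m["count"])
    return None


def parse_sophos(log_text: str) -> List[Detection]:
    """Extract the 'File ... belongs to ...' entries from a Sophos Anti-Virus log."""
    found = []
    for line in log_text.splitlines():
        m = SOPHOS_ENTRY_RE.match(line.strip())
        if m:
            found.append(Detection("sophos", m["path"], m["name"], "logged as " + m["kind"]))
    return found


def is_in_restore_point(path: str) -> bool:
    return RESTORE_POINT_RE.search(path) is not None


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Split detections into dormant restore-point copies and items in live locations."""
    result: Dict[str, List[Detection]] = {"dormant": [], "active": []}
    for det in detections:
        result["dormant" if is_in_restore_point(det.path) else "active"].append(det)
    return result


def report(mbam_log: str, sophos_log: str) -> List[str]:
    """One line per detection, plus a warning if the MBAM summary count disagrees."""
    mbam = parse_mbam(mbam_log)
    verdicts = triage(mbam + parse_sophos(sophos_log))
    lines = []
    expected = mbam_summary_count(mbam_log)
    if expected is not None and expected != len(mbam):
        lines.append(f"warning: MBAM summary says {expected} file(s), parsed {len(mbam)}")
    for det in verdicts["dormant"]:
        lines.append(f"DORMANT {det.scanner:6} {det.name}: inside a System Restore point "
                     f"({det.action}); not executed unless that point is restored; "
                     "purge old restore points once the system is confirmed clean")
    for det in verdicts["active"]:
        lines.append(f"ACTIVE  {det.scanner:6} {det.name}: {det.path} ({det.action})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MBAM_LOG, SAMPLE_SOPHOS_LOG)))
```

    Run as-is (Python 3.6 or later) it prints two DORMANT lines and one ACTIVE line; to use it on a real thread, replace the two sample strings with the pasted log text. The regexes are written against the exact line shapes shown in this thread, so a detail line in another Malwarebytes or Sophos format would simply be ignored rather than mis-classified.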
  5. sunbeam08

    sunbeam08 Newcomer, in training Topic Starter Posts: 78

    I have no idea what a restore point is :D. I was just scanning because something felt different, I cannot pinpoint what. I will get to all the steps a bit later. Thanks.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    See http://en.wikipedia.org/wiki/System_Restore

    You did the same thing you did in your 2 previous threads:
    c:\system volume information\_restore{5d527826-05bd-4a83-8416-28acdda14001}\RP116\A0019772.exe (Malware.Gen) -> No action taken.
    You did not read the directions:
    In this case, unlike the entries in>
    the current entry is not active in your system.
    ==============================================
    It would be helpful to you to get some basic reference material about the computer in general and the operating system specifically. Your system was cleaned in 12/2010 and again in 3/2011. But it does not appear that you absorbed any of the information that was given to you.
    =========================================
    If you want to continue, please follow the additional steps in the thread link I left for you.

    If you do not, please uninstall Malwarebytes and delete the log. Then do the following:>>

    You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".

      To remove old Restore Points
      • Use the same path as you did for System Tools, but choose Disk Cleanup instead> then the More Options tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

      Helpful screen shots for System Restore can be found HERE.