BleepingComputer.com: Avast detecting C:\WINDOWS\setpwr32.exe as "Win32:Malware-gen" virus

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Avast detecting C:\WINDOWS\setpwr32.exe as "Win32:Malware-gen" virus I'm hoping this is a false positive

#1 User is offline   LaneG004 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 1
  • Joined: 02-September 11

Posted 02 September 2011 - 09:03 AM

Avast just started detecting C:\WINDOWS\setpwr32.exe as "Win32:Malware-gen" virus. I uploaded the file to virustotal and only a few scanners said it was harmful. I'm thinking this is a false positive but I wanted to get a 2nd opinion. Thank you.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by administrator at 8:29:01 on 2011-09-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1231 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\AVAST Software\Avast Business\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVAST Software\Avast Business\AvastNet.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVAST Software\Avast Business\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.live.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Spark] c:\program files\spark\Spark.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast business\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\coraln~1.lnk - c:\program files\tadiran\cmanager\CManager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spark.lnk - c:\program files\spark\Spark.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ticker~1.lnk - \\ptfp1\ticker\ticker.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: SpecifyDefaultButtons = 1 (0x1)
uPolicies-explorer: Btn_Back = 1 (0x1)
uPolicies-explorer: Btn_Forward = 1 (0x1)
uPolicies-explorer: Btn_Stop = 1 (0x1)
uPolicies-explorer: Btn_Refresh = 1 (0x1)
uPolicies-explorer: Btn_Home = 1 (0x1)
uPolicies-explorer: Btn_Search = 1 (0x1)
uPolicies-explorer: Btn_Favorites = 1 (0x1)
uPolicies-explorer: Btn_History = 1 (0x1)
uPolicies-explorer: Btn_Folders = 2 (0x2)
uPolicies-explorer: Btn_Fullscreen = 2 (0x2)
uPolicies-explorer: Btn_Tools = 2 (0x2)
uPolicies-explorer: Btn_MailNews = 2 (0x2)
uPolicies-explorer: Btn_Size = 2 (0x2)
uPolicies-explorer: Btn_Print = 1 (0x1)
uPolicies-explorer: Btn_Edit = 2 (0x2)
uPolicies-explorer: Btn_Discussions = 2 (0x2)
uPolicies-explorer: Btn_Cut = 2 (0x2)
uPolicies-explorer: Btn_Copy = 2 (0x2)
uPolicies-explorer: Btn_Paste = 2 (0x2)
uPolicies-explorer: Btn_Encoding = 2 (0x2)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240319531025
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9C5FFF8F-0FE6-47AC-A0E6-85EF424F9D32} - hxxps://ondemand.fiserv.com/COM/MOVEitUploadWizard6.0.0.ocx
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.12 192.168.0.24
TCP: Interfaces\{72732BB5-ED13-470C-AD15-960A64BABC07} : DhcpNameServer = 192.168.0.12 192.168.0.24
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-4-3 24064]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-27 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-4-21 319576]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2008-4-24 45848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-21 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast business\AvastSvc.exe [2011-7-27 42184]
R2 avast! Net Client Service;avast! Net Client Service;c:\program files\avast software\avast business\AvastNet.exe [2011-7-27 176072]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2008-4-30 1238344]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-4-3 176640]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
.
=============== Created Last 30 ================
.
2011-09-02 12:18:25 388096 ----a-r- c:\documents and settings\administrator.pioneertelephon\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-02 12:18:23 -------- d-----w- c:\program files\Trend Micro
2011-09-02 12:17:02 -------- d-sh--w- c:\documents and settings\administrator.pioneertelephon\PrivacIE
2011-08-10 04:51:26 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 04:51:15 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-08-10 02:36:25 40112 ----a-w- c:\windows\avastSS.scr
2011-08-10 02:18:29 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 8:29:41.53 ===============

Attached File(s)

  • Attached File  attach.txt (19.55K)
    Number of downloads: 0
  • Attached File  ark.txt (118.89K)
    Number of downloads: 1

#2 User is offline   etavares 

  • Bleepin' Remover
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 10,743
  • Joined: 16-August 08
  • Gender:Male

Posted 06 September 2011 - 07:39 PM

Welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Posted Image
Unified Network of Instructors and Trusted Eliminators

#3 User is offline   etavares 

  • Bleepin' Remover
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 10,743
  • Joined: 16-August 08
  • Gender:Male

Posted 11 September 2011 - 06:55 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Posted Image
Unified Network of Instructors and Trusted Eliminators

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users