win32:malware-gen blocked by avast Solved

Question

Hello,

I am looking to get rid of the Win32:Malware-gen virus.
An Avast alert message pops up every time I start my PC indicating that a malicious software has been blocked: infection win32:malware-gen.
However, it is unable to remove it.

I have visited different forums and used the following programs:
- ADW Cleaner
- Rogue Killer
- ZHPdiag and ZHPfix
- Dr Web-CureIt
but none have detected a virus on my computer.
Could it be a false positive from Avast? I don't know what to do anymore.
I would like to point out that I am using Windows 7.

Configuration: Windows 7 / Firefox 24.0

lilidurhone · Accepted Answer

Hello

Sorry for butting in (if needed, elec, you can delete my message)

You need to report the false positive to Avast by right-clicking on the file in question, then submit it to Avast and fill out a form

Otherwise, post on the forum as a false positive

--
If there is a problem, there is always a solution
Don’t forget to mark your topic as resolved

Electricien 69 · Answer

Hello,

send all the reports from the tools via cjoint in your next message

--
O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø
=>>Breathe deeply, Write your message in proper French and clearly. It will be fine, you'll see, well, we're trying!!! o°Oø

cabrier · Answer

Hello,

Yes, it’s a false positive from Avast, it’s not the first case.

Avast should indicate the location of the file; send it for checking at:
https://www.virustotal.com/gui/

A+

--
--------Security Contributor---------
Blessed are those who can give without remembering and take without forgetting!

ikkual · Answer

Here is the Avast message:
http://cjoint.com/?3JAkuRCRjmr

the ADW Cleaner report:
http://cjoint.com/?3JAks59uc7C

the RK report:
http://cjoint.com/?3JAktFZCLo2

the ZHP report:
http://cjoint.com/?3JAkueHDIAs

ikkual · Answer

I can't find the item in question indicated by Avast, but I see that a new folder called HUDSON has been created in the folder C:\Users\...
I had never seen it before.
There are no files inside that I can analyze with VirusTotal.

Electricien 69 · Answer

for your detection by Avast, it is a false positive!

However, there are remnants of infections on the PC:

* /!\ Warning /!\,
* this script is only valid for this PC, during the cleaning process, do not use it on another PC, risk of crashing!

* Launch ZHPFix via the shortcut on your Desktop, the icon looks like a syringe.

/!\Users of Vista, Seven and W8:

* Right-click on the ZHPFix logo, "run as Administrator"

Click on "import"

You will see a warning message, click on Ok.

* * Copy (Ctrl + C) and paste (Ctrl + V) the following lines in bold into the ZHPFix window:
---------------------------------------------------------
ZHPFix Script
O3 - Toolbar: (no name) [64Bits] - [HKLM]{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} Orphan key
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\464AA55239C100F32AF2D438EDDC0F47]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5652BA3D5FB98AE31B337BF0AF939856]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EB95E1AFCBABE3DB9ECCC669B99494]

ShortcutFix
Emptytemp
EmptyClsid

----------------------------------------------------------

- Click the "GO" button to start the cleaning,
- confirm the cleaning
- - Host the ZHPFIX.txt report on Cjoint, then copy/paste the link provided in your next response on the forum.
https://www.cjoint.com/ => https://www.commentcamarche.net/faq/29493-utiliser-cjoint-pour-heberger-des-fichiers

Tutorial at the bottom of this page:
http://nicolascoolman.webs.com/tutorials.htm

--
O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø
=>>Breathe deeply, write your message in good French and clearly. It's going to be fine, you'll see, at least we try!!! o°Oø

ikkual · Answer

Thank you, I'll try right away and I'll post the report.

ikkual · Answer

Here is the link ZHPfixreport:  http://cjoint.com/?3JAkVvdF7VK

Darklightning13 · Answer

I also have the same problem with the same Hudson thing.

Electricien 69 · Answer

You already have MBAM on your PC,

/!\ Users of Vista, Windows 7, and W8: Right-click on the Malwarebytes' Anti-Malware logo, "Run as Administrator"

. In the "Update" tab, click on the Check for updates button
. If the firewall asks for permission to connect for Malwarebytes, accept
. Once the update is complete
. go to the "Scan" tab
. Select Run a full scan
. Click on Scan
. The scan starts.
. At the end of the scan, a message appears: The scan has completed successfully. Click on 'Show results' to display all found items.
. Click on Ok to proceed.
. If malware has been detected, click on Show results
. Select all (or leave checked) and click on Delete selection. Malwarebytes will destroy the files and registry keys and put a copy in quarantine.
. Malwarebytes will open Notepad and copy the scan report there.
. go to the report/log tab
. you click on it to display it once displayed
. you click on edit at the top of Notepad, then on select all
. you click on edit again and then on copy and return to the forum and in your response
. You right-click in the reply box and paste
. At the end of the scan, MBAM may need to restart the PC to finalize the removal, so don't panic, reboot your PC !!!

If you need help, check out this tutorial:
https://www.malekal.com/tutoriel-malwarebyte-anti-malware/

O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø
=>> Breathe deeply, write your message in good French and clearly. It'll be fine, you'll see, well, we're trying!!! o°Oø

Darklightning13 · Answer

I will do that when I have time, and I have a question: do you think it's a false positive for my thing since it's exactly the same thing as the author's?

Darklightning13 · Answer

I heard on another forum that there's a risk of using Malwarebytes and you say it will delete files, but if they're files that could be useful, what should I do?

Electricien 69 · Answer

Avast detects a bit of everything and anything!

As for MBAM; before quarantining, you can uncheck the detected items (false positives) and not delete them!

--
O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø
=>>Breathe deeply, write your message in proper French and clearly. It will go well, you'll see, well we're trying!!! o°Oø

Darklightning13 · Answer

Does Malwarebytes also detect false positives?  And considering my problem since it's the same as the author's, would you say it's a false positive or not?

Electricien 69 · Answer

It sometimes happens, due to the complexity of detecting certain infections, that tools (including MBAM) like antivirus software detect false positives!

Give me the download link for your software and I will test it right away ;-)

--
O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø
=>>Breathe deeply, write your message in proper French and clearly. It will be fine, you'll see, well we’ll try !!! o°Oø

Darklightning13 · Answer

For example, yesterday I did a quick and advanced scan with Avast and it didn't detect anything, and weirdly at startup there's something.

Electricien 69 · Answer

Attention, a quick scan does not replace a full scan:

The search mode and the examined modules are not the same!

Give me the download link for your software and I'll test it right away ;-)

--
O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø
=>>Breathe deeply, write your message in proper French and clearly. It will be fine, you'll see, well we'll try!!! o°Oø

Darklightning13 · Answer

I also specified that I did an advanced scan (complete is the same)  And what do you mean about your software, it's Avast?

Electricien 69 · Answer

What is the Orange software you are trying to download and install?

Give me its download link!

--
O.o°*Member, CCM security staff o°.Oø¤º°'°º¤ø
=>> Breathe deeply, write your message in good French and clearly. It's going to be fine, you'll see, well we’ll try!!! o°Oø

Darklightning13 · Answer

I'm not trying to download anything, it's just the file name with the name of the location.

Electricien 69 · Answer

The file name contains Orange!   Its location is in the temporary internet files!   Since it's an installer, you must have downloaded it somewhere!   Or you can run CCleaner and you won't see it anymore!     -- O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø =>>Breathe deeply, write your message in proper French and clearly. It will be fine, you’ll see, well we’ll try!!! o°Oø

Darklightning13 · Answer

I don't know anything, it might be someone else in my family who downloaded it.  And what is Hudson, actually?

ikkual · Answer

Excuse me, the complete scan took a long time but here is the report:  http://cjoint.com/?3JAma68zaIs  It did not detect anything.

ikkual · Answer

Does that mean the PC is clean?  The HUDSON folder is still there.  I haven't restarted the computer.

Electricien 69 · Answer

for the Hudson folder, no idea!  if it’s empty, delete it!   if you are not the only user of the PC, I strongly advise you to create a user with limited rights so as not to let the administrator session of the PC get messed up:  once the administrator session is corrupted, there is very little chance (depending on the damage) that we can repair Windows!    for the PC, I don't see anything infectious in the report!  you will need to uninstall all the tools :D     -- O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø =>>Breathe deeply, write your message in good French and clearly. It will be fine, you’ll see, well we’ll try!!! o°Oø

Darklightning13 · Answer

What do I do in summary because it's weird that it's only doing this at startup and not at another time  I will try to use cclaener

Electricien 69 · Answer

The executor remains in memory in temporary files, so you need to clear the browser's cache!     -- O.o°*Member, CCM security staff o°.Oø¤º°'°º¤ø =>> Breathe deeply, write your message in proper French and clearly. It will be fine, you'll see, well we’ll try!!! o°Oø

Darklightning13 · Answer

Comment faire pour vider le cache du navigateur ?

ikkual · Answer

Okay, I'll do that  However, Avast still shows the alert message and the Hudson folder gets recreated when I delete it.   So I can ignore the Avast report since it's a false positive.

Darklightning13 · Answer

Moreover, it's exactly the same file as the one from the topic author; I just looked at their message from Avast, and it’s exactly the same.

ikkual · Answer

It is also due to SetupOrangeUpdate.  I'm not the one using the PC where the problem is, so I don't know if anyone has downloaded anything to cause that.

Darklightning13 · Answer

Yeah it's exactly the same and I don't know what to do, I'm desperate  I'm worried about my PC

Darklightning13 · Answer

For example, if Malwarebytes detects an infected system file, what should I do?

Electricien 69 · Answer

For Hudson, I don't know what it is, but display the hidden files and you'll see if there's content in the directory!    -- O.o°*Member, CCM security staff o°.Oø¤º°'°º¤ø =>>Breathe deeply, write your message in correct French and clearly. It will be fine, you'll see, well we're trying!!! o°Oø

ikkual · Answer

there's nothing, even when displaying hidden folders. However, according to Avast, the infected file is in this folder.  I have a friend who had the same issue today; he updated Avast and the alert no longer appeared at startup, maybe they fixed the false positive.  In any case, the Hudson folder is still there; I don't understand why.

ikkual · Answer

and it's impossible to remove the file from the Avast quarantine zone

Electricien 69 · Answer

ok,  we're going to tackle it, but differently!  *  /!\Warning: This software should only be used as prescribed by a qualified helper. Do not use it outside of this context: dangerous!    /!\ Vista Users: Don't forget to temporarily disable UAC just for the time of disinfecting your PC, it will need to be reactivated later.   &#9658; Download ComboFix from this link and save it on your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe or here: https://forum.pcastuces.com/combofix_renomme_au_telechargement-f31s22.htm Read this https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix  Before using ComboFix:  &#9658; close all open program windows.  &#9658; Temporarily disable only for the duration of using ComboFix, the real-time protection of your Antivirus and Antispyware, which can significantly interfere with the search and cleaning procedure of the tool. Once done, double-click on Combofix.exe on your desktop.  /!\ Vista & Windows 7 Users: Right-click on the ComboFix logo, "run as Administrator"  - Answer yes to the warning message so that the program can start analyzing the PC.  - ComboFix may need to connect to the internet to find updates, so you need to allow it.  /!\ During this step, do not use the PC and do not open any programs.  - At the end of the scan, it is possible that ComboFix will need to restart the PC to finalize the disinfection/search, let it do so. - A report will then open in Notepad; this report file, ComboFix.txt, is automatically saved and stored at C:\ComboFix\ComboFix.txt) &#9658; Reactivate the real-time protection of your Antivirus and Antispyware before reconnecting to the internet. &#9658; Return to the forum and copy and paste the entire content of ComboFix.txt into your next message.   -- O.o°*Member, CCM Security Staff o°.Oø¤º°'°º¤ø =>> Breathe deeply, write your message in good French and clearly. It'll be alright, you'll see, let's try!!! o°Oø

ikkual · Answer

I ran ComboFix as you told me, here is the report:   http://cjoint.com/?3JAt2i1te1R

ikkual · Answer

I'm sorry, I won't be able to reconnect until late tonight or tomorrow morning.  Thank you for your help.

Darklightning13 · Answer

Well, I am facing the same problem.

Electricien 69 · Answer

Restart your PC and let me know if the device is still detected!  Talk to you soon   -- O.o°*Member, CCM security staff o°.Oø¤º°'°º¤ø =>> Breathe deeply, write your message in proper French and clearly. It will be fine, you'll see, at least we’ll try!!! o°Oø

Darklightning13 · Answer

I just restarted my PC using the restart option and I haven't received any messages so far, yet this afternoon when I turned my computer back on because someone had turned it off, I got a message.  And now I have nothing, strange.

Electricien 69 · Answer

This message was opened at the request of ikkual, whose PC I am in charge of handling!   Friend Darklightning13:  Stay on your topic here:  https://forums.commentcamarche.net/forum/affich-28966279-avast-virus-malware   Thank you for your understanding.  :-)    -- O.o°*Member, CCM security staff o°.Oø¤º°'°º¤ø =>>Breathe deeply, write your message in good French and clearly. It will go well, you'll see, at least we’ll try!!! o°Oø

Darklightning13 · Answer

Sorry, I didn't see that, but you can't come help me because I have the same problem.

ikkual · Answer

Good evening,  I just turned my PC back on, and Avast didn't display the warning message. And there are no more files in the quarantine area, so the problem seems to be resolved.  However, the Hudson folder is still there and cannot be deleted. I also noticed that ComboFix added several folders in C:\

ikkual · Answer

I am currently running a full scan with Avast and MBAM to check.

Electricien 69 · Answer

The Hudson folder, as it is set up, is like an account on your PC:   2013-10-26 17:25 . 2013-10-26 17:25 -------- d-----w- c:\users\Hudson 2013-10-26 14:40 . 2013-10-26 14:40 -------- d-----w- c:\users\Louis 2013-10-26 14:31 . 2013-10-26 14:31 -------- d-----w- c:\users\Laurence 2013-10-25 18:31 . 2013-10-25 18:31 -------- d-----w- c:\users\Administrator   Since you are not the only user of this PC, check in the user account manager if there isn't an account named Hudson!     -- O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø =>> Breathe deeply, write your message in proper French and clearly. It's going to be fine, you'll see, well we're trying!!! o°Oø

ikkual · Answer

Indeed, it does not appear in the user account manager and no one has created a session under that name.  I saw it for the first time in C:\Users\ when I went to check the location of the infected file indicated by Avast.   (Results of the complete scan by Avast and MBAM: no infections detected.)

Electricien 69 · Answer

Download SEAF.exe (from C_XX) to your desktop. http://general-changelog-team.fr/telechargements/logiciels/viewdownload/83-outils-de-cxx/52-seaf   ? Double click on SEAF.exe (Run as administrator for Vista).  ? Check the boxes: - Also search in the registry - Additional information   ? Type exactly this text in that window and confirm by [Enter]:  Hudson    ? Wait during the search, and do not touch anything ...  ? A window with a .txt log will appear.  ? Copy/paste this report into your next response.   -- O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø =>>Breathe deeply, write your message in good French and clearly. It will be fine, you'll see, well, we’ll try!!! o°Oø

ikkual · Answer

1. ========================= SEAF 1.0.1.0 - C_XX 2. 3. Started at: 16:06:30 on 10/27/2013 4. 5. Value(s) sought: 6. Hudson 7. 8. Legend: TC => Creation date, TM => Modification date, DA => Last access 9. 10. (!) --- Additional information 11. (!) --- Registry search 12. 13. ====== File(s) ====== 14. 15. No file found 16. 17. 18. ====== Registry entry(ies) ====== 19. 20. No item in the registry found 21. 22. ========================= 23. 24. End at: 16:07:46 on 10/27/2013 25. 467805 items analyzed 26. 27. ========================= 28. E.O.F

ikkual · Answer

strange, he finds nothing

ikkual · Answer

yet the folder is still there even if it is empty.  C:\Users\Hudson\LOCALS~1\Temp

Electricien 69 · Answer

Is your internet service provider Orange?    -- O.o°*Member, CCM security staff o°.Oø¤º°'°º¤ø =>> Breathe deeply, write your message in proper French and clearly. It will be fine, you will see, well we're trying!!! o°Oø

ikkual · Answer

Yes, I have a livebox.

Electricien 69 · Answer

Have you recently updated your box?  If so, this corresponds to that!  Next time it appears, delete it manually!   In the meantime, there's this folder to delete:    C:\Users\Hudson   Restart your PC and let me know how it's working before starting the rest and end     -- O.o°*Member, CCM Security Staff o°.Oø¤º°'°º¤ø =>>Breathe deeply, write your message in proper French and clearly. It will go well, you'll see, at least we try!!! o°Oø

ikkual · Answer

Not using the computer, I went to check the control panel for recently installed updates and I didn't see any orange updates.  I'm deleting the hudson folder again and restarting the computer, and I'll let you know.

Electricien 69 · Answer

ok,    -- O.o°*Member, CCM Security Staff o°.Oø¤º°'°º¤ø =>>Breathe deeply, write your message clearly and in good French. It will go well, you’ll see, well we’ll try!!! o°Oø

ikkual · Answer

The folder was not visible right after the startup but reappeared later.

Electricien 69 · Answer

Monitor the folder in question just in case, and after the updates to your box,   there may be system files that get created inside!   HERE   or     Check the following boxes:  => Reactivate UAC (just for Vista, Seven, and W8)  => Remove disinfection tools (checked by default)  * Then click on Run and wait during the removal process. * When the procedures are completed, the tool will close and disappear from the desktop * A report is saved to the clipboard: you just need to right-click and "paste" in your next reply to send me the report ** the report is stored at this location: C:\DelFix.txt Attention: The report is unique and is deleted each time we re-run one or more options of DelFix.       * Update your antivirus, run a full scan of your PC, and keep me informed of the result :-)     -- O.o°*Member, Security Staff CCM o°.Oø¤º°'°º¤ø =>> Breathe deeply, write your message in proper French and clearly. It will be fine, you'll see, well we're trying!!! o°Oø

ikkual · Answer

# DelFix v10.5 - Report created on 27/10/2013 at 17:18:44 # Updated on 17/10/2013 by Xplode # Username: Laurence - PC-MEUNIER # Operating System: Windows 7 Home Premium Service Pack 1 (64 bit)  ~ UAC Activation ... OK  ~ Removal of disinfecting tools ...  Deleted: C:\Qoobox Deleted: C:\AdwCleaner Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ZHP Deleted: C:\Program Files (x86)\ZHPDiag Deleted: C:\Program Files (x86)\SEAF Deleted: C:\Users\Laurence\Desktop\ComboFix.txt Deleted: C:\Windows\grep.exe Deleted: C:\Windows\PEV.exe Deleted: C:\Windows\NIRCMD.exe Deleted: C:\Windows\MBR.exe Deleted: C:\Windows\SED.exe Deleted: C:\Windows\SWREG.exe Deleted: C:\Windows\SWSC.exe Deleted: C:\Windows\SWXCACLS.exe Deleted: C:\Windows\Zip.exe Deleted: HKLM\SOFTWARE\OldTimer Tools Deleted: HKLM\SOFTWARE\AdwCleaner Deleted: HKLM\SOFTWARE\Swearware Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SEAF Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZHPDiag_is1  ########## - EOF - ##########

ikkual · Answer

I already updated Avast and performed a full scan this morning. It didn't find anything.  If I understand correctly, the only thing to do is to monitor if any files are created inside the Hudson folder. It's still very strange that it keeps recreating itself every time we delete it.  Otherwise, there are several folders that were created in C:\ following the analysis with ComboFix. Can we delete them?

ikkual · Answer

The problem is that I don't remember which ones.

ikkual · Answer

Actually, they may have already been there, I don’t remember. Many are empty, they probably aren’t worth much.  At least, there are no more infections on the PC and the Win32:malware-gen alert from Avast no longer appears.  I am very grateful for your help.

Electricien 69 · Answer

The folders created by Combofix are backups of your system files just in case you need to restore them!  So, it's up to you to decide if you want to delete them, but keep them; they don't take up much space!  For these directories, there are probably hidden files, so as long as you haven't enabled the display of hidden files, you won't see anything!   That said, happy surfing ;-)   -- O.o°*Member, CCM Security Staff o°.Oø¤º°'°º¤ø =>>Breathe deeply, write your message in proper French and clearly. It'll be fine, you'll see, well, we hope so!!! o°Oø

ikkual · Answer

I researched this Hudson folder on various forums. Here’s what I found:  https://forums.commentcamarche.net/forum/affich-28700359-creation-spontanee-de-repertoire  http://answers.microsoft.com/fr-fr/protect/forum/protect_other-protect_scanning/cr%C3%A9ation-non-sollicit%C3%A9e-de-dossiers/d1911821-80cf-4dca-8fd6-5637de26cfb4  Apparently, this folder is not harmful and could be due to an update of Adobe Reader or Orange.  I won't elaborate further on this since the topic is closed, but I’m posting this for those who might have encountered the same issue and are concerned about the appearance of this folder.

Win32:malware-gen blocked by avast

65 réponses

Texture issues in enshrouded

Edit ad on leboncoin for free

Disable hard drive password

Duration of unpaid filing with telephone operators

Where to rewatch temptation island...

Black screen at wakfu launch

My pc starts up correctly but my screen won't turn on: what should i do?

Voicemail icon that remains displayed

Is onfancy.fr reliable?

Is the sports shoes website reliable?