My PC seems to have slowed down a bit lately - using 100% cpu all the time - ran a boot scan and after 79% scan AV came up with delfiles-AZ (trj). When I chose the number to put it into chest or repair, AV said: “it’s in the windows folder - are you sure?” Well, at that point I didn’t know what I should do, so I said “ignore” – don’t think that was the best choice, but the wording of the scan result was a little intimidating - I didn’t know if I should mess with the windows folder. Any suggestions as to what I should now do?? It looks like this is a bad trojan and I don’t wish to have it on my system. Should I cancel the rest of the boot scan and start over and when it gets to that point, should I ignore the “are you sure” part and repair?? Any help would be appreciated. Thanks very much.
attach the requested logs http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
when done a removal expert will be notified and help you
Before going thru all of the suggested steps as detailed in your post, I did a MWB quick scan (2x) and nothing came up as infected. I have posted this info on their website and await an answer. It seems troubling that 2 different results were detected - which is the truth? Anyway, if possible could you answer regarding the “lingo” question. When a result comes up with “are you sure” regarding actions for a windows infected file, what is the recommended answer? I’m quite sure “ignore” is not the best one. Thanks very much.
What was the name of the file that was reported as infected ?
delfiles-AZ (trj)
that is the malware name given by avast… what essexboy wants is the file name and location… like C:/? ? ? ? / ? ? ? ? / ? ? ? …
Sorry - I thought of that after I logged off. I think this is the area: C:\windows\softwaredistribution\download\aaeaf9 - there were a bunch more letters after the 9 but I didn’t get them all. I also hit the ESC key after sitting on a 79% scan for an interminable amount of time. Should I run another boot scan?? Thanks.
"Should I run another boot scan?? Thanks."
No.... [b]attach[/b] the logs requested in my first post, then essexboy has something to work with
Another issue which concerns me - don’t know if it is related to this malware or not - when I run a quick scan, it comes up with 4 files that could not be scanned as they were password protected - when I go to the bottom of the window to select the items to take action for them, the apply line is greyed out so I cannot take any action with the 4 files. Thank you.
Of course the Apply action is Greyed out, there is nothing wrong with the file other than it is password protected.
What we need are the file names and locations; that helps us determine whether the file would legitimately be password protected.
Sorry - here are the file names: C:\ datasafe.green.ico C:\ diff_000001.dif C:\ irimg1.bmp C:\programfiles(x86)>irimg1.jpg Thanks again.
Here are the scans. The OTL scan is one not two. It did not generate "extras.txt". Also I do not get the following: "To attach: Within the post select: Additional options, Browse, Locate the OTL log, Select the OTL log."
So, I cannot provide that as I cannot locate it as instructed. Thank you.
"Also do not get the following: "To attach : Within the post select : Additional options Browse Locate the OTL log Select the OTL log"
well... you did get it.... since the log is here now ;)
but your malwarebytes log is the protection log…we want the scan log
MBAM list of logs is split in two… top is scan logs, listed at bottom protection logs… and all have a date
Essexboy is notified
I can see nothing apparent in that log, it may be a false positive
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
OK - here is the MWB log. There was another log generated after one of the scans - I think OTL but not sure. It had a time of today at 1:07 pm, not this am when I was doing all of this - it is "vcredist_x86.log". Thanks again. I just tried to post with that x86 log and got a 413 msg - too large??? so I guess I won't post that one…
As I say I feel that this is a false positive, but could you run combofix to confirm
Well, I think that is probably true - my system does not seem to have any quirky behavior going on. Perhaps I will at some point do the combofix install. The instructions for temporarily disabling MWB are circular (go to these instructions) and when you do, it says the same thing but not how to do so. I will contact the MWB forum for that. Also, the thing that prompted me to do a boot scan was the 100% cpu usage - since that scan, even though I said IGNORE to the detection of a possible infection, the cpu usage has dropped to 54%, so something has improved.
I would ask of you however, when one does a boot scan and a warning is generated about an infection, what is the recommended procedure? Move to virus chest? - quarantine? I would really like to know as I could have avoided all of these scans, etc. had I just taken one of those routes. I said ignore due to the seemingly “dangerous” course of acting on a WINDOWS file. The wording to those actions of quarantine etc - was ARE YOU SURE? If you are not a technical person, such as I am not, that sounded like it was a risky move. I think Avast should clarify that wording for that particular type of scan. There are many people that want AV protection but are not highly trained in the depths of these “machines”. Thanks again for your help.
first, boot scan is not meant to be used as a regular scanner…
it is meant to be used when something bad is going on and avast has problems removing a bug… or if the program itself tells you to run it
Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm
Thanks for the input - just to clarify - I did not use this as a regular scanner. I used it because of the high cpu usage, which I thought was an indicator of a possible system infection. I'll follow your next link to the definition of what to do, but no one has yet answered regarding the ARE YOU SURE lingo. Unless it is addressed in your link, I guess I'm just out of luck. Thanks again for everyone's help.
The "are you sure" is because Avast scans before Windows starts, and an infected system file that cannot be repaired but is moved to quarantine instead may have consequences when you try to boot.