Cannot move to chest, cannot delete. Trojan Downloader? Help!

For the past few days, my computer is doing some bad things I guess, and my host provider keeps blacklisting me. I cannot go to any of the domains I own. Sometimes I cannot get to other websites either. I would have to contact my provider, they would unblock but this would happen all over again.

Doing a full scan on malwarebytes, which takes eternity!! They found two files infected with something called trojan downloader. They are in the library/mail/v2/pop-example@incoming.yahoo.verizon.net/inbox… the address goes on, but that should give you an idea of what it’s targeting? So one is in one of these folders, and another is in the same pop folders but for a different email account. Anyway, if you delete them in malwarebytes, it shows up again on the next scan.

Tried Kaspersky, but it didn’t find anything. Tried Microsoft Security Essentials, they found something called “trojan.downloader win32 kulouz B.” But MSE couldn’t delete it.

Host provider says try Avast. So that’s why I’m here. Avast found 2 items also in the mail/pop folder locations, but again, different email accounts. Avast calls it: Threat: MX97:Mailcab-C[Trj] and Threat: JS:Bankfraud-CA [Trj]. But I cannot move to chest and I cannot delete. Move to chest yields: “Error: The process cannot access the file because it is being used by another process (32).” Trying to delete yields: “Error: Access is denied (5)”

I also tried drilling into the folders and locating the actual file but when I try to delete it, it says “file too large for the destination folder…”

Anybody have a clue? I’m trying desperately to not have to reformat my hard drive. Thank you in advance.

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Okay, but regarding mbam, the quick scans always show nothing. It’s the full scan that will show the trojan downloader. Should I attach one of those full scan logs?

It's the full scan that will show the trojan downloader. Should I attach one of those full scan logs?
Yes, guessing it is located in an old restore point... we’ll see when you post it.

OBS: seems to be in a mail
They are in the library/mail/v2/pop-example@incoming.yahoo.verizon.net/inbox

since not detected by MBAM quick scan it is not running active…

But I cannot move to chest and I cannot delete. Move to chest yields: "Error: The process cannot access the file because it is being used by another process (32)." Trying to delete yields: "Error: Access is denied (5)"
is your mail program open when you scan?

I use outlook. It’s not opened. It’s only set to download mail when I open it.

ok…attach the logs requested by Asyn…then a removal expert will fix it later today. :wink:

Okay, here are my attachments.

And here is the aswMBR.

One more piece of info, I’m not sure if this matters. I’m using Windows 7 via Boot Camp on a MacBook. That’s why I’m trying hard not to reformat, because I’m not sure what the process would be like.

BTW, the MBAM log says no action taken. But I’ve run it several times and deleted them several times; other logs will show DELETE AT REBOOT. I must have given you a log where I didn’t bother to delete or got cut off.

Here’s one that shows delete at reboot.

OK, don’t worry about that.

The first thing to do is delete the contents of your old e-mail Deleted Items folder.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
[1832/11/28 21:30:07 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\ktmac\AppData\Roaming\Mozilla\Firefox\Profiles\2cbgi2e3.default\extensions\rntckdgyio@rntckdgyio.org.xpi

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here is the log of the quick scan after the run fix.

There was a log for the run fix too. Let me know if you need that also.

BTW, not sure if this means anything, but I haven’t been able to complete a MBAM FULL scan for the past several attempts. Been getting a blue screen then reboot. Not sure if this means the issue is getting worse?

Could you run MBAM in safe mode please and let me know if it crashes again… At what point does it crash?

Man, I don’t know what point. The times when I’ve witnessed the blue screen, it came after 7 hours. I noticed the last time it came much quicker, within the hour. You know how a full scan can take 7 to 17 hours. So when it runs, I just leave. But I know it crashes because I’ll come back to a desktop that has obviously been rebooted. And a pop up that says "windows encountered an error… "

Another peculiar thing that has been happening. Not sure if this has anything to do with the virus or is just a coincidence, but I’ve been getting Shockwave plugin crashes from time to time when visiting ESPN. This has never happened before.

Anyway, how do I run MBAM in safe mode? And do you want me to do a normal or full scan? A full scan can take forever, so I won’t get back to you guys for a while.

Anyway, how do I run MBAM in safe mode?

http://windows.microsoft.com/is-is/windows7/start-your-computer-in-safe-mode

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/#windows7

Okay, it’s running a full scan on safe mode right now. I’ll report back.

Hey guys, FULL SCAN crashed in safe mode too.

“Windows has recovered from an unexpected shutdown.”

In the problem signature, the problem event name is Blue Screen.

I just ran mbam again QUICK SCAN, and it was okay. It’s only crashing on FULL.

A quick scan is sufficient, as a full scan visits areas that are not really relevant.

To get to safe mode:
Reboot the computer, then press and hold F8 as soon as it powers up.
Select Safe Mode with Networking from the menu.

I ran avast full scan again.

Same two infected files showed up. Move to chest still did not work, but the delete was successful.

What do you guys think that means?