Comp blue-screened due to virus (mult. ?)

Hi there (I’m tempted to say it’s me again :-[…)… I was wondering if any of you guys could kindly help out again…
I’ve had this new computer for about 3 weeks or so. I’ve installed most things I needed right-away (which was when I got in touch last time - but that’s been sorted), and a few missing programs well over a week ago. Everything has been running fine - until Friday, when the computer blue-screened.

(This might not be important: worked on comp. most of the day, installed a Firefox-update, but nil else. Downloaded a Windows-update, but did not install. Blue screened when shutting down and then after trying to turn it on again the next day. Would boot 'til “loading preferences” and then blue-screen. Ran hardware-test which was o.k., asked for help and heard the suggestion that this could either be a software prob or a virus. It was suggested to reinstall a previous backup).

So reinstalled previous backup (with some difficulty since Acronis not running the way it should), updated Avast, and found virus. Went through all my previous backups I had done in the process of installing the computer while online. And all of them have a virus. So this is something I must have caught very early on, and also something that was there when I contacted you last time, just hadn’t been detected then.
Why it was only activated now, I don’t know. But the question is: can I get rid of it or do I need to re-install from scratch ?

What I have done now is re-installed the latest backup I have, updated only the Avast VPS (to version: 081161-1,16.11.2008) and started Avast. And here is what it showed:

During Memory test, the following virus was found: File name: c:\windows\system32\dpcdll32.dll Win32:Trojan-gen (other)
Action: moved to chest.

During further Memory test, the following was displayed:
Avast has found a virus in the operating memory. … recommended that you restart the computer and let avast scan all data in the boot phase… → yes

During boot test: File C:\System Volume Information_restore{tons of numbers}.dll is infected by win32:Trojan-gen (other)
Action: moved to chest.

During further boot test: File C:\Windows\system32\trz97.tmp is infected by win32:Trojan-gen(other)
Action: attempted "move to chest" but warning: File is in Windows-folder, are you sure ? So I pressed “No” (although I think it’s a temporary folder and should be o.k., but really not sure), so tried option “repair” and received: “error 42060 (file was not repaired)”, therefore chose “ignore”.

Now before I do anything else, I’d just love to know whether I can move this last file to the chest ??
If yes, I can then do another Avast-scan, send the file off and go from there…
If no, I don’t know.
Oh, and just in case someone is going to suggest to “turn off system restore” etc - unfortunately, I have no clue how to do that ??? So sorry, but not very computer-literate, still getting to know my new laptop and fighting its “childhood illnesses”, let alone struggling with Windows XP (coming from 2k). I know this does not help. Once again, sorry. But will need step-by-step guidance. Thanks so much. Sydney.

Windows XP SP3, Avast 4.8, File Version 081161-1 from 16 Nov 08, Core 2 Duo, 2.4 GHz, 3 GB RAM

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

  1. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
    If avast does not detect it, you can try DrWeb CureIT! instead.

  3. It will be good if you download, install, update and run SUPERantispyware, MBAM or SpywareTerminator.
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    About legit antispyware applications or the bad ones see here.

  4. If you are still detecting any strange behavior or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

  5. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.

  6. After you’re clean, disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After disabling you can enable it again. To use System Restoration it’s necessary to disable avast! self-protection: avast! settings > Troubleshooting > Disable avast! self-defence module then start a System Restore.

  7. Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Hi Tech, thanks for your reply.
Where did you get the idea that my virus is recurring ?
If I expressed myself in any misleading way, I am sorry.
All I said was that I have the same infection on all my backups and they had not been detected at the time (with the older virus databases).
And all I’d really need to know for now is whether or not I can send the following infected file to the chest (which is detected through Avast boot-scan):
File C:\Windows\system32\trz97.tmp
And I’ll go from there.
(I have MBAM & SAS).
Thanks.

Well… it’s a general behavior when virus infects System Restore, temporary files, etc.

And what about if you update the virus database?

Yes, you can send this file to Chest.

Hi. O.k. so while installing my computer over the past weeks, I ran multiple Avast-scans and did multiple backups - which were clean at the time. If I re-install these older backups now and scan them with the current database, they are all infected. That’s why I tend to think that this is one and the same infection that had just not been detected at the time, but is now. So in effect, I do not have even one virus-free backup for this computer.
Since they all seem to be infected with the same virus/viruses, I have re-installed my latest backup and that’s the one I will work with now. And yes, of course, it’s running with the latest Avast-database.
So what I’ll do now is run the boot-scan again and move that file to chest as suggested.
And I’ll update this post once that’s been done. Thanks for now. S.

In a boot-time scanning, select how to automatically process infected files (suggestion: send to Chest).
Choose how to automatically process infected system files (suggestion: ignore/do nothing).
Post back the results.

As described in my initial post, this is what I have done with the other files:

During Memory test, the following virus was found: File name: c:\windows\system32\dpcdll32.dll Win32:Trojan-gen (other)
Action: moved to chest.

During boot test: File C:\System Volume Information_restore{tons of numbers}.dll is infected by win32:Trojan-gen (other)
Action: moved to chest.

The last one: File C:\Windows\system32\trz97.tmp is infected by win32:Trojan-gen(other)
I ignored previously but am boot-scanning for just now and I will send to chest as soon as it’s found.

Are you suggesting that I should re-install the first one because it’s a system-file:
c:\windows\system32\dpcdll32.dll
or does your instruction only relate to system-files found during boot-scan, not memory-scan ??
There are no infected system-files in the boot-section. This is the whole list of infections. Nothing else (for now).

O.k. Ran 2 boot-scans and on both occasions, that temp-file was not detected any more.
Is it possible that it’s disappeared or is it likely still there and just not picked up ???
I searched for it on the computer as well, but could not find it.
Instead (on boot-scan), Avast is telling me that 2 of my files are now corrupt.
The file-name displayed does not even exist like that. I have one file that starts with the same words (it’s a Word-document in “my files”). And when I opened it (after the boot-scan had finished), it was just fine.
Is this anything to worry about ?
I ran another thorough Avast-scan and nothing was detected.
So I now have those 2 files in my chest (the one from the memory-scan and the other from the boot-scan) with one tmp-file ? missing ? (It crossed my mind that this could have been a false positive, but then: why can’t I find the file at all - through my search-function on XP??)
Should I try finding that missing file first and if yes: how. Or should I just not worry about it and send the other 2 off ?
Alternatively, I could restore that whole backup again and do another boot-scan and just delete the tmp-file then…
Please advise. Thanks.

I suggest a full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)

Hi Tech, thanks for your advice. But I reinstalled the backup yesterday and went from there.
Please see my post “Virus isolated ? what now ?”.
Once again, thanks heaps for your help. I kinda knew what to do once I moved that file to chest.
Sydney.

But are you sure the backup was clean? ???

No. of course the backup was not clean. Please see the other topic. Thanks.