HELP! Win32:Malware-gen 00000004.@/000000cb.@/80000000.@/80000032.@/80000064.@

Help! Keep getting multiple Avast alerts every 5-10 mins that say Malware Blocked/Trojan Horse Blocked.

Object: 00000004.@/000000cb.@/80000000.@/80000032.@/80000064.@
Infection: Win32:Malware-gen
Win32:Downloader-PKU [Trj]
Action: Moved to chest
Process: C:\windows\system32\services.exe

It simultaneously lists all the above alerts. Don’t know what to do or how to get rid of this. Please help! Not really computer savvy. Step by step directions would be helpful.

Thank You!

Whilst the alerts are a pain, avast is preventing the underlying infection from getting worse:
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Hi,
I downloaded and ran the Malwarebytes Anti-Malware program and restarted my laptop immediately
when prompted to do so. I am still getting those Avast messages. How do I proceed now?
The log is listed below.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.20.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kim :: KIM-HP [administrator]

7/19/2012 7:21:17 PM
mbam-log-2012-07-19 (19-21-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190506
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Users\Kim\AppData\Local\Temp\0.3817629204532377 (Trojan.Agent.EXPD1) → Quarantined and deleted successfully.
C:\Users\Kim\AppData\Local\Temp\0.4214338525683843 (Trojan.Agent.EXPD1) → Quarantined and deleted successfully.
C:\Users\Kim\AppData\Local\Temp\msd1951877.exe (Trojan.Lameshield) → Quarantined and deleted successfully.
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Users\Kim\AppData\Local\Temp\0.8762872347034028 (Exploit.Drop.9) → Quarantined and deleted successfully.

(end)
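As an added example (not code from this thread, and not part of Malwarebytes' own tooling), here is a small Python parser for the MBAM 1.x log format above. It pulls out the header fields and every "X Detected" section, checks that each declared count matches the item lines actually present (a quick way to spot a log that was trimmed or pasted incompletely), and flags any detected path that follows the `{GUID}\U\xxxxxxxx.@` layout shown by the Installer entry above, which is the same layout as the objects named in the Avast alerts at the top of the thread. The sample log is a constructed copy of the one in the post, and the path heuristics are my own, not rules Malwarebytes publishes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the MBAM log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.20.01

Scan type: Quick scan
Objects scanned: 190506
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Users\Kim\AppData\Local\Temp\0.3817629204532377 (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
C:\Users\Kim\AppData\Local\Temp\0.4214338525683843 (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
C:\Users\Kim\AppData\Local\Temp\msd1951877.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Users\Kim\AppData\Local\Temp\0.8762872347034028 (Exploit.Drop.9) -> Quarantined and deleted successfully.

(end)
"""


@dataclass
class Detection:
    path: str    # object MBAM acted on (file, registry key, value, ...)
    name: str    # MBAM detection name, e.g. Trojan.Dropper.BCMiner
    action: str  # what MBAM did, e.g. "Quarantined and deleted successfully"


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)    # "Database version" -> "v2012..."
    counts: dict = field(default_factory=dict)    # section -> declared count
    sections: dict = field(default_factory=dict)  # section -> [Detection, ...]


SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<value>.+)$")
# "<path> (<detection>) -> <action>."  (forum copies often show the arrow as U+2192)
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) (?:->|\u2192) (?P<action>.+?)\.?$")
SKIP = {"", "(end)", "(No malicious items detected)"}

# Heuristics for the path layout seen in this thread (my own, not Malwarebytes' rules):
# a GUID-named directory holding a "U" folder of 8-hex-digit ".@" files.
SUSPICIOUS_PATH_RES = [
    re.compile(r"\\\{[0-9a-f-]{36}\}\\U\\[0-9a-f]{8}\.@$", re.I),
    re.compile(r"\\(?:Installer|AppData\\Local)\\\{[0-9a-f-]{36}\}(?:\\|$)", re.I),
]


def parse_mbam_log(text: str) -> MbamReport:
    """Parse one MBAM 1.x scan log into header fields and per-section detections."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SKIP:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            report.counts[section] = int(m["count"])
            report.sections[section] = []
            continue
        if section is not None and (m := ITEM_RE.match(line)):
            report.sections[section].append(Detection(m["path"], m["name"], m["action"]))
            continue
        if section is None and (m := HEADER_RE.match(line)):
            report.header[m["key"]] = m["value"]
    return report


def count_mismatches(report: MbamReport) -> list:
    """Sections whose declared count differs from the item lines actually present."""
    return [s for s, n in report.counts.items() if n != len(report.sections.get(s, []))]


def flag_suspicious_paths(report: MbamReport) -> list:
    """Detected paths matching the GUID-directory / U\\xxxxxxxx.@ layout, in log order."""
    hits = []
    for items in report.sections.values():
        for d in items:
            if any(r.search(d.path) for r in SUSPICIOUS_PATH_RES) and d.path not in hits:
                hits.append(d.path)
    return hits


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("Database:", rep.header.get("Database version"))
    for s, items in rep.sections.items():
        print(f"{s}: {len(items)} item(s), declared {rep.counts[s]}")
    print("Count mismatches:", count_mismatches(rep))
    print("GUID\\U\\*.@ style paths:", flag_suspicious_paths(rep))
```

Run it on a saved `mbam-log-*.txt` by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`; a non-empty `count_mismatches` result means the pasted log is incomplete and should be re-attached in full before anyone analyses it.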

Is downloading OTL safe… keep getting messages that it is not safe to download and that it’s a risk to my computer.

yes it is safe… if not we would not use it
OBS and don’t let avast run it in sandbox

How do I prevent Avast from running OTL in the sandbox?
Tried to download it twice and couldn’t do it. I keep getting the message: “Windows cannot access the specific path or file. You may not have the appropriate permissions to access the item.”

Set the autosandbox mode to Ask, then when you get the popup select Run normally and remember your answer.

From the avastUI, Additional Protection, AutoSandbox, Settings, set to Ask.

Thanks! It worked. Attached is the OTL.txt and Extras.txt

Hello,

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Step 1
Re-run OTL.exe.

  • Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.


:OTL
IE:64bit: - HKLM\..\SearchScopes\{4D06CD33-0657-4FD5-BB5B-2C0AEAB01CA3}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKLM\..\SearchScopes\{4D06CD33-0657-4FD5-BB5B-2C0AEAB01CA3}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2818425&SearchSource=3&q={searchTerms}"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2818425&SearchSource=2&q="
O3 - HKU\S-1-5-21-3812528364-1390186582-2145737286-1000\..\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
O3 - HKU\S-1-5-21-3812528364-1390186582-2145737286-1000\..\Toolbar\WebBrowser: (no name) - {7AEB3EFD-E564-43F1-B658-5058A7C5743B} - No CLSID value found.

:files
ipconfig /flushdns /c
C:\Users\Kim\AppData\Roaming\Mozilla\Firefox\Profiles\njmdot3k.default\searchplugins\conduit.xml
C:\Windows\Installer\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}
C:\Users\Kim\AppData\Local\{ea4c3b3f-ccfd-ca31-043b-cc5cfcbded0e}

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

Step 2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program as before.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

Step 3
You need to run aswMBR.exe.
http://forum.avast.com/index.php?topic=53253.0

Attach here aswMBR.txt

Hi,

I did the three steps: Re-ran OTL, ComboFix, and aswMBR and the logs are attached below.
How do I proceed?

Thanks!

Unfortunately the next step is for magna86 to analyse the new logs.

You can report how your system is running after having performed the OTL fix that magna86 gave you, e.g. are you still getting avast alerts, etc.

We go to new battles :slight_smile:

Open notepad and copy/paste the text present inside the code box below:


File::
c:\programdata\Microsoft\Windows\DRM\BA7A.tmp.dat

DirLook::
c:\users\Kim\AppData\Local\Macrovision

FileLook::
c:\users\Kim\AppData\Local\Macrovision\wjyynrii.dll
C:\Windows\syswow64\drivers\scsk5.sys

DDS::
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxp://download.softforum.co.kr/Published/XecureWeb/v7.2.5.0/xw_install.cab
DPF: {F939FEB8-9518-4A4A-BE60-D10FFB9557F2} - hxxp://download.kbstar.com/security/nprotect/netizenv55/npenkIEInstall5.cab

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and, referring to the picture above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Download JavaRa to your Desktop

  • Select the English language and click on Select
  • Click on Remove older versions
  • When it has completed and produced a log file, click on Search for updates, select the bottom option, then click on Search
  • It will take you to the site from which to download and install the latest version of Java

How is your computer running now?

I don’t see any picture/screenshot above, can you please repost.
Thanks!

It was; it is just an animated gif showing you how to drag the CFScript.txt desktop icon onto the ComboFix.exe desktop icon. If you can see them, do that.

There appears to be a problem loading the image from imageshack.us, that is why you (and I) can’t see it, it is trying to load it but failing…

Attached is the log from ComboFix.

When I downloaded JavaRa I did not see an English language option.
Only see Dutch, Spanish, French, Italian, Nederlands and Suomi.

I am no longer receiving the constant message alerts from Avast, which is a good sign.

You look clean: :slight_smile:

It is necessary to uninstall Combofix

Start >> Run

Combofix /Uninstall

Enter

JavaRa has support for the English language but it does not matter.

Just go here:
http://www.java.com/en/
…and download and install fresh Java.

Thank you so much! I’m no longer getting the Avast warning messages! Everything seems to be working well!

Do I need to do anything else? Delete any of the programs I downloaded to fix this issue?

Thanks again!

np :wink:

There is no need for any further action. :wink:

I forgot to tell you how to remove OTL. ;D

Re-Run OTL and click CleanUp! button.
This command will also remove any other tools that we used.

Thank you again for all your excellent help. It is much appreciated! :smiley: