I need help!!

People, this morning there’s a popup saying a file is infected with NutCracker Family. Avast can’t move it to the virus chest nor repair the file. Is it a false positive?
C:\Users\Chong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData\Symantec\Shared\QBackup{110DAC0A-EDFE-4B8F-B3B8-66BECC16CD9F}.qbi

And also, last night there was suddenly a popup saying a file is infected with JS:MalHead-U [Trj]; Avast can only move the file to the virus chest and can’t repair it.
C:\Users\Chong\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3H4OPEAZ\yt[1]htm

Can anyone give me some guidance to get rid of these 2 viruses? T_____T

Hi, there is no need to panic. If the viruses are in the chest they are safe from harming your computer. The first entry seems to be a false positive to me, but to make sure you should upload the file for analysis at Virus Total. I would also recommend you do a full scan with Malwarebytes Anti-Malware from here. This will ensure that the Trojan doesn’t have any “friends”. Download, update and do a full scan. Then post the log here. You should also clear your temporary internet files/browser cache.

Two things to try…

  1. Open Avast and schedule a boot scan to run the next time that you start the system…
    Start Avast and when you get to the ridiculous car-radio-looking control panel, click on the triangle in the upper left-hand corner to make a menu appear, and in that menu select ‘Schedule boot-time scan…’
    Reboot when prompted and let it do its thing… It can take a very long time if you have a very large and full hard disk.
  2. Download and run the free antimalware program called Malwarebytes. The free program is the same as the paid program but only scans on demand (in other words, it is not continuously scanning; it only scans when you instruct it to do so). Be careful downloading it, as the manufacturer’s site directs you to downloads.com, which is riddled with deceptive advertisements that encourage you to pay for garbage when the best antimalware product currently available is free.
    http://malwarebytes.org/
    Good luck.

Here’s the log of the VirusTotal check on the .qbi file:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.09 -
AhnLab-V3 5.0.0.2 2009.10.08 -
AntiVir 7.9.1.35 2009.10.08 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.09 -
Avast 4.8.1351.0 2009.10.08 Nutcracker family
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.09 -
CAT-QuickHeal 10.00 2009.10.09 -
ClamAV 0.94.1 2009.10.09 -
Comodo 2543 2009.10.09 -
DrWeb 5.0.0.12182 2009.10.09 -
eSafe 7.0.17.0 2009.10.08 -
eTrust-Vet 35.1.7058 2009.10.08 -
F-Prot 4.5.1.85 2009.10.08 -
F-Secure 8.0.14470.0 2009.10.09 -
Fortinet 3.120.0.0 2009.10.09 -
GData 19 2009.10.09 Nutcracker family
Ikarus T3.1.1.72.0 2009.10.09 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.865 2009.10.08 -
Kaspersky 7.0.0.125 2009.10.09 -
McAfee 5765 2009.10.08 -
McAfee+Artemis 5765 2009.10.08 -
McAfee-GW-Edition 6.8.5 2009.10.09 -
Microsoft 1.5101 2009.10.08 -
NOD32 4491 2009.10.08 -
Norman 6.01.09 2009.10.08 -
nProtect 2009.1.8.0 2009.10.08 -
Panda 10.0.2.2 2009.10.08 -
PCTools 4.4.2.0 2009.10.08 -
Prevx 3.0 2009.10.09 -
Rising 21.50.40.00 2009.10.09 -
Sophos 4.45.0 2009.10.09 -
Sunbelt 3.2.1858.2 2009.10.09 -
Symantec 1.4.4.12 2009.10.09 -
TheHacker 6.5.0.2.033 2009.10.07 -
TrendMicro 8.950.0.1094 2009.10.09 -
VBA32 3.12.10.11 2009.10.08 -
ViRobot 2009.10.9.1977 2009.10.09 -
VirusBuster 4.6.5.0 2009.10.08 -

I’ve already deleted the temporary internet files; I will post the malware scanning log later.

The malware scanning log shows that there’s no infected files.

Pardon me as I’m a computer noob T___T

I would like to ask: is there any chance that the virus will infect the files in D:?
My D: is from HP and it’s the recovery partition.

Hi:

Your 1st Post indicated you MAY have Symantec “remnants” on your computer !? IF true, it would be wise to run the “Norton Removal Tool” which is available at several websites.

It seems unlikely since the malware seems to only have made it as far as your temp files.
Since only Avast! and GDATA detected the first file I am inclined to believe that it is a false positive (they share the same engine). You can zip the file into a password-protected zip file and send it to virus (at) avast.com for analysis. Just place the password in the body of the e-mail. Then they will be able to correct the false positive for the next definitions update.
You can find the Norton Removal Tool here.
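A small checker for the kind of VirusTotal listing posted above, written as an added example (not from the thread, Avast or VirusTotal): it parses the rows, counts detections, and collapses engines that share a scanner (GData using the Avast engine, as the reply notes) into one independent opinion, which is the reasoning behind calling the .qbi detection a likely false positive. The sample rows, the shared-engine mapping and the "likely false positive" threshold are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the same "Engine Version LastUpdate Result" layout as
# the VirusTotal report posted in the thread (a subset of its rows).
VT_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.09 -
AntiVir 7.9.1.35 2009.10.08 -
Avast 4.8.1351.0 2009.10.08 Nutcracker family
BitDefender 7.2 2009.10.09 -
F-Secure 8.0.14470.0 2009.10.09 -
GData 19 2009.10.09 Nutcracker family
Kaspersky 7.0.0.125 2009.10.09 -
McAfee 5765 2009.10.08 -
Microsoft 1.5101 2009.10.08 -
NOD32 4491 2009.10.08 -
Sophos 4.45.0 2009.10.09 -
Symantec 1.4.4.12 2009.10.09 -
TrendMicro 8.950.0.1094 2009.10.09 -
"""

# Products that license another vendor's engine count as one opinion, not two.
# GData's use of the Avast engine is stated in the thread; this mapping is an
# assumption for the example, not a maintained list.
SHARED_ENGINE = {"GData": "Avast"}

# engine, version, yyyy.mm.dd, result (the header line has no date and is skipped)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")

def parse_report(text):
    """Return (engine, update_date, result) tuples; result is None when clean ('-')."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            engine, _version, date, result = m.groups()
            rows.append((engine, date, None if result == "-" else result))
    return rows

def consensus(rows, min_engines=10):
    """Summarise detections and how many independent engines back them."""
    hits = [(engine, result) for engine, _date, result in rows if result]
    independent = {SHARED_ENGINE.get(engine, engine) for engine, _ in hits}
    return {
        "scanned": len(rows),
        "detections": len(hits),
        "independent_engines": len(independent),
        "names": Counter(result for _, result in hits),
        # Heuristic: a single independent opinion among many engines is weak evidence.
        "likely_false_positive": len(rows) >= min_engines and len(independent) <= 1,
    }

if __name__ == "__main__":
    print(consensus(parse_report(VT_REPORT)))
```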

And I need one more bit of help.

Avast detected that my D:\ (which is the recovery partition) has a couple of files infected with Win32:Trojan-gen {other}.
But I didn’t store any files on D:\ as I can’t even access it… The affected files are related to the pre-installed games.
Avast can’t move them to the chest as access is denied.

This is the log for the scan:
Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Zuma_Deluxe-Setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\241\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Zen_of_Sudoku-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\219\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\wonderland_secretworlds-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\7\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Wizard_of_Oz-setup.exe[Embedded_I#001802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\309\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Virtual_Villagers_2-setup.exe[Embedded_I#001802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\193\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Treasures_of_the_Deep-hp-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\5\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Teddy_Factory-setup.exe[Embedded_I#001802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\6\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\spin_and_win-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\89\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Spin_and_Play-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\133\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Slingo_Quest-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\5\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Mystic_Inn-setup.exe[Embedded_I#001802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\51\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\MCF_Prime_Suspects-setup.exe[Embedded_I#001802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\57\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Mahjong_Match-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\7\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Mahjong_Escape_Ancient_China-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\4\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\mah_jong_quest-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\608\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\luxor_new-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\22\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Luxor_Amun_Rising-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\19\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Luxor_2-setup.exe[Embedded_I#001802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\16\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Jewel_Match-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\169\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\insaniquarium_deluxe-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\538\Launch.exe” file.

Sign of “Win32:Trojan-gen {Other}” has been found in “D:\hp\apps\APP08160\src\HP_Setups_English_Vista_Desktop_050807.exe\presetup\Galapago-setup.exe[Embedded_I#01802d]\data{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\6\Launch.exe” file.

Could this be another false positive case?


Is your computer an HP (Hewlett-Packard) computer?

And, are you saying all those POPCAP games came pre-installed on this computer when it was new?


Yeah, my computer is an HP.
Yup, those games are pre-installed…
Now the problem is Avast found threats in D:, which is the recovery partition…
I can’t even explore the recovery partition as it’s protected.

I scanned with other online antivirus scanners but no threats were found…
MBAM didn’t find any threats either.


While I do not think there is much danger related to those POPCAP games, it is my guess that these games might occasionally “call home.”

I suggest you contact POPCAP games to ask why their games might include code that could be detected as Win32:Trojan-gen.


I’ve contacted PopCap, and their reply is that because those files are .exe, Avast detected them as a trojan.
They said it’s a false positive from Avast…

Hope Avast can update.