I'm infected with trz[****].tmp and I can't get rid of it, please help!

Hi, I’ve got some serious issues and I can’t fix them alone.

I’ll tell you everything so far:

-Yesterday I ran a full system scan (I do this every week, usually on a Monday, but this week I did it on the Wednesday), and when it finished it told me it had found a Trojan-gen in a file I think was called “report.exe” in my folder C:\windows\configsetroot\$oem$\$1\Apps. When I tried to move it to the chest I was told that it was unable to do so.

-I did some investigating, and when I tried to Right Click > Properties on the file, the little Avast red pop-up saying it had stopped access came up in my bottom right-hand corner and the file changed its name from “report.exe” to “trzEE31.tmp”. I scanned again and Avast still only found this file; however, when I tried to Right Click > Properties on another file in that folder the same thing happened, wherein the file changed its name from whatever it was to “trzE434.tmp”, so this one hid itself away from Avast and I only found it by looking. Avast had the blue pop-up in the bottom right-hand corner telling me it had a new update available; I thought I shouldn’t really go updating it when I’m infected.

-By this time I had been trying to figure out what to do for an hour; it was 1AM and I was too tired to think, so I set Avast to do a boot-time scan and went to shut down so I could try to fix this in the morning (today). However, Windows apparently had updates it needed to do and I didn’t really want updates trying to happen while I knew I was infected, so I just turned everything off by the switches and went to bed.

-I turned on my computer today and Avast ran its boot-time scan. It found the “report.exe” file fairly quickly, and when I tried to move it to the chest I was told “Move to chest: Error 0XC000007B {Bad Image}”, and when I tried to delete the file I was told “Delete: Error 0xc0000034 {Object Name not found}”. This made sense, as I thought if the file changed its name yesterday then it’s hiding with this name and all that, so I clicked ignore and the scan continued. A little while later in the scan it found an infected file, “C:\users\[My name]\downloads\flvmplayer.exe|>nsis.hdr is infected by NSIS:solimba-B [PUP]”; when I tried to send to chest and then to delete I got those same two errors I had received previously. After then finding some corrupt files in my Steam folder, which I doubt really matter, Avast found the file “C:\windows\configsetroot\$oem$\$1\Apps\trzEE31.tmp”, which I thought was strange since it already found it under the name “report.exe”? I tried to move to chest, no luck; however, delete worked this time.

-After the scan was over I tried to log in; the screen went black and I got the “This copy of Windows 7 is not genuine” message in the bottom right-hand corner. This scared me a little because my Windows 7 is genuine and I didn’t know whether I could even get into the computer now; however, after about half a minute my computer loaded up. I opened Task Manager straight away and looked for anything suspicious. Windows went on to automatically update itself (I assume with what I wouldn’t let it do last night?), and then a pop-up telling me that Windows needed to restart came up, which I have postponed. I then opened Chrome and signed up for this forum and posted this.

I don’t know how many of these trz.tmp files there are, as Avast only found one hidden and I only found one other myself. I don’t know if this “flvmplayer.exe” file is the cause or if it even has anything to do with this? I don’t recognise it or remember downloading it… I’m not even sure what it is, and I can’t find it in my downloads folder unless I am missing it or something…

Follow this guide and attach the requested logs… not copy and paste. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, a removal expert will be notified and will help you.

Like a typical idiot I ran OTL without the Custom Scans/Fixes section; I let it do its scan and then I redid it with the Custom Scans/Fixes information.

I’ve attached the results from AdwCleaner, Malwarebytes and OTL. I will attach the results from aswMBR in the next post, as I can only attach 4 per post.

I’ve attached the results from aswMBR in this post, as well as adding the results from the OTL scans when I forgot to add the Custom Scans/Fixes section. I doubt these will be needed, but I thought I had better add them also.

flvmplayer.exe is a media player and this is probably the installation file. It does come bundled with adware, dependent on where you got it from.

C:\windows\configsetroot\$oem$: this appears to be part of the manufacturer's installation data and should have been removed before you got the system.

Not a lot showing elsewhere.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O3 - HKU\S-1-5-21-107039990-3625247061-350829234-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
@Alternate Data Stream - 24 bytes -> C:\Windows:54D52DF6B9E50869

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered; reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Okay, here you go. The first file attached is one that came up after the reboot after the “Run Fix”, and the second file attached is the one from after “Quick Scan”.

After the reboot, I logged in and everything was black, and a window came up saying download OTL or something before my desktop showed up. I clicked okay and after a minute or so my desktop came up.

The file Windows>ConfigSetRoot>$oem$>$1>Apps>trzE434.tmp still exists; I assume this is also not the only hidden trz.tmp file lurking around?

^ I posted before I was done, I have edited above with all information.

Total Files Cleaned = 5,982.00 mb. This was why Windows took a while to load; OTL was cleaning up ;D

As I say, I believe Windows>ConfigSetRoot>$oem$ is a false positive, as that is the folder from which a silent install of Windows is carried out, and report.exe will do a lot of digging around in the system to ensure it loaded properly. Due to this characteristic Avast does not like it… But the files are probably hidden/read-only.

How is the computer behaving otherwise?
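As an added example (editor's code, not posted by anyone in this thread), the checks below cover what the fix post and the reply above touch on: the hidden/read-only attributes expected in the $oem$ folder, the 24-byte alternate data stream on C:\Windows that the OTL fix deletes, and the hosts file that [resethosts] replaces. The folder path and the stream name are taken from the posts; everything else (variable names, the hashing step) is an assumption. It is inspect-only and needs Windows PowerShell 3.0 or later in an elevated prompt (Windows 7 ships 2.0; WMF 3.0 adds -Stream and -File).

```powershell
# Added example, not part of the thread. Inspect-only: nothing here changes the system.
# Assumes Windows PowerShell 3.0+ running elevated; the paths below come from the posts.

# Single quotes keep $oem$ and $1 from being expanded as variables.
$folder = 'C:\Windows\ConfigSetRoot\$oem$\$1\Apps'

# 1) Hidden / read-only / system files. Get-ChildItem omits hidden and system items
#    unless -Force is given, which is one reason a folder can look emptier than it is.
Write-Host "== Attributes under $folder =="
Get-ChildItem -LiteralPath $folder -Force -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -match 'Hidden|ReadOnly|System' } |
    Select-Object FullName, Attributes, Length, LastWriteTime |
    Format-Table -AutoSize

# 2) SHA-256 of any trz*.tmp file still present, for a lookup or a sample submission.
#    Done with .NET rather than Get-FileHash so it also works on PowerShell 3.0.
Write-Host "== Hashes of trz*.tmp =="
Get-ChildItem -LiteralPath $folder -Force -Recurse -Filter 'trz*.tmp' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $fs  = [System.IO.File]::OpenRead($path)
            try     { $hex = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
            finally { $fs.Dispose(); $sha.Dispose() }
            [PSCustomObject]@{ File = $path; SHA256 = $hex; Attributes = $_.Attributes }
        } catch {
            # An on-access scanner (the red Avast pop-up in the first post) can refuse the open.
            Write-Warning "Could not read ${path}: $($_.Exception.Message)"
        }
    } | Format-Table -AutoSize

# 3) Alternate data streams. The OTL fix removes a 24-byte stream named 54D52DF6B9E50869
#    on the C:\Windows directory. ':$DATA' is the ordinary content stream and is filtered
#    out so only extra streams are shown.
Write-Host "== Alternate data streams on C:\Windows =="
Get-Item -LiteralPath 'C:\Windows' -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# Dump a named stream as hex before deciding whether it matters (name taken from the OTL fix).
$streamName = '54D52DF6B9E50869'
$bytes = Get-Content -LiteralPath 'C:\Windows' -Stream $streamName -Encoding Byte -ErrorAction SilentlyContinue
if ($bytes) { ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }

# 4) Live entries in the hosts file, which the [resethosts] command replaces with the
#    default. Anything beyond localhost entries deserves a look.
Write-Host "== Non-comment hosts entries =="
Get-Content -LiteralPath "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }
```

Run it before and after the OTL fix: the stream listing in step 3 should be empty afterwards, and step 4 should show at most the two localhost lines.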

Nothing in particular was happening with it before, it seems to be running as it always has.

So if $oem$ is a false positive, why did report.exe turn into trzEE31.tmp? And now neither of those exist, because trzEE31.tmp was deleted during that Avast boot-time scan before I posted here? I still have a trz.tmp file in that folder and I’m sure there are more hidden somewhere, because I only found that one by Right Click > Properties on the file that it was hiding in… I’m sure there are more?

Should I update Avast now? Will that fix why it couldn’t move the trz.tmp files into the chest?

Am I still infected, should I be worried more trz.tmp files will turn up? What should I do with the ones I’ve still got?

They are not an infection; you can delete the folder if you wish, but it is doing no harm.

I’m really thankful for you helping me :)

I still have a bunch of questions, if you wouldn’t mind answering them…

I deleted the $oem$ folder; it was like 12GB. Are you sure that was okay to go?
Why did the computer say that my version of Windows 7 wasn’t genuine?
Why did report.exe and that other file I can’t remember the name of turn into trz.tmp files?
What should I do with the Trojan file, C:\Windows\System32\msvfd2.exe, in Malwarebytes’ quarantine?
And please tell me why Avast couldn’t move the trz.tmp files to the chest?

Why did the computer say that my version of Windows 7 wasn't genuine?
This was due to the report file resetting the Windows validation. Normal OEM method.
Why did report.exe and that other file I can't remember the name of turn into trz.tmp files?
Not quite sure on that one yet.
What should I do with the Trojan file, C:\Windows\System32\msvfd2.exe, in Malwarebytes' quarantine?
It is quite safe there; if you experience no problems then in about a week or so delete it.
And please tell me why Avast couldn't move the trz.tmp files to the chest?
Again, not quite sure, so I will need to check that out.
I deleted the $oem$ folder, it was like 12GB are you sure that was okay to go?
That was the data to preinstall Windows for you.

I updated Avast to the newest version and newest definitions. Please get back to me with information on why some of this happened if you figure it out… Also, if you need me to do anything else to help figure this out, just let me know :D

Either way thank you so much for helping me! :3

Good afternoon. So I decided I should run a full scan on Avast today just to be sure everything’s clean. The scan was taking ages; it was 2 and a half hours in and still at 0%, and then I ran into an issue: Avast said that some files could not be scanned and it won’t let me click apply to move them to chest, repair or delete them.

C:\ProgramData\Microsoft\Windows Defender\Definition Updates.…\mpasbase.vdm Error: The system cannot find the path specified (3)
C:\ProgramData\Microsoft\Windows Defender\Definition Updates.…\mpengine,dll Error: The system cannot find the path specified (3)
C:\ProgramData\Microsoft\Windows Defender\Definition Updates.…\mpengine.dll Error: The system cannot find the path specified (3)

I didn’t know where to post this so I just thought I’d add it to this thread.

Error: The system cannot find the path specified (3)
Moving files that cannot be found is very difficult. ;D

But why do you want to move them? This is a scan error and not a detection, and that is why Avast will take no action.
This error is usually gone if you reboot and scan again… by the name they belong to the Windows Defender update.

Okay, thanks. One last thing: I see from other threads that people were told to run a cleanup on OTL or something, but I wasn’t? Is that something important? What does it do?

Relax… be patient; essexboy is working your case and will be back soon.

Yep, when I run the cleanup I remove my rubbish and give some little security tips.

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean!

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run AdwCleaner and select Uninstall

Run OTL and hit the Cleanup button. It will remove all the programmes we have used, plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right-click Disk Cleanup and select Run as administrator
When it pops up, select OK at the first prompt; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean.

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then, as an added layer of protection, install Trusteer Rapport.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe!
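The "Clear Restore Points" step above done from an elevated Windows PowerShell prompt instead of the Disk Cleanup dialog, as an added example (editor's code, not part of the thread). Windows 7's built-in PowerShell 2.0 is enough. The restore-point description string is an assumption; the cmdlets and the vssadmin syntax are standard.

```powershell
# Added example, not part of the thread: the "Clear Restore Points" step as commands.
# Run elevated. Deleting shadow copies is irreversible, so list them first.

# What exists now. Points created before the cleanup can still carry the unwanted files.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Remove every shadow copy on the system drive; restore points are stored in them.
# Note the difference from the Disk Cleanup button, which keeps the most recent point:
# this removes all of them, so the next step recreates one.
vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet

# Immediately create a fresh, known-clean point so a rollback target exists again.
# (On Windows 8 and later Checkpoint-Computer creates at most one point per 24 hours.)
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

# Confirm only the new baseline remains.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description
```

Run this only once the helper has declared the log clean, for the same reason the thread does it last: a restore point taken earlier would let System Restore bring the removed files back.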