When I open some of the desktop folders avast comes up with the following message:
C:\WINDOWS\System32\msacmx.dll is infected with the WIN32:Trojan-gen {other} virus.
I then move it to the chest.
I have updated and run the following applications:
CCleaner
CWShredder (Tells me there is nothing there)
Adaware (Found 4 critical & 1 registry entry which I removed)
I am using Zone Alarm, Avast AV with Auto Updates, Spyblaster 3.3.
Browser is the Mozilla Suite
I have run a boot scan and deleted the following file:
C:\WINDOWS\System32\msacmx.dll
After restarting I went to open a folder and the same message came up again. I have done a HijackThis scan and analysed it online, but I’m not sure what I should be doing with this. Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 8:08:44 AM, on 5/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Try to schedule a boot-time scan in avast’s menu (or try the ‘Schedule Boot-Time Scan’ using RajZors AEC avast! External Control Tool).
For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.
Adaware - nothing found
CW Shredder - nothing found
Ran CCleaner and deleted the stuff
Ran bootscan - nothing found
Here is a hjt log from today.
Logfile of HijackThis v1.99.1
Scan saved at 5:18:52 PM, on 25/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
You didn’t mention if avast! found anything during a boot time scan: as you say the other programs found nothing, did avast! remove this file?
This log seems to be clean, but you need to update Windows to SP2, which is much more secure. You can do it at the update site with broadband, or order a free CD if you’re on dial-up, where a download might take six hours.
Boot scan didn’t detect anything.
I already have CWShredder, it didn’t detect this either.
When I started again today, as soon as I open a folder on the desktop, avast finds this #^*^!>" thing.
I am going to upgrade to SP2 soon (broadband is getting connected soon).
Any other suggestions??
You said you have CWShredder. But you know the old program is discontinued and the latest updates are from the new maker InterMute. The link is http://www.intermute.com/products/cwshredder.html
Did you have the latest version? Sorry, this was just a question on my behalf. If you got rid of the malware, tell us about it. We want to know.
I have downloaded and run the latest version of CWShredder from the above website.
Silly question - Once I have moved the infected file to the chest, how do I then find it to use the above online scanner?
I have used the search function, but it can’t find it & I have browsed to where it should be, but no.
Right click the avast! icon, select Start avast! Antivirus and right click on the skin somewhere (or click on Menu) and select Virus Chest, that is how to find it.
Unfortunately you won’t be able to submit it to Jotti from the chest because it is a protected area. You would have to copy it to a temporary location (or restore it to the original location) first.
I'm starting to run out of patience.
By submitting it to Jotti, you will not only be helping yourself (by getting confirmation) but helping others. If it is a false positive, then alwil can hopefully resolve it to the benefit of others, perhaps even those who have helped you.
If it is a false positive, then if you can, zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces).
Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
When the Avast! warning comes up I moved the file this time. (It went to the data\moved file)
Went to Jotti and browsed to the moved file. (The avast! warning comes up again, but I closed it this time)
Put in the box and submitted, this is what I got:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
You will have to 1) temp disable avast standard shield and possibly web shield once you have established the connection to Jotti. 2) you may have to move the file out of the avast moved folder as it may be protected in the same way you can’t do anything with a file in the chest, as I said above.
I have scanned with Jotti and it has confirmed it is infected with a malware. I have downloaded a couple of programs suggested in other posts that I will try. I’ll keep you informed, but any suggestions will be welcomed.
Thanks to all the suggestions, I finally got rid of this annoying little problem last night.
I scanned with TDS-3 as suggested in another post but it didn’t find anything. Then I tried TrojanHunter. It found (Foton.100) in the dllhost.exe file in windows\system32 and cleaned it.
So far so good.