(resolved) What is this?

Recently I keep getting this warning; it says virus threat detected. It started when I tried to read a message from UPS (United Parcel Service) in my e-mail. I deleted the message but still keep getting this; now it does not seem to matter if I am in my e-mail or just browsing. In fact it just popped up now while writing this:
avast! Network Shield has blocked a harmful site.
Visit avast portal for more info

object 91.204.48.46/test/dot.exe
URL:Mal
blocked
C:\WINDOWS\system32\svchost.exe

sometimes it says /test/69.exe instead of /test/dot.exe

Anyone know what it means?
From Garry

Was there an attachment? Did you open it?

Fake UPS Invoice Email
http://pandalabs.pandasecurity.com/fake-ups-invoice-email/
http://www.spamfighter.com/News-15162-Fake-UPS-Spam-E-mails-Spread-Malware.htm

and many more
http://www.google.no/#hl=no&source=hp&biw=1276&bih=604&q=fake+UPS+mail&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=32d629ba921fe968

C:\WINDOWS\system32\svchost.exe
similar problem here http://forum.avast.com/index.php?topic=65031.0

and they report it solved by running these; see replies #4 and #6

Kaspersky TDSS killer http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en-us

Was there an attachment? Did you open it?
Yes, there was an attachment, but perhaps fortunately I was not able to open it. It said it was the "label address" and was necessary to get info or pick up the package. I deleted it, and also the e-mail... maybe I should have kept it for more info?
from Garry

Have you tried the tools suggested?

Yes, I downloaded the tools mentioned.

Quote from Reply #2:
"similar problem here http://forum.avast.com/index.php?topic=65031.0

and they report it solved by running these; see replies #4 and #6

Kaspersky TDSS killer http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en-us
and actually several "viruses" or malwares were found... and now the warning has stopped popping up. Thank you very much everyone for this info. I have the logs from the scans if anyone wants to see them, but since at this time it seems to be "cured" I don't see any reason to post the logs. However, I will check back to see if anyone wants to see them. Also this seems to be a great forum, so I will continue to check in from time to time.
from Garry
http://www.garryspages.webs.com

I’m glad that things appear to be resolved for you. See how your machine runs over the next day or two. If all runs well, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed.

I would suggest that you browse the “General Topics” section for updates and new threats that warn users of incidents like you experienced so perhaps in the future you can avoid such an incident. We try to post this to help people and educate them as well.

Feel free to come back any time you need help, to learn something new, or just to ask questions. We are here 24/7 for your convenience. Thank you.

..I have the logs from the scans, if anyone wants to see them,
Yes please...... ;)

If they are big, then post them as attachments; see lower left corner > Additional Options.

1st log
Norman Malware Cleaner
Version 1.8.2
Copyright © 1990 - 2010, Norman ASA. Built 2010/10/15 20:10:44

Norman Scanner Engine Version: 6.06.07
Nvcbin.def Version: 6.06.00, Date: 2010/10/15 20:10:44, Variants: 7676569

Scan started: 2010/10/16 15:39:05

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: WINLEONIC\LEONIC

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = “Explorer.exe rundll32.exe qvuo.sbo nvijs” → “Explorer.exe”
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = 0xFFFFFF9D → 0x00000000
Removed registry value: HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer → NoResolveSearch = 0x00000001
Removed registry value: HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer → NoResolveSearch = 0x00000001
Removed registry value: HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer → NoResolveSearch = 0x00000001
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer → NoResolveSearch = 0x00000001

Scanning kernel…

Kernel scan complete

Scanning bootsectors…

Number of sectors found: 3
Number of sectors scanned: 3
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 1s 313ms

Scanning running processes and process memory…

Number of processes/threads found: 2463
Number of processes/threads scanned: 2463
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 3m 7s

Scanning file system…

Scanning: prescan

Scanning: C:\*.*

C:\WINDOWS\system32\calc.exe (Infected with W32/Smalldoor.BVTK)
Removed link file: C:\Documents and Settings\LEONIC\Escritorio\Calculadora (2).lnk
Deleted file

Scanning: D:\*.*

D:\HBCD\WinTools\WinTools\KillBox.exe (Infected with W32/Suspicious_Gen2.dam)
Deleted file

D:\WinTools\KillBox.exe (Infected with W32/Suspicious_Gen2.dam)
Deleted file

Scanning: E:\*.*

E:\NEWFRDOSCD\SOURCE\bz2\sample1.bz2/file0 (Error whilst scanning file: I/O Error (0x00220001))

Scanning: F:\*.*

Scanning: J:\*.*

J:\NEWFRDOSCD\SOURCE\bz2\sample1.bz2/file0 (Error whilst scanning file: I/O Error (0x00220001))

Scanning: K:\*.*

Scanning: L:\*.*

L:\HBCD\WinTools\KillBox.exe (Infected with W32/Suspicious_Gen2.dam)
Deleted file

Running post-scan cleanup routine:
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = “Explorer.exe rundll32.exe qvuo.sbo nvijs” → “Explorer.exe”
from Garry

OK, that was it on logs. I hope that was not too big. The other 2 logs were from a portable HD I have that had all the same stuff I had backed up; the reports, or logs, were the same.
Thanks again everyone
from Garry

I would be concerned with a number of the file detections by Norman:
First, deletion isn't really a good first option (you have none left). "First do no harm": don't delete; send the virus to quarantine, etc., a protected area, and investigate.

KillBox.exe is a tool and, if it is on your system legitimately, isn't an issue; calc.exe is another file in a legit location, so it warrants investigation before deletion.
You could also check the offending/suspect file at VirusTotal (a multi-engine on-line virus scanner) and report the findings here: the URL in the address bar of the VT results page.

This one seems to be the major find, as it is saying: change the Explorer shell settings to use and register a different file, rundll32.exe qvuo.sbo nvijs.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = “Explorer.exe rundll32.exe qvuo.sbo nvijs” → “Explorer.exe”
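As an added example (not code from this thread, from Norman or from avast), the Python script below parses the registry and detection lines of the Norman Malware Cleaner log posted above and flags the points raised in the reply above it: a Winlogon Shell value that carries more than Explorer.exe, Windows File Protection switched off through SFCDisable, Explorer policies pushed into the service-account hives, and files that were deleted outright rather than quarantined. The sample log text is a constructed excerpt of the lines quoted in the thread; the "Explorer.exe only" baseline for the Shell value and the SID-to-account table are assumptions about a stock Windows XP install.

```python
"""Parse a Norman Malware Cleaner log and flag the persistence and cleanup
findings a responder would want to see.  Added example for this thread,
not a tool shipped by Norman or avast."""
import re
from dataclasses import dataclass

# Constructed sample: the registry and detection lines quoted from the log
# posted in this thread, kept in Norman's own "old -> new" reporting style.
SAMPLE_LOG = r"""
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = “Explorer.exe rundll32.exe qvuo.sbo nvijs” → “Explorer.exe”
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = 0xFFFFFF9D → 0x00000000
Removed registry value: HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer → NoResolveSearch = 0x00000001
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer → NoResolveSearch = 0x00000001

C:\WINDOWS\system32\calc.exe (Infected with W32/Smalldoor.BVTK)
Removed link file: C:\Documents and Settings\LEONIC\Escritorio\Calculadora (2).lnk
Deleted file

D:\WinTools\KillBox.exe (Infected with W32/Suspicious_Gen2.dam)
Deleted file
"""

SET_RE = re.compile(r'^Set registry value: (?P<key>.+?)\\(?P<name>[^\\ ]+) = (?P<old>.+?) → (?P<new>.+)$')
REMOVED_RE = re.compile(r'^Removed registry value: (?P<key>.+?) → (?P<name>\S+) = (?P<value>\S+)$')
INFECTED_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) \(Infected with (?P<sig>[^)]+)\)$')

# Assumed baseline: on a stock XP box Winlogon\Shell is exactly "Explorer.exe".
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed well-known SIDs for the per-service hives touched in the log.
HIVE_NAMES = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


@dataclass
class RegChange:
    key: str
    name: str
    old: str
    new: str


@dataclass
class Detection:
    path: str
    signature: str
    deleted: bool = False


def _unquote(value):
    """Strip the curly or straight quotes Norman puts around string data."""
    return value.strip().strip('“”"')


def parse_norman_log(text):
    """Return (registry sets, registry removals, file detections) from a log."""
    sets, removed, detections = [], [], []
    current = None                      # detection the next "Deleted file" belongs to
    for line in text.splitlines():
        line = line.rstrip()
        if (m := SET_RE.match(line)):
            sets.append(RegChange(m["key"], m["name"], _unquote(m["old"]), _unquote(m["new"])))
        elif (m := REMOVED_RE.match(line)):
            removed.append(RegChange(m["key"], m["name"], m["value"], ""))
        elif (m := INFECTED_RE.match(line)):
            current = Detection(m["path"], m["sig"])
            detections.append(current)
        elif line == "Deleted file" and current is not None:
            current.deleted = True      # no copy left to quarantine or submit
        elif not line:
            current = None              # blank line ends the detection block
    return sets, removed, detections


def shell_extras(shell_value):
    """Return whatever a Winlogon\\Shell value launches besides Explorer.exe."""
    tokens = re.split(r"[,\s]+", shell_value.strip())
    return " ".join(t for t in tokens if t and t.lower() != "explorer.exe")


def assess(log_text):
    """Turn the parsed log into the findings a responder would raise."""
    sets, removed, detections = parse_norman_log(log_text)
    findings = []
    for c in sets:
        if c.key.lower() != WINLOGON.lower():
            continue
        if c.name.lower() == "shell" and shell_extras(c.old):
            findings.append(f"Winlogon Shell hijack: '{shell_extras(c.old)}' was started with the shell "
                            f"at every logon (restored to '{c.new}')")
        elif c.name.lower() == "sfcdisable" and int(c.old, 16) != 0:
            findings.append(f"Windows File Protection was off (SFCDisable={c.old}), "
                            f"so replaced protected system files were not restored")
    for r in removed:
        hive = r.key.split("\\")[1] if r.key.startswith("HKU\\") else "current user"
        findings.append(f"Explorer policy {r.name}={r.old} had been set for {HIVE_NAMES.get(hive, hive)}")
    for d in detections:
        if d.deleted:
            findings.append(f"Deleted outright, no sample left for VirusTotal: {d.path} ({d.signature})")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print(finding)
```

Run against the log excerpt it reports the Shell hijack with the exact extra command line, the non-zero SFCDisable value, which account hives carried the Explorer policy (S-1-5-18 is SYSTEM), and the two deletions that left nothing to quarantine, which is why the reply above recommends quarantine over deletion.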