Trojan Problem

Hello!

I need assistance to know if the message that I keep getting from Avast could be a false positive. I originally got a pop up for Trojan detection. It was:
Object - C:\Windows\assembly\tmp\U\80000032.@
Infection - Win32:DNSchanger-VJ[Trj]
Action - Moved to chest
Process - C:\Program Files (x86)\Internet Explorer

Avast said that it was blocked and the system was secure. Then it prompted me to reboot and run a real-time bootscan, which I did. 8 viruses were moved to the chest. Upon reboot I ran CCleaner on Windows & Applications and deleted all junk files, I then had it scan the registry and remove any harmful items. I then ran SAS and it had removed 1 harmful file. I then ran MBAM and it had removed 1 malware threat. I also ran Glary Utilities and it had fixed some registry files and cleaned out a bunch of temporary files.

I then went and opened IE and got another pop up for a blocked trojan for the same files, skipped the reboot and went directly to the C:\Windows\assembly folder, had MBAM scan the folder but nothing was found, had avast scan the folder and 2 threats were found. They were:
1) Filename - C:\Windows\assembly\tmp\U\00000002.@|[Embedded_R#00290]
Status - Threat:Win32:Malware-gen
Action - Move to chest
2) Filename - C:\Windows\assembly\tmp\U\80000032.@
Status - Threat:Win32:DNSchanger-VJ[Trj]
Action - Move to chest

I applied both of these and it was successful. I then rebooted my machine and opened IE and got the same message about the same trojan being blocked and that the system is secure. I’m not sure if this is a fake positive because I can go back to the assembly folder and every time I scan it with avast it finds the same malware and claims that it has been moved to the chest. I am still getting popups on it being blocked; usually the process is Steam or Avast or SAS or MBAM, sometimes it will be a svchost.exe that is the process. I’m just not sure what to do to get rid of this. Honestly my laptop works just fine, but I want to be 100% sure there is no issue.

Thank You

This one is going to need specialist analysis and malware removal.

Unfortunately essexboy, who normally covers these analysis and specialist malware removal tasks, is on holiday. There are a couple of others who have experience of the analysis of the OTL logs, but they aren’t as frequently on-line as essexboy is/was.

Essexboy is on holiday and will be away from his system 28th September to 6th October. It may take him a little while after that to acclimatise ;D

In the meantime, you could go to Geekstogo. Before posting read this topic, http://www.geekstogo.com/forum/topic/2852-malware-and-spyware-cleaning-guide/, include in the first post a description of the problem, the OTL scan logs and the aswMBR log. That should get a quick response.

For information on and a download location for aswMBR.exe read this topic, http://forum.avast.com/index.php?topic=53253.0.

We have the exact same thing happening and it started Sept 29th also. It wasn’t actually blocked, and managed to change some settings including “removing” the server from the network. Will be glad when dud comes back from vacation

I certainly wouldn’t wait to resolve this, but follow essexboy’s advice to use the geekstogo site where he is also an instructor and moderator (when not on holiday or the avast forums).

Thanks for the advice. I had followed the steps and posted the results over on the geeks to go site. I am still awaiting a reply for my initial post. :wink:

You’re welcome, hopefully it won’t be too long.

I am having the exact same problem. Hopefully you will get a response soon.

Well you can start the ball rolling:

  • This needs further analysis by a malware removal specialist:
    Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and start your own new topic here http://forum.avast.com/index.php?board=4.0 and click the New Topic button at the top of the page. Give some basic information on your system OS, etc. and a description of the alert, attach the logs there, not in the LOGS topic.

Thank you for pointing me in the right direction. I ran Malwarebytes and it seems to have taken care of the issue, for now. I notice that when I am having the problem (avast putting virus in chest every time I open a new browser window) I will always have PING*32.exe and conhost.exe running in task mgr. I have never seen those processes running until I started having this problem. Do you know what that means? Is it bad?

I clicked the link to OTC that you provided and avast wants to run it in the sandbox, but it won’t run. So I am stuck.

Thanks again

From this point forward, please create your own new topic for comments/problems, so as not to hijack this one. When you run OTL use the drop down list to have the autosandbox run it normally. Then attach the logs in your new topic.