I am being invaded… by vbs:exedropper-gen[trj] and win32:ramnit-b… avast is deleting or putting them in a chest… how do I make it stop though? it is running rampant through my files… will avast be able to block them all?
Ok… it says that most were deleted or put in the chest… over 8600… but the shield tells me that those files are infected… what do I do? the pop up said I don’t need to do anything… but why does the shield still tell me that I have infected files… even when I ran a scan it showed no infections… please help… I am confused…
Next, check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free http://www.malwarebytes.org/ for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
  o General: Automatically Save File After Scan Completes is checked off
  o Scanner Settings: Check all boxes
  o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts – click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
well, I have been home for a few hours, and I am not getting the pop ups anymore… I want to thank safesurf… I am not sure I am done yet… but I know I will forget…
so thank you for all the help so far… and if we are done… thank you!
Do you have any passwords stored on your machine? Gaming passwords or any other? If so, delete the passwords as a precaution.
Update and run another MBAM scan and if anything comes up, put them in quarantine. Copy and paste your log here in this thread.
Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0. You already did the MBAM part. Scroll down to the red OTL and download the OTL file, which you need to download to your desktop. Follow the instructions on the link I just gave you. Attach 2 (large) OTL log files (located on your desktop) to your next post. To attach: click “Additional Options” > Attach > browse (desktop) > post (you will need to attach 2 logs to your post).
Looks like this little b*stard is a recent phenomenon.
I have exactly the same problem.
May I just say that this thread has been really helpful.
BUT… for me, when the trojan had finished tearing through my PC (and when the virus chest was full), I got a ‘WINDOWS FILE PROTECTION’ pop up saying that ‘programs that are required for windows to run properly have been replaced by unrecognised versions…please insert XP CD to restore the original versions’.
Now this didn’t seem to be a problem at this stage; I just ignored the box (did not close it).
When I had finished an avast full system scan (which showed no files infected), I then went on to do a Malwarebytes scan also, as suggested in this thread.
I opened Malwarebytes, clicked on ‘update’ but there was an error and malware could not update. I then attempted to reopen Firefox (with the intention of downloading Malwarebytes again from scratch to get the latest definitions) but Firefox would not get beyond the ‘previous session crashed’ pop up.
I then tried IE but this proceeded to start installing itself, presumably a symptom as described by the above ‘WINDOWS FILE PROTECTION’ box that appeared.
I’ve no idea what to do now :-\
I suppose I could do a Malwarebytes scan without the updated definitions, but as this is a comparatively new virus I don’t know how useful this will be.
Many thanks in advance for any advice you may have.