Win32:dialer-Bok

I did a full scan yesterday and Avast Pro found a high risk Trojan in my Windows/Temp folder. The file is WER239B.tmp.hdmp. It says it is infected with WIN32:dialer-BOK. I don’t know because I scanned with all my other scanners on this pc and they find nothing (see signature). I suspect a FP so I tried sending from Avast’s quarantine to Avast software the 96 MB file but so far it is still detected as Trj. Wonder if somebody can say something more on the subject. Usually I surf sandboxed, so the only way I got infected is through installation of programs (SpywareBlaster from MajorGeek) or email. Thanks! :wink:

That is a dump file (http://filext.com/file-extension/HDMP) and as such I wouldn’t have thought it would be infected, but it is a compressed file and could get a strange result.

You should check it out at virustotal:
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to Open the chest and right click on the file and select ‘Extract’ it to a temporary (not original) location first, see below.

Create a folder called Suspect in the [b]C:[/b] drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If this is an old file, then its value is much depreciated and could reasonably be removed, but if the detection isn’t good you want avast to correct the signature.

David, the file is too big (over 20 MB) at 96 MB so I can’t use VirusTotal. :frowning:
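When a suspect file is too large to upload, VirusTotal can still be searched by the file's hash, since the service keeps reports for files other users have already submitted. The PowerShell below is an added example and not something posted in the thread; it computes the SHA-256 of the copy extracted to the excluded C:\Suspect folder (the path is an assumption) and builds the lookup URL together with the file details DavidR asked for.

```powershell
# Added example (not from the thread): hash a suspect file and build the
# VirusTotal lookup URL, so a file above the upload limit can still be
# checked against reports VT already holds. Uses .NET directly so it also
# runs on Windows 7, where Get-FileHash is not available.
function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try {
        $hashBytes = $sha256.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha256.Clear()
    }
    $hex = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''

    # Everything a forum helper usually asks for, ready to paste into a reply.
    New-Object PSObject -Property @{
        Name          = $file.Name
        SizeMB        = [math]::Round($file.Length / 1MB, 1)
        Created       = $file.CreationTime
        LastModified  = $file.LastWriteTime
        SHA256        = $hex
        VirusTotalURL = "https://www.virustotal.com/gui/file/$hex"
    }
}

# Usage, assuming the file was extracted from the chest to C:\Suspect
# (an assumed location, as in DavidR's instructions above):
Get-SuspectFileReport -Path 'C:\Suspect\WER239B.tmp.hdmp' | Format-List
```

If the hash is unknown to VirusTotal, the lookup simply returns no report; a file nobody has uploaded yet cannot be judged this way, and the vendor sample submission remains the only route.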

How old is it (creation/last modified date)?

2011-11-27 19:05
Don’t remember well, wasn’t it the last beta flop released by Avast? Not sure. Search for WER on the web and found it is a Microsoft service when the system fails. Now that I got my spirits back, I’m going to try to send the infected file at virus@avast.com as a compressed file password protected. :o

Little point in sending it compressed and password protected, how are they going to scan it if they can’t extract it.

Personally after a week the value of a dump file is deprecated, especially if the system is running OK.

Just emailed the compressed file but unable to password protect the zip-file with the native Windows 7 system. Seems you need to download 7-zip or Winzip to do so. Hope it’ll work the same and that Avast will have a look at it. ???
Thanks!!! :slight_smile:
As you suggest, I will delete it in 2-3 days, just to see if it is still a virus or a FP for Avast 8)

Hi gdiloren,

For a scan option, read: http://forum.avast.com/index.php?topic=37542.msg715047#msg715047
and read here for the malware description: http://vil.nai.com/vil/content/v_558734.htm#tab5

pol

According to McAfee, you need to run a MBR fix: http://origin-home.mcafee.com/VirusInfo/VirusProfile.aspx?key=557299#

Don’t know about that one. Better to let Essexboy look at it.

Hi DonZ63 & gdiloren,

Essexboy will soon be with us in this thread. He has been notified by me,

polonus

Only trouble is understanding how it got on my pc. I surf sandboxed and this doesn’t go through internet, it has to be installed. Anyway, it is successfully quarantined and I don’t seem to have any trouble with my bank accounts! :frowning: I remember my computer went into “hibernation” and I was “unable” to get it working so I “unconventionally” shut it down. That may be the reason for this .dmp dump file. ???

Some extra information about this virus can be found here :
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=709141#none

The PSW prefix of the virus name stands for “Password Stealing.” Appears to me to be a keylogger or screen capture malware. Anti-viruses are by and large not that effective against keyloggers.

I decided to delete the quarantined file and all the WERXXX.tmp files in the Windows/TEMP folder. So far, computer is normal and as fast as ever. Avast still quoted the infected file as the BOK trojan this morning. As for being a “keylogger”, thanks for the security warning but so far I have no movements on my bank accounts 8) and nothing happened since I use SafeZone. :wink:
Thanks to all for the help :wink:

You’re welcome.

It is easy enough to check out the MBR

Do the following:

[*]Click on the Start button and then choose Control Panel.
[*]Click on the System and Security link.

Note: If you’re viewing the Large icons or Small icons view of Control Panel, you won’t see this link so just click on the Administrative Tools icon and skip to Step 4.
[*]In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
[*]In the Administrative Tools window, double-click on the Computer Management icon.
[*]When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

Note: If you don’t see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Take a screenshot of the Disk Management window and attach the screenshot to your reply.

THEN

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

[quote]Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:[/quote]
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Think the MBR is healthy, OK! :slight_smile: Your second option, the exe MBR check file is flagged as a virus by IMMUNET who readily quarantined it. Of course, I won’t risk another infection. Everything seems fine on my pc now, I only added in the resident protection settings the “scan all files” option as I’m deceived Avast did not detect it before I took a full scan 3-4 days later. Thanks! :frowning:

If you get a chance then incorporate the unallocated sector of your hard drive into a partition - as there is a TDL variant that will use unallocated space to store its files

[quote]If you get a chance then incorporate the unallocated sector of your hard drive into a partition - as there is a TDL variant that will use unallocated space to store its files[/quote]
A couple of reference links on the subject.

http://chmag.in/article/sep2011/rootkits-are-back-boot-infection
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
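The Disk Management screenshot Essexboy asked for and the unallocated-space point above can both be checked from a PowerShell prompt. The script below is an added example, not part of the thread, and uses only the WMI classes present on Windows 7 (Win32_DiskDrive and Win32_DiskPartition), so it needs no newer Storage module. For each physical disk it sums the partition sizes and reports what is left over.

```powershell
# Added example (not from the thread): list each physical disk, its partition
# count and the space no partition covers. Space outside every partition is the
# "unallocated" region the thread recommends folding into a partition.
function Get-UnallocatedDiskSpace {
    foreach ($disk in Get-WmiObject -Class Win32_DiskDrive) {
        # WQL requires the backslashes in \\.\PHYSICALDRIVE0 to be doubled.
        $id = $disk.DeviceID.Replace('\', '\\')
        $query = "ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$id'} " +
                 "WHERE AssocClass=Win32_DiskDriveToDiskPartition"
        $partitions = @(Get-WmiObject -Query $query)

        $allocated = ($partitions | Measure-Object -Property Size -Sum).Sum
        if (-not $allocated) { $allocated = 0 }
        $unallocated = [int64]$disk.Size - [int64]$allocated

        New-Object PSObject -Property @{
            Disk          = $disk.DeviceID
            Model         = $disk.Model
            SizeGB        = [math]::Round($disk.Size / 1GB, 2)
            Partitions    = $partitions.Count
            # Partition names are "Disk #0, Partition #1" etc.; Bootable shows the active one.
            Layout        = ($partitions | ForEach-Object {
                                 "$($_.Name) $([math]::Round($_.Size / 1GB, 2)) GB" +
                                 $(if ($_.Bootable) { ' [active]' } else { '' })
                             }) -join '; '
            UnallocatedMB = [math]::Round($unallocated / 1MB, 1)
        }
    }
}

Get-UnallocatedDiskSpace | Format-Table Disk, SizeGB, Partitions, UnallocatedMB, Layout -AutoSize
```

Win32_DiskDrive reports a size rounded to whole cylinders, so a few megabytes of slack (or even a slightly negative figure) is normal alignment residue, not a hidden area; a gap of hundreds of megabytes or more is the kind of region worth comparing against the Disk Management view. This lists the partition layout only; it does not inspect the MBR code itself, which is what MBRCheck is for.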

Many recommend a complete DoD level wipe on the infected hard drive before reinstalling OS or backup partition image. If partition is less than total hard drive size, backup image should be taken of the entire drive versus partition image so that the infected unallocated space would be reformatted by the image software on image restore. However, not foolproof hence the DoD wipe recommendation.

One last question. It’s like having a skeleton (but dead organism) to get registry entries or MBR infected (?) but if the infected file was successfully deleted, is there still a danger? The virus seems to be dead, no trace of password stealing at all! :o