Win32:Kryptik-IWL[trj]

I couldn’t find anything on this particular version of the blighter, so here goes, first time postin’.

I have my Avast run a complete scan of my computer every night, and about three days ago it turned up red and warned me that the above-mentioned Trojan was in a .dll inside some Office 2003 .msp patch in the C:\Windows\Installer folder.

I was a bit sceptical, 'cause the only thing I’d done the previous day was a security Windows Update for Win7 64-bit. Avast couldn’t delete the file, quarantine it or fix it. So, like a complete n00b (I work in IT but panic when there’s something wrong with my own computer, LOL), I put the .msp in the recycle bin and tried to empty the whole thing into bit hell where it supposedly belonged, but of course it couldn’t, the file supposedly being used by another program/process. So I puttered around my computer and somehow managed to get the whole .msp file missing :smiley: I went to Safe Mode, ran System Restore, didn’t download the Windows Update again, re-ran Avast, and it was happy as a clam: nothing detected on the comp.

Lo and behold, the next morning Avast had found the same alleged Trojan, this time in C:\$Recycle.Bin\(enter a really long string of numbers here).msp|>serconv.dll. Couldn’t delete/quarantine/fix, once again. Not even the boot-time scan. (Which was a bit surprising, since I understand that numbered folder is related to a user profile…) I couldn’t empty the recycle bin just for the hell of it 'cause the recycle bin is “empty”. And I don’t even really want to go to the hidden recycle bin folder and try to delete the whole .msp if I’m not absolutely sure I’m not gonna screw up my Windows, you know?

So, being the paranoid bastard that I am, I then ran Malwarebytes, SUPERAntiSpyware, Kaspersky TDSSKiller, Comodo Cleaning Essentials (+ KillSwitch and Autoruns), Hitman Pro, Emsisoft Emergency Kit, and the F-Secure Antivirus trial. Some of them several times, and making sure they weren’t running at the same time.

NONE OF THEM found anything even relating to the Trojan Avast keeps complaining about. I also ran HijackThis, but to my eyes the log looked pretty normal. Then again, I’m not an expert at deciphering that. My computer is working normally and there’s nothing that seems even remotely suspicious about it or its behavior, except for Avast’s pretty little red message.

So either Avast is a god of all things Trojan-related or this is a false positive.

Ideas?

–Suvi
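As an added example, not part of this thread or of any Avast tooling: the three checks a practitioner would run on a detection like the one above before deleting anything. Hash the flagged file so it can be looked up by other scanners, verify the .msp's Authenticode signature (Microsoft signs Office patches, so an untampered one should show Valid with a Microsoft signer), and walk C:\$Recycle.Bin to see what the "really long string of numbers" folder actually is and which deleted file still sits there. It assumes PowerShell 3.0 or later (Windows 7 needs the Windows Management Framework update for that); the .msp path is a placeholder, since the post does not give the real file name or SID.

```powershell
# Added example (not from the forum thread): triage a file an AV flags as a
# Trojan inside a Windows Installer patch. Assumes PowerShell 3.0+ and an
# elevated prompt. '<patch>.msp' is a placeholder for the file Avast named.

# 1. Fingerprint the flagged file. Second-opinion lookups key on the hash,
#    not the file name, and the hash lets you prove later it is unchanged.
function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

# 2. Windows Installer packages and patches can carry an Authenticode
#    signature, and Microsoft's Office patches do. A Valid status with a
#    Microsoft signer makes a false positive far more likely than a
#    tampered patch; a modified .msp would come back as HashMismatch.
function Test-PatchSignature {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status   # Valid / NotSigned / HashMismatch / ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

# 3. Each folder under C:\$Recycle.Bin is named after the SID of the account
#    whose Recycle Bin it is. A deleted file is stored as $R<random>.<ext>
#    next to a $I<random>.<ext> record holding its original path and
#    deletion time. That is why a scanner can still see the file even when
#    the Recycle Bin UI claims to be empty.
function Get-RecycleBinEntries {
    param([string]$Root = 'C:\$Recycle.Bin')
    Get-ChildItem -LiteralPath $Root -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $sidFolder = $_
        $account = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sidFolder.Name)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { '<unresolved SID>' }
        Get-ChildItem -LiteralPath $sidFolder.FullName -Force -Filter '$I*' |
            Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $meta = [System.IO.File]::ReadAllBytes($_.FullName)
            # $I layout: int64 version at 0, int64 size at 8, FILETIME at 16.
            $version = [BitConverter]::ToInt64($meta, 0)
            $deleted = [DateTime]::FromFileTime([BitConverter]::ToInt64($meta, 16))
            $orig = if ($version -eq 1) {
                # Windows 7: fixed 260-char UTF-16 path at offset 24.
                [System.Text.Encoding]::Unicode.GetString($meta, 24, 520).TrimEnd([char]0)
            } else {
                # Windows 10 (version 2): int32 char count at 24, then the path.
                $len = [BitConverter]::ToInt32($meta, 24)
                [System.Text.Encoding]::Unicode.GetString($meta, 28, $len * 2).TrimEnd([char]0)
            }
            [pscustomobject]@{
                Account      = $account
                DataFile     = Join-Path $sidFolder.FullName ($_.Name -replace '^\$I', '$$R')
                OriginalPath = $orig
                DeletedAt    = $deleted
            }
        }
    }
}

# Usage. Replace the placeholder with the path from the Avast alert.
$flagged = 'C:\Windows\Installer\<patch>.msp'
Get-Sha256Hex -Path $flagged
Test-PatchSignature -Path $flagged
Get-RecycleBinEntries | Format-Table -AutoSize
```

If Test-PatchSignature returns Valid with a Microsoft signer, the detection is almost certainly on the patch's legitimate contents rather than on an implant, and the right fix is to report the sample as a false positive and exclude it, not to force-delete it. Get-RecycleBinEntries also shows the DataFile that the scanner keeps hitting, so it can be removed from the per-SID folder deliberately instead of by poking at a bin the shell says is empty.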

Follow the guide and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

Okay, here’s the MBAM log and after that the aswMBR log, and attached the OTL and Extras.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.09.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Suvi :: KULTSU [administrator]

Protection: Disabled

9.6.2012 9:02:04
mbam-log-2012-06-09 (09-02-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212010
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-09 09:51:05

09:51:05.067 OS Version: Windows x64 6.1.7601 Service Pack 1
09:51:05.067 Number of processors: 2 586 0x170A
09:51:05.067 ComputerName: KULTSU UserName: Suvi
09:51:07.438 Initialize success
09:51:08.530 AVAST engine defs: 12060801
09:51:19.481 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
09:51:19.481 Disk 0 Vendor: ST3500620AS HP26 Size: 476940MB BusType: 3
09:51:19.481 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP1T1L0-3
09:51:19.497 Disk 1 Vendor: ST3500418AS CC38 Size: 476940MB BusType: 3
09:51:19.497 Disk 0 MBR read successfully
09:51:19.512 Disk 0 MBR scan
09:51:19.512 Disk 0 Windows 7 default MBR code
09:51:19.512 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 459664 MB offset 63
09:51:19.543 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 17273 MB offset 941392935
09:51:19.575 Disk 0 scanning C:\Windows\system32\drivers
09:51:29.995 Service scanning
09:51:45.611 Modules scanning
09:51:45.611 Disk 0 trace - called modules:
09:51:45.642 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
09:51:45.642 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004902060]
09:51:45.642 3 CLASSPNP.SYS[fffff8800165143f] → nt!IofCallDriver → [0xfffffa80043a3250]
09:51:45.658 5 ACPI.sys[fffff88000f127a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80043ac060]
09:51:46.781 AVAST engine scan C:\Windows
09:51:50.884 AVAST engine scan C:\Windows\system32
09:53:57.104 AVAST engine scan C:\Windows\system32\drivers
09:54:07.571 AVAST engine scan C:\Users\Suvi
10:12:58.402 AVAST engine scan C:\ProgramData
10:14:37.852 Scan finished successfully
10:18:21.308 Disk 0 MBR has been saved successfully to “C:\Users\Suvi\Desktop\MBR.dat”
10:18:21.323 The log file has been saved successfully to “C:\Users\Suvi\Desktop\aswMBR.txt”

–Suvi

malware remover is notified :wink:

Looking at the logs, I believe this to be a false positive; however, I will remove some security loopholes (old Java) and empty the recycle bin for you.

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab.
Remove the tick from “Start with Windows”.
Reboot and then run OTL.

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered, and reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Alright, here’s the new OTL log.

I see that you have Comodo IS as well as Avast. Using two AVs can lead to them detecting each other as they scan files, so I would recommend that one be uninstalled.

How is the computer behaving ?

Yes, I know, which is why I only have Comodo Firewall instead of the whole IS.

My computer is behaving normally.

If you have no further problems, run OTL and hit the Cleanup button to remove it and its associated folders.

Well, the only problem I had to begin with was Avast complaining, so I’ll just have to tell it to shut up about that file and everything will be a-okay :stuck_out_tongue:

Thanks for the help!