Win32:Malware-gen , Win32:SuspBehav-C [Heur],Win32:Crypt-HSZ [Drp]

:o 1st of all I feel special! to receive 5 malware trojans or whatever they are… Thanks to Avast, it warned me this morning that
something was not right… when I turned on my computer.
Avast put them in the Chest, but I don't know if they can still return
to do more damage.

File System Shield.
10/16/2010 12:11:36 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\scmwerxnao.tmp [L] Win32:Malware-gen (0)
10/16/2010 12:11:36 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\scmwerxnao.tmp [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
File was successfully moved to chest…
10/16/2010 12:11:48 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nxermawsoc.tmp [L] Win32:SuspBehav-C [Heur] (0)
10/16/2010 12:11:48 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nxermawsoc.tmp [L] Win32:SuspBehav-C [Heur] (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
File was successfully moved to chest…
10/16/2010 12:11:53 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ncxwoaserm.tmp [L] Win32:SuspBehav-C [Heur] (0)
10/16/2010 12:11:53 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ncxwoaserm.tmp [L] Win32:Crypt-HTA [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
File was successfully moved to chest…
10/16/2010 12:11:59 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rnosewcaxm.tmp [L] Win32:Crypt-HSZ [Drp] (0)
File was successfully moved to chest…
10/16/2010 12:12:11 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csaxwormen.tmp [L] Win32:Malware-gen (0)
File was successfully moved to chest…

avast! Real-time Shield Scan Report
This file is generated automatically
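The report pasted above is a flat list of detection lines interleaved with status lines. As an added example (not code from the thread, from Avast, or from any of the helpers), the PowerShell below reads lines in that format and folds them into one record per file, so it is easy to see that the same temp file was flagged twice within the same second and that the first "move to chest" attempt failed because the file was already gone. The sample lines are constructed to match the format in the post; the function name and record layout are my own.

```powershell
# Added example: parse avast! Real-time Shield report lines (format as pasted in
# the thread) into one record per detected file.  Sample input is constructed.
$sampleReport = @'
10/16/2010 12:11:36 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\scmwerxnao.tmp [L] Win32:Malware-gen (0)
10/16/2010 12:11:36 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\scmwerxnao.tmp [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The system cannot find the file specified
During the file delete, error occurred: The system cannot find the file specified
File was successfully moved to chest...
10/16/2010 12:11:53 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ncxwoaserm.tmp [L] Win32:SuspBehav-C [Heur] (0)
10/16/2010 12:11:53 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ncxwoaserm.tmp [L] Win32:Crypt-HTA [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
File was successfully moved to chest...
10/16/2010 12:11:59 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rnosewcaxm.tmp [L] Win32:Crypt-HSZ [Drp] (0)
File was successfully moved to chest...
'@

function ConvertFrom-AvastShieldReport {
    # Hypothetical helper (not an Avast cmdlet): groups detection lines by path
    # and attaches the error/quarantine status lines that follow each one.
    param([Parameter(Mandatory)][string[]]$Lines)

    # Detection line: <date> <time> <AM|PM> <path> [<flag>] <detection name> (<count>)
    $detectionPattern = '^(?<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?<path>.+?) \[(?<flag>\w+)\] (?<name>.+?) \((?<n>\d+)\)$'
    $records = @{}
    $order   = New-Object System.Collections.ArrayList
    $current = $null

    foreach ($line in $Lines) {
        if ($line -match $detectionPattern) {
            $key = $Matches.path
            if (-not $records.ContainsKey($key)) {
                $records[$key] = [pscustomobject]@{
                    Path        = $key
                    FirstSeen   = $Matches.when
                    Detections  = New-Object System.Collections.ArrayList
                    Errors      = New-Object System.Collections.ArrayList
                    Quarantined = $false
                }
                [void]$order.Add($key)
            }
            [void]$records[$key].Detections.Add($Matches.name)
            $current = $records[$key]
        }
        elseif ($null -ne $current -and $line -match 'error occurred: (?<msg>.+)$') {
            # "cannot find the file" here usually means the dropper removed its
            # own temp file before the shield could move it.
            [void]$current.Errors.Add($Matches.msg)
        }
        elseif ($null -ne $current -and $line -like 'File was successfully moved to chest*') {
            $current.Quarantined = $true
        }
    }
    foreach ($key in $order) { $records[$key] }
}

$detections = ConvertFrom-AvastShieldReport -Lines ($sampleReport -split "`r?`n")
foreach ($d in $detections) {
    $names = ($d.Detections | Select-Object -Unique) -join '/'
    '{0}  seen={1}x  quarantined={2}  names={3}  errors={4}' -f $d.Path, $d.Detections.Count, $d.Quarantined, $names, $d.Errors.Count
}
```

Run it in any PowerShell 2.0 or later session; to use it on a real report, replace `$sampleReport` with `Get-Content` of the saved log. A file whose record shows `quarantined=False` after the report ends is the one worth looking for by hand.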

These Trojans cannot harm your PC once they have already been moved to the Avast! chest. :-*

They were all located in Temp files… you can try cleaning your temp files

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

;D

Thanks again for saving my butt :o
I think I can safely say this is the best free antivirus out there.
And thanks for the help, guys

OK, ran the TFC cleaner and did a reboot. System froze up and wouldn't
continue to boot; had to shut off and reboot. And after reboot Avast
Web Shield was off and wouldn't come back on for a bit. Kinda freaked me out… svchost.exe error keeps popping up w/beep every restart now?

Is the Avast web shield working now? If not, please try an Avast Repair:

  • Go to Control Panel > Add/Remove programs > Avast Antivirus.
  • Scroll down and choose Repair function in the pop-up window.
  • Reboot.

When you say that the “svchost.exe error keeps popping up w/beep every restart now,” what exactly is happening?

Can you please check for malware with Malwarebytes' Anti-Malware (MBAM)?
  • Download free http://www.malwarebytes.org/ for an on-demand scanner.
  • Double click mbam-setup.exe to install the application.
  • After install, click Update so you have the latest database before scanning.
  • Under Settings:
    ◦ General: Automatically Save File After Scan Completes is checked off
    ◦ Scanner Settings: Check all boxes
    ◦ Updater: Download and install update if available is checked off
  • Once the program has loaded, select "Perform FULL Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
  • Click the "Remove Selected" button to quarantine anything found. You will find the infection details under the Quarantine tab.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Thank you.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4891

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

10/20/2010 7:27:34 AM
mbam-log-2010-10-20 (07-27-34).txt

Scan type: Full scan (C:|)
Objects scanned: 80170
Time elapsed: 56 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-682003330-1715567821-839522115-500\Dc27.exe (Hacktool.PasswordDump) → Quarantined and deleted successfully.

Yes, thank you very much for your help. The error is gone upon startup, and the Avast AV was starting with 2 tools not on upon startup, but not after the repair in Add & Remove. TY
Looks like it's been there since 2002!

???
And the fun is just starting!
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4891

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

10/20/2010 11:02:16 AM
mbam-log-2010-10-20 (11-02-16).txt

Scan type: Quick scan
Objects scanned: 147091
Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) → No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) → Bad: (0) Good: (1) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
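The four "Registry Data Items" in the log above are the classic footprint of malware that silences Security Center's antivirus, firewall and update warnings and hides its files from Explorer; the "Registry Keys" entry is the Worm.Magania CLSID. As an added example (not code from the thread or from Malwarebytes), the read-only PowerShell audit below checks those same paths and reports whether each value still holds what MBAM called "Bad". The key paths and the Good values come from the log; the function name and output layout are my own, and it assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example: re-check the registry items flagged in the MBAM log above.
# Read-only; "Expected" is the "Good" value shown in the log.
$valueChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Expected = 1 }
)

# Keys that simply should not exist on a clean machine (from the same log).
$keysThatShouldNotExist = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\MADOWN'
)

function Test-MbamFlaggedRegistry {
    # Hypothetical helper name; returns one object per check.
    param(
        [Parameter(Mandatory)][hashtable[]]$ValueChecks,
        [Parameter(Mandatory)][string[]]$ForbiddenKeys
    )

    foreach ($c in $ValueChecks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $status = if ($null -eq $actual)              { 'missing' }
                  elseif ([int]$actual -eq $c.Expected) { 'ok' }
                  else                                 { 'TAMPERED' }
        [pscustomobject]@{
            Item     = "$($c.Path)\$($c.Name)"
            Actual   = $actual
            Expected = $c.Expected
            Status   = $status
        }
    }

    foreach ($k in $ForbiddenKeys) {
        $present = Test-Path -Path $k
        [pscustomobject]@{
            Item     = $k
            Actual   = if ($present) { 'present' } else { 'absent' }
            Expected = 'absent'
            Status   = if ($present) { 'TAMPERED' } else { 'ok' }
        }
    }
}

Test-MbamFlaggedRegistry -ValueChecks $valueChecks -ForbiddenKeys $keysThatShouldNotExist |
    Format-Table -AutoSize
```

A `TAMPERED` row after MBAM reported "No action taken" is exactly the situation the next reply warns about: the scanner found the change but the user never clicked Remove Selected, so the notifications are still suppressed.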

Did you update MBAM prior to doing this last scan?

May I ask why did you not quarantine the infections in this last MBAM instead of “take no action?”

We have a deeper problem. Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining the OTL logs. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). I will be contacting a Certified Malware expert to review your OTL logs once you post them. His name is Essexboy, and he is in the UK time zone.

Once you perform your OTL log, please do not make any changes to your machine or you will have to repeat these steps again. Essexboy will respond to you in this thread to give you further instructions, so please check the thread at least daily; I will be in the background while he performs the malware removal. In the meantime, I will continue to provide you with assistance. Thank you.

Do you have any questions?

PS: And you thought the fun was just beginning? Just wait until Essexboy opens his bag of tricks and starts working. At least you have a sense of humor about this situation. :wink:

Yes, I updated Malwarebytes before each use. Below is the attachment, I hope.

thanks for your quick reply

??? Hope that this can help
thanks again

Yes, the logs were helpful. Essexboy will be around in about 10 or so hours to give you further instructions, so please check in around then or after that if you can.

Hi, once you have completed this run, can you let me know what problems remain.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118
FF - prefs.js..network.proxy.type: 4
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C70E30C7-140A-4166-A2E8-43557E62B41A} - No CLSID value found.
O4 - HKCU..\Run: [Start WingMan Profiler] File not found
O4 - HKCU..\Run: [Vidalia] C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

:slight_smile: Yes, thank you for the help very much.
Here are the 2 files generated by the OTL scan and 1 from after the reboot.
When I tried to run OTL it didn't run.

What are your current problems, please?

;D
As of today: we have no more problems… that you can help with!

Unless you have an extra million or two lying around unused :o

Thanks so very much for all your help. If ever I can be of some help, please let me know.

Bon Voyage Mates

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the Cleanup button. It will remove all the programmes we have used, plus itself. MBAM can be uninstalled via Control Panel > Add/Remove, along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading, select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
  • SpywareBlaster to help prevent spyware from installing in the first place.

  • Malwarebytes. Run weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To keep your operating system up to date, visit:
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?
Keep safe :wave: