Avast! detected a threat during a scheduled full scan of my system. I moved the files to the chest and then did a Boot Time Scan as requested. It told me that a file is infected by win32:Malware-gen. When I tried to move it to the chest, I got error 42111 - the operation is not supported. Same error when I tried to delete it. I ran Malware Bytes before reading this forum and it found nothing. I’ve attached the requested logs. Please help! Thanks!
Hello
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Then…
Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:
Gmer download link
Note: the file will be randomly named.
Double-click to run GMER.
- Wait for the initial scan to finish - if there is any query, click No;
- Click the Scan button and wait until the full scan is complete;
- Click Save … - save the report to the Desktop (named Gmer);
Attach the Gmer log report here.
I ran Farbar. Logs are attached. I started running GMER, it began its initial scan and possibly finished, but crashed. The Blue Screen said KERNEL_DATA_INPAGE_ERROR, problem detected, Windows Shut Down. It showed some Technical Information STOP: … and atapi_sys with the address. Should I try running GMER again?
Try running GMER from safe mode…
TwinHeadedEagle will be offline for a few hours so check back later.
Ran GMER from Safe Mode with Networking. Did the initial scan and ran the full scan for a while, but it crashed. Same Blue Screen KERNEL error as above. Stopped on win32k.sys. Rebooted, then ran GMER in Safe Mode without Networking. Same results as when run in Safe Mode with Networking. Initial Scan said Unknown MBR code.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
C:\Documents and Settings\David\Local Settings\Temp\AskSLib.dll
C:\Documents and Settings\David\Local Settings\Temp\drm_dyndata_7370007.dll
C:\Documents and Settings\David\Local Settings\Temp\SIntf16.dll
C:\Documents and Settings\David\Local Settings\Temp\SIntf32.dll
C:\Documents and Settings\David\Local Settings\Temp\SIntfNT.dll
C:\Documents and Settings\Elissa\Local Settings\Temp\AskSLib.dll
C:\Documents and Settings\Elissa\Local Settings\Temp\SIntf16.dll
C:\Documents and Settings\Elissa\Local Settings\Temp\SIntf32.dll
C:\Documents and Settings\Elissa\Local Settings\Temp\SIntfNT.dll
cmd: ipconfig /flushdns
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Then…
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
- Press Start Scan
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
Then…
Can you make a ScreenShot of Avast detection?
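The fixlist above carries a notice that it was written for this one machine, because FRST will delete every listed file and stream and run every `cmd:` line without further confirmation. The following is an added example, not part of the thread and not FRST's own code: a small Python parser for the three directive forms that appear in that script (`AlternateDataStreams: path:stream`, a bare file path, `cmd: …`) that turns a fixlist into a list of actions and flags the items worth a second look (commands, deletions outside a Temp folder, unrecognised lines) before Fix is pressed. The sample fixlist is constructed from a few of the lines posted above; the directive names are assumed from what is shown here, and nothing is executed or deleted.

```python
"""Preview what an FRST-style fixlist would do, without running it.

Added example for the forum thread; not part of FRST. It understands only
the three line kinds shown in the posted fixlist (assumption, based on that
script): "AlternateDataStreams: <path>:<stream>", a bare drive path to
delete, and "cmd: <command>" to run.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the lines posted in the thread above.
SAMPLE_FIXLIST = r"""
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
C:\Documents and Settings\David\Local Settings\Temp\AskSLib.dll
C:\Documents and Settings\Elissa\Local Settings\Temp\SIntfNT.dll
cmd: ipconfig /flushdns
""".strip()

# A Windows drive-letter path, e.g. C:\...
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# Folders where deleting leftover files is routine; anything else gets flagged.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass(frozen=True)
class Action:
    line_no: int
    kind: str        # delete_ads | delete_file | run_command | unknown
    target: str      # file path or command text
    detail: str = "" # stream name for delete_ads


def parse_fixlist(text: str) -> List[Action]:
    """Turn fixlist text into structured actions, one per non-empty line."""
    actions: List[Action] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        lowered = line.lower()
        if lowered.startswith("alternatedatastreams:"):
            body = line.split(":", 1)[1].strip()
            # The stream name follows the LAST colon; the drive letter owns the first.
            path, sep, stream = body.rpartition(":")
            if sep and stream and "\\" not in stream and _DRIVE_PATH.match(path):
                actions.append(Action(line_no, "delete_ads", path, stream))
            else:
                actions.append(Action(line_no, "unknown", line))
        elif lowered.startswith("cmd:"):
            actions.append(Action(line_no, "run_command", line.split(":", 1)[1].strip()))
        elif _DRIVE_PATH.match(line):
            actions.append(Action(line_no, "delete_file", line))
        else:
            actions.append(Action(line_no, "unknown", line))
    return actions


def summarize(actions: List[Action]) -> Dict[str, int]:
    """Count actions by kind, so the reviewer sees the shape of the fix at a glance."""
    return dict(Counter(a.kind for a in actions))


def review(actions: List[Action]) -> List[str]:
    """Human-readable flags for items that deserve attention before pressing Fix."""
    flags = []
    for a in actions:
        if a.kind == "run_command":
            flags.append(f"line {a.line_no}: runs command '{a.target}'")
        elif a.kind == "delete_file" and not any(m in a.target.lower() for m in TEMP_MARKERS):
            flags.append(f"line {a.line_no}: deletes file outside a Temp folder: {a.target}")
        elif a.kind == "unknown":
            flags.append(f"line {a.line_no}: unrecognised directive: {a.target}")
    return flags


if __name__ == "__main__":
    acts = parse_fixlist(SAMPLE_FIXLIST)
    for a in acts:
        print(f"{a.line_no:3}  {a.kind:13} {a.target}" + (f"  [stream {a.detail}]" if a.detail else ""))
    print("summary:", summarize(acts))
    for flag in review(acts):
        print("review:", flag)
```

Run it on a saved fixlist.txt by replacing `SAMPLE_FIXLIST` with the file's contents; the review output is what to compare against what the helper said the fix would do, and any `unknown` line means the script uses a directive this parser does not know about.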
Ran FRST and TDSSKiller. Logs are attached. Can you give me instructions for making a ScreenShot of detection?
Go to Avast chest, and take a ScreenShot of the screen
How to take a screen shot → http://www.wikihow.com/Take-a-Screenshot-in-Microsoft-Windows
Thanks! There were 4 files yesterday and 2 more from 10-9-13. On 10/10/13 I saw an Avast Boot Scan running in the morning. I’ll attach the log. The boot scan keeps showing this same file. I’ll attach the first 4 screen shots to this reply and the earlier ones to the next reply. Also on 10/10 I ran Malware Bytes and found 1 Object which I quarantined and deleted successfully. It was PUP.Optional.OpenCandy. Guess I’ll send them individually. Let me know if this is what you’re looking for. I numbered the ones from yesterday as 1,2,3,4 and the ones from 10/10 as a,b
Here’s a screen shot from 10/10
And another. The other ones from yesterday look similar to the one I sent earlier. Let me know if you’d like to see 2,3,4. The differences I saw were different users. One for David, two for Linda, one for Elissa, and slightly different \ch_u?\ numbers.
Can you click on Scan Logs, and post a Screen Shot of this window?
Is this latest Avast version (2014)?
Here’s the latest scan log. Is this what you were looking for?
Here’s one from two weeks ago. Do you think the infections are the same or related?
To answer your question, I have not yet upgraded to 2014 Avast
In the logs, I don’t see active malware, so I think that in the majority of cases this is a False Positive detection.
Please update Avast to the latest version (2014), update the virus database and wait a bit, and let me know how things are going (do you still have detections?).
Double post.
Thanks for all your help!
The scheduled full scan ran fine overnight with no detections, so I ran a boot scan this morning. It again listed the same file that I attached yesterday in awsBoot.txt - Earthlink Setup. Just wanted to double check that it is not something I should be concerned with. I don’t use Earthlink and am thinking of removing those files from my system. If the Add or Remove programs doesn’t work, I may just delete the file. It’s old, from 2004. Thanks for your thoughts.
Ran virus total. Said it had analyzed the file a year ago and found 2 infections. Ran it again. It found 3 infections. Sending you screenshot of new run since I didn’t see any logs or other output.