Trojan found in cache

[Godeszila]

Avast free 6.0.1125
def 110513-1

On my laptop Avast found a Trojan in the Firefox cache during a scheduled scan. All shields are always running, and the program and virus definitions are set to self update, as well as vista.
Avast put the Trojan in the virus chest. But Avast found something the last 3 scheduled scans, each in different places. Before that I had a different anti-virus(kapersky- but FF didn't like it). Do I need to be concerned?
I ask because on my home computer Avast never finds anything and I visit the same websites with that computer. Avast has been installed on my home computer since I got it.
And why would the Trojan make it into the cache if the web shield is running? The Trojan wasn't found until a scan was run.


Thanks for taking the time to help a noob.

One more unrelated question, can I have Malwarebytes installed at the same time as Avast without conflict?
 

[MAG]

Well, I can answer one of your questions.

Yes, you can have malwarebytes and avast, and I suggest you do install malwarebytes (if you don't already have it), run a scan, and post the results back here. I'm sure someone will be along to advise.

If you have avast pro (real time protection), I don't bother with any exclusions between mbam and avast other than the one suggested by DavidR - exclude the folder C:windows\temp\_avast. I see no conflicts

[Godeszila]

if I don't have pro, ( I don't) what are the exclusions? please post the "for dummy's" version of instructions. 

Here is the malwarebytes log

[DavidR]

With the free version of MBAM it isn't so critical to add the c:\windows\temp\_avast_ folder to the MBAM Ignore List, but it won't hurt.

This Ignore List entry is more for the Pro MBAM version as it is resident and would be scanning files that avast sends there to scan. I only have this on the system were I have MBAM Pro, but not on this one with MBAM free (on-demand).

[Godeszila]

ok, thank you.


so back to my first question...?

[SafeSurf]

You can rescan what is in the Virus Chest by right clicking on it (make sure your Avast definitions are updated first).  If the scan comes out clean, just delete the cache file.  Normally we recommend keeping files in the Chest longer, but since you state it is cache, it can be deleted if it is clean.  You can also upload the files to Avast to make sure it is real or a FP; and this is done at the next virus definitions update.

[MAG]

Not sure whether people had noticed the OPs mbam log - I've reprinted it below. Apologies if you had already seen it. It's not clear if he's actioned the mbam registry findings.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6569

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

5/13/2011 3:24:55 PM
mbam-log-2011-05-13 (15-24-41).txt

Scan type: Quick scan
Objects scanned: 177085
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
c:\Users\mercasaurus\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com (PUP.PlaySushi) -> No action taken.
c:\Users\mercasaurus\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome (PUP.PlaySushi) -> No action taken.
c:\Users\mercasaurus\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components (PUP.PlaySushi) -> No action taken.

Files Infected:
c:\Users\mercasaurus\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome.manifest (PUP.PlaySushi) -> No action taken.
c:\Users\mercasaurus\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\install.rdf (PUP.PlaySushi) -> No action taken.
c:\Users\mercasaurus\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome\pstextlinks.jar (PUP.PlaySushi) -> No action taken.
c:\Users\mercasaurus\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\playsushiff.dll (PUP.PlaySushi) -> No action taken.
c:\Users\mercasaurus\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\playsushiff.xpt (PUP.PlaySushi) -> No action taken.

[Godeszila]

No, I didn't see that it said to do anything?

[SafeSurf]

Update MBAM again and rescan it.  When it asks what to do, put infected items into quarantine.  Do NOT delete.  You can always get items out of quarantine if needed.

Cut and paste your new MBAM log or add it as an attachment to your next post.

Let us know how your machine is behaving after running this second scan.  Thank you.

[DavidR]

MBAM doesn't ask what to do (it doesn't mention quarantine) as such, it pre-checks any of the detection and you choose from the Action buttons.

The Remove Selected button is somewhat misleading as it sends then to Quarantine and doesn't actually remove/delete them (just moves the entries into quarantine), see image example.

So you need to run MBAM again and this time click the Remove Selected button.

[Godeszila]

Everything is running fine now, thanks for the help.

[DavidR]

No problem, glad I could help.

A belated welcome to the forums.