Author Topic: Strange message and svchost infection  (Read 5621 times)


candle

  • Guest
Strange message and svchost infection
« on: August 14, 2009, 05:44:47 AM »
Hello,

I installed Avast today to clear out several problems dealing with the Skynet virus. Spyware Doctor has been alerting me to, and blocking, a rootkit.tdss several times today and was recently able to remove it. As far as I know they have been successfully removed.

However, now I have in the Avast virus chest:
cru629.dat infected by Win32:Trojan-gen{Other}
svchost.exe infected by Win32:Trojan-gen{Other}
wisdstr.exe infected by Win32:Fraudo [Trj]

I'm new to this and not very knowledgeable about the computer system, but I'm aware that svchost.exe is a very important file that should not be deleted. For the past 3 hours I've been looking up what to do, but no one else seems to have had this problem? I've been looking at several threads that had false positives on the Trojan-gen and similar problems with svchost.exe, but I still don't know what to do with these files. There doesn't seem to be much on this Fraudo, either.

I've run several more scans with both Avast and Spyware Doctor, and everything looks good.
I minimized all my programs and, to my surprise, there is a message.

Where is this message coming from??

I want to see if the message remains after I reboot the computer, but I'm afraid of something stranger happening.
« Last Edit: August 14, 2009, 05:58:48 AM by cree »

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Strange message and svchost infection
« Reply #1 on: August 14, 2009, 06:05:46 AM »
Yes, scvhost.exe is a very important file, but some viruses will try to disguise themselves as scvhost.exe.
Also, from the background, I can see that you are infected with some kind of fake alert.

Please download Malwarebytes: http://filehippo.com/download_malwarebytes_anti_malware/
After you have it installed, update it and run a quick scan.
After it finishes the scan, remove everything that is infected. If the program asks you to restart, please do so.
Then post back a log from Malwarebytes.
It is not possible to divide anything by zero

candle

  • Guest
Re: Strange message and svchost infection
« Reply #2 on: August 14, 2009, 07:38:40 AM »
I see. What happens to the original file if a virus disguises as it?
The message is gone now. Thank you.

Windows Antivirus Pro is hard to get rid of once and for all. I know I deleted desot.exe at least twice from system32 this week.
Malwarebytes' scan didn't pick up the svchost.exe. Does that mean it's okay, or is Malwarebytes not specialized to pick up that virus..?
Here's the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2618
Windows 5.1.2600 Service Pack 3

8/14/2009 1:23:34 AM
mbam-log-2009-08-14 (01-23-34).txt

Scan type: Quick Scan
Objects scanned: 107897
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\desot.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wispex.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
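The log above is a useful checklist on its own: it names the exact persistence points this rogue used (a Winlogon Shell hijack, suppressed Security Center warnings, and a Run-key loader). The script below is an added example, not part of the thread and not Malwarebytes' own logic; it re-reads those same locations so you can confirm after a reboot that nothing was put back. It assumes Windows PowerShell 2.0 or later, run from an elevated prompt so HKLM is readable.

```powershell
# Added example; not part of the thread and not Malwarebytes' own logic.
# Re-checks the persistence points the MBAM log reports, so you can confirm
# after a reboot that the rogue did not restore them.
# Assumptions: Windows PowerShell 2.0 or later, run elevated so HKLM is readable.

$findings = @()

# 1. Winlogon\Shell hijack. The log shows "Explorer.exe rundll32.exe"; the only
#    legitimate value is explorer.exe, so anything appended to it is a loader.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and ($shell.Trim() -ine 'explorer.exe')) {
    $findings += "Winlogon\Shell = '$shell' (expected 'explorer.exe')"
}

# 2. Security Center notifications. A value of 1 hides the "no antivirus /
#    firewall / updates" balloons, which is why the log lists Bad: (1) Good: (0).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $sc = "$hive\SOFTWARE\Microsoft\Security Center"
    if (-not (Test-Path $sc)) { continue }
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { $findings += "$sc\$name = 1 (warning suppressed)" }
    }
}

# 3. Run keys (the log's 'braviax' value lived here). Resolve each command to its
#    executable and flag targets that are missing, sit under a Temp folder, or
#    carry no valid Authenticode signature.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $run = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    $entries = Get-ItemProperty -Path $run
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are not values
        $cmd = [string]$p.Value
        # First quoted token, else first whitespace-delimited token, is the image path.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) {
            $findings += "$run\$($p.Name) -> $exe (file missing)"
            continue
        }
        $status = (Get-AuthenticodeSignature -FilePath $exe).Status
        if (($exe -imatch '\\Temp\\') -or ($status -ne 'Valid')) {
            $findings += "$run\$($p.Name) -> $exe (signature: $status)"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

An unsigned autostart is a prompt to look, not proof of infection: plenty of legitimate XP-era software ships unsigned. A Winlogon Shell value other than explorer.exe, or a Security Center notify flag set back to 1 after you cleaned it, is the stronger signal that the rogue is still active.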

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: Strange message and svchost infection
« Reply #3 on: August 14, 2009, 09:55:34 AM »
Hi cree

You have done a quick scan. Do a full scan using MBAM and post the log here; maybe it can catch some more. Also get SUPERAntiSpyware (SAS), update it and do a full scan.

come back.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Strange message and svchost infection
« Reply #4 on: August 14, 2009, 01:16:54 PM »
Quote
Yes scvhost.exe is a very important file but some virus will try to disguise as scvhost.exe
Also from the background,I can see that you are infected with some kind of fake alert.
Just a minor, almost "nitpicky" (but maybe important) correction: scvhost.exe is a malware file. svchost.exe is a legitimate Windows file that can be used by certain malware types. There are normally multiple instances of svchost.exe running (I've seen up to ~6) if you look in Task Manager, and you should not normally be concerned about that.

You have indeed been infected by a rogue security application. MBAM has probably killed it, but do as suggested and run a full scan.
The removal of the infections has probably meant that svchost.exe is no longer called upon by the rogue program. You should not search for it with a view to deleting it.
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Strange message and svchost infection
« Reply #5 on: August 14, 2009, 05:37:28 PM »
correction: scvhost.exe is a malware file. svchost.exe is a legitimate Windows file
Thanks for pointing out the mistake :)
It is not possible to divide anything by zero

candle

  • Guest
Re: Strange message and svchost infection
« Reply #6 on: August 15, 2009, 02:08:18 AM »
When Malwarebytes does a full scan, does it also scan through the files in Avast's virus chest?
Thank you for the explanation, Tarq. The file I have is svchost.exe.

I did a full scan and nothing malicious was detected except for 4 adware items under "Online Services/AOL", which I have no need of and removed.
cru629.dat, svchost.exe, and wisdstr.exe are still in the virus chest.

Also, while the desktop message was still visible, the desktop icon labels lost their transparency. Though the message is gone, the icons haven't returned to normal. I've already checked "Use drop shadows for icon labels on the desktop" under System Properties, but nothing is happening.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89688
  • No support PMs thanks
Re: Strange message and svchost infection
« Reply #7 on: August 15, 2009, 02:16:06 AM »
It can't scan the virus chest as all the files are encrypted.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Strange message and svchost infection
« Reply #8 on: August 15, 2009, 02:30:35 AM »
Tried rebooting?
Windows 10,Windows Firewall,Firefox w/Adblock.

candle

  • Guest
Re: Strange message and svchost infection
« Reply #9 on: August 15, 2009, 04:06:29 AM »
Rebooting doesn't do anything.

I moved the files from the chest to scan with Malwarebytes.

A full scan showed only this...
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
...
Files Infected:
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.

But when scanning the individual files via right click, svchost.exe was not shown to be infected.
On the other hand, Spyware Doctor notified only cru629.dat as a "backdoor.Small!ct".

Another quick scan by Malwarebytes shows:
Files Infected:
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\cru629.dat (Trojan.Downloader) -> No action taken.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.

At the present, I've moved all three back to Avast's virus chest.


EDIT: I've fixed the opaque desktop icon problem by deleting "tets" under desktop properties>Desktop>Customize>Web
EDIT2: http://support.microsoft.com/?kbid=314056
If svchost.exe is found under C:\WINDOWS\system32, then this file under C:\WINDOWS isn't the real file? There is another svchost.exe under system32.
« Last Edit: August 15, 2009, 06:12:09 AM by cree »
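The question in EDIT2 is the right one to ask. The KB article linked there places the genuine svchost.exe at %SystemRoot%\System32\svchost.exe, so the copy at C:\WINDOWS\svchost.exe that MBAM flagged as Trojan.Agent is a different file that merely borrowed the name, and it should stay in the chest. The script below is an added example, not from the thread or from Avast, that makes that distinction mechanically: it compares any svchost.exe directly under %SystemRoot% against the System32 original by hash and signature, and lists every running svchost.exe with its image path and parent process. It assumes Windows PowerShell 2.0 or later and an elevated prompt (process paths are hidden from a non-elevated shell).

```powershell
# Added example; not part of the thread and not an Avast or Malwarebytes tool.
# The genuine svchost.exe is %SystemRoot%\System32\svchost.exe; a same-named
# file elsewhere, or a running instance loaded from elsewhere, is suspect.
# Assumptions: Windows PowerShell 2.0 or later, run from an elevated prompt.

$legit = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$legitHash = Get-Sha256Hex $legit

function Test-SvcHostFile {
    param([string]$Path)
    $hash = Get-Sha256Hex $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path       = $Path
        InSystem32 = ($Path -ieq $legit)
        SHA256     = $hash
        SameAsReal = ($hash -eq $legitHash)
        # Older OS files are catalog-signed and may report NotSigned here;
        # the path and hash comparison are the primary signals.
        Signature  = $sig.Status
    }
}

# 1. On-disk copies: the System32 original plus any svchost.exe sitting
#    directly under %SystemRoot%, which is where the poster's extra file was.
$candidates = @($legit)
$stray = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path -LiteralPath $stray) { $candidates += $stray }
$candidates | ForEach-Object { Test-SvcHostFile $_ } | Format-List Path, InSystem32, SameAsReal, Signature, SHA256

# 2. Running instances. Several are normal; each should be loaded from System32
#    and be a child of services.exe, which is the Service Control Manager.
$svcPids = @(Get-WmiObject Win32_Process -Filter "Name='services.exe'" | ForEach-Object { $_.ProcessId })
Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $path  = $_.ExecutablePath          # $null when the shell is not elevated
    $flags = @()
    if ($path -and ($path -ine $legit))           { $flags += 'NOT-IN-SYSTEM32' }
    if ($svcPids -notcontains $_.ParentProcessId) { $flags += 'PARENT-NOT-SERVICES' }
    New-Object PSObject -Property @{
        PID    = $_.ProcessId
        Parent = $_.ParentProcessId
        Path   = $path
        Cmd    = $_.CommandLine
        Flags  = ($flags -join ',')
    }
} | Format-Table -AutoSize PID, Parent, Path, Flags
```

Read the output the way Tarq57 described it: a half-dozen svchost.exe rows with Path in System32, Parent equal to the services.exe PID and an empty Flags column is the normal picture. A row flagged NOT-IN-SYSTEM32, or an on-disk copy with SameAsReal false, is the impostor; the System32 file itself is not something to delete.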