Author Topic: Update-is now Trojan-gen- as of Fri nite. Help  (Read 13814 times)


Therese Kean

  • Guest
Update-is now Trojan-gen- as of Fri nite. Help
« on: November 19, 2009, 01:12:14 AM »
Hi to all. Last night, as I was on Facebook and went to a link (which I will never do again), a family tree thing, the trojan alert happened. It all happened fast. The alert said at the top "not to worry", amongst other things, and wanted to download (I think) the problem file? It all happened too fast for me. I did, I think, what I should do: pressed the button on the alert. It came up to do something as I was still online, then everything stopped, on Internet Explorer that is.
I have Malwarebytes Anti Malware so I did a full scan. That came up clear no viruses.

On the "Avast On-Access Scanner - Resident protection", last night it read:
Last scanned- http://apps.facebook.com/xzx/.
Last infected://antyspywares.com/indexphp?affid=91702 etc (couldn't read rest here)
Infected count 1
Task name Resident protection

Every thing seems to be ok should I be relieved or is there something I should be doing?

Also, I will be running an Avast full scan. Should I turn all other stuff off when I do the scan, and disconnect the wireless stick when I do the scan?
Am having problems writing this new topic, as the page will not stay up for me to type the last half of this message. Is that a "virus issue"?
Would appreciate some help thanks  :-\

« Last Edit: November 22, 2009, 09:37:31 AM by Treesagreen »

Therese Kean

  • Guest
Re: Avast Trojan Alert
« Reply #1 on: November 19, 2009, 05:12:49 AM »
I have just completed (nearly) 98 per cent of the "Avast thorough Scan" and this warning came up:

The instruction at "0x7c159fa0" referenced memory at "0xc0330189". The memory could not be "read".

Click ok to terminate
click cancel to debug the program.

I clicked cancel and didn't see anything happen.
It may have, of course.
Also, the scan disappeared and didn't complete, apparently.

Has anyone got any suggestions?
I have tried reading the "What to do" suggestions from Evangelist (think that's his name) but I am not sure what I am doing, so decided to come straight to the forum as it helped me last time. ???

Jastis Bago

  • Guest
Re: Avast Trojan Alert
« Reply #2 on: November 19, 2009, 06:11:12 AM »
You can use Norman Malware Cleaner... ;)


Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1372
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: Avast Trojan Alert
« Reply #3 on: November 19, 2009, 07:09:41 AM »
Hi Tree,

I am not an evangelist yet, and I am still a beginner too.

But in this case, have you done the boot-time scan on your PC/Notebook?
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: Avast Trojan Alert
« Reply #4 on: November 19, 2009, 07:50:16 AM »
I suggest you run MBAM and SAS to see if they could solve your problem.

http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/

And please make the Facebook link you posted unclickable. Change it to wxw or something like that, so other users don't get infected.

Good luck, and write back if you get any problems. And welcome to the forum.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Therese Kean

  • Guest
Re: Avast Trojan Alert
« Reply #5 on: November 19, 2009, 10:33:41 AM »
Thanks for help. Have already done the MAM scan, as I already had that on my computer. Have downloaded, as suggested, "Super Antispyware"; the results of that are:
Adware tracking cookie, and 70 detected files which have been quarantined.
Where do I find info about the Trojan virus?
Have put a false name on the link in my first post. Thanks for pointing that out, as I would not want to be responsible for infecting someone else's computer.
Will try to keep you up to date with how I go from here. :)

Therese Kean

  • Guest
Re: Avast Trojan Alert
« Reply #6 on: November 22, 2009, 09:00:58 AM »
Yanto-Chiang, and others.
I did a boot scan Friday night; it came up clean. Did one Sat night as I had the Trojan-gen alert again, and have the below files now in "The Chest":
File C:/SYSTEM VOLUME Information/_restore{64C55BAE-0167-4E29-A424-..etc
I'm not happy even about giving the full file no., finishing with .exe
I was told it was infected by "Win32:Trojan-gen".
It has now been moved to the chest.
I downloaded "SUPERAntispyware" which has been finding Adware cookies but didn't find the Virus. Avast alerted me to this.

What happens now? Have I got "rid" of the problem?

The files were "windows files", but as it was infected I still chose to send infected files to "the chest".

Can someone assure me somehow that I'm doing the right stuff? ???
Do I get the system cleaned? I am not sure how to activate this on Avast. I tried it and was told I have to pay for it. :( Am not the happiest. My husband wants me to go back to Norton; can you help us out?

John2009

  • Guest
Re: Update-is now Trojan-gen- as of Fri nite. Help
« Reply #7 on: November 22, 2009, 05:26:30 PM »
My mom had the same problem with family tree, except rogue AVs kept popping up, like PE scan.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Update-is now Trojan-gen- as of Fri nite. Help
« Reply #8 on: November 23, 2009, 10:36:38 PM »
It looks to me as though Avast has blocked the rogue application from downloading.
I'd be fairly interested to see the scan report from SAS, where it found 70 infected files (!), if you can locate and post that, perhaps as an attachment.
Infections found in the location "system volume information" are to do with System Restore. Quarantining something from within renders that restore point inoperable. And sometimes, quarantining is not possible, because the data to be quarantined is too large/locked, in which case it should be deleted.

I think you have done the correct thing, in terms of repeat scans. You may want to turn system restore off, reboot, turn it back on. This will purge all restore points, and new (hopefully clean) points will start to be created. The only reason for doing this is that if there is a trojan in one of the restore points, and you happen to restore using that point, the trojan could gain access to the system. (It's all fairly unlikely, but it could happen, if there were still something undetected in a restore point.)

Dear old faceplant. Problem is that anyone can create a quiz, or a challenge, or something that looks interesting, and the average user is quite likely to use it, unaware that it could be contaminated. There is a "report" button for such applications that are either dangerous, or inappropriate (say, surprise pornography) so that such applications can be reported to Facebook. You might want to use that report button, especially if others (as above) have reported similar problems with a Facebook application.

Of course, there's also always the chance it could be a FP, but unless you really want to use the application, why chance it? The part-URL quoted for the Avast resident protection, "antyspywares.com", indicates it is quite likely to be hosting a rogue. (Try "Googling" that name. Not many hits (= recent, probably). The hit that does seem to reference it produces a webshield alert.) So I'm inclined to think it wasn't a FP.

I think these social networking sites are a large vector for malware, and that such rogue hostings are likely to increase. Not saying "don't use FB", just "don't go to any old application". Let someone else be the guinea pig.
Windows 10,Windows Firewall,Firefox w/Adblock.

Therese Kean

  • Guest
Re: Update-is now Trojan-gen- as of Fri nite. Help
« Reply #9 on: November 24, 2009, 11:55:04 AM »
Tarq57
Thanks for your input. Have just had a look. Will turn the System Restore off and reboot as you suggest.
How do I send and make attachments of the 70 infected files?
Will be doing this sometime tomorrow.
In talking to a friend about doing scans when the computer is not "online", which is what I have been doing:
What happens when online and a scan is done? I am on a laptop and stop the wireless most of the time, but what of most computers that are online 24/7, for instance, and carry out scans? What effect does this have on the computer etc.?
There seems to be confusion on this issue. T

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Update-is now Trojan-gen- as of Fri nite. Help
« Reply #10 on: November 24, 2009, 12:15:53 PM »
You should not have to type copies of the detections. The program should have saved a log, somewhere. Unfortunately it is a while since I've had SAS installed, so I don't remember where to find the log file, but if you can find it, attach it to a post.

I can't answer with any real authority regarding the online/offline question when doing a scan. It would make sense to me that if offline, when malware is deleted, it may leave parts in other locations that might try re-installing the actual malware files. Being offline may prevent this. Pure conjecture on my part.
Even if the above is valid, it would probably only be true for certain malwares, and the status might even change on a day to day basis, as scanner detection/cleanup routines are modified with updates.

Short answer, I don't think it does any harm to be online (but it may) but, provided the scanner is updated, it can't do any harm to be offline. (Except if, following a scan, you want to submit a file to the manufacturer of the scanner.)
Windows 10,Windows Firewall,Firefox w/Adblock.

Therese Kean

  • Guest
Re: Update-is now Trojan-gen- as of Fri nite. Help
« Reply #11 on: November 25, 2009, 09:05:57 AM »
Sad to say, have just done a boot scan, and the results were as follows:
File c:/Docments and Settings/user/local Setting/TemporaryInternet files/content.IES/u8PNAG41/wf2id02[1].htm
is infected by JS:ScriptIP-jnf[Trj]
I selected move to chest, as I didn't know what to do.
I have been told to clean; not sure how.
Tarq, haven't disabled the restore yet as suggested. Will try and do that.
Any more help? And what should I do now?
Will try and attach files from SAS. ???
Worked out how to attach the SAS file, but the problem is I couldn't find the Quarantine file to attach. Will keep looking,
but this latest trojan is a bit of a worry.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Update-is now Trojan-gen- as of Fri nite. Help
« Reply #12 on: November 25, 2009, 09:14:28 AM »
What I'd do is run the disk cleanup utility, (or better yet, ATF cleaner or Ccleaner- if you haven't got just ask) and run a boot scan with Avast.

Moving an infected or suspect file to the chest is almost always the correct action (if possible) unless the detection is known to be false.

Re attaching a log file, it's not the quarantine contents that's needed, but the actual log file.
Most programs create a log file for the last scan (or last several scans) and it is usually (but not always) kept at the root directory of the program files folder for that application. Have a look in the program files folder for Superantispyware, time permitting. See if you can find it. It should present as a text file, created or modified the day you did the scan, and be somewhere in the 5-15KB size. If you can't easily find it, don't worry, I'll do a bit of asking and try and find where it's kept. Let me know.

Windows 10,Windows Firewall,Firefox w/Adblock.

Therese Kean

  • Guest
Re: Update-is now Trojan-gen- as of Fri nite. Help
« Reply #13 on: November 25, 2009, 09:43:36 AM »
Haven't got the Ccleaner. Ask where? At Avast home page?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Update-is now Trojan-gen- as of Fri nite. Help
« Reply #14 on: November 25, 2009, 10:33:17 AM »
Ccleaner download page, the program is by Piriform, is popular, free. There is also a help forum.
Once installed, I would suggest for a start you set it up by selecting the "Cleaner" window, and there will be a list of "cleanables" under the "windows" pane. Tick all under "internet explorer" (except history, if you want to retain that), none in windows explorer, "temporary files" in System, none anywhere else in that area.
In the "applications" pane, I cannot remember what is included in the defaults. (Mine has been modified.)
But if you see any kind of "temporary" files, tick it, and you can tick everything in the "internet" section, which will include Java.

Do not run the "issues" scan, yet. It's a reg cleaner, and generally safe. But no need to run it, (a) ever, according to some, and (b) at least until you have understood what it does.

There is no hurry to do any of this, if you are the sort of person who would rather read the help information for a program and get to know it first, that's fine.
If you run the settings I've suggested, it will reduce the amount required to scan, and possibly even the malware with it. And do no harm. (Rule #1)
Ccleaner is often recommended as the first step in a malware cleanup regimen, on many malware forums.
Windows 10,Windows Firewall,Firefox w/Adblock.