Author Topic: Repeating threat notification.  (Read 11381 times)


manofkent

  • Guest
Repeating threat notification.
« on: August 04, 2010, 04:50:04 PM »

I am getting the above notification every few minutes.
So far I've tried Avast, Spybot S&D and MBAM.  They found some viruses but not the one causing this problem.
Yesterday evening I tried a boot-time scan but after I allowed it to fix the problems my windows would no longer boot up except in safe mode.
So I had to find a system restore that had not been damaged and got my XP running again.
However the Avast notification still appears every few minutes.
Would you be able to help me fix this please?
My sons insists the only way to cure it is a reformat of the HD and re-install of XP.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Repeating threat notification.
« Reply #1 on: August 04, 2010, 05:30:57 PM »
Please post the logs of the scans you have done (attach them to the post using the Additional Options in the Reply section); this will give us a better idea of what is going on in your system.

Post the contents of (or attach) the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file; that will tell us what files were detected.

When detected, what action did you select (move to chest, delete, etc.)?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

manofkent

Re: Repeating threat notification.
« Reply #2 on: August 04, 2010, 05:44:51 PM »
I think I asked them to be moved to the vault, but I can't find them now.
Is this any help?

08/03/2010 18:47
Scan of C: First Part

File C:\- AAA\Midi\T.zip|>T\Tequila e Bonetti.zip|>Tequila & Bonetti.mp3 Error 42125 {ZIP archive is corrupted.}
File C:\- AAA\Midi\T.zip|>T\The Banana Split Gang.zip|>The Banana Split Gang.mp3 Error 42125 {ZIP archive is corrupted.}
File C:\- AScan\Keygen.exe is infected by Win32:PUP-gen [PUP], Repair: Error 42060 {The file was not repaired.}
File C:\- Navigo\- United_Kingdom_and_Republic_of_Ireland 840.2570\TomTom Keygen 4.1D 2009.zip|>TomTom keygen 2009\Tomtom4.exe Error 42125 {ZIP archive is corrupted.}
File C:\- Navigon\MioPocket 3.0 Release 49.zip|>MioPocket 3.0 Release 49\MioAutoRun\Programs\Opera\opera.dll Error 42125 {ZIP archive is corrupted.}
File C:\- Navigon\MioPocket 3.0 Release 52.zip|>MioPocket 3.0 Release 52\MioAutoRun\Skin\Backgrounds\VistaAurora.bmp Error 42125 {ZIP archive is corrupted.}
File C:\- Newsleecher\- Newsleecher 4.0 Beta 18\Newsleecher v4.0 Beta 18\nl_setup_beta.exe|>regfix.exe is infected by Win32:Dropper-gen [Drp]
File C:\DKB Network Folder\JIC dct4 unlocker\unlocker.exe is infected by Win32:Malware-gen
File C:\DKB Network Folder\MSN\MSN 280208.exe|>MsnMsgs.msi|>MsgrCore.cab|>licensertf Error 42127 {CAB archive is corrupted.}
File C:\DKB Network Folder\MSN\MSN 280208.exe|>MsnMsgs.msi|>MsgrCore.cab Error 42144 {OLE archive is corrupted.}
File C:\DKB Network Folder\MSN\MSN 280208.exe|>MsnMsgs.msi Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Derek\Application Data\Sun\Java\Deployment\cache\6.0\16\488e63d0-3dd7c9e7|>vmain.class is infected by Java:Agent-AO [Trj]
File C:\Documents and Settings\Derek\Application Data\Sun\Java\Deployment\cache\6.0\60\240bc57c-45237d43|>vload.class is infected by Java:Agent-AP [Trj]
File C:\Documents and Settings\Derek\Application Data\Sun\Java\Deployment\cache\6.0\60\240bc57c-45237d43|>vmain.class is infected by Java:Agent-AQ [Trj]
File C:\Documents and Settings\Derek\Application Data\Sun\Java\Deployment\cache\6.0\61\7ae6b8bd-283ba160|>vmain.class is infected by Java:Agent-AO [Trj]
File C:\Documents and Settings\Derek\Application Data\Sun\Java\Deployment\cache\6.0\63\25097d3f-5fbc0de3|>vmain.class is infected by Java:Agent-AO [Trj]
File C:\Downloads\BitTorrent Downloads\newsleecher-4.0-beta-9-4.0-beta-7-3.9-final.exe|>$TEMP\windll.dll is infected by Win32:Malware-gen
File C:\Downloads\Emule Downloads\Gpstacho Exe (2010 Portable)\Install.exe|>D:\xampp\htdocs\bundle\source\WS_WebFetti_MFC_SweetIM.exe|>SweetIMSU_Sub1752.exe|>idwbho2.dll is infected by Win32:BHO-AAU [Trj]
File C:\Downloads\Emule Downloads\Gpstacho Exe (2010 Portable)\Install.exe|>D:\xampp\htdocs\bundle\source\WS_WebFetti_MFC_SweetIM.exe|>SweetIMSU_Sub1752.exe is infected by Win32:Klone-CIU [Trj]
File C:\Downloads\Emule Downloads\Gpstacho Exe (2010 Portable).rar|>Install.exe|>D:\xampp\htdocs\bundle\source\WS_WebFetti_MFC_SweetIM.exe|>SweetIMSU_Sub1752.exe|>idwbho2.dll is infected by Win32:BHO-AAU [Trj]
File C:\Downloads\Emule Downloads\Gpstacho Exe (2010 Portable).rar|>Install.exe|>D:\xampp\htdocs\bundle\source\WS_WebFetti_MFC_SweetIM.exe|>SweetIMSU_Sub1752.exe is infected by Win32:Klone-CIU [Trj]
File C:\Downloads\Emule Downloads\Gpstacho For Mobile Phone\Setup.exe|>D:\xampp\htdocs\bundle\source\WS_WebFetti_MFC_SweetIM.exe|>SweetIMSU_Sub1752.exe|>idwbho2.dll is infected by Win32:BHO-AAU [Trj]
File C:\Downloads\Emule Downloads\Gpstacho For Mobile Phone\Setup.exe|>D:\xampp\htdocs\bundle\source\WS_WebFetti_MFC_SweetIM.exe|>SweetIMSU_Sub1752.exe is infected by Win32:Klone-CIU [Trj]
File C:\Downloads\Emule Downloads\Gpstacho For Mobile Phone.rar|>Setup.exe|>D:\xampp\htdocs\bundle\source\WS_WebFetti_MFC_SweetIM.exe|>SweetIMSU_Sub1752.exe|>idwbho2.dll is infected by Win32:BHO-AAU [Trj]
File C:\Downloads\Emule Downloads\Gpstacho For Mobile Phone.rar|>Setup.exe|>D:\xampp\htdocs\bundle\source\WS_WebFetti_MFC_SweetIM.exe|>SweetIMSU_Sub1752.exe is infected by Win32:Klone-CIU [Trj]
File C:\Downloads\Emule Downloads\Keygen Airnav Live Flight Tracker 2.1.zip|>Install.exe|>D:\xampp\htdocs\bundle\source\WebFetti_MFC_IWon_SweetIM.exe|>IWONX_sub1752.exe is infected by Win32:Malware-gen
File C:\Downloads\Emule Downloads\Keygen Airnav Live Flight Tracker 2.1.zip|>Install.exe|>D:\xampp\htdocs\bundle\source\WebFetti_MFC_IWon_SweetIM.exe|>SweetIMSU_Sub1752.exe|>idwbho2.dll is infected by Win32:BHO-AAU [Trj]
File C:\Downloads\Emule Downloads\Keygen Airnav Live Flight Tracker 2.1.zip|>Install.exe|>D:\xampp\htdocs\bundle\source\WebFetti_MFC_IWon_SweetIM.exe|>SweetIMSU_Sub1752.exe is infected by Win32:Klone-CIU [Trj]
File C:\Downloads\Internet Downloads\JIC dct4 unlocker\unlocker.exe is infected by Win32:Malware-gen
File C:\Downloads\Internet Downloads\JIC dct4 unlocker.zip|>unlocker.exe is infected by Win32:Malware-gen
File C:\Downloads\newsbin downloads\downloaded-files\alt.binaries.comp\BurnAware Professional v.2.3.8.rar|>patch\BurnAware.Professional.v2.3.8 patch.exe|>[Embedded_R#1c9c8] is infected by Win32:PSWtool-H [PUP]
File C:\Downloads\newsbin downloads\downloaded-files\alt.binaries.comp\BurnAware Professional v.2.3.8.rar|>patch\BurnAware.Professional.v2.3.8 patch.exe is infected by Win32:PSWtool-H [PUP]
File C:\Downloads\newsbin downloads\downloaded-files\alt.binaries.comp\patch\BurnAware.Professional.v2.3.8 patch.exe|>[Embedded_R#1c9c8] is infected by Win32:PSWtool-H [PUP]
File C:\Downloads\newsbin downloads\downloaded-files\alt.binaries.comp\patch\BurnAware.Professional.v2.3.8 patch.exe is infected by Win32:PSWtool-H [PUP]
File C:\Downloads\NewsLeecher Downloads\alt.binaries.multimedia\!RnE - 2010.01.21 07.52.43 - aaf-petticoat.junction.s01extras\aaf-petticoat.junction.s01extras.srr|>aaf-petticoat.junction.s01extras.avi Error 42126 {RAR archive is corrupted.}
« Last Edit: August 04, 2010, 05:52:14 PM by manofkent »

manofkent

Re: Repeating threat notification.
« Reply #3 on: August 04, 2010, 05:51:04 PM »
Second part

File C:\Downloads\NewsLeecher Downloads\alt.binaries.multimedia\!RnE - 2010.01.21 07.56.44 - aaf-petticoat.junction.s01e01\aaf-petticoat.junction.s01e01.srr|>aaf-petticoat.junction.s01e01.avi Error 42126 {RAR archive is corrupted.}
File C:\Downloads\NewsLeecher Downloads\alt.binaries.warez\!RnE - 2010.06.06 08.39.07 - NewsLeecher 4.0 Beta 18\Newsleecher v4.0 Beta 18\nl_setup_beta.exe|>regfix.exe is infected by Win32:Dropper-gen [Drp]
File C:\Downloads\NewsLeecher Downloads\alt.binaries.warez.uk\A-Z 1 600K Uk Road Atlas For Memory Map.part1.rar|>A-Z 1 600K Uk Road Atlas For Memory Map.qct Error 42126 {RAR archive is corrupted.}
File C:\Old D-Drive\Downloads on D\BulletProof_FTP_Server_v2[1].2.1_build_11.zip|>G6FTPSrv.exe|>[UPX] is infected by Win32:PUP-gen [PUP]
File C:\Old D-Drive\Downloads on D\MFR53b.zip|>MFR53b.exe|>%AppDir%\MFR.exe Error 42145 {Installer archive is corrupted.}
File C:\Old D-Drive\Downloads on D\MFR53b.zip|>MFR53b.exe Error 42125 {ZIP archive is corrupted.}
File C:\Old D-Drive\Shared Files on D\Software\BulletProof_FTP_Server_v2[1].2.1_build_11\G6FTPSrv.exe|>[UPX] is infected by Win32:PUP-gen [PUP]
File C:\Old D-Drive\Shared Files on D\Software\BulletProof_FTP_Server_v2[1].2.1_build_11.zip|>G6FTPSrv.exe|>[UPX] is infected by Win32:PUP-gen [PUP]
File C:\Old D-Drive\Shared Files on D\Software\CoolEditPro2\cep21\cepsetup.exe|>%MAINDIR%\fhtpro.flt Error 42145 {Installer archive is corrupted.}
File C:\Old D-Drive\Shared Files on D\Software\CoolEditPro2\cep21\cepsetup.exe|>%MAINDIR%\cel.flt Error 42145 {Installer archive is corrupted.}
File C:\Old D-Drive\Shared Files on D\Software\CoolEditPro2\cep21\cepsetup.exe|>%MAINDIR%\ceplive.dll Error 42145 {Installer archive is corrupted.}
File C:\Old D-Drive\Shared Files on D\Software\CoolEditPro21.zip|>CoolEditPro2\cep21\cepsetup.exe|>%MAINDIR%\fhtpro.flt Error 42145 {Installer archive is corrupted.}
File C:\Old D-Drive\Shared Files on D\Software\CoolEditPro21.zip|>CoolEditPro2\cep21\cepsetup.exe|>%MAINDIR%\cel.flt Error 42145 {Installer archive is corrupted.}
File C:\Old D-Drive\Shared Files on D\Software\CoolEditPro21.zip|>CoolEditPro2\cep21\cepsetup.exe|>%MAINDIR%\ceplive.dll Error 42145 {Installer archive is corrupted.}
File C:\Program Files\DAEMON Tools Lite\uninst.exe|>[Embedded_I#1fc4e]|>[Embedded_R#6f4e8] is infected by Win32:Adware-gen [Adw]
File C:\Program Files\DAEMON Tools Lite\uninst.exe|>$PLUGINSDIR\setuphlp.dll|>[Embedded_R#6f4e8] is infected by Win32:Adware-gen [Adw]
File C:\Program Files\Opti Drive Control\b-odc144-patch.exe|>[UPX] is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP783\A0207678.exe is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP783\A0207679.exe is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP784\A0210019.exe is infected by Win32:MalOb-BR [Cryp]
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210041.exe is infected by Win32:Trojan-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210071.exe is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210075.exe is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210079.exe is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210210.exe is infected by Win32:Trojan-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210211.exe is infected by Win32:Trojan-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210212.exe is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210214.exe is infected by Win32:Trojan-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210215.exe is infected by Win32:Trojan-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210216.exe is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210224.exe is infected by Win32:Malware-gen
File C:\System Volume Information\_restore{92C68702-ECB5-4A56-B250-555EEFA6D085}\RP785\A0210228.exe is infected by Win32:Trojan-gen
Number of searched folders: 23210
Number of tested files: 1378211
Number of infected files: 48

Offline DavidR

Re: Repeating threat notification.
« Reply #4 on: August 04, 2010, 06:34:21 PM »
Well I don't see anything immediately related to system files that would have any impact on not booting if they were gone.

Though these give me some concern that you are inviting trouble:
File C:\- AScan\Keygen.exe is infected by Win32:PUP-gen [PUP], Repair: Error 42060 {The file was not repaired.}
File C:\- Navigo\- United_Kingdom_and_Republic_of_Ireland 840.2570\TomTom Keygen 4.1D 2009.zip|>TomTom keygen 2009\Tomtom4.exe Error 42125 {ZIP archive is corrupted.}
File C:\Downloads\Emule Downloads\Keygen Airnav Live Flight Tracker 2.1.zip|>Install.exe|>D:\xampp\htdocs\bundle\source\WebFetti_MFC_IWon_SweetIM.exe|>IWONX_sub1752.exe is infected by Win32:Malware-gen
~~~etc. etc.~~~

The use of keygens, apart from any legal/moral issues, is frequently accompanied by unwanted guests and these can introduce backdoors into your system.

Obviously the "archive is corrupted" notifications for files that can't be scanned aren't an indication that they are infected or suspect.

Seeing stuff related to JAVA and class could mean you have an out of date version of JAVA which should be updated and the old version uninstalled. There may also be other software that requires updating - I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

- Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
 
- Worst case scenario: it isn't infected and you delete it, so you can't use that restore point in the future; not much of a loss, and the older the restore point is, the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

As I said, I don't see anything immediately related to system files that would have any impact on not booting if they were gone. Though it isn't unusual in some cases when malware is removed it can be hooked into the OS boot (commonly winlogon), but again I don't see anything like that in the above.

Next step attach the log files of MBAM and Spybot scan that you did.
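As an added example (not code from this thread or from Avast), here is a small Python parser for report lines in the aswBoot.txt layout posted above. It applies the reading given in the reply: "archive is corrupted" lines are files that could not be scanned, not detections; entries under System Volume Information are System Restore copies rather than live files; and detections whose outermost file sits under the Windows directory are the ones to look at most carefully. It also checks that the "Number of infected files" header agrees with the detection lines actually listed. The sample report, its paths and the restore-point GUID are constructed placeholders, and the keygen/crack keyword check is a heuristic of my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of an avast aswBoot.txt boot-scan report.
# Paths and the restore-point GUID are placeholders, not taken from a real machine.
SAMPLE_REPORT = """\
08/03/2010 18:47
Scan of C:

File C:\\Tools\\Keygen.exe is infected by Win32:PUP-gen [PUP], Repair: Error 42060 {The file was not repaired.}
File C:\\Archive\\T.zip|>T\\song.zip|>song.mp3 Error 42125 {ZIP archive is corrupted.}
File C:\\Downloads\\setup.exe|>regfix.exe is infected by Win32:Dropper-gen [Drp]
File C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP785\\A0210041.exe is infected by Win32:Trojan-gen
File C:\\WINDOWS\\system32\\example.dll is infected by Win32:Malware-gen
Number of searched folders: 5
Number of tested files: 5
Number of infected files: 4
"""

# Detection line: "File <path> is infected by <name> [<category>]" with an optional
# ", Repair: Error ..." tail.  Unscannable line: "File <path> Error <code> {<message>}".
INFECTED_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<name>\S+)(?: \[(?P<cat>[^\]]+)\])?(?P<rest>.*)$"
)
ERROR_RE = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
TOTAL_RE = re.compile(r"^Number of infected files: (?P<n>\d+)$")


@dataclass
class Finding:
    kind: str            # "detection" or "unscannable"
    path: str            # full path, including "|>" archive nesting
    detail: str          # detection name, or the scanner's error message
    restore_point: bool  # lives under System Volume Information (a System Restore copy)
    keygen: bool         # path suggests a keygen or crack (heuristic)
    system_file: bool    # outermost file lives under the Windows directory

    @property
    def on_disk(self) -> str:
        """The outermost container: the file that actually exists on disk."""
        return self.path.split("|>")[0]


def _classify(kind: str, path: str, detail: str) -> Finding:
    outer = path.split("|>")[0].lower()
    return Finding(
        kind=kind,
        path=path,
        detail=detail,
        restore_point="\\system volume information\\" in outer,
        keygen=any(w in path.lower() for w in ("keygen", "crack")),
        system_file=outer.startswith("c:\\windows\\"),
    )


def parse_report(text: str) -> Tuple[List[Finding], Optional[int]]:
    findings: List[Finding] = []
    reported_total: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:  # test this first: an unrepaired detection also ends in "Error NNNNN {...}"
            findings.append(_classify("detection", m["path"], m["name"]))
            continue
        m = ERROR_RE.match(line)
        if m:  # "archive is corrupted" etc.: the file could not be scanned; not a detection
            findings.append(_classify("unscannable", m["path"], m["msg"]))
            continue
        m = TOTAL_RE.match(line)
        if m:
            reported_total = int(m["n"])
    return findings, reported_total


def triage(text: str) -> dict:
    """Summarise a report the way the reply reads it: real detections vs noise,
    restore-point copies vs live files, and anything under the Windows directory."""
    findings, reported_total = parse_report(text)
    detections = [f for f in findings if f.kind == "detection"]
    return {
        "detections": len(detections),
        "unscannable": sum(1 for f in findings if f.kind == "unscannable"),
        "restore_point_only": sum(1 for f in detections if f.restore_point),
        "keygen_related": sum(1 for f in detections if f.keygen),
        "system_files": sorted(f.on_disk for f in detections if f.system_file),
        "active_files": sorted({f.on_disk for f in detections if not f.restore_point}),
        "count_matches_header": reported_total == len(detections),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The detection pattern is tried before the error pattern on purpose: a detection that could not be repaired carries the same "Error NNNNN {...}" tail as an unscannable file, so matching errors first would misfile it. `active_files` collapses nested archive entries to the outer container, which is the only thing that can actually be moved to the chest or deleted.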

manofkent

Re: Repeating threat notification.
« Reply #5 on: August 04, 2010, 06:54:25 PM »
Hi
Firstly, a lot has happened since that log file was created. I have deleted all those infected files.
Secondly, my PC is booting into XP OK now except for the Avast warning that flashes up at varying intervals.
Spybot found nothing on the last scan.
Here is a log from MBAM quick scan this morning. I ran another this afternoon which came up clean.
I will run a full MBAM scan later today.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4387

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/08/2010 07:46:44
mbam-log-2010-08-04 (07-46-44).txt

Scan type: Quick scan
Objects scanned: 146203
Time elapsed: 24 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02dca195-602b-4b1f-83ff-381b7e804bdb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{02dca195-602b-4b1f-83ff-381b7e804bdb} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmortidqxr (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\HDBHO.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.

Offline DavidR

Re: Repeating threat notification.
« Reply #6 on: August 04, 2010, 08:20:40 PM »
The infected file appears to be related to:
Quote
HiDownload(HD) is leader of all-in-one stream downloader that aims to download multimedia streaming video and audio, enabling you to download movies, music and capture streaming video and audio, record radio from Internet. Support MMS, RTSP, RTMP, HTTP stream protocols.

So it is a Browser Helper Object for HiDownload, which might be considered adware if it is ad supported.

Does that ring any bells, e.g. is that an application you installed?
http://www.neuber.com/taskmanager/process/hdbho.dll.html
http://www.threatexpert.com/files/hdbho.dll.html

manofkent

Re: Repeating threat notification.
« Reply #7 on: August 04, 2010, 09:22:37 PM »
I installed HiDownload about 2 years ago. Are you saying it has become infected?

Offline DavidR

Re: Repeating threat notification.
« Reply #8 on: August 04, 2010, 09:43:46 PM »
No, I'm saying that is what MBAM considers a Trojan.BHO; not all BHOs are malicious, and some, when used with free programs, are ad supported. I have no idea how MBAM makes its determination; all I was doing was giving a possible idea, and if you used the program you would know if it displayed ads, etc. when used.

manofkent

Re: Repeating threat notification.
« Reply #9 on: August 05, 2010, 03:53:10 PM »
Hi
Sorry I didn't get back to you sooner but strange things have been happening.
I ran a full MBAM scan and got the following:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4387

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/08/2010 20:31:49
mbam-log-2010-08-04 (20-31-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 372280
Time elapsed: 2 hour(s), 18 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\- Navigon\MioPocket 3.0 Release 59\MioPocket 3.0 Release 59\MioAutoRun\Programs\Microsoft Reader\DASShp.dll (Malware.Packer.Gen) -> No action taken.
C:\- Navigon\MioPocket 3.0 Release 59\MioPocket 3.0 Release 59\MioAutoRun\Programs\Microsoft Reader\Dmgr.dll (Malware.Packer.Gen) -> No action taken.
C:\- Navigon\MioPocket 3.0 Release 59\MioPocket 3.0 Release 59\MioAutoRun\Programs\Microsoft Reader\ebriched.dll (Malware.Packer.Gen) -> No action taken.
C:\- Navigon\MioPocket 3.0 Release 59\MioPocket 3.0 Release 59\MioAutoRun\Programs\Microsoft Reader\udhid.dll (Malware.Packer.Gen) -> No action taken.
C:\Downloads\BitTorrent Downloads\TMPGEnc XPress 4.6.3.268\keygen.exe (Malware.Packer.Gen) -> No action taken.
C:\Downloads\NewsLeecher Downloads\alt.binaries.nl\NewsLeecher 4.0 Beta 18\NewsLeecher 4.0 Beta 18\Newsleecher v4.0 Beta 18\nl_setup_beta.exe (Trojan.Downloader) -> No action taken.
C:\Downloads\NewsLeecher Downloads\alt.binaries.nl\NewsLeecher 4.0 Beta 18\NewsLeecher 4.0 Beta 18\Newsleecher v4.0 Beta 18\NewsLeecherV4beta18\newsLeecher.exe (Trojan.Downloader) -> No action taken.
C:\Downloads\NewsLeecher Downloads\alt.binaries.nl\Newsleecher v4.0 Beta 18 wih working suoersearch\Newsleecher v4.0 Beta 18 wih working suoersearch\Newsleecher v4.0 Beta 18\nl_setup_beta.exe (Trojan.Downloader) -> No action taken.
C:\Downloads\NewsLeecher Downloads\alt.binaries.nl\Newsleecher v4.0 Beta 18 wih working suoersearch\Newsleecher v4.0 Beta 18 wih working suoersearch\Newsleecher v4.0 Beta 18\NewsLeecherV4beta18\newsLeecher.exe (Trojan.Downloader) -> No action taken.
C:\Downloads\NewsLeecher Downloads\alt.binaries.boneless\DVDInfo.Pro.v4.626-CORE\keygen.exe (Malware.Packer.Gen) -> No action taken.
C:\- Nokia\file9\LogoManager128\mxb_LogoManager128.exe (Trojan.Bancos) -> No action taken.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> No action taken.
C:\Program Files\Pegasys Inc\TMPGEnc 4.0 XPress\keygen.exe (Malware.Packer.Gen) -> No action taken.

After moving the files to the vault, my PC decided it didn't want to boot up.
None of the system restores worked.
I could only boot into safe mode.
After poking and prodding around until 1:00 am the machine suddenly booted OK.
This morning it again booted OK and I ran a MBAM quick scan which found no problems.
The strangest thing is since last night there have been no more alerts from Avast.
My only remaining problem is the random pop up web pages that occasionally pop up without my asking.
I will let you know of any further changes.

Offline DavidR

Re: Repeating threat notification.
« Reply #10 on: August 05, 2010, 05:58:49 PM »
I'm always concerned about detections supposedly based on packers (Malware.Packer.Gen), and more so when the detection is generic (.gen), so I would suggest that you check these out at virustotal before taking any action on them.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.


However, this one shows that you are taking risks; keygens and cracks, etc. put you at greater risk as they often come accompanied by malware:
C:\Downloads\BitTorrent Downloads\TMPGEnc XPress 4.6.3.268\keygen.exe (Malware.Packer.Gen)


This is similar, as downloads from unknown sources (alt.binaries) are also a risk:
C:\Downloads\NewsLeecher Downloads\alt.binaries.nl\NewsLeecher 4.0 Beta 18\NewsLeecher 4.0 Beta 18\Newsleecher v4.0 Beta 18\nl_setup_beta.exe (Trojan.Downloader)

more keygens:
C:\Downloads\NewsLeecher Downloads\alt.binaries.boneless\DVDInfo.Pro.v4.626-CORE\keygen.exe (Malware.Packer.Gen)
C:\Program Files\Pegasys Inc\TMPGEnc 4.0 XPress\keygen.exe (Malware.Packer.Gen)
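As an added example, not code from the thread or from Malwarebytes, the Python below triages entries in the MBAM log layout posted in this thread along the lines of this reply: packer-based or generic (.Gen) detections are marked for a VirusTotal check before anything is deleted, "No action taken" files are listed as still present on disk, Rootkit.* detections are marked high priority, and items coming from keygens, cracks or alt.binaries are listed as risky sources. It also hashes a file with SHA-256, so that a copy extracted from the chest into a scratch location (as the reply describes) can be looked up on VirusTotal by hash rather than uploaded. The log excerpt, the paths, the CLSID and the service name are constructed placeholders; `parse_mbam_log`, `triage`, `sha256_of` and `demo_hash` are names chosen here.

```python
import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed excerpt in the layout of a Malwarebytes' Anti-Malware 1.46 log.
# Paths, the CLSID and the service name are placeholders, not from a real machine.
SAMPLE_MBAM_LOG = """\
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{CLSID-PLACEHOLDER} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\placeholdersvc (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\\Downloads\\example\\keygen.exe (Malware.Packer.Gen) -> No action taken.
C:\\Program Files\\Example\\helper.dll (Adware.MyWebSearch) -> No action taken.
C:\\WINDOWS\\system32\\example_bho.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
"""

# Section header such as "Files Infected:" (the summary lines "Files Infected: 13"
# deliberately do not match), and one entry "<item> (<name>) -> <action>."
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Entry:
    section: str  # e.g. "Files Infected", "Registry Keys Infected"
    item: str     # file path or registry key
    name: str     # MBAM detection name
    action: str   # what MBAM did with it

    @property
    def generic(self) -> bool:
        """Packer-based or generic signatures deserve a second opinion before deletion."""
        n = self.name.lower()
        return n.endswith(".gen") or n.endswith("-gen") or ".packer." in n

    @property
    def still_on_disk(self) -> bool:
        return self.action.lower().startswith("no action taken")

    @property
    def risky_source(self) -> bool:
        """Heuristic: keygens, cracks and alt.binaries downloads (risks named in the thread)."""
        i = self.item.lower()
        return any(w in i for w in ("keygen", "crack", "alt.binaries"))

    @property
    def priority(self) -> str:
        if self.name.lower().startswith("rootkit."):
            return "high"    # service/driver-level persistence; not something to leave in place
        if self.generic:
            return "verify"  # check at VirusTotal first, as the reply advises
        return "normal"


def parse_mbam_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ENTRY_RE.match(line)
        if m and section:  # "(No malicious items detected)" has no item before "(" and is skipped
            entries.append(Entry(section, m["item"], m["name"], m["action"]))
    return entries


def triage(text: str) -> Dict[str, list]:
    entries = parse_mbam_log(text)
    return {
        "high": [e.item for e in entries if e.priority == "high"],
        "verify_before_deleting": [e.item for e in entries if e.priority == "verify"],
        "still_on_disk": [e.item for e in entries if e.section == "Files Infected" and e.still_on_disk],
        "risky_source": [e.item for e in entries if e.risky_source],
    }


def sha256_of(path: Path) -> str:
    """Hash a file streamed in chunks; the digest can be searched on VirusTotal without uploading."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def demo_hash() -> str:
    """Hash a constructed scratch file standing in for a sample extracted from the chest."""
    with tempfile.TemporaryDirectory() as scratch:
        sample = Path(scratch) / "sample.bin"
        sample.write_bytes(b"constructed sample, not malware\n")
        return sha256_of(sample)


if __name__ == "__main__":
    for key, items in triage(SAMPLE_MBAM_LOG).items():
        print(f"{key}: {items}")
    print("sha256 of scratch sample:", demo_hash())
```

Registry entries are kept alongside file entries because a detection under `CurrentControlSet\Services` describes persistence, not a file you can copy out and hash; the `high` bucket exists so it is not lost among the file listings.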