Avast WEBforum
Other => Viruses and worms => Topic started by: dj_shimano on June 17, 2013, 09:30:57 PM
-
Pls i have this anoying virus and i can't get rid of that anoying virus :( so can AVAST FREE clean it or not :) i use now another anti-virus so if can avast clean this pice of shit (sorry about that) TROJAN HORSE DOWNLOADER.AGENT2.BHTO :'( if can do it that will be great and i will download this AVAST
thank you for your time :) and sorry again for bad languege :)
-
@dj_shimano
Helo and welcome to avast. ;) Let's check your system ...
- I will be working on your Malware issues this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- If you don't know or understand something, please don't hesitate to ask.
- Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
- Please DO NOT run any other tools or scans whilst I am helping you.
- It is important that you reply to this thread. Do not start a new topic.
- Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
- Absence of symptoms does not mean that everything is clear.
------------------------------------------------
1. Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. DDS.txt and Attach.txt attach back to topic.
2. Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) and save it to your desktop.
Double click aswMBR.exe to start the tool.
- Select Yes if prompted to download the Avast database.
- Click Scan
- Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.
-
i did not know how to attach fajl so i uploadet this way
DDS.txt
Attach.txt
aswMBR.txt
MBR
i did all those upload at:http://www.mediafire.com/?2zy4me7obbb799m
i hope someone can help and thx for reply
this is where virus is: c:\Documents and Settings\shima\Local Settings\Temp\iswizard\wuaudit.exe";"Moved to Virus Vault";"16.6.2013, 13:04:37";"File or Directory";""
-
now i now how to attach file ^_^
PLS someone look at this and i hope we can fix it :) if not then last option is RE-INSTAL Windows -_-
-
Hi dj_shimano,
c:\program files\Urban Jungle Autoskola
Are you from Serbia/Croatia/Bosnia? Pricas li naski? :)
Ja sam iz Srbije, zato pitam.
There is no need to run aswMBR more than one time.
Step#1
Please download zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/) and save it to your desktop.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0};c
{EEE6C35C-6118-11DC-9C72-001320C79847};c
{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39};c
emptyclsid;
c:\program files\sweetim;fs
FFdefaults;
chrdefaults;
c:\docume~1\shima\locals~1\temp\\tsiVi232.dll;f
ipconfig /flushdns >> %temp%\log.txt;b
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"tsiVideo"=-;r
filesrcm;
startupall;
wuaudit.exe;z
iswizard;z
firefoxlook;
chromelook;
resethosts;
emptyalltemp;
autoclean;
- Click on (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png) button
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
Step#2
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
How to attach logs in thread. Additional options > Browse
(http://s1224.photobucket.com/user/Essexboy3/media/Misc%20screen%20shots/SelectOTLtoattach.gif.html)
-
Komsija, sada vidim da si iz Crne Gore. :D
Eng: ... now I see you're from Montenegro. :D
-
pa super kad si nas :) jos bolje i onako nisam nesto fenomenalan sa engleskim :D sve sam uradio kao sto je napisano... sta sad da radim?
-
Molim te pisi na Engleskom, on je ovde officijialni jezik. ;)
Eng: Please write in English, it's official language here.
> Did you run Zoek script? Can you attach here zoek log?
C:\ directory named "zoek-results.log
edit:
Ne brini, Engleski ti je dobar.
Eng: Don't worry, your English is good. ;)
-
no prob ^_^ here is Zoek
-
Hi,
FRST log shows posible USB devices infections.
MountPoints2: {4ef3b57e-c27a-11e1-89e5-cc5de7b8467c} - H:\autorun.exe
MountPoints2: {6543ccb8-acf9-11e2-8b83-c1a1984c9c72} - G:\Windows\Install.exe
MountPoints2: {7ed08528-f0a7-11e1-8a5f-9bd85949887c} - G:\autorun.exe
MountPoints2: {84f6bcb1-eae4-11e1-8a49-8964422f4eaf} - H:\autorun.exe
MountPoints2: {a4a2f028-c204-11e1-9758-806d6172696f} - F:\Bin\ASSETUP.exe
MountPoints2: {a99c2f58-b20f-11e2-8b8b-f697eea4d8e1} - G:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2066.1.A14B04 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
> Check USB storage devices / removable drives
Download MCShield from one of the following links:
MyCity - Official download link (http://www.mcshield.net/downloads.html)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
- Double click MCShield-Setup to install the application.
> You have available Serbian language if you wish
- Wait a few seconds to MCShield finish initial scan.
Recommendation to under General and Scanner tab you click on Defaults button to choose recommended options.
- Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach a logreport that has made MCShield.
Start -> All Programs -> MCShield -> Logs
Attach here -> AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
============ Next ===========
Re-run Zoek.exe as you did before but use this script:
emptyalltemp;
C:\Documents and Settings\shima\Local Settings\Temp\iswizard;f
C:\DOCUME~1\shima\LOCALS~1\Temp\tsiVi132.dll;f
C:\DOCUME~1\shima\LOCALS~1\Temp\tsiVi032.dll;f
C:\Documents and Settings\All Users\Application Data\TEMP;vs
jcdgjdiieiljkfkdcloehkohchhpekkn;chr
Please attach here fresh zoek.exe log
============ Next ===========
And now, we are move to heavy artillery....
1. Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
2. Temporarily disable your AntiVirus program.
You may read it how to do it on Serbian language:
http://www.mycity.rs/MyCity-Laboratorija/Iskljucivanje-zastitnog-softvera.html
3. Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
-
i did all what you told me :)
-
Hi,
Can you please attach here MCShield's AllScans.txt logreport?
Start -> All Programs -> MCShield -> Logs
Attach here -> AllScans.txt
Step#1
1. Again, temporaly disable your AV software ...
2. Open notepad and copy/paste the text present inside the code box below:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SweetIM"=-
"Sweetpacks Communicator"=-
KillAll::
Folder::
c:\program files\SweetIM
ClearJavaCache::
Firefox::
FF - ProfilePath - c:\documents and settings\shima\Application Data\Mozilla\Firefox\Profiles\g2af35yv.default\
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: browser.sessionstore.resume_from_crash - false
RegNull:
[HKEY_USERS\S-1-5-21-515967899-261478967-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF713E29-3232-BEE7-DFBD-58C20AB929D0}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagcchhpkbfglbcend"=hex:6a,61,64,6e,64,66,68,6c,68,62,63,70,67,64,69,69,63,61,
65,6b,00,0e
"haabikmegagnehcp"=hex:6a,61,63,6e,64,69,63,6d,68,6a,6c,66,66,69,6b,63,6a,64,
6a,64,00,ff
"iaclckchghkmhamffg"=hex:63,61,68,6e,68,69,00,7c
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
Step#2
- Download AdwCleaner (http://www.general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner) (by Xplode) on your desktop.
- Click on the [Delete] Wait for the programme completes his work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open ( Informations and Restart required ) click OK
- The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
- Save the notepad report on the Desktop
- Please attach here C:\AdwCleaner[S1].txt
Note: The report will also be stored on C:\AdwCleaner[S1].txt [/list]
--------------------------------
>> In your next reply please attach here:
- MCShield's AllScans.txt
- Combofix's Combofix.txt
- AdwCleaner's AdwCleaner[S1].txt
>> Tell me, how is your computer running now? 8)
-
i scan today local disc C with anti-virus and it did not find anything ^_^ when i post first text here my AVG in every 3-4 min detect TROJAN HORSE DOWNLOADER.AGENT2.BHTO and when it detect i clean it but again AVG detect it and that was all day in every 3-4 min it was so anoying that i was planing to reinstal windows but I made the right decision to contact you from AVAST ^_^ from now on i will use just AVAST ^_^
Now my PC from last night was good boy and no more this nasty virus ^_^ i was trying to download from torrent City Car Driving (PC Game) and i download a baaaad virus -_- hate when that happens -_-
Yugoslavia: Hvala brate na pomoci :) dobar si bio :)
ENG: Thanks brother for your help :) You did good job :)
-
Drago mi je da sam pomogao domacem coveku. ;) Cuvaj se tih sajtova i zena ... :D
Malware Removal ( i ostalo ) mozes traziti i na domacem forumu ( pogledaj link iz potpisa ), ja i moje kolege smo tamo.
Eng: Glad I could help a countryman. Keep Safe. In future, you can ask for malware removal on my home forum too.
I will remove used tools, and also perform some post_cleaning process.
It is necessary to uninstall ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
--------------------------------
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
--------------------------------------
I recommended to use Malwarebytes and to use MCShield if you will.
Both programs are fully compatible with your AV.
- You may download Malwarebytes AntiMalware Free from here:
http://www.malwarebytes.org/
http://www.malwarebytes.org/products/malwarebytes_free/
It will scan and remove any known malware from computer.
- You may download MCShield from one of the following links:
MyCity - Official download link (http://www.mcshield.net)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.
Cheers
-
thanks man i did unistal combofix and run delfix as you told me... :) thank's again :)
i find your website and i bokmark it :)