Avast WEBforum
Other => Viruses and worms => Topic started by: mark1123emily on July 19, 2009, 05:25:08 PM
-
Hi! I've been using Avast! for quite some time now and this is the first time I encountered this kind of problem. After Avast! updated I turned off my laptop because I was done using it and then after turning it on again it always shows an explorer.exe error then Avast! detects a trojan horse under the location C:/user/update.exe which I can delete but it keeps coming back. I've got experiences with worms before but Avast! immediately solves my problems. This time its different Avast! cannot detect what or where the worm is just the Trojan Horse. I wasn't going to conclude that due to the update that this happened but the same thing happened to my other laptop. Same issue. Same problem. Please help me out. I did everything scanned everything even the memory test but nothing can be detected except for the trojan on the said folder. I dont know what to do.. My virus database version is 090719-0, 07/19
Thanks alot!
-
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall ?
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should product a log file).
- 1. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe), right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
- 2. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.
Don't worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie (http://en.wikipedia.org/wiki/HTTP_cookie).
-
Thanks but I installed AVG and found out that I have a Torjan Horse Agent2.IIE infection it is still currently running it's scan I'm not sure if AVG could get rid of this. BTW this laptop is new i'm still exploring it. not yet a week old and it's infected already. :(
-
You should probably do a boot time scan. That should fix the problem!
-
If avast is detecting it, a boot time scanning should take care of it. Anyway, when a virus is recurrent, better is:
I suggest:
1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete them.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan (http://www.abelhadigital.com) tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
9. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
-
Avast! could only detect the trojan horse located as C:\user\update.exe in both my laptops. When I ran Avg it detected a Trojan Horse agent2.IIE located at C:\Driver\Files\DT.exe again in both my laptops. How could I have gotten the same infection in different laptops. I didn't do anything that could transfer the infection to the other laptop. Thanks for all your help.
-
This link explains what this virusDT.exe does. It seems a nasty bit of kit.One of its aliases is Update.exe. So it would seems related to what Avast found. Has AVG removed it ?
http://spywarefiles.prevx.com/spywarefiles.asp?FXC=IEGJ790070 (http://spywarefiles.prevx.com/spywarefiles.asp?FXC=IEGJ790070)
-
I suppose you're not using avast and AVG at the same time in the same computer.
Maybe the infection come from the same website visited on both computers...
-
Well Avast does detect the update.exe trojan but not the AVG. Although it does detect the DT.exe virus but the avast cannot. I installed malwarebytes and super antispyware I was surprised that there are about 8 trojans in the system restore detected by the super antispyware whereas the malwarebytes detected OGa\RD\GOx.exe. BTW i removed the avast temporarily. Both laptops wasn't use for any other similar apps except for Avast update. I have a friend who is also using Avast. He used AVG to scan his laptop and found similar trojans. I did a little experimentation with this laptop and opted not to delete the OGa\RD\GOx.exe file and for sure it threw that update.exe trojan it messes with my start up a little window will pop out.
this was the infections found by malwarebytes:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-01we-aax2-314cca554372} (Generic.Bot.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-01we-aax5-314cca322142} (Generic.Bot.H) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\OGa\RD\GOx.exe (Generic.Bot.H) -> No action taken.
-
Send GOx.exe to virustotal and show us the result. Also if the virus total is detecting a lot virus then please feel free to send the file trought Avast! chest then send it to ALWIL. So they can improve our detection.
Thank.
Mr.Agent
-
I'll do what you suggested. I already removed it from this laptop coz its scaring the heck out of me. I'll be fixing my other laptop tomorrow since they're both infected with the same thing. Thanks alot!
BTW how do I send it? its still in my quarantine in malwarebytes.
-
;D hi kabayan,
Do you currently use P2P file sharing software?
Please read this article: So how did I get infected in the first place?" © Tony Klein (http://www.freedomlist.com/forum/viewtopic.php?t=22879) 8)
-
nope don't do p2p file sharing. Im using firefox as my browser. This laptop is new, just a week old. Although i already cleared the infections I had earlier, Im still getting a few ones mostly they land on my system restore. Thanks alot for all your help. The other laptop sad to say got 53 infections! :( But I haven't connected both laptops by any means. It has the same infection as this one has. But it has a trojan downloader inserted to one of it's programs (Flushcode.exe). II'm currently downloading Spybot search and destroyer hope this will end my infection streak.
-
i can't download spybot search and destroy. It's either being canceled or if I could download it, it says I have no permission to access it. Why is that? I can't even download spyware blaster nor the avast anti rootkit!!! what's going on!!!!!!
-
i can't download spybot search and destroy. It's either being canceled or if I could download it, it says I have no permission to access it. Why is that? I can't even download spyware blaster nor the avast anti rootkit!!! what's going on!!!!!!
Most probably you're infected and the malware is preventing you to get protection/cleaning software.
It sounds like a hosts file problem. Check the contents of the file at the location for your operating system.
Windows 95 - C:windows
Windows 98 - C:\windows
Windows Me - C:\windows
Windows 2000 - C:windows\system32\drivers\etc
Windows XP - C:\windows\system32\drivers\etc
Windows NT - C:\winnt\system32\drivers\etc
Windows Vista - C:\windows\system32\drivers\etc
Note the file does not have an extention, it's simply hosts
The default file consists of a number of example lines preceded with # The only required line is
127.0.0.1 localhost
You can get a good replacement and more info on what the hosts file does from here
http://www.mvps.org/winhelp2002/hosts.htm
HostsMan could be the best tool for having it updated: http://www.abelhadigital.com
HOSTS file redirect a common malware tactic to block AV sites making it difficult to remove malware. Check your HOSTS file using notepad or a text editor of your choice and look for entries with avast.com on the line, you may well see other AV sites.
-
I've deleted a tracking cookie from doubleclick. Is that bad? Im kinda new at this thing coz its my first time to encounter such problems. Im really lost! Thank you very much for all your help!
Ive searched the file c:/etc (file path for xp you've given me earlier) I couldn't see what you were pertaining to all I got was:
hosts
hosts.backup
lmhosts
networks
protocol
services
They're all under etc folder. THANK YOU SO MUCH!
-
No problem
-
I've deleted a tracking cookie from doubleclick. Is that bad? Im kinda new at this thing coz its my first time to encounter such problems. Im really lost! Thank you very much for all your help!
Ive searched the file c:/etc (file path for xp you've given me earlier) I couldn't see what you were pertaining to all I got was:
hosts
hosts.backup
lmhosts
networks
protocol
services
They're all under etc folder. THANK YOU SO MUCH!
the one you want is 'hosts'
or you could open notepad, click file --> open and paste this path into the filename:
C:\WINDOWS\system32\drivers\etc\hosts
It will open up and you can check it to see what it contains like Tech says
-Scott-
-
Is it good that I only have those things under my etc folder? wow it's now that I realize that there are too much threat!
Thank you! Thank you! for the insights!
-
Thank you Scott and tech! I really don't know what to do well I've downloaded spybot s&d from another pc and got it installed here at my eeepc. I was able to install it using a flashdisk I ran a scan and got three alerts from a tracking cookie, it was red so I removed it. When I checked my hosts file (thanks to Scott who taught me how to) spybot entered the host file after I immunized my system. What should I look for that seems suspiscious? I'll try to redownload the spyblaster to see if everything works out. Thank you guys!
-It's still getting cancelled. :( I guess it must be something from the previous infections. I ran everything MBM, SAS, AVG and SPYBOT none can be detected anymore.. Must be something from my registry.. :(
-
I'll try to redownload the spyblaster to see if everything works out. Thank you guys!
I think you are referring to spwareblaster. In any way dont go to spyblaster.com - it gives you a rogue application
-
got three alerts from a tracking cookie
Don't worry, almost innocuous.
What should I look for that seems suspiscious?
Open it in Notepad and post the contents here.
-
It's long so I split it in half. Thanks again!
-
here's part2! Thanks for your time!
-
@NMB yeah.. I was trying to download the spywareblaster that was posted earlier. Sorry for the typo..
BTW I just installed spybot a couple of hours ago.
-
I can't analyze such a big hosts file and can't make sure it's clean.
You can try to remove Spybot protection of the hosts file and check if all the entries disappear.
I also suggest you use HostsMan to completely substitute your hosts file and not using Spybot anymore.
HostsMan offers two options, completely substitute and update the hosts file. The first time you run it, choose substitute.
-
Thanks alot! I'll just download it to another pc. Is it ok if I just use MBM, SAS, Hostsman and AVG/Avast (I'm currently using AVG coz avast wasnt able to detect some of the trojans that were given to me by that darn oGax.exe)? Remove the Spybot completely or just replace it's host file with Hostsman? And which is better Spyware blaster of spybot 'coz you told me earlier to have my laptop immunized.
thank you so much!
-
Is it ok if I just use MBM, SAS, Hostsman and AVG/Avast (I'm currently using AVG coz avast wasnt able to detect some of the trojans that were given to me by that darn oGax.exe)?
Use only one antivirus at a time: or AVG or avast. If you want to receive help here, I suggest avast.
Remove the Spybot completely or just replace it's host file with Hostsman?
Remove the host protection (option) into Spybot and close the program.
If you don't know how to do it, just uninstall Spybot.
And which is better Spyware blaster of spybot 'coz you told me earlier to have my laptop immunized.
SpywareBlaster is better.
-
Thanks alot! I was using Avast for years now! Because of the initial problem of having two laptops infected at the same time with the same breed of virus I resorted to checking out different softwares/programs to clean it out. I still don't know where the heck did that OGax.exe came from and MBM was the only one that could detect it. I had no problems downloading the MBM and SAS even if I was infected with OGax.exe Trojan agent2.iie, Update.exe, DT.exe but with Avast anti rootkit I wasn't able to download it. After everything is cleaned I now can't download spybot and spyware blaster but I haven't tried simple anti-virus programs yet. I'll try everything tomorrow (given it's 3am here) and keep everyone updated. Thank you so much for all your help!
PS:
I'll be returning Avast soon, once my troubles will be solved so I won't have any problems with auto update.
:)
-
Is it ok if I just use MBM, SAS, Hostsman and AVG/Avast (I'm currently using AVG coz avast wasnt able to detect some of the trojans that were given to me by that darn oGax.exe)?
Use only one antivirus at a time: or AVG or avast. If you want to receive help here, I suggest avast.
I would choose avast and use AVG installer or revo uninstaller http://www.revouninstaller.com/ (http://www.revouninstaller.com/) to uninstall AVG.
-
Sucks for me though, Can't really download softwares using this laptop. But I tried other formats (mp3's) it can... I can't even download revo. Either cancelled or windows have no permission. :(
-
Seems like everyday AVG could find a trojan horse generic14.GID tucked away in my system restore! I ran MBAM and SAS nothing was detected what's going on why doesn't it go away! :(
-
Do not worry about anything found in system restore, these can be deleted by disabling,the re-enabling SR.This will delete ALL restore points.So you may want to leave it for now.
Try a couple of things, first post a HijackThis log, choose scan and save a log file.Copy/paste the txt log.
Also, preferably from a clean pc,download Avira Rescue CD. Simply download the file,double click it,insert blank disc, the program is burnt to disc.Insert disc into infected pc,reboot.Follow the instruction from the link.If anything is found,write down the findings and post back
http://filehippo.com/download_hijackthis/ (http://filehippo.com/download_hijackthis/)
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130 (http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130)
You said your laptop is one week old, if it has a recovery partition, the very best advise,would be to restore it to its factory settings,and start afresh.
-
this is an eeepc model, so i have no dvd/cd rom. Im trying to do the system restore tru the programs/application/system tools/system restore but usually an error happens. It keeps saying that it cannot perform system restore. Thanks alot! Im still trying to call the store from which I brought this maybe they can restore it using an external ROM.
Thank you very much for all your help!!! :)
-
Hi Mark1123emily
If you have the computer only one week, then you should not be experiencing these problems, especially in System Restore. If still under warranty, then the computer can be taken back to the vendor. If not under warranty, then the vendor should still make the effort to return the computer to running condition, though not obliged to. With eeepc, hard to imagine problems so quickly. Not the normal situation. But anyway, best to try the store first, then come back to the forum if you have no luck there, and provide any new details.
-
Seems like everyday AVG could find a trojan horse generic14.GID tucked away in my system restore! I ran MBAM and SAS nothing was detected what's going on why doesn't it go away! :(
Generic detections are a compromise between finding that normal signatures wouldn't find anf finding something that is a good file.
A generic signatures, is generally trying to catch multiple or new variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.
So when MBAM, SAS and previously avast befor you ran AVG found no infected restore point, I would have to doubt the AVG detection of the restore point using a generic signature.
System Volume Information folder Restore points are by their nature inert, you would have to use system restore and restore your computer to a point where the suspect/infected restore point was restored.
Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.
So as micky77 suggested clearing all restore points would resolve this once and for all, regardless if the detection by AVG is good or a false positive.
-
Hi! First of all, a big Thanks to everyone who have taken their time to help me. I've learned a lot from you guys.
Secondly, I've decided to do a system recovery (restoring it to it's original factory setting) provided by Asus. Since it's only almost two weeks old, I don't have any important files in it yet. I still don't know where I got the Malware OGax.exe that for some reason infected both laptops (eee pc 1000HE & 701). So to end my misery (Downloading problems) I did a system restore for the 1000HE which has a F9 system recovery function. I am currently installing Avast! an I'm planning to install MBAM, SAS and Spyware blaster. This laptop (1000HE) was the only one displayed on the shop. So I guess they must have used to it to a lot of demos to their customers. They claim that they only order one for each model and replace it when it is already sold. So I guess they used it to test the wifi, LAN etc to see if it's working and that might be the cause of the dreaded malware getting into it. The only thing that both came into contact with both laptops was my BF's SDHC card where he puts his files. Since I've gotten this laptop I only used it for net (Facebook mainly). But before I used it for net purposes I made sure to ALWAYS install Avast! Even with other Computers that I have (and repaired).
I'll update you guys to see if everything's OK.
Again, Thank you so much!
Mark1123emily
-
You're welcome, god luck with the factory restore.
-
Can you give me the link from which I can download the Avast home edition? seems now that is my problem I've tried Downloading Avast twice now but it says Connection Terminated retrying ???
Thanks
-
oki here it is:
http://www.avast.com/eng/download-avast-home.html
-
Thank you!!! :)
-
Can you give me the link from which I can download the Avast home edition? seems now that is my problem I've tried Downloading Avast twice now but it says Connection Terminated retrying ???
Are you using a download manager (if so what) ?
How are you downloading were you trying to download and install in one action or saving the installation file to your hard disk first ?
-
Secondly, I've decided to do a system recovery (restoring it to it's original factory setting)
Very wise decision. For the future,consider purchasing,something like Acronis True Image. This will take a snap shot of your entire computer,you can then restore to that image, no need to go back to square one. Also for safer surfing, consider using Sandboxie, all surfing,is contained in a 'sandbox' When you finish surfing , the entire box is deleted.
-
I got it from cnet. It needs to download the setupeng first before it automatically installs. I am currently Downloading the actual setupeng now.
@micky77- I'll consider that. I need to install Avast first before doing anything that involves the net
-
You would be best to get it directly from avast.com (from the link you were given scroll down to the language version you want) download.com gets very busy and that could be a factor.
Plus I don't like the download a small file that starts to do the installation whilst on-line, it is much better to get the full setup file (from avast as above instruction) and install off-line, you can then save a copy of that file, should you need it in the near future.
-
Yup I'm downloading it now.. I ran MBAM from my newly recovered laptop it says that I have one infection security.disabled from the registry what should I do about this?
-
This is weird even if I download the setup it fails to install :( says self extractions fails, clear internet cache, try downloading file again but I did clear my temp files before doing so.
First the trojans and now Avast! ???
-
I've managed to successfully install avast! :)
thanks guys!