Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: jpmartin on July 07, 2010, 04:50:39 AM
-
I suspect there are trojans in my computer. I scanned with Avira Security Suite, but it didn't detect them; I scanned with Malwarebytes' Anti-Malware, which detected and removed/deleted them. But after a reboot the trojans came back. Here are the HijackThis logs.
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Users\John\AppData\Local\Temp\Ujx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\program files\avira\antivir desktop\avcenter.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Rhdxnyxmng] rundll32 "C:\Users\John\AppData\Roaming\wbadmint.dll",Aszf
O4 - HKCU\..\Run: [EWABQAF7KL] C:\Users\John\AppData\Local\Temp\Ujx.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 7\Dfsdks.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Enterprise Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
--
-
Do you have Avast on your machine or are you just posting here?
-
Do you have Avast on your machine or are you just posting here?
I guess Avira forum is not that good......... ;D
-
Yes, I used to have the Avast Home version, but with the first version of 5.0 I had so many issues with it that I decided to change to Avira; since then everything has been fine.
-
I guess Avira forum is not that good......... ;D
That's what I was wondering.
If you don't have Avast, you really should be addressing your issue with Avira.
-
I guess Avira forum is not that good......... Grin
I agree with you, Avira's support forum is really bad :-\; but their software is really good at detection...
-
This should have been posted in the " virus and worms " section.......so next time ;)
Follow this guide from Essexboy, and attach the logs in your next reply here
http://forum.avast.com/index.php?topic=53253.0
see down left corner: Additional Options > Attach ( MBAM log / OTL.Txt and Extras.Txt )
-
I agree Pondus, but the OP does not have an Avast product and is posting here. He has avira.
-
I agree Pondus, but the OP does not have an Avast product and is posting here. He has avira.
That is the best thing about this forum......everyone gets malware help..... ;D
-
OK... :-*
-
here is the log....
08:34:55 John MESSAGE Protection started successfully
08:34:58 John MESSAGE IP Protection started successfully
08:50:44 John IP-BLOCK 89.185.229.128
09:12:14 John IP-BLOCK 208.73.210.28
09:33:12 John IP-BLOCK 212.117.164.211
09:33:36 John IP-BLOCK 213.5.64.5
11:58:48 John IP-BLOCK 212.117.164.211
11:58:48 John IP-BLOCK 212.117.164.211
11:58:48 John IP-BLOCK 212.117.164.211
11:58:48 John IP-BLOCK 212.117.164.211
11:58:56 John IP-BLOCK 212.117.164.211
11:58:56 John IP-BLOCK 212.117.164.211
14:40:31 John MESSAGE Protection started successfully
14:40:35 John MESSAGE IP Protection started successfully
14:52:58 John MESSAGE Protection started successfully
14:53:02 John MESSAGE IP Protection started successfully
15:06:50 John MESSAGE Protection started successfully
15:06:53 John MESSAGE IP Protection started successfully
15:50:16 John IP-BLOCK 89.185.229.128
16:02:41 John IP-BLOCK 212.117.164.211
16:02:41 John IP-BLOCK 212.117.164.211
16:02:49 John IP-BLOCK 212.117.164.211
16:21:15 John IP-BLOCK 212.117.164.211
16:21:23 John IP-BLOCK 212.117.164.211
16:40:37 John IP-BLOCK 212.117.164.211
16:40:53 John IP-BLOCK 212.117.164.211
17:47:24 John IP-BLOCK 95.211.99.84
17:47:24 John IP-BLOCK 62.213.100.140
17:50:12 John IP-BLOCK 217.23.9.248
17:53:01 John IP-BLOCK 216.240.146.119
18:07:08 John MESSAGE Protection started successfully
18:07:11 John MESSAGE IP Protection started successfully
18:19:35 John MESSAGE Protection started successfully
18:19:39 John MESSAGE IP Protection started successfully
19:14:42 John MESSAGE Protection started successfully
19:14:45 John MESSAGE IP Protection started successfully
19:18:53 John IP-BLOCK 94.75.228.175
19:18:53 John IP-BLOCK 94.75.228.175
19:28:55 John MESSAGE IP Protection stopped
19:28:55 John MESSAGE IP Protection started successfully
19:29:17 John MESSAGE IP Protection stopped
19:29:18 John MESSAGE IP Protection started successfully
19:35:02 John IP-BLOCK 94.75.228.175
19:35:02 John IP-BLOCK 94.75.228.175
20:29:08 John IP-BLOCK 94.75.228.175
20:29:08 John IP-BLOCK 94.75.228.175
20:30:53 John IP-BLOCK 94.75.228.175
20:30:53 John IP-BLOCK 94.75.228.175
20:49:16 John DETECTION C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB Trojan.Downloader QUARANTINE
21:25:01 John DETECTION C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB Trojan.Downloader DENY
21:49:29 John DETECTION C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB Trojan.Downloader DENY
22:10:24 John MESSAGE Protection started successfully
22:10:28 John MESSAGE IP Protection started successfully
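The log pasted above is MBAM's protection log (real-time IP blocks and on-access detections), not the scan log the helpers asked for, which is why it shows no removal results. It is still worth summarising: repeated blocks of the same addresses and the same scheduled-task file being detected three times (quarantined, then denied twice) point to something on the machine re-creating it. The Python below is an added example written for this thread, not part of the original post or of Malwarebytes; it parses that line format and reports blocked addresses, detections and re-created paths. The sample lines are a constructed subset of the log quoted above.

```python
import re
from collections import Counter

# Constructed sample in the MBAM protection-log line format quoted in the thread
# (time, user, event kind, details). Raw string, so the Windows paths stay literal.
SAMPLE_PROTECTION_LOG = r"""
08:34:55 John MESSAGE Protection started successfully
08:34:58 John MESSAGE IP Protection started successfully
08:50:44 John IP-BLOCK 89.185.229.128
11:58:48 John IP-BLOCK 212.117.164.211
11:58:48 John IP-BLOCK 212.117.164.211
14:40:31 John MESSAGE Protection started successfully
14:40:35 John MESSAGE IP Protection started successfully
19:18:53 John IP-BLOCK 94.75.228.175
19:28:55 John MESSAGE IP Protection stopped
19:28:55 John MESSAGE IP Protection started successfully
20:49:16 John DETECTION C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB Trojan.Downloader QUARANTINE
21:25:01 John DETECTION C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB Trojan.Downloader DENY
21:49:29 John DETECTION C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB Trojan.Downloader DENY
"""

# One protection-log line: HH:MM:SS, user name, event kind, free-form remainder.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<user>\S+) (?P<kind>MESSAGE|IP-BLOCK|DETECTION) (?P<rest>.*)$"
)


def parse_protection_log(text):
    """Turn the raw log into a list of event dicts; unrecognised lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"time": m.group("time"), "user": m.group("user"), "kind": m.group("kind")}
        rest = m.group("rest")
        if ev["kind"] == "IP-BLOCK":
            ev["ip"] = rest.strip()
        elif ev["kind"] == "DETECTION":
            # The path may contain spaces, so split the threat name and action off the right end.
            path, threat, action = rest.rsplit(None, 2)
            ev.update(path=path, threat=threat, action=action)
        else:
            ev["text"] = rest.strip()
        events.append(ev)
    return events


def summarize(events):
    """Aggregate the events into the facts a helper would want at a glance."""
    blocked = Counter(e["ip"] for e in events if e["kind"] == "IP-BLOCK")
    detections = [e for e in events if e["kind"] == "DETECTION"]
    per_path = Counter(e["path"] for e in detections)
    # A path detected more than once in one day was put back after being dealt with:
    # the persistence mechanism that creates it is still active.
    recreated = sorted(p for p, n in per_path.items() if n > 1)
    # "Protection started successfully" (without the "IP " prefix) marks a full restart of MBAM.
    starts = sum(1 for e in events
                 if e["kind"] == "MESSAGE" and e["text"] == "Protection started successfully")
    return {"blocked_ips": blocked, "detections": detections,
            "recreated": recreated, "protection_starts": starts}


def report(text):
    """Human-readable summary of a protection log; returns the lines so callers can check them."""
    s = summarize(parse_protection_log(text))
    lines = [f"protection restarts: {s['protection_starts']}"]
    for ip, n in s["blocked_ips"].most_common():
        lines.append(f"blocked {ip} x{n}")
    for d in s["detections"]:
        lines.append(f"{d['time']} {d['action']:<10} {d['threat']} {d['path']}")
    for p in s["recreated"]:
        lines.append(f"re-created after action, persistence still active: {p}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROTECTION_LOG)))
```

Run it against a full protection log (copy the text into SAMPLE_PROTECTION_LOG or read a file into `report`) and the re-created list is the part to act on: quarantining the artefact alone does not help while its creator survives reboots, which is exactly the behaviour the opening post describes.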
-
This should have been posted in the " virus and worms " section.......so next time ;)
Follow this guide from Essexboy, and attach the logs in your next reply here
http://forum.avast.com/index.php?topic=53253.0
see down left corner: Additional Options > Attach ( MBAM log / OTL.Txt and Extras.Txt )
Where is this log from? It doesn't look like an MBAM scan log as Pondus directed, then OTL if positive.
Besides Avira, do you also have McAfee?
-
That looks like the log list in MBAM and not what we want.
We want the scan log, that will show the malware found and removed
-
OK, I'm a little confused on the OTL?
And the scan log, isn't it the list after MBAM finished the scan?
-
How do I get to the scan log?
-
It should pop up automatically in a Notepad format. It is the 4th tab over from the left in version 1.46 of MBAM.
Click update so you have the latest database before scanning.
- Under Settings:
  - General: Automatically Save File After Scan Completes is checked off
  - Scanner Settings: Check all boxes
  - Updater: Download and install update if available is checked off
- Once the program has loaded, select "Perform FULL Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note.)
- Click the "remove selected" button to quarantine anything found. You will find the infection details under the Quarantine tab.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
-
OK, I think I get it... I hope this is what you want.
OTL logfile created on: 7/6/2010 11:11:16 PM - Run 1
OTL by OldTimer - Version 3.2.7.1 Folder = D:\My Downloads
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 92.66 Gb Free Space | 72.39% Space Free | Partition Type: NTFS
Drive D: | 74.50 Gb Total Space | 58.07 Gb Free Space | 77.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: JOHN-PC
Current User Name: John
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
========== Processes (SafeList) ==========
PRC - [2010/07/06 23:09:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\My Downloads\OTL.exe
PRC - [2010/07/06 17:53:23 | 000,163,840 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\Ujx.exe
PRC - [2010/06/27 07:56:00 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/04/19 19:07:27 | 000,536,232 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
PRC - [2010/04/19 19:07:27 | 000,405,672 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2010/04/19 19:07:27 | 000,337,064 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
PRC - [2010/04/19 19:07:27 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/25 13:20:06 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
PRC - [2010/03/25 12:40:50 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/03/25 12:40:49 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/03/25 12:40:49 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/24 22:16:36 | 000,406,016 | ---- | M] (mst software GmbH, Germany) -- C:\Program Files\Ashampoo\Ashampoo WinOptimizer 7\DfSdkS.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 18:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
-
OK, I think you mean this, but it is too long.
PRC - [2010/07/06 23:09:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\My Downloads\OTL.exe
PRC - [2010/07/06 17:53:23 | 000,163,840 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\Ujx.exe
PRC - [2010/06/27 07:56:00 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/04/19 19:07:27 | 000,536,232 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
PRC - [2010/04/19 19:07:27 | 000,405,672 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2010/04/19 19:07:27 | 000,337,064 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
PRC - [2010/04/19 19:07:27 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/25 13:20:06 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
PRC - [2010/03/25 12:40:50 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/03/25 12:40:49 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/03/25 12:40:49 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/24 22:16:36 | 000,406,016 | ---- | M] (mst software GmbH, Germany) -- C:\Program Files\Ashampoo\Ashampoo WinOptimizer 7\DfSdkS.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 18:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
========== Modules (SafeList) ==========
MOD - [2010/07/06 23:09:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\My Downloads\OTL.exe
MOD - [2009/07/13 18:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 18:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 18:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 18:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 18:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 18:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 18:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 18:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 18:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 18:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 18:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
-
Where is the MBAM Full Scan?
-
Returning to yr OP (opening post) and the HijackThis log, JP Martin
- you appear to be infected - the following two entries
C:\Users\John\AppData\Local\Temp\Ujx.exe
O4 - HKCU\..\Run: [EWABQAF7KL] C:\Users\John\AppData\Local\Temp\Ujx.exe
Check this link -- http://www.superantispyware.com/malwarefiles/UJX.EXE.html
First I would download and run Superantispyware (SAS) as advised, and that should remove the infection.
Then run another HjT scan and see how it is doing.
-
HijackThis log
To fix an entry in HjT, put a check in the box next to the entry
go to left bottom corner and click Fix Checked
Here is yr trojan downloader - Fix checked
O4 - HKCU\..\Run: [EWABQAF7KL] C:\Users\John\AppData\Local\Temp\Ujx.exe
This one will slow down yr computer - fix checked
O13 - Gopher Prefix:
browser online games - you should know the program
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
OTL log
the following entry directs to the virus -
========== Processes (SafeList) ==========
PRC - [2010/07/06 17:53:23 | 000,163,840 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\Ujx.exe
also in memory properties, the page file entry - not that familiar with OTL, someone else
Paging file location(s): ?:\pagefile.sys [binary data]
Edit - okay, I have been to OTL to look now and this entry is normal when running.
-
Thank you mkis and SafeSurf, and others; you guys are very helpful in showing step by step how to remove viruses. ;D ;D
Avast forums are the best at helping others.... ;) ;)
-
Follow these destructions
GMER Rootkit Scanner - Download (http://www.gmer.net/gmer.zip) - Homepage (http://www.gmer.net/)
- Download GMER
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe.
- If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
- Save the log where you can easily find it, such as your desktop.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.
THEN
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select Scan all users
- Under the Custom Scan box paste this in
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach all logs
-
jpmartin,
Thank you for letting us fix your problem. :) Would you like to give Avast another try since we fixed your problem?
Here are the links to the downloads for the latest versions of Avast 5.0.594:
Free – http://files.avast.com/iavs5x/setup_av_free.exe
Pro – http://files.avast.com/iavs5x/setup_av_pro.exe
AIS – http://files.avast.com/iavs5x/setup_ais.exe
Thank you to the other Evangelists who assisted in this situation as well.
-
McAfee could be conflicting with Avast; also, you need to get rid of all the old leftover crap that security programmes leave behind.
-
SHARKY7SHARKY,
McAfee has already been addressed with the OP. However, the priority is for the OP to remove the virus first, which he understands how to do. Thank you for your input. ;)