OTL or some thing

[jpmartin]

hello everyone,

Ijust wondering if someone can give me a link to download OTL or something to post my threat. Thanks

[SafeSurf]

If you are having a malware problem, please post it in the Virus and Worms section of the forum. 

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.  Follow the directions of obtaining an MBAM log (make sure you update MBAM first) and OTL logs and you can post the MBAM log here (copy and past) and the OTL log as an attachment (Additional Options in the bottom left corner under the message screen when posting).  We can then analyze this in the meantime for any malware, and if any malware is found we will refer you to one of our malware experts.  Thank you.

[DavidR]

hello everyone,

Ijust wondering if someone can give me a link to download OTL or something to post my threat. Thanks

Not only should you post it in the viruses and worms forum. You really should start the ball rolling with what is wrong with the system, alerts, etc. etc. before jumping in with an OTL log. The background to the problem will also give useful information to whoever is going/able to help.

[jpmartin]

sorry for not clearing my situation. My problem is that recently i got infected with Trojans, and I'm still down know it got into my system. I had tried scans my system and detected this files TR/Spy.114688.391 in my system. I have tried in normal scans and remove it unsuccessful; then i tried in safe mode but after reboot the virus come back as well and in the log it said this

"The file 'C:\Users\John\AppData\Roaming\wbadmint.dll'
contained a virus or unwanted program 'TR/Spy.114688.391' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
The file could not be copied to quarantine!
The file could not be deleted!
The file was ignored!

I have tried all method but unsuccessful  . I scan with Malwarebytes' Anti-Malware and SUPERAntiSpyware Free Edition come with nothing in two full scan in standard mode and safe mode, didn't catch anything.


and right now I'm using avira security suite {I know post the problem in the wrong forums, but avira respond are way too slow, .... } also i'm suspected is a false positive, but not so sure. If someone from avast can lead me some light how to fix this problems that would be big help. Thanks in avance.......
 

[mkis]

Hi jpmartin

please could you run a hijackthis scan first to give us an overview of yr running gear
download hijackthis from here - click download link up in right corner (1.34mb)

http://www.filehippo.com/download_hijackthis/

run with save a log file and attach log to yr reply post using additional options (down left corner)

[jpmartin]

ok

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:34 PM, on 8/8/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=EM641578&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=EM641578&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=EM641578&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=EM641578&id=menu_ie_exclude
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=EM641578&id=menu_ie_report
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--
End of file - 6719 bytes

[jpmartin]

well tell you the truth I look through this hijackthis log didn't see anything wrong with it, but when i scan the OTL log show the problem.

[jpmartin]

In OTL log sow the problem, so here is the end of the OTL log

========== Files Created - No Company Name ==========
 
[2010/08/07 15:43:50 | 000,001,981 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/28 09:32:10 | 000,001,411 | ---- | C] () -- C:\Users\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/08 20:01:31 | 000,001,219 | ---- | C] () -- C:\Users\John\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced SystemCare.lnk
[2010/07/08 20:01:31 | 000,001,195 | ---- | C] () -- C:\Users\Public\Desktop\Advanced SystemCare.lnk
[2010/07/06 17:53:21 | 000,114,688 | RHS- | C] () -- C:\Users\John\AppData\Roaming\wbadmint.dll      [2009/10/04 14:48:52 | 000,190,976 | ---- | C] () -- C:\Windows\System32\WgaLogon.dll   {this is the problem showed in the avira reported}
[2009/08/03 15:07:42 | 000,667,136 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/26 20:02:59 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys
[2009/06/26 16:29:53 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/06/26 13:03:49 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
 
========== LOP Check ==========
 
[2010/06/30 14:35:56 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\Christofer Persson
[2010/08/07 20:31:52 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\FFSJ
[2010/07/28 08:37:52 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\IObit
[2010/07/09 15:19:08 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\LimeWire
[2010/07/20 20:13:55 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\Thinstall
[2009/10/22 17:30:28 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\Xilisoft Corporation
[2010/06/10 16:21:47 | 000,032,588 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 

[YoKenny]

 jpmartin is running Avira not avast! 

O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe

and right now I'm using avira security suite {I know post the problem in the wrong forums, but avira respond are way too slow, .... }

[mkis]

@jpmartin - sorry about the delay

I put the Hijackthis scan to an independent analyser

HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt

Ad Muncher removes adverts, pop-ups and general annoyances in your browser, file-sharing and messenger programs. Causes conflicts with Outlook, game sites and web-building applications

It would not be unusual if there were resource conflicts, perhaps desktop or browser, but this would be most evident to the user - the issues will be noticeable. Otherwise, Admuncher is unlikely to be an issue. Bear in mind that there could easily be resource conflicts.

The following two entries could be an issue  -

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

To be fixed if not done intentionally. Fix this entry if you did not activate the 'Lock homepage from changes' option in some kind of anti-spyware tool.

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

To be fixed if not done intentionally. Fix this entry if you did not activate the 'Lock homepage from changes' option in some kind of anti-spyware tool.

If you have to intended to run the above settings then they are okay. If not I would advise you to fix them. I notice that you have proxy override. could you tell us a bit about this. If you decide to fix, then at the end check settings in Internet Options in Control Panel. (default is to best case scenario).

I dont know much about adobe platform on network though I do know adobe do this.


I think that when you consider the earlier issues with yr avira installation, and now the recurrence of issues. You do appear to have been infected if that is not so much the case now. The roaming | bamint thing I dont know about but appears to be an avira detection reading that I dont know much about. I would recommend that you completely uninstall avira from yr computer using the proper utility and install avast 5 Free.