Please help a newbie (Hijackthis log included)

[bohemia]

Hi, I've just gotten a new laptop and am terrified as I keep getting the virus found message - three of them every hour in quick succession.  I don't know much about computers, so would really appreciate some help.  The log for the message read:

24/03/2008 3:21:44 AM   SYSTEM   1976   Sign of "Win32:Agent-SXR [Wrm]" has been found in "w1.m[broken]adway.net/u/_qbotnti.exe" file. 

I'm even more terrified as last time the virus found message popped up, I stupidly closed the window with the X instead of clicking the block button!  I was recommended Hijackthis, but of course have no idea what the log means, so here it is.  I would be very grateful for some help.

[DavidR]

Well the detection is good as DrWeb link checker also detects (In file _qbotnti.exe found virus BackDoor.IRC.Qbot.origin). Please modify your post and edit the URL so it isn't active, avoiding accidental exposure to the curious, e.g. "http :// w1 . madway.net/u/_qbotnti.exe"

Thankfully the web shield should be detecting this and only gives one option 'Abort Connection.' This stops the file from being downloaded to your system, that's the good news. The bad news there is something undetected or hidden on your system trying to connect to that site.

What is your firewall (it should be capable of blocking unauthorised outbound Internet Connections) as it is either XP's firewall or disabled ?

You are using the beta version of HJT and that isn't the latest, so you should get the latest one, FileHippo Download - HiJackThis and run it again.

You are also running HJT from the Desktop it should be in its own folder, the above download file should create a folder for it.

Once you have done that post the new log.

[bohemia]

Thanks very much for your help.  Since then, avast has located the virus itself on my computer and I moved it to the chest.  It then happened again - the log file is attached.

I have run the new HiJackThis, and attach the log for that as well.

Finally, I downloaded the trial of System Mechanic (in my little panic).  I used it to clean up my start items, I thought, but now I've removed the auto start for the fingerprint scanner I use a lot for internet banking etc.  I really need it back - any tips?  It's still there on the windows startup screen.  It's Protector Suite QL, if that helps.  There was nothing on the settings menu for it that struck me as immediately relevant.

Ok, one more question - is System Mechanic going to interact negatively with avast?

Again, thanks a lot for your help - computers and I have never really understood one another.

[Lisandro]

I've removed the auto start for the fingerprint scanner I use a lot for internet banking etc.  I really need it back - any tips?  It's still there on the windows startup screen.

Isn't there a quarantine or restore feature into System Mechanic?

It works perfectly with avast.

[bohemia]

There is, but it confused me somewhat - I'm happy to report that there was a repair option for the fingerprint scan after all, and it's back up and running.

I can't believe how quick you guys are with your responses!  This forum is great.

[bohemia]

Further update - I'm now also getting additional virus found messages.  Logs attached.   Ahhhrrrggg!

[oldman]

Hi

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.[/color]
  
  -----------------------------------------------------------

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
  
• When finished, it will produce a report for you. 
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[DavidR]

You are still using the beta version of HJT (there is a more up to date one, I gave the link) and you are still running it from the desktop.

[rockstar_not]

I'm getting the same warning about the _qbotnti.exe from the same website.

Windows DEP also will say that it is closing Windows Explorer.

So what is the recommended action here?

There's mixed recommendations.  Also, what exactly is Hijack This - the name sounds like a virus itself.

[polonus]

Hi rockstar_not,

HijackThis and ComboFix are two of the best things that happened to malware fighters, it was made by a Dutch student by the name of Merijn Bellekom. It is NO malware, it is the best ANTI-Malware analysis tool we have, together with the more recent DSS scanner tool. Read and orientate here:
http://forum.avast.com/index.php?topic=28597.msg233800#msg233800
I propose you to download hjt and put a log file as an attachment to your next posting, and follow the recommendations of "oldman" as posted above,

polonus

[DavidR]

@ rockstar_not

Please don't post your HiJackThis log in this topic, it will only confuse matters having different analysis/help going on in the same topic. Click the New Topic button at the top of the forum list of topics (presumably how you arrived at this topic).

[rockstar_not]

@ rockstar_not

Please don't post your HiJackThis log in this topic, it will only confuse matters having different analysis/help going on in the same topic. Click the New Topic button at the top of the forum list of topics (presumably how you arrived at this topic).

David - understood.

I downloaded Hijack this, ran it and posted a new topic with attached logfile.  It's in the thread linked here:
http://forum.avast.com/index.php?topic=34466.0

I think the advice is to wait until that's analyzed before trying the other compfix program, correct?

[DavidR]

Probably best, to check out the HJT first there might be something obvious that can be fixed.