Author Topic: Is It a Virus!? Please Help.  (Read 10867 times)


l.lawliet

  • Guest
Is It a Virus!? Please Help.
« on: June 08, 2009, 11:39:52 PM »
Help! I think my computer is infected, because in Task Manager it showed EPHQ.exe, which avast! detected too but couldn't remove. Please, how can I remove it?

I also have malwarebytes.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Is It a Virus!? Please Help.
« Reply #1 on: June 08, 2009, 11:50:19 PM »
What was the name of the virus? Where was it located?

Action 1: Do a boot time scan with avast.

If failed, Action 2: Download SuperAntiSpyware and do a full system scan.

If failed, Action 3: Send it to VirusTotal and post the findings. Try doing a full scan with a savelog file with Trend Micro HijackThis and report the findings.

If failed I will lead you to more actions.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

l.lawliet

  • Guest
Re: Is It a Virus!? Please Help.
« Reply #2 on: June 08, 2009, 11:52:58 PM »
It is called Win32:Ardamax-KB [Spy] and is in C:\windows\system32. Now I'm going to do a boot-time scan.
« Last Edit: June 08, 2009, 11:56:47 PM by l.lawliet »

Offline !Donovan

Re: Is It a Virus!? Please Help.
« Reply #3 on: June 09, 2009, 12:00:30 AM »
> It is called Win32:Ardamax-KB [Spy] and is in C:\windows\system32. Now I'm going to do a boot-time scan.

Ah, someone is spying on your keystrokes and taking screenshots of your PC with Ardamax 2.8 or 2.9. A boot time scan should remove this virus. Be warned that everything you typed got spied on, so change all your passwords.

l.lawliet

  • Guest
Re: Is It a Virus!? Please Help.
« Reply #4 on: June 09, 2009, 12:27:25 AM »
Ardamax is over, but something else just appeared; avast detected it in C:/Program Files/Internet Explorer/ods.exe and, in the same folder, msn.exe. Help.

Offline !Donovan

Re: Is It a Virus!? Please Help.
« Reply #5 on: June 09, 2009, 12:30:06 AM »
Again, what is the filename, where is it located, and what is the virus name? Upload it to VirusTotal and report the results.

Edit: my 500th post. *cheers*

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: Is It a Virus!? Please Help.
« Reply #6 on: June 09, 2009, 12:52:05 AM »
> Ardamax is over, but something else just appeared; avast detected it in C:/Program Files/Internet Explorer/ods.exe and, in the same folder, msn.exe. Help.

What was the malware name given?

This could be cloaked malware, so it might have other elements, and avast is detecting the file creation but not what is creating them. What is your firewall?

What does the MBAM scan log say?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

l.lawliet

  • Guest
Re: Is It a Virus!? Please Help.
« Reply #7 on: June 09, 2009, 01:04:27 AM »
>> Ardamax is over, but something else just appeared; avast detected it in C:/Program Files/Internet Explorer/ods.exe and, in the same folder, msn.exe. Help.
>
> What was the malware name given?
>
> This could be cloaked malware, so it might have other elements, and avast is detecting the file creation but not what is creating them. What is your firewall?
>
> What does the MBAM scan log say?

Win32:Trojan-Gen{Other}

Windows firewall

Malwarebytes' Anti-Malware 1.37
Database version: 2249
Windows 5.1.2600 Service Pack 3

08/06/2009 5:18:49 PM
mbam-log-2009-06-08 (17-18-49).txt

Scan type: Quick Scan
Objects scanned: 78858
Time elapsed: 17 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Backdoor.Bot) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Internet Explorer\ods.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\stm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
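
Added example (not part of the original thread and not any poster's code): the Python sketch below reads result lines copied from the MBAM log above, lists the items that are only scheduled as "Delete on reboot", and splits the hijacked Winlogon Userinit value to show which extra program it starts at logon. The function names and the `C:\WINDOWS\system32` default are assumptions made for illustration.

```python
import re
from ntpath import normcase  # Windows path comparison rules on any OS

# Result lines copied from the MBAM log posted above (a subset).
LOG = r"""
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Backdoor.Bot) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Internet Explorer\ods.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

RESULT = re.compile(r"^(?P<item>.+?) \((?P<label>[\w.]+)\) -> (?P<rest>.+)$")
BAD_DATA = re.compile(r"Bad: \((?P<data>[^)]*)\)")


def parse_results(log):
    """Return (item, label, action) per result line; action is the last '->' field."""
    rows = []
    for line in log.splitlines():
        m = RESULT.match(line.strip())
        if m:
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            rows.append((m.group("item"), m.group("label"), action))
    return rows


def pending_on_reboot(rows):
    """Items only scheduled for removal: they remain in place until the reboot."""
    return [item for item, _, action in rows if action == "Delete on reboot"]


def extra_userinit_entries(data, system32=r"C:\WINDOWS\system32"):
    """Split a Userinit value on commas; return entries that are not userinit.exe in system32."""
    allowed = {"userinit.exe", normcase(system32 + "\\userinit.exe")}
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if normcase(e) not in allowed]


def hijacked_userinit(log):
    """Extra programs found in every 'Bad: (...)' Userinit value reported in the log."""
    return [e for m in BAD_DATA.finditer(log) for e in extra_userinit_entries(m.group("data"))]


if __name__ == "__main__":
    print("pending:", pending_on_reboot(parse_results(LOG)))
    print("extra Userinit entries:", hijacked_userinit(LOG))
```

Entries still listed as pending after the reboot, or a Userinit value that again contains more than userinit.exe, mean the cleanup did not complete and the scan should be repeated.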

Mr.Agent

  • Guest
Re: Is It a Virus!? Please Help.
« Reply #8 on: June 09, 2009, 01:26:44 AM »
If you recently downloaded a keygen or hacks, it can be the cause of the problem. I repeat: never do this. Hackers are outside the door of your PC and wait for you to drop off to steal everything. May God bless you. I cannot help with this, but I can just say: fight for your life! And I hope another good avast! user and evangelist can help you. I'm not an expert, I'm only a beginner.

Sorry.

Mr.Agent

Offline !Donovan

Re: Is It a Virus!? Please Help.
« Reply #9 on: June 09, 2009, 01:54:34 AM »
>>> Ardamax is over, but something else just appeared; avast detected it in C:/Program Files/Internet Explorer/ods.exe and, in the same folder, msn.exe. Help.
>>
>> What was the malware name given?
>>
>> This could be cloaked malware, so it might have other elements, and avast is detecting the file creation but not what is creating them. What is your firewall?
>>
>> What does the MBAM scan log say?
>
> Win32:Trojan-Gen{Other}
>
> Windows firewall
>
> <Quoted MBAM log removed>

It would have been nice if you sent the files to the avast chest and sent them to Alwil instead...

l.lawliet

  • Guest
Re: Is It a Virus!? Please Help.
« Reply #10 on: June 09, 2009, 02:31:09 AM »
Okay, I'll do it. And no, I did not download a keygen or cracks etc. I will send everything in the Chest ;D
« Last Edit: June 09, 2009, 02:33:02 AM by l.lawliet »

Offline DavidR

Re: Is It a Virus!? Please Help.
« Reply #11 on: June 09, 2009, 03:12:01 AM »
OK these ones detected as trojan.agent are often also downloaders, so they download more malware, so you need a firewall that is capable of blocking unauthorised outbound Internet Connections.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third-party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as, Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Online Armor and recently released, Outpost Firewall free 6.5 (2009)

See http://www.matousec.com/projects/firewall-challenge/results.php.

Many forum users are using all of the above:
- PC Tools Firewall seems to have the least user headaches as it doesn't seem to be constantly asking the user questions about this and that.
- Online Armor is for the most part fine, but it has caused some users grief after avast program updates, and that is something you have to watch out for.
- Comodo is now a suite and you have to do a custom install so as not to install the antivirus element (or use the add remove programs to remove the AV element if already installed). Of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used, so it could be daunting for those not too familiar with firewalls or their systems.
- Outpost Firewall 2009 free, a cut down version of the Outpost Firewall Pro version, which should still provide good protection, http://free.agnitum.com/. Download, http://www.filehippo.com/download_outpost_firewall/

Mr.Agent

  • Guest
Re: Is It a Virus!? Please Help.
« Reply #12 on: June 09, 2009, 12:50:30 PM »
Like DavidR said, Vista is more secure because they added an outbound connection so it's more protected.

Offline DavidR

Re: Is It a Virus!? Please Help.
« Reply #13 on: June 09, 2009, 03:16:23 PM »
Only if it is enabled and by default it isn't enabled.

l.lawliet

  • Guest
Re: Is It a Virus!? Please Help.
« Reply #14 on: June 10, 2009, 09:51:02 PM »
Please help the two viruses

ods.exe
msn.exe
stm.exe


They always come back after reboot.

Help.

I chose Comodo Firewall

stm.exe was removed but not the other ones.
« Last Edit: June 10, 2009, 11:41:47 PM by l.lawliet »