Author Topic: need some experts on this!!  (Read 11754 times)


jpmartin

  • Guest
need some experts on this!!
« on: July 07, 2010, 04:50:39 AM »
I suspect there are trojans on my computer. I scanned with Avira security suite, but it didn't detect them; scanning with Malwarebytes' Anti-Malware detected and removed/deleted them, but after a reboot the trojans came back. Here is the HijackThis log.

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Users\John\AppData\Local\Temp\Ujx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\program files\avira\antivir desktop\avcenter.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Rhdxnyxmng] rundll32 "C:\Users\John\AppData\Roaming\wbadmint.dll",Aszf
O4 - HKCU\..\Run: [EWABQAF7KL] C:\Users\John\AppData\Local\Temp\Ujx.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 7\Dfsdks.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Enterprise Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe

--
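The O4 (autorun) lines in the log above are where the reinfection after reboot shows up: two HKCU Run values launch from the user's Temp and AppData\Roaming folders, one of them via rundll32, and both carry machine-generated value names. The triage script below is an added example, not part of the original thread or of HijackThis; it parses O4 lines in the format shown in the log and flags entries on those three defender-side heuristics (user-writable launch path, rundll32 loading a DLL from such a path, random-looking value name). The sample input is copied from the log posted above.

```python
import re
# O4 (autorun) lines copied from the HijackThis log posted in this thread, used as sample input.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Rhdxnyxmng] rundll32 "C:\Users\John\AppData\Roaming\wbadmint.dll",Aszf
O4 - HKCU\..\Run: [EWABQAF7KL] C:\Users\John\AppData\Local\Temp\Ujx.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
"""

# Line shape: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First drive- or %VAR%-rooted path ending in an executable/DLL extension, quoted or not.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd)', re.I)
# Directories any standard user (hence any malware running as that user) can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")

def looks_random(name: str) -> bool:
    """Machine-generated value names: an upper-case letter/digit jumble, or long and nearly vowel-free."""
    if len(name) < 8:
        return False
    if re.fullmatch(r"[A-Z0-9]+", name) and re.search(r"\d", name):
        return True
    letters = [c for c in name.lower() if c.isalpha()]
    return bool(letters) and sum(c in "aeiou" for c in letters) / len(letters) < 0.2

def triage_o4(log_text: str) -> list:
    """Parse every O4 line and attach the reasons (possibly none) it deserves a closer look."""
    results = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        found = PATH_RE.search(m["cmd"])
        path = found.group(0) if found else ""
        in_user_dir = any(d in path.lower() for d in USER_WRITABLE)
        reasons = []
        if in_user_dir:
            reasons.append("user_writable_path")  # binary sits where no installer would normally put it
        if m["cmd"].lower().startswith("rundll32") and in_user_dir:
            reasons.append("rundll32_user_dll")  # built-in loader used to run a DLL out of the profile
        if looks_random(m["name"]):
            reasons.append("random_value_name")
        results.append({"hive": m["hive"], "key": m["key"], "name": m["name"], "path": path, "reasons": reasons})
    return results

def suspicious_o4(log_text: str) -> list:
    """Only the entries that tripped at least one rule, in log order."""
    return [r for r in triage_o4(log_text) if r["reasons"]]
```

Run against the sample, only the Rhdxnyxmng and EWABQAF7KL entries are reported; the Avira, iTunes and Sidebar autoruns pass all three rules.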

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #1 on: July 07, 2010, 06:51:51 AM »
Do you have Avast on your machine or are you just posting here?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: need some experts on this!!
« Reply #2 on: July 07, 2010, 07:00:14 AM »
Do you have Avast on your machine or are you just posting here?
I guess Avira forum is not that good......... ;D

jpmartin

  • Guest
Re: need some experts on this!!
« Reply #3 on: July 07, 2010, 07:05:06 AM »
Yes, I used to have the Avast Home version, but when the first version of 5.0 came out I had so many issues with it that I decided to change to Avira; since then everything has been fine.

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #4 on: July 07, 2010, 07:11:29 AM »
I guess Avira forum is not that good......... ;D
That's what I was wondering.
If you don't have Avast, you really should be addressing your issue with Avira.

jpmartin

  • Guest
Re: need some experts on this!!
« Reply #5 on: July 07, 2010, 07:14:49 AM »
I guess Avira forum is not that good......... Grin
I agree with you, the Avira support forums are really bad :-\ but their software is really good at detection...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: need some experts on this!!
« Reply #6 on: July 07, 2010, 07:16:14 AM »
This should have been posted in the "virus and worms" section.......so next time  ;)

Follow this guide from Essexboy, and attach the logs in your next reply here
http://forum.avast.com/index.php?topic=53253.0

see down left corner: Additional Options > Attach ( MBAM log / OTL.Txt and Extras.Txt )
« Last Edit: July 07, 2010, 07:20:23 AM by Pondus »

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #7 on: July 07, 2010, 07:19:36 AM »
I agree Pondus, but the OP does not have an Avast product and is posting here. He has Avira.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: need some experts on this!!
« Reply #8 on: July 07, 2010, 07:22:14 AM »
I agree Pondus, but the OP does not have an Avast product and is posting here.  He has avira.
That is the best thing about this forum......everyone gets malware help..... ;D

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #9 on: July 07, 2010, 07:25:29 AM »
OK... :-*

jpmartin

  • Guest
Re: need some experts on this!!
« Reply #10 on: July 07, 2010, 07:29:32 AM »
Here is the log....

08:34:55   John   MESSAGE   Protection started successfully
08:34:58   John   MESSAGE   IP Protection started successfully
08:50:44   John   IP-BLOCK   89.185.229.128
09:12:14   John   IP-BLOCK   208.73.210.28
09:33:12   John   IP-BLOCK   212.117.164.211
09:33:36   John   IP-BLOCK   213.5.64.5
11:58:48   John   IP-BLOCK   212.117.164.211
11:58:48   John   IP-BLOCK   212.117.164.211
11:58:48   John   IP-BLOCK   212.117.164.211
11:58:48   John   IP-BLOCK   212.117.164.211
11:58:56   John   IP-BLOCK   212.117.164.211
11:58:56   John   IP-BLOCK   212.117.164.211
14:40:31   John   MESSAGE   Protection started successfully
14:40:35   John   MESSAGE   IP Protection started successfully
14:52:58   John   MESSAGE   Protection started successfully
14:53:02   John   MESSAGE   IP Protection started successfully
15:06:50   John   MESSAGE   Protection started successfully
15:06:53   John   MESSAGE   IP Protection started successfully
15:50:16   John   IP-BLOCK   89.185.229.128
16:02:41   John   IP-BLOCK   212.117.164.211
16:02:41   John   IP-BLOCK   212.117.164.211
16:02:49   John   IP-BLOCK   212.117.164.211
16:21:15   John   IP-BLOCK   212.117.164.211
16:21:23   John   IP-BLOCK   212.117.164.211
16:40:37   John   IP-BLOCK   212.117.164.211
16:40:53   John   IP-BLOCK   212.117.164.211
17:47:24   John   IP-BLOCK   95.211.99.84
17:47:24   John   IP-BLOCK   62.213.100.140
17:50:12   John   IP-BLOCK   217.23.9.248
17:53:01   John   IP-BLOCK   216.240.146.119
18:07:08   John   MESSAGE   Protection started successfully
18:07:11   John   MESSAGE   IP Protection started successfully
18:19:35   John   MESSAGE   Protection started successfully
18:19:39   John   MESSAGE   IP Protection started successfully
19:14:42   John   MESSAGE   Protection started successfully
19:14:45   John   MESSAGE   IP Protection started successfully
19:18:53   John   IP-BLOCK   94.75.228.175
19:18:53   John   IP-BLOCK   94.75.228.175
19:28:55   John   MESSAGE   IP Protection stopped
19:28:55   John   MESSAGE   IP Protection started successfully
19:29:17   John   MESSAGE   IP Protection stopped
19:29:18   John   MESSAGE   IP Protection started successfully
19:35:02   John   IP-BLOCK   94.75.228.175
19:35:02   John   IP-BLOCK   94.75.228.175
20:29:08   John   IP-BLOCK   94.75.228.175
20:29:08   John   IP-BLOCK   94.75.228.175
20:30:53   John   IP-BLOCK   94.75.228.175
20:30:53   John   IP-BLOCK   94.75.228.175
20:49:16   John   DETECTION   C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB   Trojan.Downloader   QUARANTINE
21:25:01   John   DETECTION   C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB   Trojan.Downloader   DENY
21:49:29   John   DETECTION   C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.JOB   Trojan.Downloader   DENY
22:10:24   John   MESSAGE   Protection started successfully
22:10:28   John   MESSAGE   IP Protection started successfully

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #11 on: July 07, 2010, 07:39:41 AM »
This should have been posted in the " virus and worms " section.......so next time  ;)

Follow this guide from Essexboy, and attach the logs in your next reply here
http://forum.avast.com/index.php?topic=53253.0

see down left corner: Additional Options > Attach ( MBAM log / OTL.Txt and Extras.Txt )

Where is this log from? It doesn't look like an MBAM scan log as Pondus directed, then OTL if positive.

Besides Avira, do you also have McAfee?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: need some experts on this!!
« Reply #12 on: July 07, 2010, 07:59:10 AM »
That looks like the log list in MBAM and not what we want.
We want the scan log, which will show the malware found and removed.

jpmartin

  • Guest
Re: need some experts on this!!
« Reply #13 on: July 07, 2010, 08:04:33 AM »
OK, I'm a little confused about the OTL?
And the scan log, isn't it the list shown after MBAM finishes scanning?

jpmartin

  • Guest
Re: need some experts on this!!
« Reply #14 on: July 07, 2010, 08:08:40 AM »
How do I get to the scan log?