Author Topic: need some experts on this!!  (Read 11758 times)

0 Members and 1 Guest are viewing this topic.

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #15 on: July 07, 2010, 08:13:54 AM »
It should pop up automatically in a Notepad format.  It is the 4th tab over from the left in version 1.46 of MBAM.

Click update so you have latest database before scanning.
·   Under Settings:
o   General: Automatically Save File After Scan Completes is checked off
o   Scanner SettingsCheck all boxes
o   Updater: Download and install update if available is checked off
·   Once the program has loaded, select "Perform FULL Scan", then click Scan.
·   The scan may take some time to finish, so please be patient.
·   When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
·   Click the “remove selected” button to quarantine anything found.  You will find the infection details under the Quarantine tab.
·   The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
·   Copy & Paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts -- Click OK to either and let MBAM proceed with the disinfection process; If asked to restart the computer, please do so immediately.


 


jpmartin

  • Guest
Re: need some experts on this!!
« Reply #16 on: July 07, 2010, 08:17:41 AM »
ok i think i get it...i hope this is what you want

OTL logfile created on: 7/6/2010 11:11:16 PM - Run 1
OTL by OldTimer - Version 3.2.7.1     Folder = D:\My Downloads
 Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 92.66 Gb Free Space | 72.39% Space Free | Partition Type: NTFS
Drive D: | 74.50 Gb Total Space | 58.07 Gb Free Space | 77.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: JOHN-PC
Current User Name: John
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2010/07/06 23:09:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\My Downloads\OTL.exe
PRC - [2010/07/06 17:53:23 | 000,163,840 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\Ujx.exe
PRC - [2010/06/27 07:56:00 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/04/19 19:07:27 | 000,536,232 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
PRC - [2010/04/19 19:07:27 | 000,405,672 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2010/04/19 19:07:27 | 000,337,064 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
PRC - [2010/04/19 19:07:27 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/25 13:20:06 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
PRC - [2010/03/25 12:40:50 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/03/25 12:40:49 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/03/25 12:40:49 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/24 22:16:36 | 000,406,016 | ---- | M] (mst software GmbH, Germany) -- C:\Program Files\Ashampoo\Ashampoo WinOptimizer 7\DfSdkS.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 18:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
 
 

jpmartin

  • Guest
Re: need some experts on this!!
« Reply #17 on: July 07, 2010, 08:19:33 AM »
ok i think you mean this, but is too long

PRC - [2010/07/06 23:09:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\My Downloads\OTL.exe
PRC - [2010/07/06 17:53:23 | 000,163,840 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\Ujx.exe
PRC - [2010/06/27 07:56:00 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/04/29 15:39:32 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2010/04/19 19:07:27 | 000,536,232 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
PRC - [2010/04/19 19:07:27 | 000,405,672 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2010/04/19 19:07:27 | 000,337,064 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
PRC - [2010/04/19 19:07:27 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/25 13:20:06 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
PRC - [2010/03/25 12:40:50 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/03/25 12:40:49 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/03/25 12:40:49 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/24 22:16:36 | 000,406,016 | ---- | M] (mst software GmbH, Germany) -- C:\Program Files\Ashampoo\Ashampoo WinOptimizer 7\DfSdkS.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 18:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/07/06 23:09:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- D:\My Downloads\OTL.exe
MOD - [2009/07/13 18:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 18:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 18:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 18:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 18:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 18:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 18:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 18:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 18:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 18:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 18:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
 

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #18 on: July 07, 2010, 08:21:59 AM »
Where is the MBAM Full Scan?

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: need some experts on this!!
« Reply #19 on: July 07, 2010, 10:19:54 AM »
returning to yr OP (opening post) and the HijackThis log JP Martin

- you appear to be infected - the following two entries

C:\Users\John\AppData\Local\Temp\Ujx.exe

O4 - HKCU\..\Run: [EWABQAF7KL] C:\Users\John\AppData\Local\Temp\Ujx.exe

Check this link -- http://www.superantispyware.com/malwarefiles/UJX.EXE.html


First I would first download and run Superantispyware (SAS) as advised, and that should remove the infection
Then run another HjT scan and see how doing.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: need some experts on this!!
« Reply #20 on: July 07, 2010, 11:56:24 AM »
HijackThis log

To fix an entry in HjT, put a check in the box next to the entry
go to left bottom corner and click Fix Checked

Here is yr trojan downloader - Fix checked
O4 - HKCU\..\Run: [EWABQAF7KL] C:\Users\John\AppData\Local\Temp\Ujx.exe

This one will slow down yr computer - fix checked
O13 - Gopher Prefix:

browser  online games - you should know the program
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

OTL log

the following entry directs to the virus -

========== Processes (SafeList) ==========

PRC - [2010/07/06 17:53:23 | 000,163,840 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\Ujx.exe

also in memory properties, the page file entry -  not that familiar with OTL, someone else
Paging file location(s): ?:\pagefile.sys [binary data]
Edit - okay I been to OTL to look now and this entry is normal running
« Last Edit: July 07, 2010, 12:42:59 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

jpmartin

  • Guest
Re: need some experts on this!!
« Reply #21 on: July 07, 2010, 08:37:04 PM »
Thank you mkis and and SafeSurf, and others you guys are very helpful in showing step by step of removing viruses.  ;D ;D;

avast forums is the best in helping others.... ;) ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: need some experts on this!!
« Reply #22 on: July 07, 2010, 09:09:47 PM »
Follow these destructions

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

    Click the image to enlarge it
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  • Save the log where you can easily find it, such as your desktop.
**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

THEN

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select Scan all users
  • Under the Custom Scan box paste this in

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach all logs

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #23 on: July 08, 2010, 08:46:52 AM »
jpmartin,

Thank you for letting us fix your problem. :)   Would you like to give Avast another try since we fixed your problem?

Here are the links to the downloads for the latest versions of Avast 5.0.594:

Freehttp://files.avast.com/iavs5x/setup_av_free.exe
Pro  –  http://files.avast.com/iavs5x/setup_av_pro.exe
AIS  –  http://files.avast.com/iavs5x/setup_ais.exe

Thank you to the other Evangelists who assisted in this situation as well.

SHARKY7SHARKY

  • Guest
Re: need some experts on this!!
« Reply #24 on: July 08, 2010, 08:58:05 AM »
McAfee Could be conflicting with Avast also you need to get rid of all old left over crap that security programmes leave behind.

SafeSurf

  • Guest
Re: need some experts on this!!
« Reply #25 on: July 08, 2010, 09:04:40 AM »
SHARKY7SHARKY,

mcaffee has already been addressed with the OP.  However the priority is for the OP to remove the virus first, which he understands how to do.  Thank you for your input.  ;)