alarm every time I boot, dialer? trojan?

This started happening after I downloaded a bad file

Now every time I boot I get this red pop-up:

trojan horse blocked

Object: htxp://bookmakers55.free.fr/Bitcoin/1/API.class

Process: C:\Windows\System32\svchost.exe

Infection: Java:Malware-gen [Trj]

I ran rkill: it doesn't show anything wrong. I ran mbar: it doesn't show anything wrong.

Tried SUPERAntiSpyware, nothing found.

I emptied my browser cache, I emptied my Java cache using ATF cleaner

Don't know what else to do. The PC is a bit sluggish and once in a while, out of nowhere, the window pops up.

any help greatly appreciated

Follow the guide, run the first 4 programs as they are listed, and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

When done, malware removers will be notified. Because of different time zones there may be some waiting time before they arrive.

OK, attached are all my logs.

AdwCleaner v3.001 - Report created 28/08/2013 at 20:40:58

Updated 24/08/2013 by Xplode

Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)

Username : Billy - BILLY-PC

Running from : C:\Users\Billy\Desktop\adwcleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\ Internet Explorer v10.0.9200.16537

-\ Mozilla Firefox v22.0 (en-US)

[ File : C:\Users\Billy\AppData\Roaming\Mozilla\Firefox\Profiles\jt44bpon.default\prefs.js ]


AdwCleaner[R0].txt - [2241 octets] - [28/08/2013 01:30:09]
AdwCleaner[R1].txt - [887 octets] - [28/08/2013 20:33:54]
AdwCleaner[R2].txt - [748 octets] - [28/08/2013 20:40:58]
AdwCleaner[S0].txt - [2298 octets] - [28/08/2013 01:32:24]
AdwCleaner[S1].txt - [947 octets] - [28/08/2013 20:35:21]

########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [926 octets] ##########

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.26.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
Billy :: BILLY-PC [limited]

8/28/2013 8:53:43 PM
mbam-log-2013-08-28 (20-53-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 255219
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

where is aswMBR log?

Monitoring… :slight_smile:

Sorry!

here is the aswMBR log

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-29 18:55:04

18:55:04.348 OS Version: Windows x64 6.1.7601 Service Pack 1
18:55:04.348 Number of processors: 4 586 0x203
18:55:04.348 ComputerName: BILLY-PC UserName: Billy
18:55:06.650 Initialize success
18:55:06.740 AVAST engine defs: 13082901
18:55:10.730 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T1L0-4
18:55:10.730 Disk 0 Vendor: Size: 0MB BusType: 0
18:55:10.730 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP2T0L0-3
18:55:10.730 Disk 1 Vendor: Size: 0MB BusType: 0
18:55:10.740 Disk 2 \Device\Harddisk2\DR2 → \Device\Ide\IdeDeviceP2T1L0-6
18:55:10.740 Disk 2 Vendor: Size: 0MB BusType: 0
18:55:10.740 Disk 3 (boot) \Device\Harddisk3\DR3 → \Device\Ide\IdeDeviceP3T0L0-5
18:55:10.740 Disk 3 Vendor: Size: 0MB BusType: 0
18:55:10.750 Disk 4 \Device\Harddisk4\DR4 → \Device\Ide\IdeDeviceP3T1L0-7
18:55:10.750 Disk 4 Vendor: Size: 0MB BusType: 0
18:55:10.760 Disk 3 MBR read successfully
18:55:10.760 Disk 3 MBR scan
18:55:10.770 Disk 3 Windows 7 default MBR code
18:55:10.770 Disk 3 MBR hidden
18:55:10.780 Disk 3 Partition 1 00 07 HPFS/NTFS NTFS 1907727 MB offset 2048
18:55:10.780 Disk 3 scanning C:\Windows\system32\drivers
18:55:16.332 Service scanning
18:55:29.301 Modules scanning
18:55:29.301 Disk 3 trace - called modules:
18:55:29.311 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039ab2c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:55:29.311 1 nt!IofCallDriver → \Device\Harddisk3\DR3[0xfffffa8004a6d060]
18:55:29.321 3 CLASSPNP.SYS[fffff88000c6e43f] → nt!IofCallDriver → [0xfffffa8003ad1040]
18:55:29.321 5 ACPI.sys[fffff8800118f7a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP3T0L0-5[0xfffffa80045b3680]
18:55:29.331 \Driver\atapi[0xfffffa8003ae73f0] → IRP_MJ_CREATE → 0xfffffa80039ab2c0
18:55:30.821 AVAST engine scan C:\Windows
18:55:33.471 AVAST engine scan C:\Windows\system32
18:57:15.234 AVAST engine scan C:\Windows\system32\drivers
18:57:29.390 AVAST engine scan C:\Users\Billy
19:32:26.486 AVAST engine scan C:\ProgramData
19:33:55.026 Scan finished successfully
19:43:37.047 Disk 3 MBR has been saved successfully to “C:\Users\Billy\Desktop\MBR.dat”
19:43:37.047 The log file has been saved successfully to “C:\Users\Billy\Desktop\aswMBR.txt”

the bold line was in red

http://i.imgur.com/weVCzW0.jpg
Please download TDSSKiller

[*]Double click TDSSKiller.exe
[*]Press Start Scan but do nothing else as we are just looking for what is there.
[*]If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)


tdsskiller didn’t find anything (attached log)

could it be a false alarm?

or is it something in the MBR, because aswMBR went red on:

18:55:29.321 5 ACPI.sys[fffff8800118f7a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP3T0L0-5[0xfffffa80045b3680]
18:55:29.331 \Driver\atapi[0xfffffa8003ae73f0] → IRP_MJ_CREATE → 0xfffffa80039ab2c0

what is IRP_MJ_CREATE ?

thank you

Hi,

Before we continue, did you know that your system is set to connect to a proxy server? Do you use this computer to connect to work/school from home?

my Firefox was set up to connect through a proxy (for work), but my IE is not set up for that, I guess this is where you saw the settings

Yeah that is what I was looking at. :slight_smile:

http://i.imgur.com/OJQgrbU.png
Tweaking.com Registry Backup

[*]Download the tool found here to your Desktop so it is easy to find.
[*]Double click on the file you just downloaded to install it to your system.

[*]Once the tool is installed, double-click on the Tweaking.com Registry Backup icon.
Note: The tool should automatically open to the Backup Registry tab.

http://i.imgur.com/TRfuT3t.jpg

[*]Press Backup Now
[*]When the back up is complete, the tool will tell you that Successful / Files Backed Up
[*]You have now successfully backed up your Registry.


http://i.imgur.com/ttLR1ki.jpg

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-3232025066-2710452634-392097264-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 60 A4 D8 C3 8C 5D CD 01 [binary data]
IE - HKU\S-1-5-21-3232025066-2710452634-392097264-1001\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-3232025066-2710452634-392097264-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-3232025066-2710452634-392097264-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3232025066-2710452634-392097264-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-3232025066-2710452634-392097264-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 109.237.253.53:3128
O1 - Hosts: 216.239.32.20 www.google.ae # bck9
O1 - Hosts: 216.239.32.20 www.google.at # bck9
O1 - Hosts: 216.239.32.20 www.google.be # bck9
O1 - Hosts: 216.239.32.20 www.google.ca # bck9
O1 - Hosts: 216.239.32.20 www.google.ch # bck9
O1 - Hosts: 216.239.32.20 www.google.cl # bck9
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2013/05/01 19:17:44 | 000,000,029 | ---- | C] () -- C:\Windows\DEBUGSM.INI
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\Visitation%20Insert2b.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\vanessa-a211.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\SpaceTheatre1965___563.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\SpaceTheatre1965___562.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\Sacre.wav:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\mix.mp3:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\logo.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\ignite3.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\ignite2.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\ignite1.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\dangle703.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\dangle702.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\CCFA_Logo_ENG_bw.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Billy\Documents\Carter side 1.wav:Roxio EMC Stream
@Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:CB0AACC9

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

Attach the new OTL logs that are made and then let me know how your system is running. :slight_smile:
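As an added example (not part of this thread, and not OTL's own code): a small Python triage script that reads OTL-style report lines like those in the fix above and flags the entries a malware helper reviews by hand: hosts-file entries that map a name to a non-local address, an orphaned BHO with no CLSID, alternate data streams, and a configured system proxy together with whether it is enabled. The sample lines are constructed from this thread's entries plus one benign localhost line as a control.

```python
import re
from ipaddress import ip_address

# Constructed sample in OTL report format: entries copied from this thread's fix script,
# plus one benign "localhost" hosts line that must NOT be flagged.
SAMPLE_OTL = r"""
IE - HKU\S-1-5-21-3232025066-2710452634-392097264-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3232025066-2710452634-392097264-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 109.237.253.53:3128
O1 - Hosts: 216.239.32.20 www.google.ca # bck9
O1 - Hosts: 216.239.32.20 www.google.ch # bck9
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
@Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:CB0AACC9
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r'"(ProxyEnable|ProxyServer)"\s*=\s*(.*?)\s*$')
BHO_RE = re.compile(r"^O2.*- BHO: \(no name\) - (\{[0-9A-Fa-f-]+\}) - No CLSID value found")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")


def _is_local(addr):
    """True for the addresses a hosts file normally points at (loopback or 0.0.0.0)."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage_otl(text):
    """Return a list of (category, detail) findings worth a closer look, in report order."""
    findings, proxy = [], {}
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if m and not _is_local(m.group(1)):      # name redirected to a remote address
            findings.append(("hosts_redirect", f"{m.group(2)} -> {m.group(1)}"))
            continue
        m = PROXY_RE.search(line)
        if m:                                    # collect, report once at the end
            proxy[m.group(1)] = m.group(2)
            continue
        m = BHO_RE.match(line)
        if m:                                    # BHO entry with no name and no CLSID
            findings.append(("orphan_bho", m.group(1)))
            continue
        m = ADS_RE.match(line)
        if m:                                    # every alternate data stream gets a look
            findings.append(("ads", f"{m.group(2)} ({m.group(1)} bytes)"))
    if "ProxyServer" in proxy:
        state = "enabled" if proxy.get("ProxyEnable") == "1" else "configured but disabled"
        findings.append(("proxy", f"{proxy['ProxyServer']} ({state})"))
    return findings
```

Running `triage_otl(SAMPLE_OTL)` yields the two google redirects, the orphaned BHO, the ProgramData stream and the proxy entry, while the localhost line is left alone.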

Alright, did everything

the pop up is gone!!! finally, and the PC seems to be running good

thanks a lot man, I really appreciate it ;D

attached OTL log

Hi,

Let’s check for anything else hiding…

http://i.imgur.com/GUZVCQN.jpg
Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

[*]Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*]Turn off the real time scanner of any existing antivirus program while performing the online scan
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Click Start
[*]Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*]Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*]Click Scan
[*]Wait for the scan to finish
[*]When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file…"
[*]Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
[*]Close the ESET online scan, and let me know how things are now.

Still need help?

Hi, I have exactly the same problem. If anyone could help me, here are my logs.
Thanks in advance.

AdwCleaner v3.005 - Report created 25/09/2013 at 21:56:50

Updated 22/09/2013 by Xplode

Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)

Username : Rnuls - RNULS-PC

Running from : D:\Download\Downloads\adwcleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{116BA71C-8187-4F15-9A1F-C9D6289155D1}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{2974C985-8151-4DE5-B23C-B875F0A8522F}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\ Internet Explorer v8.0.7601.17514

-\ Mozilla Firefox v

[ File : C:\Users\Rnuls\AppData\Roaming\Mozilla\Firefox\Profiles\zw9a1zph.default\prefs.js ]

-\ Google Chrome v

[ File : C:\Users\Rnuls\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [1530 octets] - [25/09/2013 21:00:15]
AdwCleaner[R1].txt - [1378 octets] - [25/09/2013 21:03:26]
AdwCleaner[R2].txt - [1438 octets] - [25/09/2013 21:13:06]
AdwCleaner[R3].txt - [1358 octets] - [25/09/2013 21:56:50]

########## EOF - C:\AdwCleaner\AdwCleaner[R3].txt - [1418 octets] ##########

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Version de la base de données: v2013.09.25.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Rnuls :: RNULS-PC [administrateur]

25/09/2013 21:59:14
mbam-log-2013-09-25 (21-59-14).txt

Type d’examen: Examen rapide
Options d’examen activées: Mémoire | Démarrage | Registre | Système de fichiers | Heuristique/Extra | Heuristique/Shuriken | PUP | PUM
Options d’examen désactivées: P2P
Elément(s) analysé(s): 249726
Temps écoulé: 3 minute(s), 26 seconde(s)

Processus mémoire détecté(s): 0
(Aucun élément nuisible détecté)

Module(s) mémoire détecté(s): 0
(Aucun élément nuisible détecté)

Clé(s) du Registre détectée(s): 0
(Aucun élément nuisible détecté)

Valeur(s) du Registre détectée(s): 0
(Aucun élément nuisible détecté)

Elément(s) de données du Registre détecté(s): 0
(Aucun élément nuisible détecté)

Dossier(s) détecté(s): 0
(Aucun élément nuisible détecté)

Fichier(s) détecté(s): 0
(Aucun élément nuisible détecté)

(fin)

and aswMBR log.
Thanks to you.

rnuls, please start a new topic and attach your logs there instead of hijacking another active thread.

ok, sorry.

no problem :wink: we learn something new every day.