My Avast recently picked up some Trojan-gens on the on-access protection control. So I decided to do a full system scan and it has found a few more.
I also ran a spyware scan and found entries like “Microsoft security center.overide / disable” etc.
Anyway, it seems that my Windows Security Center has been disabled completely, and when I go to turn it back on it says “Windows Security Center can’t be started”. I tried turning the firewall back on manually but the turn on icon was grayed out.
Windows defender also deleted “SpySheriff” which I believe is a fake spyware program, however, I have not had any pop ups except from that of Avast On Protection Control.
I have attached my log file from today, displaying where the viruses are located and what they are called.
Does anybody have any idea how I can get my windows security center to work again and how to completely eliminate the Trojan-gen?
Thanks all for the help
EDIT: I have deleted the files from the chest by accident, sorry I didn't realise this was a bad thing.
EDIT 2: Just found this:
if you're using avast anti-virus there is a bug in the program for win32 trojan. It appears to be a false positive. Try AVG anti-virus or norton instead.
is this true or not?
Additional Information:
OS: Vista Home Premium x64
Avast Version: 4.7 Home Edition
VPS File Version: 000714-3
Text from log file:
09/02/2007 18:51:32 SYSTEM 1696 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Users\Stu\AppData\Local\Microsoft\Messenger\[email address removed]\SharingMetadata\Logs\Dfsr00005.log (C:\Users\Stu\AppData\Local\Microsoft\Messenger\[email address removed]\SharingMetadata\Logs\Dfsr00005.log) returning error, 00000005.
10/02/2007 22:02:22 SYSTEM 1660 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Users\Stu\AppData\Local\Temp\~DF123B.tmp (C:\Users\Stu\AppData\Local\Temp\~DF123B.tmp) returning error, 00000005.
18/02/2007 12:59:58 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\gwdppru.exe" file.
18/02/2007 13:00:20 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\fdpxssak.exe" file.
18/02/2007 13:00:32 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KVUDFTCP\ndnwtuhrrb[1].htm" file.
18/02/2007 13:00:38 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\eadyjxv.exe" file.
18/02/2007 13:00:44 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SS1SIHF5\lrnkl[1].htm" file.
18/02/2007 13:00:55 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\xalslpf.exe" file.
18/02/2007 13:01:07 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CHM3M4RZ\pzfsrbhie[1].htm" file.
18/02/2007 13:01:17 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\balbwjfo.exe" file.
18/02/2007 13:01:17 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\ekaitu.exe" file.
18/02/2007 13:01:20 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\frqiq.exe" file.
18/02/2007 13:01:21 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\ibffue.exe" file.
18/02/2007 13:01:22 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\sxpdoth.exe" file.
18/02/2007 13:01:24 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\balbwjfo.exe" file.
18/02/2007 13:03:02 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\vhtso.exe" file.
18/02/2007 15:51:34 Stu 1328 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CHM3M4RZ\fyrfbraxu[1].txt" file.
18/02/2007 15:56:50 Stu 1328 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CHM3M4RZ\xunfavdlx[1].htm" file.
18/02/2007 15:56:54 Stu 1328 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KVUDFTCP\cvffp[1].txt" file.
18/02/2007 15:56:55 Stu 1328 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KVUDFTCP\ntdnjku[1].htm" file.
18/02/2007 15:56:57 Stu 1328 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R284FFYG\zlnxhr[1].txt" file.
18/02/2007 15:57:01 Stu 1328 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SS1SIHF5\dwdynoscct[1].htm" file.
18/02/2007 15:57:04 Stu 1328 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SS1SIHF5\uxyroof[1].txt" file.
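An added triage helper for the log format above (this is example code written for this page, not part of the original post or of avast!). It parses the date/time/account/pid header, splits "Sign of … has been found" detections from the AAVM "returning error" warnings, and buckets each detected path by what its location implies: random-named executables written straight to the drive root, Internet Explorer cache entries under the SYSTEM account's profile (which means something running as SYSTEM, not the logged-in user, fetched those pages), and copies inside a restore point. The sample input is a representative subset of the log lines posted above; the error-code table and the path heuristics are assumptions made for this example.

```python
import re
from collections import Counter

# Representative subset of the avast! 4.7 log posted above, in its own line format
# (date time account pid message). Constructed input for this example, not a new capture.
SAMPLE_LOG = r"""
10/02/2007 22:02:22 SYSTEM 1660 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Users\Stu\AppData\Local\Temp\~DF123B.tmp (C:\Users\Stu\AppData\Local\Temp\~DF123B.tmp) returning error, 00000005.
18/02/2007 12:59:58 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\gwdppru.exe" file.
18/02/2007 13:00:20 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\fdpxssak.exe" file.
18/02/2007 13:00:32 SYSTEM 1924 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KVUDFTCP\ndnwtuhrrb[1].htm" file.
18/02/2007 15:51:34 Stu 1328 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CHM3M4RZ\fyrfbraxu[1].txt" file.
18/02/2007 19:10:39 Stu 4048 Sign of "Win32:Adware-gen. [Adw]" has been found in "E:\System Volume Information\_restore{E9C43D59-A40F-4ACE-A02F-7357906EACB5}\RP492\A0044197.exe" file.
"""

HEADER = r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<account>\S+) (?P<pid>\d+) "
DETECT_RE = re.compile(HEADER + r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$')
WARN_RE = re.compile(HEADER + r"AAVM - scanning warning: .*returning error, (?P<code>[0-9A-Fa-f]{8})\.$")

# Win32 error codes as avast! prints them (8 hex digits). Assumed mapping for this example.
WIN32_ERRORS = {
    "00000005": "ERROR_ACCESS_DENIED (file locked or opened exclusively by another process)",
    "00000020": "ERROR_SHARING_VIOLATION",
}

def classify_path(path):
    """Bucket a detected path by what its location says about how the file got there."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"      # copy saved in an earlier restore point; purge old points
    if "\\config\\systemprofile\\" in p and "\\temporary internet files\\" in p:
        return "system-cache"       # fetched via WinInet by a process running as SYSTEM
    if "\\temporary internet files\\" in p:
        return "user-cache"         # ordinary browser cache of the logged-in user
    if re.fullmatch(r"[a-z]:\\[a-z]{4,10}\.exe", p):
        return "root-dropped-exe"   # random-named payload written straight to the drive root
    return "other"

def triage(log_text):
    """Parse the log and return detections, warnings and a per-category summary."""
    detections, warnings = [], []
    for line in log_text.strip().splitlines():
        m = DETECT_RE.match(line)
        if m:
            d = m.groupdict()
            d["category"] = classify_path(d["path"])
            detections.append(d)
            continue
        m = WARN_RE.match(line)
        if m:
            w = m.groupdict()
            w["error"] = WIN32_ERRORS.get(w["code"].upper(), "unknown")
            warnings.append(w)
    summary = Counter(d["category"] for d in detections)
    # Distinct dropped executables worth looking up, and whether anything was downloaded as SYSTEM
    payloads = sorted({d["path"] for d in detections if d["category"] == "root-dropped-exe"})
    system_context = any(d["category"] == "system-cache" for d in detections)
    return {"detections": detections, "warnings": warnings, "summary": summary,
            "payloads": payloads, "system_context_download": system_context}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for d in result["detections"]:
        print(f'{d["date"]} {d["time"]} {d["account"]:>6} {d["category"]:<16} {d["path"]}')
    for w in result["warnings"]:
        print(f'warning pid {w["pid"]}: {w["error"]}')
    print(dict(result["summary"]), result["payloads"], result["system_context_download"])
```

The "system-cache" bucket is the one to pay attention to: cache files under C:\Windows\SysWOW64\config\systemprofile are written by 32-bit code running under the SYSTEM account, so something with service-level privileges was making web requests, which fits a downloader rather than a user browsing. The error 00000005 on the warning lines is plain access denied on a locked temp file, not a detection.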
Let us know how this works and if you are symptom free after these additional scans. Also, do you have a third party firewall installed or do you rely on the Windows Firewall alone?
EDIT 2: Just found this:
Quote
if you’re using avast anti-virus there is a bug in the program for win32 trojan. It appears to be a false positive. Try AVG anti-virus or norton instead.
is this true or not?
All AVs have false positives from time to time. Avast! is no exception. It's because of this possibility that putting files into the chest, rather than deleting them, is the preferred course of action.
But stating that win32:trojan is an FP is painting with a pretty broad brush - it implies that all trojans detected by avast! are false positives and this simply isn’t the case.
Windows defender also deleted "SpySheriff" which I believe is a fake spyware program ...
Ok so I have tried the Security Center fix. It has worked partially, I can now access the security center. However, I still cannot turn the firewall on.
I will try those other programs now but the AVG Antispyware will not run because I have a 64 bit OS. I will try the other programs now.
I am also trying a system restore from a few days ago, see if this helps.
The Vista firewall, although it has outbound protection, isn't set to rule checking, so effectively it still allows outbound connections. So it may well be worth checking out the default Vista firewall settings and beefing up the outbound protection. I have also heard that the Vista firewall isn't that flexible or configurable, so you might consider a third party firewall.
Sorry I can’t be of more help on the vista side as I remain on XP Pro.
18/02/2007 19:10:39 Stu 4048 Sign of "Win32:Adware-gen. [Adw]" has been found in "E:\System Volume Information\_restore{E9C43D59-A40F-4ACE-A02F-7357906EACB5}\RP492\A0044197.exe" file.
I have selected move to chest, so I don't know if it has done anything yet.
After researching the items in your log, it appears these four may have been trojan downloaders:
uxyroof
xunfavdlx
ntdnjku
dwdynoscct
while Prevx reports it is investigating some of the others, presumably based on suspicious activity on users’ computers.
Assuming all the downloaders have been removed you should just be in a verification/cleanup phase right now, so it's not too surprising that you're not finding much.
I don't know what to do. I ran Spybot S&D and cleared infections but it is still here.
I'm no expert, so I'm counting on you.
Here's my HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 17:17:51, on 19.2.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
First, your Java is way out of date.
Ensure you have the latest version of JRE because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://www.java.com/en/download/index.jsp
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable. Decision time.
Are you still using the Google toolbar? If not, fix:
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
What is this?
C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe
Suspect:
C:\WINDOWS\TEMP\winB88.tmp.exe
O4 - HKCU..\Run: [fa4d67d6.exe] C:\Documents and Settings\Požnjsk\Local Settings\Application Data\fa4d67d6.exe
I suggest you visit this on-line analysis and check out the unknown entries: did you install them, do you know them, Google search the file names, etc.
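The checks the reply above walks through by hand (orphaned BHO/toolbar entries marked "(file missing)", an autorun pointing at a random-named .exe in a temp or Application Data folder, two resident scanners registered as services) can be applied mechanically to HijackThis lines. The block below is an added example written for this page, not the poster's code, HijackThis output tooling, or anything from the original thread. The sample is assembled from the entries quoted above plus two constructed lines (an O4 entry for Anti-Blaxx and a second O23 AV service) written in HJT's format so the autorun and two-scanner checks have something to act on; the vendor list and "drop directory" heuristics are assumptions.

```python
import re
import ntpath  # Windows path splitting regardless of the OS this runs on

# Constructed sample: entries quoted in the thread above, plus the Anti-Blaxx O4 line and
# the second O23 service line, which are made up for this example in HJT's own format.
SAMPLE_HJT = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKCU\..\Run: [fa4d67d6.exe] C:\Documents and Settings\Požnjsk\Local Settings\Application Data\fa4d67d6.exe
O4 - HKLM\..\Run: [Anti-Blaxx] C:\Program Files\Anti-Blaxx 1.18\Anti-Blaxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+?): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Vendors whose O23 entries are resident AV engines. Assumed list; extend as needed.
AV_VENDORS = {"eset", "alwil software", "symantec", "grisoft", "kaspersky"}

# Directories that are almost never the final home of a legitimate autorun executable.
# Compared against the lower-cased parent directory of the O4 target.
DROP_DIRS = (r"\temp", r"\local settings\application data", r"\appdata\local",
             r"\application data", r"\appdata\roaming")

def looks_random(filename):
    """8-hex-digit names (fa4d67d6.exe) and winNNN.tmp.exe style temp names."""
    stem = filename.lower()
    return bool(re.fullmatch(r"[0-9a-f]{8}\.exe", stem)
                or re.fullmatch(r"win[0-9a-f]{2,4}\.tmp\.exe", stem))

def in_drop_dir(path):
    """True when the file sits directly in a temp/profile data folder, not a vendor subfolder."""
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return any(parent.endswith(d) for d in DROP_DIRS)

def analyze(log_text):
    """Return (line, verdict, reason) triples; verdicts: fix, suspect, review, conflict."""
    findings, av_services = [], []
    for line in log_text.strip().splitlines():
        if line.endswith("(file missing)"):
            findings.append((line, "fix", "points at a file that no longer exists; orphaned entry, safe to fix"))
            continue
        m = O4_RE.match(line)
        if m:
            target = m.group("target").strip()
            exe = ntpath.basename(target)
            if in_drop_dir(target) or looks_random(exe):
                findings.append((line, "suspect", f"autorun from a drop directory or random-looking name: {exe}"))
            else:
                findings.append((line, "review", f"autorun not recognised; confirm you installed {exe}"))
            continue
        m = O23_RE.match(line)
        if m and m.group("vendor").lower() in AV_VENDORS:
            av_services.append(m.group("display"))
    if len(av_services) > 1:
        findings.append(("; ".join(av_services), "conflict",
                         "more than one resident scanner installed; keep one, uninstall the rest"))
    return findings

if __name__ == "__main__":
    for line, verdict, reason in analyze(SAMPLE_HJT):
        print(f"[{verdict:8}] {reason}\n           {line}")
```

The "suspect" verdict is the one that corresponds to the fa4d67d6.exe entry: an HKCU Run key (so it needs no admin rights to set) launching an eight-hex-digit executable out of Local Settings\Application Data. "review" entries like Anti-Blaxx are not condemned by the script; they are exactly the ones the reply says to look up before deciding.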