avast blocking hh.exe

hi …few days ago avast started to block connection hxxp://146.185.246.50/hh.exe and it does till now. Scanned pc with Malwarebytes and it detects some trojans :

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.26.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
User :: LO [administrator]

2012.09.26 16:48:46
mbam-log-2012-09-26 (16-48-46).txt

Scan type: Full scan (C:|D:|E:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228626
Time elapsed: 20 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\RESTORE\k-1-3542-4232123213-7676767-8888886 (Trojan.Agent) → Quarantined and deleted successfully.
C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) → Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1830 (Worm.AutoRun) → Quarantined and deleted successfully.

Files Detected: 4
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\425P7AWA\x[1] (Malware.Packer.u64) → Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CWA73FOH\x[1] (Malware.Packer.u64) → Delete on reboot.
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Desktop.ini (Trojan.Agent) → Quarantined and deleted successfully.
C:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) → Quarantined and deleted successfully.

(end)

after that avast is still blocking that hh.exe from time to time…

follow this guide and attach the logs (not copy and paste) http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

OBS and edit the URL you posted above so it is not clickable…change http to hxxp

AdwCleaner looks clear…

mbam

OTL

aswMBR

Signs of Zero Access there

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
[*]Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Also see: http://www.threatexpert.com/files/hh.exe.html

polonus

looks like combofix is stuck…console shows text:

Scanning for infected files…
This typically doesn’t take more than 10 minutes
However, scan times for badly infected machines may easily double
T was unexpected at this time.

…and nothing happens

OK change of tactic… First delete the current copy of Combofix from the desktop
Download a fresh copy but rename it to Gotcha prior to saving
Then boot to safe mode and run the renamed combofix from there

same… :frowning:

I have the technology

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

well… yesterday windows crashed… got some win32 errors and couldn't start it…today coming home i bought windows 7…and installed it… At the moment everything is fine…do i have to run any antimalware program on it right now?

No need, a fresh install of windows 7 will wipe the drive. ;D I think you will find it a better OS

1 more thing… i formatted just 1 half of the hard drive, that part where windows xp was installed…is it a bad idea?

No, as the other half was probably clean, malware likes to sit on the system drive