Java Agent Virus...Please Help

Please help

I ran a full scan with Avast and it came up with these viruses.
I moved them into the chest and then later deleted them.

Java Agent – Win [Expl]
Java Agent – XK [Expl]
Java Agent – VZ [Expl]
Java Agent – WO [Expl]

They infected my Java Deployment cache on my main hard drive and also on one of my external hard drives under history.

I think there is still something in there, as my internet connection keeps cutting out and my computer slows down. Follow-up scans with Avast antivirus and Malwarebytes show nothing at all.

Regards,

Step 1

Download OTL from one of the following links:
[*] LINK 1
[*] LINK 2
[*] LINK 3
Remember to save it on your Desktop.

[*] Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[EMPTYJAVA]
[Reboot]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system. Post the new log.

Step 2
Please again follow this manual and attach the log reports.
http://forum.avast.com/index.php?topic=53253.0

Tell us if the detection problem is still present.
Essexboy will analyze the log reports and forward you further instructions on how to remove active malware, if present.

Thank you Magna
I attached the logs after following the instructions from that link for Essexboy to look over.

You are missing one OTL log... the one you are posting is the OTL Extras.

OTL Extras logfile created on: 2/16/2012 3:32:43 AM - Run 1

It is the other one, OTL.txt, that is important for Essexboy.

Why not update java?

If you don't need it, ditch it... uninstall it 8)

Hi true indian,

You are thinking a step further ahead than you should be. First the cleansing has to be performed by the malware remover. The objects were sent to the chest, but were they blocked? That is the question. This should be checked against the logs. Now, when the malware has been fully cleansed, Java should be updated and previous instances of Java uninstalled. After, and only after, the malware cleansing has been performed, the victim could check with http://secunia.com/vulnerability_scanning/online/ to see which Java version he should update to.

polonus

Posted the OTL text along with the Extras.

magna86 has this one ;D

Malwarebytes just found this today and I have it in quarantine at the moment.

Trojan.dropper C:\ProgramFiles(x86)\Ashampoo\AshampooWinoptimizer7\EXEDecrypt.exe

Is there a program to find any vulnerabilities in my computer, or to find how these viruses keep getting in?

Magna is a bit busy at the moment.

What symptoms are you experiencing, as the logs look OK?

The MBAM detection may be a false positive.

When I use a program like Skype or anything that streams, my internet connection cuts out. This is how I discovered the first virus.

OK, let's check out one of the network files.

[*]Run OTL.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
afd.*
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open one Notepad window.
[*]Attach the log.

Here is the new OTL log

The MD5 appears correct, but let's replace it with a prior version.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
ipconfig /flushdns /c
C:\Windows\SysNative\drivers\afd.sys|C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys /replace

:Commands
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered; reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Latest OTL file.

A couple of desktop.ini files showed up on my desktop screen after running the last OTL scan.

I am also going to update Firefox after reading about the vulnerabilities.

We will hide those once you are happy

Could you now re-run Farbar please

Okay stupid question warning.

What is Farbar and where do I get it?

It is this programme you ran earlier

Run Farbar Service Scanner.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Farbar Service Scanner Version: 14-02-2012
Ran by Mike PC (administrator) on 17-02-2012 at 16:28:40
Running from “C:\Users\Mike PC\Desktop”
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Security Center:

Windows Update:

Windows Defender:

File Check:

C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-14 14:37] - [2011-12-27 22:59] - 0498688 ____A (Microsoft Corporation) 1C7857B62DE5994A75B054A9FD4C3825

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
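Essexboy reads that File Check section by eye. As an added example (not part of this thread and not code from the Farbar or OTL tools), here is a small Python parser for the File Check block of an FSS.txt log: it separates entries FSS marked "MD5 is legit" from any it printed a detail line for instead, so the one unverified file (here afd.sys, with the size and MD5 FSS reported above) can be compared against a known-good copy. The sample input is copied from the log posted above, trimmed to four entries.

```python
import re

# Sample "File Check:" section copied from the FSS.txt log posted in this thread
# (trimmed to four entries); afd.sys is the one entry FSS printed without a verdict.
SAMPLE_FSS = r"""File Check:

C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-14 14:37] - [2011-12-27 22:59] - 0498688 ____A (Microsoft Corporation) 1C7857B62DE5994A75B054A9FD4C3825

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

**** End of log ****
"""

# Detail line FSS prints under a file it could not match against its known-good
# list: two timestamps, size, attributes, vendor string, then the file's MD5.
DETAIL_RE = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) \S+ \((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_file_check(text):
    """Parse the 'File Check:' block of an FSS log into a list of dicts."""
    results = []
    lines = iter(text.splitlines())
    for line in lines:                      # skip ahead to the section header
        if line.startswith("File Check:"):
            break
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("****"):         # "**** End of log ****"
            break
        if " => MD5 is legit" in line:
            results.append({"path": line.split(" => ")[0], "verdict": "legit"})
        elif line.startswith("[") and results:
            m = DETAIL_RE.match(line)
            if m:                           # details belong to the preceding path
                results[-1]["md5"] = m.group("md5").upper()
                results[-1]["size"] = int(m.group("size"))
        else:                               # bare path: FSS gave no verdict
            results.append({"path": line, "verdict": "unverified"})
    return results

def unverified(text):
    """Entries whose MD5 FSS did not confirm; these are the ones to look at first."""
    return [r for r in parse_file_check(text) if r["verdict"] != "legit"]
```

Run it over a full FSS.txt and compare the reported MD5 of each unverified file with the hash of a clean copy from the same Windows build before deciding whether a replacement like the one above is needed.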

Could you have a quick test and let me know how it is performing, please?