JS:Banker-0 [Trj]

Avast is giving red flags on basically every .exe I have installed. I’ve run a quick scan and a boot-scan which put quite a few things in the virus chest. I also ran Spybot, but that found nothing. I downloaded Malwarebytes; that found nothing. I ran OTC and the .txt is attached. After all this I am still getting the same Threat Detected alerts from Avast.

Some other ones it mentions:
Java.Agent- DQ [Trj]
Java.Agent- BW [Trj]
Java.Agent- BM [Expl]
Win32:Malware-gen
Win32:JunkPoly-B [Cryp]

[quote]Avast is giving red flags on basically every .exe I have installed[/quote]
Sounds like a file infector... are any of the malware names Vitro/Virut/Sality?

anyway Essexboy is notified and will look at the log when he arrives

he usually is in here from 8:00pm to 11:59pm UK time

It’s probably a browser hi-jacker, look below for more info.

127.0.0.1	www.007guard.com
127.0.0.1	007guard.com
127.0.0.1	008i.com
127.0.0.1	www.008k.com
127.0.0.1	008k.com
127.0.0.1	www.00hq.com
127.0.0.1	00hq.com
127.0.0.1	010402.com
127.0.0.1	www.032439.com
127.0.0.1	032439.com
127.0.0.1	www.0scan.com
127.0.0.1	0scan.com
127.0.0.1	1000gratisproben.com
127.0.0.1	www.1000gratisproben.com
127.0.0.1	1001namen.com
127.0.0.1	www.1001namen.com
127.0.0.1	100888290cs.com
127.0.0.1	www.100888290cs.com
127.0.0.1	www.100sexlinks.com
127.0.0.1	100sexlinks.com
127.0.0.1	10sek.com
127.0.0.1	www.10sek.com
127.0.0.1	www.1-2005-search.com
127.0.0.1	1-2005-search.com

The virus is trying to connect to a variety of malware websites but is doing it via 172.0.0.1 (locally). Above are the ones it’s connecting to.

explorer.exe : MD5=0FB9C74046656D1579A64660AD67B746 -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe -> [2011/02/26 01:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=15BC38A7492BEFE831966ADB477CF76F -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe -> [2009/07/13 21:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=255CF508D7CFB10E0794D6AC93280BD8 -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe -> [2011/02/26 01:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=2626FC9755BE22F805D3CFA0CE3EE727 -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe -> [2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe -> [2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=40D777B7A95E00593EB1568C68514493 -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe -> [2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=8B88EBBB05A0E56B7DCC708498C02B3E -> C:\Windows\explorer.exe -> [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=8B88EBBB05A0E56B7DCC708498C02B3E -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe -> [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=9FF6C4C91A3711C0A3B18F87B08B518D -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe -> [2009/08/03 01:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe -> [2009/08/03 01:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=C76153C7ECA00FA852BB0C193378F917 -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f369

^
|
These seem to be the affected areas. Since I don’t know what I am doing, I can’t really help you further. I’m not 100% sure that these are the centre of the infection, but it looks that way.
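The explorer.exe block above is the kind of listing a helper reads to decide whether a file infector has touched the live binary. The check is simple: the copy under C:\Windows should carry the same MD5 as one of the pristine component-store copies under C:\Windows\winsxs, and in the posted log it does (8B88EBBB… appears for both). The script below is an added example, not from the thread or from the OTL/OTC tool; it parses lines in that layout and reports which non-WinSxS copies have a component-store twin. The four hashed lines in SAMPLE_LISTING are copied from the posted log; the all-zero-MD5 line on the Desktop path is constructed here to show the non-matching case.

```python
"""Added example (not from the thread): triage an OTL/OTC-style file listing.

For a suspected file infector the useful question about a listing like the
explorer.exe block is whether the live copy under C:\Windows carries the
same MD5 as one of the component-store copies under C:\Windows\winsxs.
"""
import re
from collections import defaultdict

# Four lines copied from the posted log; the last line is constructed
# (all-zero MD5, empty company field) to exercise the "inspect" branch.
SAMPLE_LISTING = r"""
explorer.exe : MD5=8B88EBBB05A0E56B7DCC708498C02B3E -> C:\Windows\explorer.exe -> [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=8B88EBBB05A0E56B7DCC708498C02B3E -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe -> [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=40D777B7A95E00593EB1568C68514493 -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe -> [2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=15BC38A7492BEFE831966ADB477CF76F -> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe -> [2009/07/13 21:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation)
 explorer.exe : MD5=00000000000000000000000000000000 -> C:\Users\Jman\Desktop\explorer.exe -> [2011/05/20 12:00:00 | 002,616,320 | ---- | M] ()
"""

# One OTL-style line:
#   <name> : MD5=<hash> -> <path> -> [<date> | <size> | <attrs> | M] (<company>)
LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s*:\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*->\s*(?P<path>.+?)\s*->\s*"
    r"\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\((?P<company>[^)]*)\)\s*$"
)


def parse_listing(text):
    """Return one dict per line that matches the OTL layout.

    Blank lines, arrows and truncated lines (like the cut-off one in the
    posted log) simply do not match and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["md5"] = e["md5"].upper()
        e["size"] = int(e["size"].replace(",", ""))
        e["in_winsxs"] = "\\winsxs\\" in e["path"].lower()
        entries.append(e)
    return entries


def triage(entries):
    """Map every non-WinSxS path to a verdict string.

    A live copy whose MD5 also appears on a component-store copy is the
    same bytes Windows itself staged, so a file infector has not rewritten
    it. A live copy with no such twin is not proof of infection, but it is
    the one to look at first.
    """
    by_md5 = defaultdict(list)
    for e in entries:
        by_md5[e["md5"]].append(e)
    verdicts = {}
    for e in entries:
        if e["in_winsxs"]:
            continue
        twins = [t for t in by_md5[e["md5"]] if t["in_winsxs"]]
        if twins:
            verdicts[e["path"]] = "matches component store copy"
        else:
            verdicts[e["path"]] = "no component-store twin: inspect"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(parse_listing(SAMPLE_LISTING)).items():
        print(f"{verdict:35s} {path}")
```

On the posted listing the only non-WinSxS copy, C:\Windows\explorer.exe, gets "matches component store copy"; the constructed Desktop copy is the one flagged for inspection.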

[quote author=Pondus link=topic=78559.msg648872#msg648872 date=1306141489]
Sounds like a file infector... are any of the malware names Vitro/Virut/Sality?
[/quote]

Didn't see any of those names but I got Win32:JunkPoly-B[Cryp], are those significant? Also found a new one, INF:AutoRun-gen2[Wrm]

The host file is OK as they are set to loopback
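The distinction Essexboy is drawing above can be checked mechanically: a hosts entry that points a name at a loopback or unspecified address (127.0.0.1, ::1, 0.0.0.0) sinks that name, which is what blocklists and immunisation tools write, whereas an entry that points a name at a routable address redirects it, which is what a hijacker would do. The script below is an added example, not from the thread; SAMPLE_HOSTS is constructed here, with six names copied from the list quoted earlier in the thread and one redirect line that uses the documentation address 203.0.113.5 and www.example.com.

```python
"""Added example (not from the thread): tell a blocklist-style hosts file
from a redirecting one.

Sinkhole entries (loopback or unspecified target) are benign by
construction; entries that map a hostname to a routable address are the
ones worth reading.
"""
import ipaddress

# Constructed sample: the 007guard/008i/008k/00hq names are copied from the
# thread, the last two lines are made up for this example.
SAMPLE_HOSTS = """
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   www.007guard.com
127.0.0.1   007guard.com
127.0.0.1   008i.com
127.0.0.1   www.008k.com
127.0.0.1   008k.com
127.0.0.1   www.00hq.com
0.0.0.0     ads.example.net     # null route, also a sink
203.0.113.5 www.example.com     # constructed redirect to a routable address
"""


def classify_hosts(text):
    """Split hosts-file lines into sinkholed, redirected and malformed groups.

    Returns a dict of lists; sinkholed and redirected hold (ip, hostname)
    tuples, malformed holds the raw lines that could not be parsed.
    """
    sinkholed, redirected, malformed = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            malformed.append(raw)
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append(raw)
            continue
        # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and :: are unspecified.
        is_sink = ip.is_loopback or ip.is_unspecified
        for host in parts[1:]:
            (sinkholed if is_sink else redirected).append((str(ip), host.lower()))
    return {"sinkholed": sinkholed, "redirected": redirected, "malformed": malformed}


def hosts_verdict(text):
    """One-line summary in the spirit of 'the host file is OK as they are set to loopback'."""
    r = classify_hosts(text)
    if r["redirected"]:
        return "inspect: %d hostname(s) redirected to routable addresses" % len(r["redirected"])
    return "ok: all %d entries are loopback/null sinks" % len(r["sinkholed"])


if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    print(hosts_verdict(SAMPLE_HOSTS))
    for ip, host in result["redirected"]:
        print("  redirect:", host, "->", ip)
```

Run against the list quoted in the thread alone, every entry is a 127.0.0.1 sink and the verdict is "ok"; the constructed 203.0.113.5 line is what turns it into "inspect".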

I have found it and it is a password stealer

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

  1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

  2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  secrty.dll -> C:\Users\Jman\secrty.dll
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

New OTC log is attached. Problem still persists.

This does sound like a file infector - what is the virus reported by Avast ?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

ComboFix log attached.

And here is what avast is finding:
INF:AutoRun-gen2[Wrm]
Win32:JunkPoly-B[Cryp]
Java.Agent- DQ [Trj]
Java.Agent- BW [Trj]
Java.Agent- BM [Expl]
Win32:Malware-gen

Let’s get a second opinion on this as I am not seeing anything untoward at the moment. What file location is Avast giving, e.g. c:\windows\system32\abd.exe?

Download Dr Web from here. Fill in the small form and download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log; please attach that.

Would not give me a log, but the express search came up with no infected files at all. Should I try a full scan?

Yes please - do you have a file path for the infected elements ?

There are a ton of separate paths but here are a few:
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA
C:\Windows\system32
C:\Users\Jman\AppData\Local\Apps\2.0\WDRGCCZK.K2J\EDXK0VQ1.8q2
C:\Users\Jman\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47
C:\Users\Jman\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\72a66fbb-75b86928
E:\Windows.old\Program Files\Online Services\PeoplePC\System

Some are simply just running off of C:\Users\Jman\Desktop, C:\Users\Jman\Downloads
Running Full Dr. Web scan right now.

Results for Dr. Web Full scan.

Intriguing - all that found was the one in quarantine that we deleted earlier

Are the alerts still appearing ?

Actually, since ComboFix the messages have stopped. It might be dead.

Could you run for a day or so and let me know if there are any further problems or not ;D

Will do. Thanks for all the help.