Need Help :(

hi to all… my avast detected a trojan virus. when i delete it, it comes back again… i attach a log file of hijackthis.text

please help me :-[ thanks in advance…

Empty your Temp files. You can use ATF Cleaner: http://download.cnet.com/ATF-Cleaner/3000-18512_4-89432.html

Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
after install click UPDATE and run quick scan, click on REMOVE SELECTED to quarantine anything found

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found come back and post the scan logs here

I see you have avast 4.8. Do you know that avast 5 is released ?

ok i will post the results later.

no i dont know that avast 5 is released… should i upgrade to avast 5?

The short answer is you should download and install avast 5.0 if your OS supports it.

If you have win2k, winXP, Vista or Win7 your OS is supported in avast 5.0.

ive done all pondus said but same thing happen… :frowning:

heres the new scan…

can you post the scan logs from Malwarebytes and superantispyware ?

i deleted the scan log for mbam.
heres the scanlog for super anti spyware.
ill rescan mbam ill post it later.

scan log for mbam

Have a look at the first link, http://forum.avast.com/index.php?topic=53253.0

You can find instructions on how to run OTL and post a log (copy/paste). Hopefully Essexboy will take a look for you.

Also, from your HJT log I see C:\WINDOWS\system32\gyzu.exe. Go to VirusTotal, click on Browse, navigate to gyzu.exe and upload it. Post the URL of the VirusTotal results. http://www.virustotal.com/

heres the scan for OTL.

link for virus total:
http://www.virustotal.com/analisis/a2b94feb1ef0b542c84f2ff63af2576f79ab3614239311355c3310929d199a3f-1270654716

Hi, let's start clearing it away

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - [2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) [Auto | Stopped] -- C:\WINDOWS\system32\mounneviz.exe -- (neyyu234q9)
SRV - [2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) [Auto | Stopped] -- C:\WINDOWS\system32\wufuttety.exe -- (iuafiqm23ok5o84u)
SRV - [2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) [Auto | Stopped] -- C:\WINDOWS\system32\tuwi.exe -- (biaiefqi)
SRV - [2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) [Auto | Stopped] -- C:\WINDOWS\system32\zooqueluhez.exe -- (auo8eyee)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
O4 - HKLM..\Run: [cekiro] C:\WINDOWS\system32\gyzu.exe (Four-F)
O4 - HKLM..\Run: [quobyz] C:\WINDOWS\system32\fyquooqu.exe (Four-F)
O4 - HKLM..\Run: [rany] C:\WINDOWS\system32\fyquooqu.exe (Four-F)
O4 - HKLM..\Run: [tolyg] C:\WINDOWS\system32\gyzu.exe (Four-F)
O4 - HKLM..\RunServices: [cekiro] C:\WINDOWS\system32\gyzu.exe (Four-F)
O4 - HKLM..\RunServices: [quobyz] C:\WINDOWS\system32\fyquooqu.exe (Four-F)
O4 - HKLM..\RunServices: [rany] C:\WINDOWS\system32\fyquooqu.exe (Four-F)
O4 - HKLM..\RunServices: [tolyg] C:\WINDOWS\system32\gyzu.exe (Four-F)
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\Charlon\Application Data\xmkk.exe) - C:\Documents and Settings\Charlon\Application Data\xmkk.exe File not found
O33 - MountPoints2\{2a37ee22-f364-11de-83d6-001aef01ef71}\Shell\AutoRun\command - "" = F:\JAGODE\\saslagom.exe -- File not found
O33 - MountPoints2\{2a37ee22-f364-11de-83d6-001aef01ef71}\Shell\open\command - "" = F:\JAGODE\\saslagom.exe -- File not found
O33 - MountPoints2\{639d67a8-a79e-11de-81ff-00261881aba1}\Shell\AutoRun\command - "" = F:\curqp.exe -- File not found
O33 - MountPoints2\{639d67a8-a79e-11de-81ff-00261881aba1}\Shell\open\Command - "" = F:\curqp.exe -- File not found
O33 - MountPoints2\{e02d578c-19de-11df-8470-001aef01ef71}\Shell\AutoRun\command - "" = F:\NAUMI\\radil.exe -- File not found
O33 - MountPoints2\{e02d578c-19de-11df-8470-001aef01ef71}\Shell\open\command - "" = F:\NAUMI\\radil.exe -- File not found
[2010/04/06 12:20:29 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\nopabe.exe
[2010/04/06 12:15:07 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\wufuttety.exe
[2010/04/06 01:18:14 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\tuwi.exe
[2010/04/06 01:17:22 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\rofaken.exe
[2010/04/06 01:14:29 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\zooqueluhez.exe
[2010/04/05 21:00:12 | 000,000,000 | ---D | C] -- C:\gPotato
[2010/04/05 20:50:20 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\mounneviz.exe
[2010/04/05 20:49:27 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\nuju.exe
[2010/04/05 20:48:22 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\quoulyh.exe
[2010/04/05 20:10:27 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\fyquooqu.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\gyzu.exe
[2010/04/06 13:05:30 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\nopabe.exe
[2010/04/06 10:53:12 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\rofaken.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\zooqueluhez.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\wufuttety.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\tuwi.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\quoulyh.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\nuju.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\mounneviz.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\gyzu.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\fyquooqu.exe
[2010/04/05 16:51:13 | 000,000,512 | -H-- | M] () -- C:\Documents and Settings\Charlon\My Documents\hahaha.db

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
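An added example, not part of the original posts: the file listing in the fix above shows many executables in system32 that share one size and one company string under different random names. The Python sketch below parses OTL-style file-listing lines and groups them that way; the sample lines are copied from the log above except the last, which is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# OTL file-listing line: [date time | size | attrs | C or M] (company) -- path
# The leading "[" is optional because it is easily lost in copy/paste, and the
# "(company)" field is optional because directory entries do not carry one.
LINE_RE = re.compile(
    r"^\[?(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# Lines from the log in this thread; the final example.dll line is constructed.
SAMPLE = r"""
[2010/04/06 12:20:29 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\nopabe.exe
[2010/04/06 12:15:07 | 000,284,672 | ---- | C] (Four-F) -- C:\WINDOWS\System32\wufuttety.exe
[2010/04/05 21:00:12 | 000,000,000 | ---D | C] -- C:\gPotato
2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\zooqueluhez.exe
[2010/04/05 20:09:46 | 000,284,672 | ---- | M] (Four-F) -- C:\WINDOWS\System32\gyzu.exe
[2010/04/05 16:51:13 | 000,000,512 | -H-- | M] () -- C:\Documents and Settings\Charlon\My Documents\hahaha.db
[2010/04/01 09:00:00 | 000,045,056 | ---- | M] (Example Corp) -- C:\WINDOWS\System32\example.dll
"""

def parse(log):
    """Return one dict per recognised file-listing line; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            entries.append(e)
    return entries

def clone_clusters(entries, min_files=3):
    """Group .exe files by (folder, size, company); keep groups with many names."""
    groups = defaultdict(set)
    for e in entries:
        path = e["path"].lower()
        if e["size"] == 0 or not path.endswith(".exe"):
            continue
        folder, _, name = path.rpartition("\\")
        groups[(folder, e["size"], e["company"] or "")].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_files}

if __name__ == "__main__":
    for (folder, size, company), names in clone_clusters(parse(SAMPLE)).items():
        print(f"{len(names)} files of {size} bytes ({company}) in {folder}: {names}")
```

A cluster is only a lead for review: legitimate software can also ship several same-size binaries, so each hit still needs checking before anything is removed.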

new OTL scan and ComboFix log.

Those two logs do not look too bad now - what problems do you still have ?

its gone now… thanks again… ;D

Go to PROFILE then Modify Profile then Forum Profile Information then Please select your country: then Signature: and put information about your system just like my signature so that the helpers can offer pertinent advice.

Done ;D

thanks again…