Hi! I’ve been using Avast! for quite some time now and this is the first time I encountered this kind of problem. After Avast! updated I turned off my laptop because I was done using it, and then after turning it on again it always shows an explorer.exe error, then Avast! detects a trojan horse under the location C:/user/update.exe which I can delete but it keeps coming back. I’ve got experiences with worms before but Avast! immediately solves my problems. This time it’s different: Avast! cannot detect what or where the worm is, just the Trojan Horse. I wasn’t going to conclude that due to the update that this happened but the same thing happened to my other laptop. Same issue. Same problem. Please help me out. I did everything, scanned everything, even the memory test, but nothing can be detected except for the trojan on the said folder. I don’t know what to do… My virus database version is 090719-0, 07/19
Thanks a lot!
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
- 1. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.
- 2. SUPERantispyware On-Demand only in free version.
Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Thanks, but I installed AVG and found out that I have a Trojan Horse Agent2.IIE infection. It is still currently running its scan. I’m not sure if AVG could get rid of this. BTW this laptop is new, I’m still exploring it. Not yet a week old and it’s infected already.
You should probably do a boot time scan. That should fix the problem!
If avast is detecting it, a boot time scanning should take care of it. Anyway, when a virus is recurrent, better is:
I suggest:
- Clean your temporary files.
- Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
- Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, better and safer is to send the files to Quarantine than to simply delete them.
- Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
- Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to on-line analysis.
- Clean your Hosts file (replacing it) with HostsMan tool.
- Disable System Restore and then reenable it again.
- Immunize your system with SpywareBlaster.
- Check if you have insecure applications with Secunia Software Inspector.
Avast! could only detect the trojan horse located at C:\user\update.exe in both my laptops. When I ran AVG it detected a Trojan Horse agent2.IIE located at C:\Driver\Files\DT.exe, again in both my laptops. How could I have gotten the same infection in different laptops? I didn’t do anything that could transfer the infection to the other laptop. Thanks for all your help.
This link explains what this virus DT.exe does. It seems a nasty bit of kit. One of its aliases is Update.exe. So it would seem related to what Avast found. Has AVG removed it?
http://spywarefiles.prevx.com/spywarefiles.asp?FXC=IEGJ790070
I suppose you’re not using avast and AVG at the same time in the same computer.
Maybe the infection came from the same website visited on both computers…
Well, Avast does detect the update.exe trojan but not the AVG. Although it does detect the DT.exe virus but the avast cannot. I installed malwarebytes and super antispyware. I was surprised that there are about 8 trojans in the system restore detected by the super antispyware whereas the malwarebytes detected OGa\RD\GOx.exe. BTW I removed the avast temporarily. Both laptops weren’t used for any other similar apps except for Avast update. I have a friend who is also using Avast. He used AVG to scan his laptop and found similar trojans. I did a little experimentation with this laptop and opted not to delete the OGa\RD\GOx.exe file and for sure it threw that update.exe trojan. It messes with my start up; a little window will pop out.
These were the infections found by malwarebytes:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components{67kln5j0-4opm-01we-aax2-314cca554372} (Generic.Bot.H) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components{67kln5j0-4opm-01we-aax5-314cca322142} (Generic.Bot.H) → No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\OGa\RD\GOx.exe (Generic.Bot.H) → No action taken.
Send GOx.exe to virustotal and show us the result. Also if virustotal is detecting a lot of viruses then please feel free to send the file through Avast! chest then send it to ALWIL. So they can improve our detection.
Thanks.
Mr.Agent
I’ll do what you suggested. I already removed it from this laptop coz it’s scaring the heck out of me. I’ll be fixing my other laptop tomorrow since they’re both infected with the same thing. Thanks a lot!
BTW how do I send it? It’s still in my quarantine in malwarebytes.
;D hi kabayan,
Do you currently use P2P file sharing software?
Please read this article: "So how did I get infected in the first place?" © Tony Klein 8)
Nope, don’t do p2p file sharing. I’m using firefox as my browser. This laptop is new, just a week old. Although I already cleared the infections I had earlier, I’m still getting a few ones, mostly they land on my system restore. Thanks a lot for all your help. The other laptop, sad to say, got 53 infections! But I haven’t connected both laptops by any means. It has the same infection as this one has. But it has a trojan downloader inserted to one of its programs (Flushcode.exe). I’m currently downloading Spybot search and destroyer, hope this will end my infection streak.
I can’t download spybot search and destroy. It’s either being canceled or if I could download it, it says I have no permission to access it. Why is that? I can’t even download spyware blaster nor the avast anti rootkit!!! What’s going on!!!
Most probably you’re infected and the malware is preventing you from getting protection/cleaning software.
It sounds like a hosts file problem. Check the contents of the file at the location for your operating system.
Windows 95 - C:\windows
Windows 98 - C:\windows
Windows Me - C:\windows
Windows 2000 - C:\windows\system32\drivers\etc
Windows XP - C:\windows\system32\drivers\etc
Windows NT - C:\winnt\system32\drivers\etc
Windows Vista - C:\windows\system32\drivers\etc
Note the file does not have an extension, it’s simply hosts
The default file consists of a number of example lines preceded with #. The only required line is
127.0.0.1 localhost
You can get a good replacement and more info on what the hosts file does from here
http://www.mvps.org/winhelp2002/hosts.htm
HostsMan could be the best tool for having it updated: http://www.abelhadigital.com
HOSTS file redirect is a common malware tactic to block AV sites, making it difficult to remove malware. Check your HOSTS file using notepad or a text editor of your choice and look for entries with avast.com on the line, you may well see other AV sites.
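Added example, not part of any post in this thread: a Python sketch of the hosts-file check described above, listing every mapping whose hostname belongs to a security vendor while ignoring comments and ordinary blocklist entries. Only avast.com comes from the thread; the rest of the watchlist and the sample file contents are assumptions constructed for illustration.

```python
# Added example: audit hosts-file text for entries that redirect security sites.
# WATCHLIST is an assumed list; only avast.com is named in the thread.
WATCHLIST = ("avast.com", "avg.com", "malwarebytes.org",
             "superantispyware.com", "safer-networking.org")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname
        ip, names = fields[0], fields[1:]
        for name in names:  # one line may map several names to one address
            yield line_no, ip, name.lower().rstrip(".")

def matches(host, domain):
    """True for the domain itself or any subdomain, not for look-alike names."""
    return host == domain or host.endswith("." + domain)

def audit(text, watchlist=WATCHLIST):
    """Return the mappings whose hostname belongs to a watched vendor domain."""
    return [(n, ip, host) for n, ip, host in parse_hosts(text)
            if any(matches(host, d) for d in watchlist)]

# Constructed sample: the default line, an immunization-style blocklist entry,
# two redirects of vendor sites, a commented-out line and a look-alike name.
SAMPLE = """\
# sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1       ads.example.net        # blocklist entry, not a finding
127.0.0.1       www.avast.com download.avast.com
0.0.0.0         Update.AVG.com.
# 127.0.0.1     files.avast.com   (commented out, ignored)
127.0.0.1       notavast.com
"""

if __name__ == "__main__":
    for line_no, ip, host in audit(SAMPLE):
        print(f"line {line_no}: {host} -> {ip}")
```

To check a real machine, read the file at the path for your operating system given in the list above and pass its text to `audit()`; any hit means the named site is being sent to the address shown instead of its real server.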
I’ve deleted a tracking cookie from doubleclick. Is that bad? I’m kinda new at this thing coz it’s my first time to encounter such problems. I’m really lost! Thank you very much for all your help!
I’ve searched the file c:/etc (file path for xp you’ve given me earlier). I couldn’t see what you were pertaining to, all I got was:
hosts
hosts.backup
lmhosts
networks
protocol
services
They’re all under etc folder. THANK YOU SO MUCH!
No problem
the one you want is ‘hosts’
or you could open notepad, click file → open and paste this path into the filename:
C:\WINDOWS\system32\drivers\etc\hosts
It will open up and you can check it to see what it contains like Tech says
-Scott-
Is it good that I only have those things under my etc folder? Wow, it’s now that I realize that there are too many threats!
Thank you! Thank you! for the insights!
Thank you Scott and Tech! I really don’t know what to do. Well, I’ve downloaded spybot s&d from another pc and got it installed here at my eeepc. I was able to install it using a flashdisk. I ran a scan and got three alerts from a tracking cookie, it was red so I removed it. When I checked my hosts file (thanks to Scott who taught me how to) spybot entered the host file after I immunized my system. What should I look for that seems suspicious? I’ll try to redownload the spyblaster to see if everything works out. Thank you guys!
-It’s still getting cancelled. I guess it must be something from the previous infections. I ran everything MBM, SAS, AVG and SPYBOT none can be detected anymore… Must be something from my registry…