Virus deletes Avast/AVG GUI

I have something on my system and it's deleting selected files from the antivirus programs. The only way I know I'm infected is that the icons for both aren't showing the right picture, and when I go back to look for their source the file is gone. I have run both programs and the most they detected was some neroupgrade.exe and Java stuff. I ran a boot scan and that's where those came up.

I log in today and Avast is now gone.

neroupgrade is still running and I have another program running that even Google doesn't know of

wKIIOVRNu.exe

C:\ProgramData\0qlQpgxLLD0i\g71f1lhX6bVSzjlf\hbmEQIUcuglcAsd\wsa8EwJJUZBk4i

Too bad Windows can't see it, nor can anything else, and I have no idea what it does.

Any ideas?

At the top of this forum section you will find a sticky post called “logs to assist in cleaning malware”.
Follow the instructions and attach the logs.


Please attach the log; it will make it easier for you.

lol here is the OTL. Didn't see attachment till after. Idiot me.

After this run, could you reinstall Avast and let me know if it now works?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;
O4 - HKCU..\Run: [IyxndyO] c:\ProgramData\UthwsnF\KxpeuwE\IyxndyO.exe (PhedexbFileDescription)
O4 - HKCU..\Run: [pKZ4xc] C:\ProgramData\0qlQpgxLLD0i\g71f1lhX6bVSzjlf\hbmEQIUcuglcAsd\wsa8EwJJUZBk4i\wKIIOVRNu.exe ()
O4 - HKCU..\Run: [TsdskfH] c:\ProgramData\MkekdaT\QevceaY\TsdskfH.exe (PhedexbFileDescription)
O4 - HKCU..\Run: [TwiqatN] c:\ProgramData\CxnheoA\DbomqgR\TwiqatN.exe (PhedexbFileDescription)
[2012/06/06 10:40:07 | 000,000,000 | -HSD | C] -- C:\ProgramData\UthwsnF
[2012/06/06 10:23:28 | 000,000,000 | -HSD | C] -- C:\ProgramData\MkekdaT
[2012/06/05 01:09:50 | 029,852,556 | ---- | C] (PhedexbFileDescription) -- C:\ProgramData\QSZqyCLhx7.exe
[2012/06/05 01:09:33 | 029,091,909 | ---- | C] (PhedexbFileDescription) -- C:\ProgramData\vElu2843MzH.cpl
[2012/06/05 01:09:25 | 030,582,906 | ---- | C] (PhedexbFileDescription) -- C:\ProgramData\whdxJomiogWj.cpl
[2012/06/05 01:08:49 | 000,000,000 | -HSD | C] -- C:\ProgramData\CxnheoA
[2012/06/05 01:08:42 | 030,100,287 | ---- | C] (PhedexbFileDescription) -- C:\ProgramData\binghBgljApZ.exe
[2012/06/05 01:08:33 | 000,000,000 | -HSD | C] -- C:\ProgramData\0qlQpgxLLD0i
[2012/06/05 01:09:51 | 029,852,556 | ---- | M] (PhedexbFileDescription) -- C:\ProgramData\QSZqyCLhx7.exe
[2012/06/05 01:09:33 | 029,091,909 | ---- | M] (PhedexbFileDescription) -- C:\ProgramData\vElu2843MzH.cpl
[2012/06/05 01:09:25 | 030,582,906 | ---- | M] (PhedexbFileDescription) -- C:\ProgramData\whdxJomiogWj.cpl
[2012/06/05 01:08:42 | 030,100,287 | ---- | M] (PhedexbFileDescription) -- C:\ProgramData\binghBgljApZ.exe
[2012/06/05 01:08:33 | 000,000,173 | ---- | M] () -- C:\ProgramData\97083540792f064a9f6a31208b4a04ff55827e1d
[2012/06/05 01:08:27 | 027,332,575 | ---- | M] () -- C:\ProgramData\2k7y43zv.lnk
[2010/12/04 23:20:37 | 000,000,000 | ---D | M](C:\Users\chuckles\Documents\?? ???) -- C:\Users\chuckles\Documents\?? ???
[2010/12/04 23:20:37 | 000,000,000 | ---D | C](C:\Users\chuckles\Documents\?? ???) -- C:\Users\chuckles\Documents\?? ???

:Files
ipconfig /flushdns /c
c:\ProgramData\UthwsnF
C:\ProgramData\0qlQpgxLLD0i

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I ran Malwarebytes earlier. Here are the logs. I put AVG back on because I could repair it easier. It ran once and its GUI is gone again. I'm assuming Avast will have the same issue. But I can put Avast back on again.

Is this after the OTL fix?

Not yet. I did that earlier. Will run now.

Yes, retry either AVG or Avast after the OTL run

That seemed to do it. I repaired AVG, restarted, checked to see if it was there, then restarted again and it was there. Here is the log from OTL with what it fixed.

Any idea what it was?

It was any one of the trojan family that tries to download an MBR changing programme… In fact I am surprised it did not do that

How is the computer behaving now?

No issues right now. Restarted multiple times and the antivirus turns on. Going to put Avast back on now. I just wish it had a repair function lol :)

Thank you!

There is a repair function: go to Control Panel as if to uninstall, but select repair from the options

You don't mean to install Avast and AVG?