I log in to Windows Live (MSN Messenger) and Avira fires up a box to let me know I have some trojan in my temporary folder. Unless I quarantine it, it keeps popping up.
Any ideas?
"Use a better anti-virus" springs to mind?
Nope. With the info given ("PC broke, virus message, can I fix?"), all I can suggest is that you reformat or replace the hard drive and start afresh with a new one.
... unless you supply the following:
- OS?
- did this alert appear as soon as you booted up your PC? (if so, it was probably already on the PC and was just set to auto-start)
- what is the name of the "virus" which was found?
- what's the full path to this "virus"? Is it the same file every time?
- what does virustotal.com have to say about this file?
- have there been any other odd things happening on your PC?
- does Malwarebytes find anything?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:54 AM, on 9/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1254263259750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1254263253250
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (pm0aayqa) - Unknown owner - C:\WINDOWS\system32\vejil.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 5033 bytes
- Windows XP sp2 Home Edition.
- It doesn't appear at boot up. It tends to appear whilst I am online.
- It appears to be the same name. It's been detected in username\local settings\temporary internet files\CONTENT.IE5\OLQFGXER\ADSAdClient31[1].htm
The letters in red change.
I haven't tried Malwarebytes or VirusTotal. I haven't noticed odd things happening, but this PC did have an autorun bug before [now deleted], which would get onto USB memory sticks.
Avira simply alerts me with 'contains recognition patterns of the HTML/infected webpage.GEN script virus'.
While I was running Malwarebytes just now I got another alert.
[img=http://img98.imageshack.us/img98/4506/shot2.gif]
Malwarebytes found 4 objects. I clicked on remove.
[img=http://img9.imageshack.us/img9/3251/shot3r.th.gif]
On my main rig these are residing in local settings\data application\Opera\Opera\cache\
http://www.confickerworkinggroup.org...feyechart.html
Try Process Monitor - http://live.sysinternals.com/procmon.exe - while the PC is idle but with IE and Opera running. Filter out the processes which are doing background stuff (but check that they don't look suspicious anyway, as some malware adds itself to other processes).
Try full scans with the free Kaspersky online scanner, the BitDefender online scanner (2 engines in 1 - very good), and the free VIPRE Rescue scanner - http://live.sunbeltsoftware.com/ - the Vipre thing can give false positives sometimes though.
Ensure that you can see hidden files, then use Start -> Run to open these folders and look for hidden files or suspicious-looking files with random-looking filenames, specifically recently modified or created ones. Submit suspicious files to www.virustotal.com:
%appdata%
%temp%
%windir%\temp
%windir%\system32
%windir%\system32\drivers
Finally, run the built-in Windows utility sigverif.exe to verify most (but not all, unfortunately) Windows system files.
Autoruns (live.sysinternals.com/autoruns.exe) has two useful options to tick to check the integrity of files to see whether malware has patched them - "Hide Microsoft and Windows entries" and "Verify Code Signatures".
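The folder check in the reply above is tedious by hand, so here is an added example (mine, not code from the thread or from any of the tools it names) that does the mechanical part: it walks the folders the reply lists, keeps only files modified in the last N days, notes the Windows hidden attribute, and prints a SHA-256 for each so the hash can be searched on virustotal.com before uploading anything. The folder list is the reply's; the seven-day window, the SHA-256 step and the `make_sample_folder` helper (which builds a constructed sample directory so the script can be exercised anywhere) are my assumptions.

```python
"""Triage recently modified files in the folders named in the reply above."""
import hashlib
import os
import stat
import tempfile
import time
from dataclasses import dataclass

# Folders from the reply; %var% expansion only happens on Windows.
FOLDERS = [
    "%appdata%",
    "%temp%",
    r"%windir%\temp",
    r"%windir%\system32",
    r"%windir%\system32\drivers",
]


@dataclass
class Finding:
    name: str
    path: str
    size: int
    age_days: float
    hidden: bool
    sha256: str


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_hidden(st: os.stat_result, name: str) -> bool:
    """Windows exposes the attribute bits; elsewhere fall back to dot-files."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or name.startswith(".")


def triage(folders, max_age_days=7, now=None, recurse=False):
    """Return files under `folders` modified within `max_age_days`, newest first."""
    now = time.time() if now is None else now
    findings = []
    for folder in folders:
        root = os.path.expandvars(folder)
        if not os.path.isdir(root):
            continue  # folder absent on this machine (or variable not expanded)
        for dirpath, dirnames, filenames in os.walk(root):
            if not recurse:
                dirnames[:] = []  # top level only, like browsing the folder by hand
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.stat(full)
                except OSError:
                    continue  # locked or vanished between listing and stat
                age = (now - st.st_mtime) / 86400
                if age > max_age_days:
                    continue
                try:
                    digest = sha256_of(full)
                except OSError:
                    digest = "(unreadable)"
                findings.append(Finding(name, full, st.st_size, age, is_hidden(st, name), digest))
    findings.sort(key=lambda f: f.age_days)
    return findings


def make_sample_folder() -> str:
    """Constructed sample data: one file changed today, one a month old."""
    d = tempfile.mkdtemp(prefix="triage-sample-")
    with open(os.path.join(d, "abc123.exe"), "wb") as f:
        f.write(b"abc")
    old = os.path.join(d, "old.dll")
    with open(old, "wb") as f:
        f.write(b"stale")
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))
    return d


if __name__ == "__main__":
    targets = FOLDERS if os.name == "nt" else [make_sample_folder()]
    for f in triage(targets):
        flag = "H" if f.hidden else "-"
        print(f"{flag} {f.age_days:5.1f}d {f.size:9d} {f.sha256[:16]}... {f.path}")
```

Search each printed hash on VirusTotal first; a hash lookup tells you whether the file is already known without sending a possibly private file anywhere, and you only upload the ones nobody has seen.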
1. Install NOD32 trial
2. Scan PC from safe mode
Run HijackThis and select
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: SmartLinkService (pm0aayqa) - Unknown owner - C:\WINDOWS\system32\vejil.exe (file missing)
and click fix checked.
Bar that your log is clean.
Run CCleaner to clear all your temporary files. The JS/FakeAlert is just a fake page aimed at tricking you into downloading/paying for something, which itself is usually infected.
Remove all that MalwareBytes found.
pp05 (30-09-2009)
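The two entries picked out of the log above share a pattern: a registered component whose file no longer exists, and in the service's case a short name that looks machine-generated. As an added example (mine, not the thread's and not HijackThis code), the script below parses the O2, O4 and O23 line formats visible in the log and reports entries of that kind. The sample lines are copied from the log above; the "random-looking name" rule is a simple heuristic of my own, and the O4 check for autoruns launched from temp or profile folders is an assumption about what else is worth flagging.

```python
"""Flag orphaned and odd-looking entries in a HijackThis log."""
import re
from dataclasses import dataclass

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Sample lines taken from the log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r"O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe",
    r"O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)",
    r"O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)",
    r"O23 - Service: SmartLinkService (pm0aayqa) - Unknown owner - C:\WINDOWS\system32\vejil.exe (file missing)",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe",
]


@dataclass
class Finding:
    section: str
    identifier: str
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """Heuristic (mine): short, all lowercase, letters mixed with digits, no separators."""
    return bool(re.fullmatch(r"[a-z0-9]{6,12}", name)) and any(c.isdigit() for c in name)


def review(lines):
    """Return a Finding for each entry that deserves a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append(Finding("O2", m["clsid"], "BHO registered but its file is gone", line))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"].lower()
            # Assumed check: legitimate autoruns rarely live in temp or profile folders.
            if "\\temp\\" in cmd or "\\local settings\\" in cmd or "\\application data\\" in cmd:
                findings.append(Finding("O4", m["key"], "autorun launched from a temp/profile folder", line))
            continue
        m = O23_RE.match(line)
        if m:
            short = m["short"] or m["display"]
            if m["missing"]:
                reason = "service points at a missing file"
                if looks_random(short):
                    reason += " and has a random-looking name"
                findings.append(Finding("O23", short, reason, line))
            elif looks_random(short):
                findings.append(Finding("O23", short, "random-looking service name", line))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.section}] {f.identifier}: {f.reason}")
```

Only the orphaned entries and the oddly named service come back; the Avira and HP services, whose files exist and whose names are readable, are left alone. Entries like the missing Symantec and iPod services are reported too, since a leftover pointing nowhere is harmless but still worth removing, which is why the reply says to fix checked and then call the log clean.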