Virus Trojan:

[Freder]

I have the trojan virus and maybe anothers..

The avast antivirus show me that I have "Win32:Patched-CK [trj]", now the virus has attack Avast antivirus as well.

I have many symptoms and when a fix something (for example the sound, I can listen youtube, afterwards, when I restart the computer I can't listen it again).

I have done everything that says here: http://www.computerhope.com/forum/index.php/topic,46313.0.html

I did 2 things different:

1. I didn't download "PS1a" because I have Service Pack 2 (SP2), and I thought that it was enough (maybe I am wrong, Im beginner)

2. I installed and ran Malwarebytes before than SUPERAntiSpyware. That was because I was working in Safe Mode and windows didn't allowed me to install SUPERAntiSpyware. So I installed and ran Malwarebytes, then this program asked me to restart the computer and then I could install SUPERAntiSpyware (not in safe Mode).

Tell me if I have to do anything else. However here I have attached the logs:

Thanks very much for your help.

[attachment deleted by admin]

[darhblader]

judgeing by the comment that it undoes changes on startup i'd say its a startup problem

you can look at your startup programs by typing msconfig in the run command.
you can disable everything apart from your virus scanner and (if you have one) firewall and see if that stops the problem. if it doesnt then its not a complete program

try that first and tell me if it works though

hope it helps

andy

[brundle]

Have you run an Avast boot-scan? It will check your PC before Windows loads, making it easier to remove problems. http://www.schmahl.net/avastbootscan.php

[Freder]

I did disabled all boxes in start up apart from nod antivirus. Then I restarted and I run nod32 antivirus and it found the virus in memory, with this message:

virus Win32/TrojanProxy.Agent.NCI found in operating memory. NOD32 can clean this infiltration. No action can be taken while the file is in memory. Click "Leave" to continue and subsequently run the cleaning of all local disks. System memory infection originated from file C:\WINDOWS\system32\winlogon.exe.

Then it found this:
File C:\WINDOWS\explorer.exe is infected with virus Win32/TrojanProxy.Agent.NCI. NOD32 can clean this infiltration. But it was cleaned.

File C:\WINDOWS\system32\gaopdxlrnmettlqxqmltltxewjbobqyjvulvpr.dll is infected with trojan Win32/TrojanClicker.Agent.NGB. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. (I copied to quarentine)

File C:\WINDOWS\system32\lsass.exe is infected with virus Win32/TrojanProxy.Agent.NCI. NOD32 can clean this infiltration. But it was cleaned.

File C:\WINDOWS\system32\svchost.exe is infected with virus Win32/TrojanProxy.Agent.NCI. NOD32 can clean this infiltration.

File C:\WINDOWS\system32\winlogon.exe is infected with virus Win32/TrojanProxy.Agent.NCI. NOD32 can clean this infiltration. then I cleaned and it says:
C:\WINDOWS\system32\winlogon.exe - Win32/TrojanProxy.Agent.NCI virus - cleaned (after the next restart) [2]

etc...

what should I do??

Other symptom of this virus, or maybe because I deleted some infected files, are: that when I open windows, appear the desktop empty. There is nothing only the desktop theme.

But I found a way to access to the programs by using Ctrl+Alt+Del ... and then file, ...browser...

what should I do with the virus in memory??

I have already ran the avast boot -scan (before windows start) .. and many files included one in Avast folder are infected.

[darhblader]

try booting in safe mode by hitting f8 at startup ad then selecting safe mode

run nod again and see if it can clean the memory

i've never had an affected memory before from nod so i have no experience in this. but i think safemode is your best bet.

[darhblader]

oh and as for the disappearing desktop, you can restart the explorer.exe from task manager by going into new task and typing explorer

usually this just happens as a fluke and is usually sorted on next boot but do post if it doesnt

[brundle]

Does that mean you're using NOD32 & Avast at the same time? Or did you install NOD32 after removing Avast?
If NOD32 "quarantined" those absolutely essential Windows files that would explain your lack of a desktop after booting. Something has (had) hooked itself into them. You could try SFC /scannow from the "Safe Mode with Command Prompt" to replace the files with originals, have your XP CD handy.

[evilfantasy]

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

• O4 - HKCU\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i
• O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
• O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
• O21 - SSODL: VDEiAp - {21288ECA-8B82-2460-C8BE-B5B45A2A4A37} - C:\WINDOWS\system32\jzyy.dll (file missing)

.
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start
  
• An information notice will appear, click OK.
  
• This starts a short scan that will scan the files currently running in memory.
• If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
  
• If or when something is found, click the Yes button when it asks you if you want to cure it.

• Once the short scan has finished, Click Settings > Change Settings
  
• Under the Scanning tab UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
  
• Click Yes to all if it asks if you want to cure/move any file(s).
  
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

* After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
* Copy and paste that log in the next reply

[whatchamacallit]

try using other anti-virus that maybe remove the trojan virus