Help plzz


  • This topic is locked
18 replies to this topic

#1 Malik.ghaddar

Malik.ghaddar

  • Members
  • 30 posts

Posted 02 March 2010 - 02:03 PM

Hi, today I turned on my PC and when the Windows screen appears it shows this error


After this I pressed OK and ran Malwarebytes Anti-Malware. It showed an infected file and removed it, but to make sure everything is fine I'm posting a HijackThis log here. Please check.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:37 AM, on 3/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\system32\DA9115\D2841D.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [D2841D] C:\WINDOWS\system32\DA9115\D2841D.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - Startup: D2841D.lnk = C:\WINDOWS\system32\DA9115\D2841D.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3526 bytes




#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 03 March 2010 - 06:00 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an antivirus scan is not present which should be able to deal with most and prevent further reinfection.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Malik.ghaddar

Malik.ghaddar
  • Topic Starter

  • Members
  • 30 posts

Posted 05 March 2010 - 11:15 AM

Thanks for helping, bro, and sorry for the late reply. Here are the Avira and HijackThis reports.

Avira Report



Avira AntiVir Personal
Report file date: Thursday, March 04, 2010 13:19

Scanning for 1817062 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : M-56B9FBF9FFA84

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 19:26:34
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:54
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 21:16:36
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:17:04
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:17:14
VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 21:17:14
VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 21:17:14
VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 21:17:14
VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 21:17:16
VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 21:17:16
VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 21:17:16
VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 21:17:16
VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 21:17:16
VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 21:17:18
VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 21:17:18
VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 21:17:18
VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 21:17:20
VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 21:17:20
VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 21:17:22
VBASE018.VDF : 7.10.3.222 64512 Bytes 2/5/2010 21:17:22
VBASE019.VDF : 7.10.3.243 75776 Bytes 2/8/2010 21:17:24
VBASE020.VDF : 7.10.4.6 81920 Bytes 2/9/2010 21:17:24
VBASE021.VDF : 7.10.4.30 78848 Bytes 2/11/2010 21:17:24
VBASE022.VDF : 7.10.4.50 107520 Bytes 2/15/2010 21:17:26
VBASE023.VDF : 7.10.4.62 105472 Bytes 2/15/2010 21:17:26
VBASE024.VDF : 7.10.4.85 111616 Bytes 2/17/2010 21:17:28
VBASE025.VDF : 7.10.4.109 122368 Bytes 2/21/2010 21:17:28
VBASE026.VDF : 7.10.4.128 109056 Bytes 2/23/2010 21:17:30
VBASE027.VDF : 7.10.4.151 111104 Bytes 2/26/2010 21:17:32
VBASE028.VDF : 7.10.4.170 132608 Bytes 3/1/2010 21:17:32
VBASE029.VDF : 7.10.4.184 100864 Bytes 3/2/2010 21:17:34
VBASE030.VDF : 7.10.4.199 110592 Bytes 3/4/2010 21:17:34
VBASE031.VDF : 7.10.4.200 18944 Bytes 3/4/2010 21:17:34
Engineversion : 8.2.1.180
AEVDF.DLL : 8.1.1.3 106868 Bytes 3/4/2010 21:17:56
AESCRIPT.DLL : 8.1.3.17 1032570 Bytes 3/4/2010 21:17:54
AESCN.DLL : 8.1.5.0 127347 Bytes 3/4/2010 21:17:52
AESBX.DLL : 8.1.2.0 254323 Bytes 3/4/2010 21:17:56
AERDL.DLL : 8.1.4.2 479602 Bytes 3/4/2010 21:17:52
AEPACK.DLL : 8.2.1.0 426356 Bytes 3/4/2010 21:17:50
AEOFFICE.DLL : 8.1.0.39 196987 Bytes 3/4/2010 21:17:48
AEHEUR.DLL : 8.1.1.7 2326902 Bytes 3/4/2010 21:17:46
AEHELP.DLL : 8.1.10.1 237942 Bytes 3/4/2010 21:17:38
AEGEN.DLL : 8.1.2.0 373107 Bytes 3/4/2010 21:17:36
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 15:38:26
AECORE.DLL : 8.1.12.2 188790 Bytes 3/4/2010 21:17:36
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 15:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:48:00
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 23:14:04
AVREP.DLL : 8.0.0.7 159784 Bytes 3/4/2010 21:17:58
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:10
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:42
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:12
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:40:00
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 20:25:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, March 04, 2010 13:19

Starting search for hidden objects.
'34338' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'vlc.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'YahooMessenger.exe' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'WSCNTFY.EXE' - '1' Module(s) have been scanned
Scan process 'WMIPRVSE.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'JQS.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'D2841D.EXE' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\DA9115\D2841D.EXE'
Scan process 'CTFMON.EXE' - '1' Module(s) have been scanned
Scan process 'JUSCHED.EXE' - '1' Module(s) have been scanned
Scan process 'VM303_STI.EXE' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
Process 'D2841D.EXE' has been terminated
C:\WINDOWS\system32\DA9115\D2841D.EXE
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] TR/Dropper.Gen:[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]:<D2841D>=sz:D2841D.EXE
[NOTE] The file was deleted!

37 processes with 36 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '45' files ).


Starting the file scan:

Begin scan in 'C:\' <XP>
C:\PAGEFILE.SYS
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\WINDOWS\system32\FA95A1\cnvpe.fne
[DETECTION] Is the TR/Agent.61440.CZ Trojan
C:\WINDOWS\system32\FA95A1\spec.fne
[DETECTION] Is the TR/Vundo.73728.EC Trojan
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\cnvpe.fne
[DETECTION] Is the TR/Agent.61440.CZ Trojan
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\spec.fne
[DETECTION] Is the TR/Vundo.73728.EC Trojan
C:\Documents and Settings\Administrator\My Documents\vlc-1.0.2-win32.exe
[0] Archive type: NSIS
--> ProgramFilesDir/AUTHORS.txt
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{8E937D52-BEAC-4BB0-963B-010FEF344FF1}\RP54\A0094918.EXE
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\' <WORK>
Begin scan in 'E:\' <MIX MALL>
E:\Virtual Drive 7.01\INSTMSIA.EXE
[DETECTION] Is the TR/Dropper.Gen Trojan
E:\Virtual Drive 7.01\INSTMSIW.EXE
[DETECTION] Is the TR/Dropper.Gen Trojan
E:\My Imp DAta\WinRar_3.7_Setup_installer.exe
[DETECTION] Is the TR/Patched.Gen2 Trojan
E:\My Imp DAta\Media Player 10.0 Final\Energy Bliss Viz for MediaPlayer 10\MP10_EnergyBlissViz.EXE
[DETECTION] Is the TR/Patched.Gen2 Trojan
E:\My Imp DAta\CamStudio 2[1].1.051\CamStudio20.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'F:\' <MICS>

Beginning disinfection:
C:\WINDOWS\system32\FA95A1\cnvpe.fne
[DETECTION] Is the TR/Agent.61440.CZ Trojan
[NOTE] The file was moved to '4c063097.qua'!
C:\WINDOWS\system32\FA95A1\spec.fne
[DETECTION] Is the TR/Vundo.73728.EC Trojan
[NOTE] The file was moved to '4bf53099.qua'!
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\cnvpe.fne
[DETECTION] Is the TR/Agent.61440.CZ Trojan
[NOTE] The file was moved to '4d831e28.qua'!
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\spec.fne
[DETECTION] Is the TR/Vundo.73728.EC Trojan
[NOTE] The file was moved to '4a7727c2.qua'!
C:\System Volume Information\_restore{8E937D52-BEAC-4BB0-963B-010FEF344FF1}\RP54\A0094918.EXE
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4bc0305a.qua'!
E:\Virtual Drive 7.01\INSTMSIA.EXE
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4be33078.qua'!
E:\Virtual Drive 7.01\INSTMSIW.EXE
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4be33079.qua'!
E:\My Imp DAta\WinRar_3.7_Setup_installer.exe
[DETECTION] Is the TR/Patched.Gen2 Trojan
[NOTE] The file was moved to '4bfe3095.qua'!
E:\My Imp DAta\Media Player 10.0 Final\Energy Bliss Viz for MediaPlayer 10\MP10_EnergyBlissViz.EXE
[DETECTION] Is the TR/Patched.Gen2 Trojan
[NOTE] The file was moved to '4bc1307c.qua'!
E:\My Imp DAta\CamStudio 2[1].1.051\CamStudio20.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4bfd308d.qua'!


End of the scan: Thursday, March 04, 2010 14:11
Used time: 38:09 Minute(s)

The scan has been done completely.

3443 Scanned directories
101851 Files were scanned
12 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
1 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
101837 Files not concerned
994 Archives were scanned
4 Warnings
13 Notes
34338 Objects were scanned with rootkit scan
0 Hidden objects were found









Hijack Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:55 AM, on 3/5/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internet.wateen.net/home?confirmed=...&t=g6ckbqsa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - Startup: D2841D.lnk = C:\WINDOWS\system32\DA9115\D2841D.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3730 bytes


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 March 2010 - 11:22 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Malik.ghaddar

Malik.ghaddar
  • Topic Starter

  • Members
  • 30 posts

Posted 05 March 2010 - 04:39 PM

Bro, by mistake I ran a full scan instead of a quick scan, then read your reply completely :-l But when the full scan completed it showed 3 infected files, which it deleted successfully. After that I also ran a quick scan, and both logs are here now, with a new HijackThis log also. One more thing: when I was performing the full scan with Malwarebytes, Avira AV flagged some viruses, which I also deleted...

Full scan result


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/5/2010 1:21:39 PM
mbam-log-2010-03-05 (13-21-39).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 139331
Time elapsed: 33 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\FA95A1\RegEx.fnr (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Program Files\uSeesoft\MP3 Converter\RSMgr.dll (Backdoor.Generic) -> Quarantined and deleted successfully.
E:\Virtual Drive 7.01\Vcd Cutter 4.04\VCDCUT.EXE (Malware.Packer) -> Quarantined and deleted successfully.




Quick scan result


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/5/2010 1:28:29 PM
mbam-log-2010-03-05 (13-28-29).txt

Scan type: Quick Scan
Objects scanned: 107581
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Hijack Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:00 PM, on 3/5/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internet.wateen.net/home?confirmed=...&t=g6ckbqsa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - Startup: D2841D.lnk = C:\WINDOWS\system32\DA9115\D2841D.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3731 bytes


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 March 2010 - 01:54 AM

Hi,

I'm sorry to bug you once again, but your database version says: Database version: 3510
We are already 3828 now, so I guess you forgot to use the update feature. So please open Malwarebytes, click the updates tab, click to check for the updates and once the updates are downloaded, rescan again with malwarebytes (Quickscan as this one is more powerful).
Malwarebytes was updated last week already to deal with this variant you are dealing with, so that's why the update is important.
When done, post the scan log and a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
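
The check made in post #6, reading the "Database version" header before trusting a clean result, written out as an added example (not code from this thread or from Malwarebytes). It parses the MBAM 1.44 log layout seen in this topic; the function names, the counter-versus-listing consistency check and the abbreviated sample logs are assumptions of the example, and 3828 is the database version quoted in the post.

```python
import re
from dataclasses import dataclass, field

# "Files Infected: 6" (summary counter) vs "Files Infected:" (section header)
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
# "<path> (<family>) -> <action>"
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class MbamLog:
    db_version: int = 0
    scan_type: str = ""
    counts: dict = field(default_factory=dict)  # category -> summary counter
    items: list = field(default_factory=list)   # (category, path, family)


def parse_mbam_log(text):
    """Extract header fields, summary counters and listed detections."""
    log = MbamLog()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Database version:"):
            log.db_version = int(line.split(":", 1)[1])
        elif line.startswith("Scan type:"):
            log.scan_type = line.split(":", 1)[1].strip()
        elif m := SUMMARY_RE.match(line):
            log.counts[m["cat"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            section = m["cat"]
        elif section and (m := ITEM_RE.match(line)):
            log.items.append((section, m["path"], m["family"]))
    return log


def triage(log, current_db):
    """Return findings for a submitted log; ["clean"] only if nothing applies."""
    findings = []
    if log.db_version < current_db:
        # Outdated definitions: a zero count says nothing about newer variants.
        findings.append("stale-definitions")
    listed = {}
    for cat, _path, _family in log.items:
        listed[cat] = listed.get(cat, 0) + 1
    for cat, n in log.counts.items():
        if listed.get(cat, 0) != n:
            # Counter and listing disagree: the paste is truncated or edited.
            findings.append("count-mismatch:" + cat)
    if sum(log.counts.values()) > 0:
        findings.append("detections")
    return findings or ["clean"]


# Constructed, abbreviated samples in the layout of the logs posted above;
# versions, counters and detection lines are taken from those logs.
QUICK_3510 = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Scan type: Quick Scan
Folders Infected: 0
Files Infected: 0

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

QUICK_3828 = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3828
Scan type: Quick Scan
Folders Infected: 2
Files Infected: 6

Folders Infected:
C:\WINDOWS\system32\DA9115 (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4 (Worm.Autorun) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\HtmlView.fne (HackTool.Patcher) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\internet.fne (HackTool.Patcher) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\eAPI.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\dp1.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\shell.fne (Worm.Autorun) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for name, text in (("db 3510", QUICK_3510), ("db 3828", QUICK_3828)):
        print(name, triage(parse_mbam_log(text), current_db=3828))
```
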

#7 Malik.ghaddar

Malik.ghaddar
  • Topic Starter

  • Members
  • 30 posts

Posted 06 March 2010 - 06:08 AM

Hi... here's the new log after the update of Malwarebytes


Malwarebytes' Anti-Malware 1.44
Database version: 3828
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/6/2010 3:04:36 AM
mbam-log-2010-03-06 (03-04-36).txt

Scan type: Quick Scan
Objects scanned: 108987
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\DA9115 (Worm.AutoRun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4 (Worm.Autorun) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\HtmlView.fne (HackTool.Patcher) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\internet.fne (HackTool.Patcher) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\eAPI.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\dp1.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\shell.fne (Worm.Autorun) -> Quarantined and deleted successfully.







New hijack log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:53 AM, on 3/6/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internet.wateen.net/home?confirmed=...&t=g6ckbqsa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - Startup: D2841D.lnk = C:\WINDOWS\system32\DA9115\D2841D.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3595 bytes






#8 miekiemoes


Posted 06 March 2010 - 06:14 AM

Hi,

This is much better already...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - Startup: D2841D.lnk = C:\WINDOWS\system32\DA9115\D2841D.EXE


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

There are still some things I need to check though, so:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.




#9 Malik.ghaddar


Posted 06 March 2010 - 09:57 AM

ComboFix 10-03-05.03 - Administrator 03/06/2010 3:55.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.281 [GMT -8:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-05 20:43 . 2010-03-05 20:43 -------- d-----w- C:\FOUND.049
2010-03-05 18:57 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 18:57 . 2010-03-05 18:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 18:57 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 21:12 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-04 21:12 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-04 21:12 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-04 21:12 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-04 21:12 . 2010-03-04 21:12 -------- d-----w- c:\program files\Avira
2010-03-04 21:12 . 2010-03-04 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-03 20:01 . 2010-03-03 20:01 -------- d-----w- C:\FOUND.048
2010-03-02 19:02 . 2010-03-02 19:02 -------- d-----w- c:\program files\CCleaner
2010-03-02 18:55 . 2010-03-02 18:55 -------- d-----w- c:\program files\Trend Micro
2010-03-02 18:49 . 2010-03-02 18:49 -------- d--h--w- c:\windows\ie8
2010-03-02 18:40 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-02 15:41 . 2010-03-02 15:41 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-02 15:41 . 2010-03-02 15:41 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-02 11:19 . 2009-10-11 12:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 11:19 . 2010-03-02 11:19 -------- d-----w- c:\program files\Java
2010-03-02 11:19 . 2010-03-02 11:19 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-28 20:06 . 2010-02-28 20:06 -------- d-----w- C:\FOUND.047
2010-02-10 11:25 . 2010-02-10 11:25 -------- d-----w- c:\program files\Stardock
2010-02-10 11:25 . 2010-02-10 11:25 -------- d-----w- c:\program files\Common Files\Stardock
2010-02-10 11:07 . 2010-02-10 11:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2010-02-10 11:07 . 2010-02-10 11:07 -------- d-----w- c:\program files\VSO
2010-02-10 11:06 . 2010-02-10 11:06 -------- d-----w- C:\OutputFolder
2010-02-05 17:23 . 2010-02-05 17:23 -------- d--h--w- c:\windows\system32\FA95A1
2010-02-05 17:23 . 2010-02-05 17:23 -------- d--h--w- c:\windows\system32\9DFC64
2010-02-05 17:23 . 2010-02-05 17:23 -------- d--h--w- c:\windows\system32\67E1E8
2010-02-05 15:08 . 2010-02-05 15:08 -------- d-----w- C:\FOUND.046

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 11:29 . 2010-02-04 11:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-01-05 18:56 . 2010-01-05 18:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-01-04 11:05 . 2010-01-04 11:05 737280 ----a-w- c:\windows\iun6002.exe
2009-12-21 19:14 . 2006-03-28 18:23 916480 ----a-w- c:\windows\system32\wininet.dll
2005-07-14 20:31 . 2006-05-24 18:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2005-06-22 06:37 . 2006-05-24 18:37 45568 --sha-r- c:\windows\system32\cygz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-25 198160]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/4/2010 1:12 PM 108289]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [12/23/2009 12:46 AM 36608]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://internet.wateen.net/home?confirmed=true&submitButton=OK&t=g6ckbqsa
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ifo38cty.default\
FF - prefs.js: browser.startup.homepage - hxxp://internet.wateen.net/home?CPURL=http%3A%2F%2Fen-us.start3.mozilla.com%2Ffirefox%3Fclient%3Dfirefox-a%26rls%3Dorg.mozilla%3Aen-US%3Aofficial&t=g057rvkt
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-PCSuiteTrayApplication - c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 03:58
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-602162358-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,4e,ef,7e,c8,2b,9f,46,92,11,48,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,4e,ef,7e,c8,2b,9f,46,92,11,48,\

[HKEY_USERS\S-1-5-21-220523388-602162358-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
Completion time: 2010-03-06 03:59:29
ComboFix-quarantined-files.txt 2010-03-06 11:59

Pre-Run: 1,309,982,720 bytes free
Post-Run: 1,367,384,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9B0CBE3D3986D68437249F760A07D29B


#10 miekiemoes


Posted 06 March 2010 - 10:19 AM

Hi,

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

QUOTE
Folder::
c:\windows\system32\FA95A1
c:\windows\system32\9DFC64
c:\windows\system32\67E1E8


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


#11 Malik.ghaddar


Posted 06 March 2010 - 02:19 PM

Hi... here's the result now after doing as you said

ComboFix 10-03-05.03 - Administrator 03/06/2010 11:12:27.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.284 [GMT -8:00]
Running from: c:\documents and settings\Administrator\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\My Documents\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\67E1E8
c:\windows\system32\67E1E8\f0c737.txt
c:\windows\system32\9DFC64
c:\windows\system32\FA95A1
c:\windows\system32\FA95A1\dp1.fne
c:\windows\system32\FA95A1\eAPI.fne
c:\windows\system32\FA95A1\HtmlView.fne
c:\windows\system32\FA95A1\internet.fne
c:\windows\system32\FA95A1\krnln.fnr
c:\windows\system32\FA95A1\shell.fne

.
((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-06 14:48 . 2010-03-06 14:48 -------- d-----w- C:\FOUND.050
2010-03-05 20:43 . 2010-03-05 20:43 -------- d-----w- C:\FOUND.049
2010-03-05 18:57 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 18:57 . 2010-03-05 18:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 18:57 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 21:12 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-04 21:12 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-04 21:12 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-04 21:12 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-04 21:12 . 2010-03-04 21:12 -------- d-----w- c:\program files\Avira
2010-03-04 21:12 . 2010-03-04 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-03 20:01 . 2010-03-03 20:01 -------- d-----w- C:\FOUND.048
2010-03-02 19:02 . 2010-03-02 19:02 -------- d-----w- c:\program files\CCleaner
2010-03-02 18:55 . 2010-03-02 18:55 -------- d-----w- c:\program files\Trend Micro
2010-03-02 18:49 . 2010-03-02 18:49 -------- d--h--w- c:\windows\ie8
2010-03-02 18:40 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-02 15:41 . 2010-03-02 15:41 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-02 15:41 . 2010-03-02 15:41 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-02 11:19 . 2009-10-11 12:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-02 11:19 . 2010-03-02 11:19 -------- d-----w- c:\program files\Java
2010-03-02 11:19 . 2010-03-02 11:19 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-28 20:06 . 2010-02-28 20:06 -------- d-----w- C:\FOUND.047
2010-02-10 11:25 . 2010-02-10 11:25 -------- d-----w- c:\program files\Stardock
2010-02-10 11:25 . 2010-02-10 11:25 -------- d-----w- c:\program files\Common Files\Stardock
2010-02-10 11:07 . 2010-02-10 11:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vso
2010-02-10 11:07 . 2010-02-10 11:07 -------- d-----w- c:\program files\VSO
2010-02-10 11:06 . 2010-02-10 11:06 -------- d-----w- C:\OutputFolder
2010-02-05 15:08 . 2010-02-05 15:08 -------- d-----w- C:\FOUND.046

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 11:29 . 2010-02-04 11:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-01-04 11:05 . 2010-01-04 11:05 737280 ----a-w- c:\windows\iun6002.exe
2009-12-21 19:14 . 2006-03-28 18:23 916480 ------w- c:\windows\system32\wininet.dll
2005-07-14 20:31 . 2006-05-24 18:37 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2005-06-22 06:37 . 2006-05-24 18:37 45568 --sha-r- c:\windows\system32\cygz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-25 198160]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-10-25 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 09:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/4/2010 1:12 PM 108289]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [12/23/2009 12:46 AM 36608]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://internet.wateen.net/home?confirmed=true&submitButton=OK&t=g6ckbqsa
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ifo38cty.default\
FF - prefs.js: browser.startup.homepage - hxxp://internet.wateen.net/home?CPURL=http%3A%2F%2Fen-us.start3.mozilla.com%2Ffirefox%3Fclient%3Dfirefox-a%26rls%3Dorg.mozilla%3Aen-US%3Aofficial&t=g057rvkt
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 11:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-220523388-602162358-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,4e,ef,7e,c8,2b,9f,46,92,11,48,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,4e,ef,7e,c8,2b,9f,46,92,11,48,\

[HKEY_USERS\S-1-5-21-220523388-602162358-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
Completion time: 2010-03-06 11:16:56
ComboFix-quarantined-files.txt 2010-03-06 19:16
ComboFix2.txt 2010-03-06 11:59

Pre-Run: 1,317,339,136 bytes free
Post-Run: 1,313,734,656 bytes free

- - End Of File - - 37B04FEBAD190AB622D1944CCDF843FD
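The triage applied to the logs in this thread, as an added example that is not part of the original posts and not code from HijackThis or ComboFix: it flags HijackThis entries whose target is "(no file)", autostart entries that launch from a six-hex-digit folder under system32, and hidden folders of that shape in ComboFix's "Files Created" list. The six-hex-digit pattern is a heuristic assumed here from the folder names seen in these logs (DA9115, FA95A1, 9DFC64, 67E1E8); the sample lines are copied from the logs posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption of this example: a folder directly under system32 whose name is
# exactly six hex digits, the shape of the folders removed in this thread.
HEX_DIR = re.compile(r"\\system32\\[0-9a-f]{6}(?:\\|$)", re.IGNORECASE)
# HijackThis entry lines look like "O4 - <body>"; headers and process paths do not.
HJT_ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# ComboFix listing row: created . modified size-or-dashes attributes path
CF_ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"\S+ ([a-z-]{8}) (.+)$"
)

# Lines copied from the HijackThis log in this thread (benign and flagged mixed).
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: D2841D.lnk = C:\WINDOWS\system32\DA9115\D2841D.EXE
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Rows copied from the first ComboFix log's "Files Created" section.
CF_SAMPLE = r"""
2010-03-05 18:57 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 18:49 . 2010-03-02 18:49 -------- d--h--w- c:\windows\ie8
2010-03-02 11:19 . 2009-10-11 12:17 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-10 11:06 . 2010-02-10 11:06 -------- d-----w- C:\OutputFolder
2010-02-05 17:23 . 2010-02-05 17:23 -------- d--h--w- c:\windows\system32\FA95A1
2010-02-05 17:23 . 2010-02-05 17:23 -------- d--h--w- c:\windows\system32\9DFC64
2010-02-05 17:23 . 2010-02-05 17:23 -------- d--h--w- c:\windows\system32\67E1E8
2010-02-05 15:08 . 2010-02-05 15:08 -------- d-----w- C:\FOUND.046
"""


@dataclass(frozen=True)
class Finding:
    source: str   # which log the line came from
    reason: str   # why it deserves a closer look
    line: str     # the original log line, stripped


def triage_hijackthis(log: str) -> list[Finding]:
    """Flag orphaned entries and autostarts that run from a hex-named folder."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header, running-process path or blank line
        section, body = m.groups()
        if body.endswith("(no file)"):
            findings.append(Finding("hijackthis", f"{section}: target file is missing", line))
        elif section == "O4" and HEX_DIR.search(body):
            findings.append(Finding("hijackthis", "O4: autostart from hex-named system32 folder", line))
    return findings


def triage_combofix_created(log: str) -> list[Finding]:
    """Flag hidden directories under system32 that match the hex-name heuristic."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = CF_ROW.match(line)
        if not m:
            continue  # section banner, separator or blank line
        attrs, path = m.groups()
        is_dir, is_hidden = attrs[0] == "d", "h" in attrs
        if is_dir and is_hidden and HEX_DIR.search(path):
            findings.append(Finding("combofix", "hidden hex-named folder under system32", line))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(HJT_SAMPLE) + triage_combofix_created(CF_SAMPLE):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

A match is only a prompt to look closer: the hidden `c:\windows\ie8` folder and the `FOUND.0xx` folders are correctly left alone, but a legitimate six-hex-digit folder name would also match.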


#12 miekiemoes


Posted 07 March 2010 - 07:52 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


#13 Malik.ghaddar


Posted 07 March 2010 - 08:26 AM

Hi... I'm done with everything except
"Resets System Restore again". Sorry, how do I do this?

And one more thing: my desktop appears late, it takes much time. Any solution for that? Before, it was not like that. Thanks.

#14 miekiemoes


Posted 07 March 2010 - 08:52 AM

Hi,

QUOTE
"Resets System Restore again". Sorry, how do I do this?
Combofix already did that for you instead.

QUOTE
And one more thing: my desktop appears late, it takes much time. Any solution for that? Before, it was not like that. Thanks.
Sorry, I don't understand what you mean. Do you mean that startup goes a bit slower? If so, then it's because you now have an Antivirus installed, which indeed causes a little delay. This is normal. Rather have a little delay on startup and be protected against malware than no protection at all, because that's how you got infected in the first place.

Also, please update your Windows to Service Pack 3 asap!

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 Malik.ghaddar


Posted 07 March 2010 - 11:05 AM

Hi... there's a lot of useful stuff on your blog. I got what I mean, I'll do that... really, thanks for helping me... Take care



