Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus that deletes the exe files of antivirus and ccleaner


  • This topic is locked This topic is locked
3 replies to this topic

#1 binaya

binaya

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:lalitpur
  • Local time:09:29 AM

Posted 22 August 2010 - 09:07 AM

mellow.gif I don't know what to do guys. when i installed avg it didn't opened, i mean it opened but suddenly closed, every time i tried to open it. After some time i again checked what will happen but it showed that no exe file exists. I THINK it's some kind of malware.
Binaya

my logs are here


DDS (Ver_10-03-17.01) - NTFSx86
Run by vinaya at 5:19:31.46 on Sun 08/22/2010
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575.317 [GMT -7:00]

AV: My Security Shield *On-access scanning enabled* (Updated) {09433DA5-A405-452C-B22F-98D08A3CCDBD}
FW: My Security Shield *enabled* {1888D069-C896-440F-A6E8-E6CE269E412D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Mx One Antivirus\mogtr.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\winwpvnn.exe
C:\Documents and Settings\vinaya\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Mx_One_Guardian_Tiempo_Real] c:\program files\mx one antivirus\mogtr.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vinaya\applic~1\mozilla\firefox\profiles\66rzmfho.default\
FF - prefs.js: browser.search.selectedEngine - search

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-21 365904]
R3 aic32p;aic32p;\??\c:\windows\system32\drivers\hfojin.sys --> c:\windows\system32\drivers\hfojin.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-21 20952]

=============== Created Last 30 ================

2010-08-21 22:15:02 0 d-sh--w- c:\docume~1\alluse~1\applic~1\MSAXALIS
2010-08-21 22:10:02 0 d-sh--w- c:\docume~1\alluse~1\applic~1\752f0da
2010-08-21 21:37:57 194048 ----a-w- c:\windows\Efiqia.exe
2010-08-21 21:16:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-08-21 21:16:02 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-08-21 21:15:45 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-08-21 21:15:45 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-08-21 21:15:45 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-08-21 21:15:45 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-08-21 21:15:45 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-08-21 17:10:14 0 d-----w- c:\docume~1\vinaya\applic~1\Malwarebytes
2010-08-21 17:10:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-21 17:10:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-21 17:10:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-21 17:10:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-21 04:11:00 28672 ------w- c:\windows\system32\SiSHook.dll
2010-08-21 04:11:00 184320 ------w- c:\windows\system32\SiSApCom.dll
2010-08-21 04:11:00 110592 ------w- c:\windows\system32\TVMode.dll
2010-08-21 04:10:41 331776 ----a-w- c:\windows\system32\sistray.exe
2010-08-21 04:10:35 103549 ----a-w- c:\windows\VGAsetup.ini
2010-08-21 04:10:29 49152 ----a-w- c:\windows\system32\SiSPower.dll
2010-08-21 04:10:11 0 d-----w- c:\program files\SiS VGA Utilities V3.64
2010-08-21 04:10:05 0 d-----w- c:\windows\system32\trayres
2010-08-21 04:10:01 100532 ----a-w- c:\windows\system32\VGAunistlog.ini
2010-08-20 14:41:49 0 d-----w- c:\docume~1\vinaya\applic~1\COWON
2010-08-20 14:30:44 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-08-20 14:10:44 0 d-----w- c:\program files\Mx One Antivirus
2010-08-20 14:03:48 0 d-----w- c:\windows\pss
2010-08-20 13:58:03 0 d-sh--w- c:\documents and settings\vinaya\PrivacIE
2010-08-20 13:52:36 26144 ------w- c:\windows\system32\spupdsvc.exe
2010-08-20 13:51:21 0 dc-h--w- c:\windows\ie8
2010-08-20 13:49:40 0 d-----w- C:\downloads
2010-08-20 13:49:40 0 d-----w- c:\docume~1\vinaya\applic~1\GrabPro
2010-08-20 13:49:36 0 d-----w- c:\program files\Orbitdownloader
2010-08-20 13:47:47 0 d-----w- c:\program files\common files\COWON
2010-08-20 13:47:45 0 d-----w- c:\program files\JetAudio
2010-08-20 13:46:58 0 d-----w- c:\program files\CCleaner
2010-08-20 13:43:01 0 d-----w- c:\windows\system32\LogFiles
2010-08-20 13:41:48 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2010-08-20 13:40:33 36484 ----a-w- c:\windows\system32\drivers\SMBios.sys
2010-08-20 13:40:28 0 d-----w- C:\TempEI4
2010-08-20 12:31:56 0 d-sh--w- c:\documents and settings\all users\DRM
2010-08-20 12:30:51 0 d--h--w- c:\program files\WindowsUpdate
2010-08-20 12:29:31 0 d-----w- c:\program files\common files\MSSoap
2010-08-20 12:27:13 0 d-----w- c:\program files\Online Services
2010-08-20 12:27:03 0 d-----w- c:\program files\HashTab Shell Extension
2010-08-20 12:27:01 0 d-----w- c:\program files\Unlocker
2010-08-20 12:27:01 0 d-----w- c:\program files\Microsoft PowerToys
2010-08-20 12:26:37 0 d-----w- c:\program files\MSN Messenger
2010-08-20 12:26:28 0 d-----w- c:\program files\Windows Media Connect 2
2010-08-20 12:26:25 0 d-----w- c:\program files\Messenger
2010-08-20 12:26:21 0 d-----w- c:\program files\MSN Gaming Zone
2010-08-20 12:25:32 0 d-----w- c:\program files\Windows NT
2010-08-20 05:00:56 0 d-----w- c:\program files\common files\ODBC
2010-08-20 05:00:50 0 d-----w- c:\program files\common files\SpeechEngines
2010-08-20 05:00:16 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-08-20 12:27:57 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 5:20:24.34 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-22 07:04:16
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\vinaya\LOCALS~1\Temp\pxddqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF8545510]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xF2FE1F00, 0x24000, 0x48000000]
? C:\WINDOWS\system32\drivers\hfojin.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  grme.txt   882bytes   3 downloads

Edited by binaya, 22 August 2010 - 09:11 AM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:29 AM

Posted 28 August 2010 - 04:34 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
  1. Do not run any other tool untill instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from RKUnHooker
      3.let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:29 AM

Posted 01 September 2010 - 01:23 AM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:29 AM

Posted 04 September 2010 - 12:41 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users