Jump to content

osama.pif


irakli_san
 Share

Recommended Posts

hi there

in every ~5 minutes computer is trying to writhe a autorun.inf file on all external drives(usb, floppy). and i have wierd file called osama.pif in my temp folder. i opened autorun.inf with notepad and its something like "shellexecute=SYSTEM~1\osama.pif". and i have "System Volume Information." on my usb drive that i think its not right.

i know that my computer is infected but in not that clever to solve the problem. can anyone help me? or add solution in next software update?

here is autorun.inf and HijackThis log. i will attach pif file. thanks

[AutoRun]

;D{PBk&@BY@C]<7b<0cE{m08sDjuZupD3UFLtCtN1o9xY&uhBvpYHVusWrq\I9vThCD}OG6>eSEorHKXpl+GhenHACthoI[k[6N\kj9INcaV[EXfuz|9elRNXU4

;mBtmXebYd<oVB2PqQm}OEuN8YSahe/aN23+fL2aaBVtXcB

shellexecute=SYSTEM~1\osama.pif

;>J#@jy6vDKYev44wG|4jDBrMnCT60H}/XxWvf9[CIoFfE.B}YW4%U]q2BpApSlx<X3L

;lIl4Npa+\62k8Z3zappIu4[A4Cpy6%@t9<26o{MWJmgQhIe+MFC5z{61fQoNl]d>x4SJs+]ki]EK1nZ5.<nB/o&UT+5sH3}*m[6AOA<JIFvOb2uBWIdEshlLK/

shell\about=Open

;4h|9b5F[]fS]GT6AJoT1OiwJDtF

;fjJzCfBW|tpzA{xS+B.>Awm2[F9EEXd#noW9]g8L*jicDAjp*kQsXD}mz>[yt

shell\about\command=SYSTEM~1\osama.pif

;SGBM}@GmheCj6a.n1WoYrQP1odf/.#pkVx89/Ozi0RJcB19wOB*eX#eGNDvBWBLxh}73ru2CG[cO1D4qmDBM

;L8xhY{T+Do0qXSM/3[iA@0X%Qua\x1u<sE]JMRbHA2@iyluxU&WDwrgPV\S.9g]GT<3Dq5*<rdDh5H]#F|A#{S#FnvL|>FOps6OsE

----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 1:28:51 AM, on 9/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\system32\WTablet\TabUserW.exe

C:\WINDOWS\system32\Tablet.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ASRInst_V] C:\WINDOWS\system32\regsvr32.exe "C:\Program Files\Common Files\Panasonic\PSL_DMOG726Dec.dll" /s

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{21B8D48D-BA17-4EF2-A851-D27099EFF803}: NameServer = 217.147.227.67,213.157.196.131

O17 - HKLM\System\CS1\Services\Tcpip\..\{21B8D48D-BA17-4EF2-A851-D27099EFF803}: NameServer = 217.147.227.67,213.157.196.131

O17 - HKLM\System\CS2\Services\Tcpip\..\{21B8D48D-BA17-4EF2-A851-D27099EFF803}: NameServer = 217.147.227.67,213.157.196.131

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Link to post
Share on other sites

Hi there irakli_san, and welcome to Malwarebytes.

Please find this file osama.pif and attach it in a zipped folder here in a new topic you start, link back to your thread in the HJT forum please.

Make sure your running as an administrator on the machine. Allow email from Malwarebytes.org and set your preferences in the User Control Panel to email notifications for replies to your topics. This ensures you make prompt replies back and we get you cleaned in the fastest way possible.

Please set your system to show

all files; Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

If you haven't already, please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy Be sure to use the immunize feature. But do not enable TeaTimer at this time.

Open SB S&D

Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.

Click on the Tools section and then Resident.

You will see two items.

1. Resident "SD helper" (Internet Explorer bad download blocker.) active

2. Resident "Tea Timer" (Protection of over-all system settings.) active.

Uncheck number 2..

Leave number 1 checked always.

You can enable Tea Timer again if you wish once all special fixes have been done.

Please run a quick scan of your main drive, usually C with MBAM making sure you check all items found for removal. Please post that log in your next reply.

Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum.

Post the logs from the Panda and MBAM scans please, along with a log from this program HiJack This!

You will post three logs. 1. MBAM scan. 2. Panda Active Scan. 3. HiJack This scan. Please run and post the scans in this order. You will finish the MBAM first so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said.

Be patient and persistent. These things can take time and many procedures.

Link to post
Share on other sites

oh and i found another one on my second computer. should i post it here? or start another topic.

autorun:

;i35KqiALakD1s4DkSo9272laD2sKpad5rw04KI1ksdmlcSad4k4338osssiCLoLLf6wSe0DDjqiAAa4

sj3r3dklfw7DrJlLwqaicsK3Lso40nw4qK74pa23lis3kAD

[AutoRun]

;4ddo0akaas33eDic20o3KkisqjJl34mawkfKif53Ho8aASSljj4o3eDaAdKalfUAkr412iKD6jdrDa5

J

open=idjx0e.exe

;los

shell\open\Command=idjx0e.exe

;s3

shell\open\Default=1

;wISKOilCdDKaA52wLko3d7340rLaUi7sL8ksL53iDZ2pD

shell\explore\Command=idjx0e.exe

;slar3JJaAs5

i can upload idjx0e.exe too

Link to post
Share on other sites

oh, and there is scheduled task named system.job

with path "C:\Docume~1\ADMINI~1\Locals~1\Temp\osama.pif"

Malwarebytes' Anti-Malware 1.28

Database version: 1214

Windows 5.2.3790 Service Pack 2

9/27/2008 9:43:17 PM

mbam-log-2008-09-27 (21-43-17).txt

Scan type: Full Scan (C:\|)

Objects scanned: 154445

Time elapsed: 43 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:05:50 PM, on 9/27/2008

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe

C:\WINDOWS\SysWOW64\ctfmon.exe

C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe

C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_64server.exe

C:\WINDOWS\SysWOW64\PnkBstrA.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=userinit

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files (x86)\FlashGet\jccatch.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files (x86)\FlashGet\getflash.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files (x86)\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files (x86)\FlashGet\jc_link.htm

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5BAB9EB3-A15E-48AA-8921-FE4C5B41E3CD}: NameServer = 217.147.227.67,217.147.227.68

O17 - HKLM\System\CCS\Services\Tcpip\..\{B1FE713F-7EC7-4C71-B62F-D440E09F48AF}: NameServer = 217.147.227.67,87.253.32.131

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 64-bit 64-bit (mi-raysat_3dsMax2009_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_64server.exe

O23 - Service: mental ray 3.5 Satellite (64-bit) (mi-raysat_3dsmax9_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_64server.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmdib.exe

O23 - Service: TabletServicePen - Unknown owner - C:\WINDOWS\system32\Pen_Tablet.exe (file missing)

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--

End of file - 8558 bytes

SpybotSD.Results.txt

mbam_log_2008_09_27__21_43_17_.txt

hijackthis.txt

hijackthis.txt

SpybotSD.Results.txt

mbam_log_2008_09_27__21_43_17_.txt

hijackthis.txt

hijackthis.txt

Edited by JeanInMontana
add logs in line
Link to post
Share on other sites

i just finished scanning first computer with panda so here it is

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-09-28 00:17:44

PROTECTIONS: 1

MALWARE: 11

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

ESET Smart Security 3.0 3.0 Yes Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00055560 Exploit/LoadImage HackTools No 0 Yes No C:\Program Files (x86)\Codemasters\GRID\audio\speech\en\08_accidents\team9Term_2.raw

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt

00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@www6.addfreestats[1].txt

00385653 W32/Lineage.JUX.worm Virus/Worm No 0 Yes No E:\virusebi\idjx0e.zip[autorun.inf]

01895148 Malicious Packer SecRisk No 0 No No E:\Install\3D soft\Modo302\KEYGEN\XF-Modo301-KG.exe[E:\Install\3D soft\Modo302\KEYGEN\XF-Modo301-KG.exe][is152047.exe]

02940722 Trj/Downloader.MDW Virus/Trojan No 1 No No E:\Install\2D Soft\photomatix_pro_v3.rar[Photomatix Pro v3.0\Photomatix.Pro.v3.0.Keygen.exe]

03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\virusebi\osama.pif.zip[stub.exe]

03709072 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Rar$DR00.453\idjx0e.exe

03709072 Generic Malware Virus/Trojan No 0 Yes No E:\virusebi\idjx0e.zip[idjx0e.exe]

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location 2t@x

s5

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description 2t@x

s5

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Link to post
Share on other sites

Look I don't know what your up to but your running an infected server with illegal software showing in your logs. Posting stuff from other machines also infected. Did they get that way from your server? Get that thing offline and get rid of your cracks and key gens. Those lines below show the keygens.

00385653 W32/Lineage.JUX.worm Virus/Worm No 0 Yes No E:\virusebi\idjx0e.zip[autorun.inf]

01895148 Malicious Packer SecRisk No 0 No No E:\Install\3D soft\Modo302\KEYGEN\XF-Modo301-KG.exe[E:\Install\3D soft\Modo302\KEYGEN\XF-Modo301-KG.exe][is152047.exe]

02940722 Trj/Downloader.MDW Virus/Trojan No 1 No No E:\Install\2D Soft\photomatix_pro_v3.rar[Photomatix Pro v3.0\Photomatix.Pro.v3.0.Keygen.exe]

03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\virusebi\osama.pif.zip[stub.exe]

All logs need to be posted in the reply not as attachments.

Link to post
Share on other sites

  • Root Admin

Hello irakli_san,

I will be taking over for Jean. She has some other commitments to take care of right now.

Please go through your data and remove all of the illegal software and we'll be glad to assist you with cleaning up the system.

It's okay to work on multiple systems, but not in the same post.

However if you're running a Repair Shop then you should be using a special license that grants you the right to use it on multiple systems as part of your business.

You can contact Marcin for further details, his username is RubberDucky

So, moving forward please remove the items requested.

STEP 1

Run MB and go to the UPDATE tab and update the program

STEP 2

Remove the network cable connection to the Internet

STEP 3

Do a Quick Scan with MB and make sure you allow it to remove anything it finds.

STEP 4

Reboot the computer

STEP 5

Run HJT and do a scan only

STEP 6

Post back the MB log and the HJT log directly {do not attach it as a file}

.

Link to post
Share on other sites

  • Root Admin

Since there has been no response in over 5 days I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you
Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
Pre- HJT Post Instructions

Also don't forget that we offer
FREE
assistance with General PC questions and repair here
PC Help

If you're pleased with the product
Malwarebytes
and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org

.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.