irakli_san Posted September 24, 2008 ID:28957

Hi there. Every ~5 minutes the computer is trying to write an autorun.inf file on all external drives (USB, floppy), and I have a weird file called osama.pif in my Temp folder. I opened autorun.inf with Notepad and it's something like "shellexecute=SYSTEM~1\osama.pif". And I have "System Volume Information." on my USB drive, which I think is not right. I know that my computer is infected, but I'm not that clever to solve the problem. Can anyone help me? Or add a solution in the next software update? Here are autorun.inf and the HijackThis log. I will attach the .pif file. Thanks.

autorun.inf:

[AutoRun]
;D{PBk&@BY@C]<7b<0cE{m08sDjuZupD3UFLtCtN1o9xY&uhBvpYHVusWrq\I9vThCD}OG6>eSEorHKXpl+GhenHACthoI[k[6N\kj9INcaV[EXfuz|9elRNXU4
;mBtmXebYd<oVB2PqQm}OEuN8YSahe/aN23+fL2aaBVtXcB
shellexecute=SYSTEM~1\osama.pif
;>J#@jy6vDKYev44wG|4jDBrMnCT60H}/XxWvf9[CIoFfE.B}YW4%U]q2BpApSlx<X3L
;lIl4Npa+\62k8Z3zappIu4[A4Cpy6%@t9<26o{MWJmgQhIe+MFC5z{61fQoNl]d>x4SJs+]ki]EK1nZ5.<nB/o&UT+5sH3}*m[6AOA<JIFvOb2uBWIdEshlLK/
shell\about=Open
;4h|9b5F[]fS]GT6AJoT1OiwJDtF
;fjJzCfBW|tpzA{xS+B.>Awm2[F9EEXd#noW9]g8L*jicDAjp*kQsXD}mz>[yt
shell\about\command=SYSTEM~1\osama.pif
;SGBM}@GmheCj6a.n1WoYrQP1odf/.#pkVx89/Ozi0RJcB19wOB*eX#eGNDvBWBLxh}73ru2CG[cO1D4qmDBM
;L8xhY{T+Do0qXSM/3[iA@0X%Qua\x1u<sE]JMRbHA2@iyluxU&WDwrgPV\S.9g]GT<3Dq5*<rdDh5H]#F|A#{S#FnvL|>FOps6OsE

----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:28:51 AM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ASRInst_V] C:\WINDOWS\system32\regsvr32.exe "C:\Program Files\Common Files\Panasonic\PSL_DMOG726Dec.dll" /s
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{21B8D48D-BA17-4EF2-A851-D27099EFF803}: NameServer = 217.147.227.67,213.157.196.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{21B8D48D-BA17-4EF2-A851-D27099EFF803}: NameServer = 217.147.227.67,213.157.196.131
O17 - HKLM\System\CS2\Services\Tcpip\..\{21B8D48D-BA17-4EF2-A851-D27099EFF803}: NameServer = 217.147.227.67,213.157.196.131
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
JeanInMontana Posted September 25, 2008 ID:29036

Hi there irakli_san, and welcome to Malwarebytes. Please find this file osama.pif and attach it in a zipped folder here in a new topic you start; link back to your thread in the HJT forum please.

Make sure you're running as an administrator on the machine. Allow email from Malwarebytes.org and set your preferences in the User Control Panel to email notifications for replies to your topics. This ensures you make prompt replies back and we get you cleaned in the fastest way possible.

Please set your system to show all files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

If you haven't already, please get these programs, update them and run a complete scan, removing all items found.

Spybot Search & Destroy. Be sure to use the Immunize feature, but do not enable TeaTimer at this time:
Open SB S&D and make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode.
Click on the Tools section and then Resident.
You will see two items:
1. Resident "SD helper" (Internet Explorer bad download blocker) active
2. Resident "Tea Timer" (Protection of over-all system settings) active
Uncheck number 2. Leave number 1 checked always.
You can enable Tea Timer again if you wish once all special fixes have been done.

Please run a quick scan of your main drive, usually C, with MBAM, making sure you check all items found for removal. Please post that log in your next reply.

Then go here and run a scan: Panda ActiveScan. There is a full tutorial on how to do this at the top of this forum.

Post the logs from the Panda and MBAM scans please, along with a log from this program: HiJackThis. You will post three logs:
1. MBAM scan.
2. Panda ActiveScan.
3. HiJackThis scan.
Please run and post the scans in this order. You will finish the MBAM first, so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said. Be patient and persistent. These things can take time and many procedures.
irakli_san (Author) Posted September 27, 2008 ID:29212

Here it is. I will send the log files later.

Attachment: osama.pif
irakli_san (Author) Posted September 27, 2008 ID:29227

Can you tell me the way to explore the fake RECYCLER or System Volume Information folder? I could upload files from there too.
irakli_san (Author) Posted September 27, 2008 ID:29228

Oh, and I found another one on my second computer. Should I post it here, or start another topic?

autorun.inf:

;i35KqiALakD1s4DkSo9272laD2sKpad5rw04KI1ksdmlcSad4k4338osssiCLoLLf6wSe0DDjqiAAa4sj3r3dklfw7DrJlLwqaicsK3Lso40nw4qK74pa23lis3kAD
[AutoRun]
;4ddo0akaas33eDic20o3KkisqjJl34mawkfKif53Ho8aASSljj4o3eDaAdKalfUAkr412iKD6jdrDa5J
open=idjx0e.exe
;los
shell\open\Command=idjx0e.exe
;s3
shell\open\Default=1
;wISKOilCdDKaA52wLko3d7340rLaUi7sL8ksL53iDZ2pD
shell\explore\Command=idjx0e.exe
;slar3JJaAs5

I can upload idjx0e.exe too.
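The two autorun.inf files quoted in this thread share one pattern: a handful of real directives (open=, shellexecute=, shell\<verb>\command=) buried between lines of random text that start with ';'. The ';' lines are comments to Windows, so they change nothing about what runs; they only change the file's bytes and hash, which is what defeats a plain file signature. The script below is an added example written for this page (it is not part of the thread, nor a Malwarebytes tool): it parses an autorun.inf the way Windows does, ignoring the comment padding, and lists every directive that would launch a program when the drive is inserted or its icon is opened. The two samples are the files posted above with the padding lines shortened; the "suspicious target" rules (an executable extension, a .pif shortcut, a path through an 8.3 name or a RECYCLER / System Volume Information folder) are the editor's heuristics, not anything the thread states.

```python
import re
from pathlib import Path

# The two autorun.inf files quoted in this thread, constructed inline so the
# script runs offline. The ';' comment lines are the worm's random padding
# (abbreviated here); they change the file's hash without changing behaviour.
SAMPLE_OSAMA = r"""[AutoRun]
;D{PBk&@BY@C]<7b<0cE{m08sDjuZupD3UFLtCtN1o9xY&uhBvpYHVusWrq\I9vThCD}OG6
shellexecute=SYSTEM~1\osama.pif
;>J#@jy6vDKYev44wG|4jDBrMnCT60H}/XxWvf9[CIoFfE.B}YW4%U]q2BpApSlx<X3L
shell\about=Open
;4h|9b5F[]fS]GT6AJoT1OiwJDtF
shell\about\command=SYSTEM~1\osama.pif
;SGBM}@GmheCj6a.n1WoYrQP1odf/.#pkVx89/Ozi0RJcB19wOB*eX#eGNDvBWBLxh}73
"""

SAMPLE_IDJX = r""";i35KqiALakD1s4DkSo9272laD2sKpad5rw04KI1ksdmlcSad4k4338osssiCLoLLf6w
[AutoRun]
;4ddo0akaas33eDic20o3KkisqjJl34mawkfKif53Ho8aASSljj4o3eDaAdKalfUAkr412
open=idjx0e.exe
;los
shell\open\Command=idjx0e.exe
;s3
shell\open\Default=1
;wISKOilCdDKaA52wLko3d7340rLaUi7sL8ksL53iDZ2pD
shell\explore\Command=idjx0e.exe
;slar3JJaAs5
"""

# Directives that make Windows run a program on insert, on double-click of the
# drive icon, or from a verb the file adds to the drive's context menu.
EXEC_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$")
EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(text):
    r"""Return the [AutoRun] directives as {key: value}, skipping ';' comments,
    blank lines and other sections. Keys are lower-cased so shell\Open\Command
    and shell\open\command collapse to one entry, as Windows treats them."""
    directives = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def triage(directives):
    """Return [(key, program, reason)] for every directive that executes code.
    The reasons are this example's heuristics for an untrustworthy target."""
    findings = []
    for key, value in directives.items():
        if key not in EXEC_KEYS and not VERB_COMMAND_RE.match(key):
            continue
        program = value.split()[0] if value else ""  # drop any arguments
        ext = Path(program.replace("\\", "/")).suffix.lower()
        reasons = []
        if ext in EXEC_EXT:
            reasons.append("launches a %s file" % ext)
        if ext == ".pif":
            reasons.append(".pif is a DOS program shortcut, not a document")
        low = program.lower()
        if "~1" in low or "recycler" in low or "system volume" in low:
            reasons.append("target lives in an 8.3 or system-looking folder")
        findings.append((key, program, "; ".join(reasons) or "runs on insert"))
    return findings


def scan_roots(roots):
    """Triage autorun.inf at each given drive root, e.g. ['E:\\', 'F:\\'].
    Roots without an autorun.inf are simply absent from the report."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            report[str(inf)] = triage(parse_autorun(inf.read_text(errors="replace")))
    return report


if __name__ == "__main__":
    for name, sample in (("osama", SAMPLE_OSAMA), ("idjx0e", SAMPLE_IDJX)):
        for key, program, reason in triage(parse_autorun(sample)):
            print("%-7s %-22s -> %-20s %s" % (name, key, program, reason))
```

Run as-is it reports two executing directives for the first sample (shellexecute and shell\about\command, both pointing at SYSTEM~1\osama.pif) and three for the second (open, shell\open\command, shell\explore\command, all idjx0e.exe); shell\open\Default=1 is listed by neither because it only picks which verb is bold in the menu. To use it on real media, call scan_roots with the drive letters of the USB sticks in question; on a Windows box with hidden and system files shown, as Jean's instructions above describe, the autorun.inf and the SYSTEM~1 folder are both visible to the script even though Explorer hid them by default.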
JeanInMontana Posted September 27, 2008 ID:29236

I need you to follow the initial instructions you were given. Update MBAM, run a quick scan, post that log. Get the proper version of HJT, run a scan, post that log.
irakli_san (Author) Posted September 27, 2008 ID:29240

Oh, and there is a scheduled task named system.job with path "C:\Docume~1\ADMINI~1\Locals~1\Temp\osama.pif".

Malwarebytes' Anti-Malware 1.28
Database version: 1214
Windows 5.2.3790 Service Pack 2

9/27/2008 9:43:17 PM
mbam-log-2008-09-27 (21-43-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 154445
Time elapsed: 43 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:50 PM, on 9/27/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_64server.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files (x86)\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files (x86)\FlashGet\getflash.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files (x86)\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files (x86)\FlashGet\jc_link.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BAB9EB3-A15E-48AA-8921-FE4C5B41E3CD}: NameServer = 217.147.227.67,217.147.227.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1FE713F-7EC7-4C71-B62F-D440E09F48AF}: NameServer = 217.147.227.67,87.253.32.131
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 64-bit 64-bit (mi-raysat_3dsMax2009_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_64server.exe
O23 - Service: mental ray 3.5 Satellite (64-bit) (mi-raysat_3dsmax9_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_64server.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmdib.exe
O23 - Service: TabletServicePen - Unknown owner - C:\WINDOWS\system32\Pen_Tablet.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8558 bytes

Attachments: SpybotSD.Results.txt, mbam_log_2008_09_27__21_43_17_.txt, hijackthis.txt, hijackthis.txt

Edited September 27, 2008 by JeanInMontana: add logs in line
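A HijackThis log is a flat list of "Oxx - body" lines, so the first pass of triage is mechanical and worth scripting. One caveat in the log just above matters for reading it correctly: the machine is 64-bit Windows 2003 (the process list shows Program Files (x86) and SysWOW64 paths), while HijackThis 2.0.2 is a 32-bit program, and Windows redirects a 32-bit process's view of C:\WINDOWS\system32 to SysWOW64. Built-in 64-bit-only binaries such as lsass.exe and services.exe therefore show as "(file missing)" even though they are present and running; PnkBstrA.exe, which does have a 32-bit copy in SysWOW64, is reported as found. The XP log in the first post, taken with a 32-bit HJT on 32-bit Windows, has no such lines. The script below is an added example written for this page (not part of the thread, not a Malwarebytes or Trend Micro tool): it parses a log into entries and flags three things: O4 autostarts that run from a Temp folder or a script/shortcut type, O17 NameServer addresses outside an allowlist, and O23 "(file missing)" services, distinguishing the WoW64 case from a genuinely orphaned service. The sample is a representative subset of the lines posted above; the allowlist is an illustrative assumption (the thread makes no finding about those DNS servers), the 64-bit detection is a heuristic based on the process paths, and the one O4 line marked CONSTRUCTED is invented to exercise the Temp rule and appears in no log in this thread.

```python
import re

# Representative lines from the HijackThis 2.0.2 log posted above, constructed
# inline from the thread so the script runs offline.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Running processes:
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe" -autorun
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BAB9EB3-A15E-48AA-8921-FE4C5B41E3CD}: NameServer = 217.147.227.67,217.147.227.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1FE713F-7EC7-4C71-B62F-D440E09F48AF}: NameServer = 217.147.227.67,87.253.32.131
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# CONSTRUCTED line, present in no log in this thread: what a Run-key entry
# would look like if the Temp-resident osama.pif were registered there.
CONSTRUCTED_O4 = r"O4 - HKCU\..\Run: [system] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\osama.pif"

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
SUSPECT_EXT = (".pif", ".scr", ".com", ".bat", ".vbs")


def parse_hjt(text):
    """Return (platform, running processes, [(section, body), ...])."""
    platform, processes, entries = "", [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.startswith("Platform:"):
            platform = line.partition(":")[2].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return platform, processes, entries


def is_wow64_view(processes):
    """Heuristic: a 32-bit HJT on 64-bit Windows lists SysWOW64 and
    Program Files (x86) paths; a 32-bit Windows install never does."""
    return any("syswow64" in p.lower() or "program files (x86)" in p.lower()
               for p in processes)


def triage_hjt(text, dns_allowlist):
    """Return [(section, reason, body)] for entries that deserve a second look."""
    _, processes, entries = parse_hjt(text)
    wow64 = is_wow64_view(processes)
    findings = []
    for section, body in entries:
        low = body.lower()
        if section == "O4":
            if "\\temp\\" in low or low.endswith(SUSPECT_EXT):
                findings.append((section, "autostart from Temp or script/shortcut type", body))
        elif section == "O17":
            m = NAMESERVER_RE.search(body)
            bad = [ip for ip in m.group(1).split(",") if ip not in dns_allowlist] if m else []
            if bad:
                findings.append((section, "DNS server outside allowlist: " + ",".join(bad), body))
        elif section == "O23" and "(file missing)" in low:
            if wow64 and "\\system32\\" in low:
                reason = "64-bit binary hidden from 32-bit HJT by WoW64 redirection; confirm with a 64-bit tool"
            else:
                reason = "service binary missing: orphaned or deleted, investigate"
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    allow = {"217.147.227.67", "217.147.227.68"}  # illustrative allowlist
    for section, reason, body in triage_hjt(SAMPLE_HJT + CONSTRUCTED_O4 + "\n", allow):
        print(section, "|", reason, "|", body)
```

With the illustrative allowlist the sample yields one O17 finding (87.253.32.131) and one O23 finding explained by WoW64 redirection; the two genuine O4 lines are clean, and only the constructed Temp\osama.pif line trips the O4 rule. Replace the allowlist with the resolvers the ISP or the network actually hands out before reading anything into an O17 hit.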
irakli_san (Author) Posted September 27, 2008 ID:29244

Here is the log from another computer infected with the same virus.

Attachments: mbam_log_2008_09_27__17_15_59_.txt, ActiveScan.txt, hijackthis.txt
irakli_san (Author) Posted September 27, 2008 ID:29250

I just finished scanning the first computer with Panda, so here it is:

;***************************************************************************
ANALYSIS: 2008-09-28 00:17:44
PROTECTIONS: 1
MALWARE: 11
SUSPECTS: 0
;***************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================
ESET Smart Security 3.0 3.0 Yes Yes
;===========================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================
00055560 Exploit/LoadImage HackTools No 0 Yes No C:\Program Files (x86)\Codemasters\GRID\audio\speech\en\08_accidents\team9Term_2.raw
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@www6.addfreestats[1].txt
00385653 W32/Lineage.JUX.worm Virus/Worm No 0 Yes No E:\virusebi\idjx0e.zip[autorun.inf]
01895148 Malicious Packer SecRisk No 0 No No E:\Install\3D soft\Modo302\KEYGEN\XF-Modo301-KG.exe[E:\Install\3D soft\Modo302\KEYGEN\XF-Modo301-KG.exe][is152047.exe]
02940722 Trj/Downloader.MDW Virus/Trojan No 1 No No E:\Install\2D Soft\photomatix_pro_v3.rar[Photomatix Pro v3.0\Photomatix.Pro.v3.0.Keygen.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\virusebi\osama.pif.zip[stub.exe]
03709072 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\Rar$DR00.453\idjx0e.exe
03709072 Generic Malware Virus/Trojan No 0 Yes No E:\virusebi\idjx0e.zip[idjx0e.exe]
;===========================================================================
SUSPECTS
Sent Location
;===========================================================================
;===========================================================================
VULNERABILITIES
Id Severity Description
;===========================================================================
;===========================================================================
JeanInMontana Posted September 30, 2008 ID:29337

Look, I don't know what you're up to, but you're running an infected server with illegal software showing in your logs, and posting stuff from other machines that are also infected. Did they get that way from your server? Get that thing offline and get rid of your cracks and keygens. These lines show the keygens:

00385653 W32/Lineage.JUX.worm Virus/Worm No 0 Yes No E:\virusebi\idjx0e.zip[autorun.inf]
01895148 Malicious Packer SecRisk No 0 No No E:\Install\3D soft\Modo302\KEYGEN\XF-Modo301-KG.exe[E:\Install\3D soft\Modo302\KEYGEN\XF-Modo301-KG.exe][is152047.exe]
02940722 Trj/Downloader.MDW Virus/Trojan No 1 No No E:\Install\2D Soft\photomatix_pro_v3.rar[Photomatix Pro v3.0\Photomatix.Pro.v3.0.Keygen.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No E:\virusebi\osama.pif.zip[stub.exe]

All logs need to be posted in the reply, not as attachments.
AdvancedSetup (Root Admin) Posted September 30, 2008 ID:29360

Hello irakli_san,

I will be taking over for Jean. She has some other commitments to take care of right now.

Please go through your data and remove all of the illegal software and we'll be glad to assist you with cleaning up the system.

It's okay to work on multiple systems, but not in the same post. However, if you're running a repair shop then you should be using a special license that grants you the right to use it on multiple systems as part of your business. You can contact Marcin for further details; his username is RubberDucky.

So, moving forward, please remove the items requested.

STEP 1: Run MB and go to the UPDATE tab and update the program.
STEP 2: Remove the network cable connection to the Internet.
STEP 3: Do a Quick Scan with MB and make sure you allow it to remove anything it finds.
STEP 4: Reboot the computer.
STEP 5: Run HJT and do a scan only.
STEP 6: Post back the MB log and the HJT log directly (do not attach them as files).
AdvancedSetup (Root Admin) Posted October 1, 2008 ID:29417

Hi,

Please post a status update and the logs so that we can continue and finish up.

Thanks
AdvancedSetup (Root Admin) Posted October 3, 2008 ID:29602

Since there has been no response in over 5 days, I will close the thread to prevent others from posting into it. If you need assistance, please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions.

Also don't forget that we offer FREE assistance with general PC questions and repair here: PC Help.

If you're pleased with the product Malwarebytes and the service provided to you, please let your friends, family, and co-workers know. http://www.malwarebytes.org