Author Topic: Viruses infection and endless viruses alerts  (Read 11925 times)

0 Members and 1 Guest are viewing this topic.

shai234

  • Guest
Viruses infection and endless viruses alerts
« on: December 03, 2009, 09:07:31 AM »
Dear sir,

last week somebody came to me and I connect my external portable disk to his laptop, and when I connected the extenal disk back to my computer 3 avast viruses alert appered. I scan my computer with boot time scan of avast, with SAS and Malwarebytes, but yesterday the computer internet explorer did not work, and after a boot time scan avast removed the infected file and the comuter works again. Now I get endless viruses alerts: see below

Thank you,
Shai


27/11/2009 16:24:58   SYSTEM   1372   Sign of "VBS:Malware-gen" has been found in "J:\Autorun.inf" file. 
27/11/2009 16:39:28   SYSTEM   1372   Sign of "VBS:Malware-gen" has been found in "I:\Autorun.inf" file. 
27/11/2009 16:39:48   SYSTEM   1372   Sign of "VBS:Malware-gen" has been found in "I:\AutoRun.inf" file. 
27/11/2009 16:40:01   SYSTEM   1372   Sign of "VBS:Malware-gen" has been found in "I:\AutoRun.inf" file. 
27/11/2009 17:53:43   SYSTEM   1388   Sign of "VBS:Malware-gen" has been found in "J:\Autorun.inf" file. 
27/11/2009 19:39:58   Owner   384   Sign of "VBS:Malware-gen" has been found in "I:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP659\A0168262.inf" file. 
27/11/2009 19:55:39   Owner   384   Sign of "Win32:Kavos [Trj]" has been found in "I:\System Volume Information\_restore{74B03159-57AE-4F3D-A4EF-DC063EB0C797}\RP24\A0007753.bat" file. 
27/11/2009 19:55:46   Owner   384   Sign of "VBS:Malware-gen" has been found in "I:\System Volume Information\_restore{74B03159-57AE-4F3D-A4EF-DC063EB0C797}\RP24\A0007754.inf" file. 
28/11/2009 03:50:21   Owner   384   Sign of "Win32:Keenval-J [Trj]" has been found in "I:\תוכנות\תוכנות מהרשת\kazaa271_en.exe" file. 
28/11/2009 08:53:28   SYSTEM   1388   Sign of "Win32:Exchanger-M [Trj]" has been found in "C:\DOCUME~1\Owner\LOCALS~1\Temp\WER8f4a.dir00\SUPERAntiSpyware.exe.hdmp" file. 
28/11/2009 08:53:54   SYSTEM   1388   Sign of "Win32:Exchanger-M [Trj]" has been found in "C:\DOCUME~1\Owner\LOCALS~1\Temp\WERaf26.dir00\SUPERAntiSpyware.exe.hdmp" file. 
28/11/2009 10:12:34   SYSTEM   1388   Sign of "Win32:Kavos [Trj]" has been found in "I:\ABK.BAT" file. 
28/11/2009 10:15:18   SYSTEM   1388   Sign of "Win32:Keenval-J [Trj]" has been found in "I:\system volume information\_restore{700e328d-c716-401e-90df-9c9419cb2097}\rp660\A0168292.exe" file. 
28/11/2009 10:15:45   SYSTEM   1388   Sign of "Win32:Kavos [Trj]" has been found in "I:\system volume information\_restore{700e328d-c716-401e-90df-9c9419cb2097}\rp660\A0168303.BAT" file.   
01/12/2009 07:35:16   SYSTEM   1372   Sign of "Win32:Malware-gen" has been found in "http://crackstorage.net/get_uploaded_file.php\5thBirthTro.exe" file.  
01/12/2009 11:53:39   Owner   3876   Sign of "Win32:Trojan-gen" has been found in "I:\torrent downloads\Aid4MailPro1.987F.zip\Aid4MailPro1.987F\Aid4Mail.exe" file.  
02/12/2009 12:41:21   Owner   1376   Sign of "Win32:Trojan-gen" has been found in "C:\documents and settings\owner\local settings\temp\sshnas.dll" file.  
02/12/2009 16:04:22   Owner   1324   Sign of "Win32:Trojan-gen" has been found in "C:\system volume information\_restore{700e328d-c716-401e-90df-9c9419cb2097}\rp661\A0176506.dll" file.  
02/12/2009 16:35:06   Owner   1324   Sign of "Win32:Keenval-J [Trj]" has been found in "G:\system volume information\_restore{700e328d-c716-401e-90df-9c9419cb2097}\rp661\A0176507.exe" file.  
02/12/2009 23:43:07   SYSTEM   1344   Sign of "Win32:Trojan-gen" has been found in "C:\DOCUME~1\Owner\LOCALS~1\Temp\c.exe" file 

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Viruses infection and endless viruses alerts
« Reply #1 on: December 03, 2009, 09:09:25 AM »
These definitely look real.
If at first you don't succeed, then skydiving's not for you.

shai234

  • Guest
Re: Viruses infection and endless viruses alerts
« Reply #2 on: December 03, 2009, 09:10:19 AM »
.  
03/12/2009 03:22:19   SYSTEM   1344   Sign of "Win32:Trojan-gen" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\a.exe" file.  
03/12/2009 03:22:33   SYSTEM   1344   Sign of "Win32:Trojan-gen" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\b.exe" file.  
03/12/2009 03:22:47   SYSTEM   1344   Sign of "Win32:Trojan-gen" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\trz19.tmp" file.  
03/12/2009 03:22:52   SYSTEM   1344   Sign of "Win32:Trojan-gen" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\d.exe" file.  
03/12/2009 03:22:57   SYSTEM   1344   Sign of "Win32:Trojan-gen" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\e.exe" file.  
03/12/2009 03:23:02   SYSTEM   1344   Sign of "Win32:Trojan-gen" has been found in "C:\Documents and Settings\Owner\Local Settings\Temp\f.exe" file.  
03/12/2009 03:43:43   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\EatCam\Webcam Recorder for MSN\Recorder.exe" file.  
03/12/2009 04:21:11   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\EatCam\Webcam Recorder for MSN\winhook.dll" file.  
03/12/2009 04:21:30   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\FeedReader\feedreader.exe\[UPX]" file.  
03/12/2009 04:23:33   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\K-Lite Codec Pack\Filters\madFlac.ax" file.  
03/12/2009 04:23:55   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\K-Lite Codec Pack\Tools\mediainfo.exe" file.  
03/12/2009 04:25:42   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\Lavalys\EVEREST Home Edition\everest.bin\[UPX]" file.  
03/12/2009 04:26:00   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\Lavalys\EVEREST Home Edition\everest_cpl.cpl" file.  
03/12/2009 04:26:07   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\Lavalys\EVEREST Home Edition\everest_icons.dll\[UPX]" file.  
03/12/2009 04:26:13   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\Lavalys\EVEREST Home Edition\everest_xpicons.dll\[UPX]" file.  
03/12/2009 04:28:06   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP658\A0168128.exe" file.  
03/12/2009 04:28:37   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP661\A0168472.exe\[UPX]" file.  
03/12/2009 04:28:43   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP661\A0168475.dll\[ASProtect]" file.  
03/12/2009 04:29:53   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP662\A0176569.exe" file.  
03/12/2009 04:30:04   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP662\A0176570.dll" file.  
03/12/2009 04:30:13   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP662\A0176571.exe\[UPX]" file.  
03/12/2009 04:30:20   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP662\A0176572.ax" file.  
03/12/2009 04:30:29   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP662\A0176573.exe" file.  
03/12/2009 04:30:39   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP662\A0176574.cpl" file.  
03/12/2009 04:30:46   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP662\A0176575.dll\[UPX]" file.  
03/12/2009 04:30:53   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP662\A0176576.dll\[UPX]" file.  
03/12/2009 05:01:39   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "http://download.softpedia.ro/dl/bf22c4b2da1b09e379d1af688bc022e9/4b17297c/100016369/software/SYSTEM/INFO/everesthome220.zip\everest.bin\[UPX]" file.  
03/12/2009 05:05:33   Owner   3684   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\everesthome220(everest).exe\{app}\everest.bin\[UPX]" file.  
03/12/2009 05:05:56   Owner   3684   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\everesthome220(everest).exe\{app}\everest_cpl.cpl" file.  
 

shai234

  • Guest
Re: Viruses infection and endless viruses alerts
« Reply #3 on: December 03, 2009, 09:10:59 AM »
03/12/2009 05:06:03   Owner   3684   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\everesthome220(everest).exe\{app}\everest_icons.dll\[UPX]" file. 
03/12/2009 05:06:05   Owner   3684   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\everesthome220(everest).exe\{app}\everest_xpicons.dll\[UPX]" file. 
03/12/2009 05:09:24   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "http://files3.brothersoft.com/EVEREST-Home-Edition-2.20.exe\{app}\everest.bin\[UPX]" file. 
03/12/2009 05:20:20   SYSTEM   1344   Sign of "Win32:Zbot-MKK [Trj]" has been found in "D:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP634\A0160495.exe" file. 
03/12/2009 09:31:20   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\outlook express mail alret.exe\{app}\oema.exe" file. 
03/12/2009 09:32:26   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\TextMe_V26_Setup.exe" file. 
03/12/2009 09:32:41   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\Alcohol.ExE\[UPX]" file. 
03/12/2009 09:33:16   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\Aid4Mail Professional v1.987F by SND\Aid4Mail.exe" file. 
03/12/2009 09:33:35   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "D:\Owner's documents\תוכנות מהרשת\DVD Decrypter\DVDDecrypter.exe\[UPX]" file. 
03/12/2009 09:35:55   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP641\A0160847.exe\{app}\oema.exe" file. 
03/12/2009 09:36:23   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP641\A0160852.exe" file. 
03/12/2009 09:36:50   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP641\A0160888.exe\[UPX]" file. 
03/12/2009 09:39:50   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\AviSub.exe\[UPX]" file. 
03/12/2009 09:40:25   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\pcsetup\PcSetup.exe" file. 
03/12/2009 09:40:30   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\common\VsoVprev.ax" file. 
03/12/2009 09:40:37   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\DivxToDVD\DivxToDvd.exe" file. 
03/12/2009 09:40:41   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\DivxToDVD\VsoVprev.ax" file. 
03/12/2009 09:40:47   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\DivxToDVD\vso_hwe.dll" file. 
03/12/2009 09:40:51   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\DivxToDVD\lang\Lang_Editor.exe" file. 
03/12/2009 09:40:55   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\ConvertXtoDVD\ConvertXtoDvd.exe" file. 
03/12/2009 09:41:01   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\ConvertXtoDVD\vso_hwe.dll" file. 
03/12/2009 09:41:05   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VSO\ConvertXtoDVD\lang\Lang_Editor.exe" file. 
03/12/2009 09:41:10   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VirtualDubMod.1.5.4.1 All inclusive\AviSynthLexer.lexer\[UPX]" file. 
03/12/2009 09:41:17   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\VirtualDubMod.1.5.4.1 All inclusive\VirtualDubMod_1_5_10_2_b2542\AviSynthLexer.lexer\[UPX]" file. 
03/12/2009 09:41:29   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\DVD Region+CSS Free\DVD43.EXE\[ASProtect]" file. 
03/12/2009 09:41:34   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\DVD Decrypter\DVDDecrypter.exe\[UPX]" file. 
03/12/2009 09:41:38   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\AutoGK\AutoGK.exe\[UPX]" file. 
03/12/2009 09:41:44   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\AutoGK\TOOLS\vstrip_ifo.exe\[UPX]" file. 
03/12/2009 09:41:49   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\DVD software\AutoGK\VDubMod\AviSynthLexer.lexer\[UPX]" file. 
03/12/2009 09:43:47   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\תוכנות מהרשת\outlook express mail alret.exe\{app}\oema.exe" file. 
03/12/2009 09:44:52   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\תוכנות מהרשת\TextMe_V26_Setup.exe" file. 
03/12/2009 09:45:16   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\תוכנות מהרשת\SMSenderV24_Setup.exe" file. 
03/12/2009 09:45:50   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\תוכנות מהרשת\Alcohol.ExE\[UPX]" file. 
03/12/2009 09:46:07   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\תוכנות\תוכנות מהרשת\DVD Decrypter\DVDDecrypter.exe\[UPX]" file. 
03/12/2009 09:47:01   SYSTEM   1344   Sign of "Win32:Zbot-MKK [Trj]" has been found in "G:\GAMES\cevosetup.exe" file. 
03/12/2009 09:49:58   SYSTEM   1344   Sign of "Win32:Delf-MZG [Trj]" has been found in "G:\GAMES\civilization 4\sd4hide.exe\[UPX]" file. 
03/12/2009 09:52:20   SYSTEM   1344   Sign of "Win32:Zbot-MKK [Trj]" has been found in "G:\GAMES\RidgeRacer64\Plugin\Jabo_DInput.dll" file. 
03/12/2009 09:52:26   SYSTEM   1344   Sign of "Win32:Zbot-MKK [Trj]" has been found in "G:\GAMES\RidgeRacer64\Plugin\Jabo_Direct3D6.dll" file. 
03/12/2009 09:52:31   SYSTEM   1344   Sign of "Win32:Zbot-MKK [Trj]" has been found in "G:\GAMES\RidgeRacer64\Plugin\Jabo_Direct3D8.dll" file. 
03/12/2009 09:52:35   SYSTEM   1344   Sign of "Win32:Zbot-MKK [Trj]" has been found in "G:\GAMES\RidgeRacer64\Plugin\Jabo_Dsound.dll" file. 
03/12/2009 09:52:38   SYSTEM   1344   Sign of "Win32:Zbot-MKK [Trj]" has been found in "G:\GAMES\RidgeRacer64\Plugin\NRage_DInput8_V2.dll" file. 
03/12/2009 09:52:42   SYSTEM   1344   Sign of "Win32:Zbot-MKK [Trj]" has been found in "G:\GAMES\RidgeRacer64\Plugin\RSP.dll" file.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Viruses infection and endless viruses alerts
« Reply #4 on: December 03, 2009, 02:16:22 PM »
Only Win32:Delf-MZG [Trj]" and "Win32:Zbot-MKK [Trj]" were in the bad VPS 091203-0 and are fixed in 091203-1

Milos

shai234

  • Guest
Re: Viruses infection and endless viruses alerts
« Reply #5 on: December 03, 2009, 04:07:40 PM »
Thank you Milos, but I got many other viruses after I updated the avast: here are the scan results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/03/2009 at 12:28 PM

Application Version : 4.31.1000

Core Rules Database Version : 4330
Trace Rules Database Version: 2185

Scan type       : Complete Scan
Total Scan Time : 01:43:50

Memory items scanned      : 504
Memory threats detected   : 1
Registry items scanned    : 6473
Registry threats detected : 17
File items scanned        : 25344
File threats detected     : 10

Trojan.Dropper/Gen-C
   C:\DOCUME~1\OWNER\LOCALS~1\TEMP\C.EXE
   C:\DOCUME~1\OWNER\LOCALS~1\TEMP\C.EXE
   C:\WINDOWS\Prefetch\C.EXE-230FCEA5.pf

Adware.Tracking Cookie
   C:\Documents and Settings\Owner\Cookies\owner@ads.techguy[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt

Trojan.Agent/Gen
   HKU\S-1-5-21-776561741-920026266-839522115-1003\Software\Videohost
   HKU\S-1-5-21-776561741-920026266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run#Videohost [ C:\DOCUME~1\Owner\LOCALS~1\Temp\c.exe ]

Trojan.Dropper/Win-NV
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS#Type
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS#Start
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS#ErrorControl
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS#ImagePath
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS#DisplayName
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS#ObjectName
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters#ServiceDll
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Security
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Security#Security
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Enum
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Enum#0
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Enum#Count
   HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Enum#NextInstance

Trojan.Agent/Gen-HackPatch
   C:\PROGRAM FILES\DOWNLOAD DIRECT\DOWNLOAD.DIRECT.V1.04-PATCH.EXE
   D:\OWNER'S DOCUMENTS\תוכנות מהרשת\DOWNLOAD_DIRECT_1.04_PATCH_AT4RE\DOWNLOAD.DIRECT.V1.04-PATCH.EXE
   G:\OWNER'S DOCUMENTS\תוכנות מהרשת\DOWNLOAD_DIRECT_1.04_PATCH_AT4RE\DOWNLOAD.DIRECT.V1.04-PATCH.EXE
   I:\OWNER'S DOCUMENTS\תוכנות מהרשת\DOWNLOAD_DIRECT_1.04_PATCH_AT4RE\DOWNLOAD.DIRECT.V1.04-PATCH.EXE

Trojan.Agent/Gen-Nullo[Short]
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{700E328D-C716-401E-90DF-9C9419CB2097}\RP661\A0176526.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{700E328D-C716-401E-90DF-9C9419CB2097}\RP661\A0176527.EXE


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

03/12/2009 10:40:11
mbam-log-2009-12-03 (10-40-11).txt

Scan type: Full Scan (C:\|D:\|G:\|I:\|)
Objects scanned: 281231
Time elapsed: 7 hour(s), 19 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shai234

  • Guest
Re: Viruses infection and endless viruses alerts
« Reply #6 on: December 03, 2009, 04:09:29 PM »

12/03/2009 12:38
Scan of all local drives

File D:\Owner's documents\תוכנות מהרשת\smf(simple machines forum-build forum)_1-1-10_install.zip\Themes\default\images\icons\login_sm.gif Error 42125 {ZIP archive is corrupted.}
File D:\Owner's documents\תוכנות מהרשת\77.72_win2kxp_english_whql(nvidia geforce mx 440 driver).exe\\nv4_disp.dl_ Error 42127 {CAB archive is corrupted.}
File G:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP641\A0160858.exe\\nv4_disp.dl_ Error 42127 {CAB archive is corrupted.}
File G:\תוכנות\תוכנות מהרשת\smf(simple machines forum-build forum)_1-1-10_install.zip\Themes\default\images\icons\login_sm.gif Error 42125 {ZIP archive is corrupted.}
File G:\תוכנות\תוכנות מהרשת\77.72_win2kxp_english_whql(nvidia geforce mx 440 driver).exe\\nv4_disp.dl_ Error 42127 {CAB archive is corrupted.}
File G:\iomega zip\APPS_GAMES\~GAMES\COMANCHE\DISK3\OVERKILL.000\c3.dta Error 42135 {LHA archive is corrupted.}
File G:\iomega zip\APPS_GAMES\QP5\DISK2\HELP1.CA1\qpw.hlp Error 42135 {LHA archive is corrupted.}
File G:\iomega zip\APPS_GAMES\QP5\DISK2\QPW.CA1\qpw.exe Error 42135 {LHA archive is corrupted.}
File G:\iomega zip\APPS_GAMES\QP5\DISK1\ODAPI.CA1\odapi01.dll Error 42135 {LHA archive is corrupted.}
File G:\games\VolvoRacing.zip\GameData\Miles\mssvoice.asi Error 42125 {ZIP archive is corrupted.}
File G:\Owner's documents\תוכנות מהרשת\smf(simple machines forum-build forum)_1-1-10_install.zip\Themes\default\images\icons\login_sm.gif Error 42125 {ZIP archive is corrupted.}
File G:\Owner's documents\תוכנות מהרשת\77.72_win2kxp_english_whql(nvidia geforce mx 440 driver).exe\\nv4_disp.dl_ Error 42127 {CAB archive is corrupted.}
File I:\System Volume Information\_restore{700E328D-C716-401E-90DF-9C9419CB2097}\RP644\A0161237.exe\\nv4_disp.dl_ Error 42127 {CAB archive is corrupted.}
File I:\games\VolvoRacing.zip\GameData\Miles\mssvoice.asi Error 42125 {ZIP archive is corrupted.}
File I:\iomega zip\APPS_GAMES\QP5\DISK1\ODAPI.CA1\odapi01.dll Error 42135 {LHA archive is corrupted.}
File I:\iomega zip\APPS_GAMES\QP5\DISK2\HELP1.CA1\qpw.hlp Error 42135 {LHA archive is corrupted.}
File I:\iomega zip\APPS_GAMES\QP5\DISK2\QPW.CA1\qpw.exe Error 42135 {LHA archive is corrupted.}
File I:\iomega zip\APPS_GAMES\~GAMES\COMANCHE\DISK3\OVERKILL.000\c3.dta Error 42135 {LHA archive is corrupted.}
File I:\תוכנות\תוכנות מהרשת\smf(simple machines forum-build forum)_1-1-10_install.zip\Themes\default\images\icons\login_sm.gif Error 42125 {ZIP archive is corrupted.}
File I:\תוכנות\תוכנות מהרשת\77.72_win2kxp_english_whql(nvidia geforce mx 440 driver).exe\\nv4_disp.dl_ Error 42127 {CAB archive is corrupted.}
File I:\Owner's documents\תוכנות מהרשת\smf(simple machines forum-build forum)_1-1-10_install.zip\Themes\default\images\icons\login_sm.gif Error 42125 {ZIP archive is corrupted.}
File I:\Owner's documents\תוכנות מהרשת\77.72_win2kxp_english_whql(nvidia geforce mx 440 driver).exe\\nv4_disp.dl_ Error 42127 {CAB archive is corrupted.}
Number of searched folders: 10335
Number of tested files: 1337871
Number of infected files: 0

shai234

  • Guest
Re: Viruses infection and endless viruses alerts
« Reply #7 on: December 03, 2009, 04:11:48 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10:44, on 03/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Barak013\Barak013_L2TP\fts.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [%FP%Barak013 L2TP fts.exe] "C:\Program Files\Barak013\Barak013_L2TP\fts.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31D27BC6-C643-4768-B9FD-A599C2CCED05}: NameServer = 192.168.2.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8145 bytes