Avast WEBforum

Other => Viruses and worms => Topic started by: joeni on May 02, 2009, 03:22:27 PM

Title: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 02, 2009, 03:22:27 PM
I need help; I just don't know how to eliminate this virus.
Below, in the spoiler, is my avast log file.
Quote
01/05/2009 17:53:55   SYSTEM   1568   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C5YRCH6N\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
01/05/2009 17:55:55   SYSTEM   1568   Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.  
01/05/2009 18:19:53   SYSTEM   236   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.  
01/05/2009 19:22:57   SYSTEM   236   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41Y3WTIF\Newer[2].Exe\[BeRoEXE]\[RLPack]" file.  
01/05/2009 20:25:27   SYSTEM   236   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
01/05/2009 21:28:04   SYSTEM   236   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41Y3WTIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
01/05/2009 22:01:18   SYSTEM   1852   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
01/05/2009 22:02:14   SYSTEM   1852   Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.  
01/05/2009 23:02:53   SYSTEM   1852   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W1A38XYF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 0:04:42   SYSTEM   1852   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 0:34:42   SYSTEM   1996   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W1A38XYF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 0:47:40   SYSTEM   1836   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 1:48:38   SYSTEM   1836   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 1:54:44   SYSTEM   1836   Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 2:43:28   SYSTEM   1568   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41Y3WTIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 2:52:11   SYSTEM   1628   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 2:53:06   SYSTEM   1628   Sign of "Win32:Siveras [Expl]" has been found in "C:\WINDOWS\system32\Desktop\csrss.exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 3:17:00   SYSTEM   1600   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 3:21:26   SYSTEM   1600   Sign of "Win32:Agent-AERY [trj]" has been found in "C:\WINDOWS\system32\bJPRqUsV\A001.exe\[UPX]" file.  
02/05/2009 18:19:18   SYSTEM   1584   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 18:28:02   SYSTEM   1584   Sign of "Win32:Agent-AERY [trj]" has been found in "C:\WINDOWS\system32\KqdpUoTk\A001.exe\[UPX]" file.  
02/05/2009 19:20:41   SYSTEM   1620   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CH274LIF\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 21:05:23   SYSTEM   1564   Sign of "Win32:Siveras [Expl]" has been found in "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F2QTG3BU\Newer[1].Exe\[BeRoEXE]\[RLPack]" file.  
02/05/2009 21:10:08   SYSTEM   1564   Sign of "Win32:Agent-AERY [trj]" has been found in "C:\WINDOWS\system32\fvOoJMUy\A001.exe\[UPX]" file.  
02/05/2009 21:11:49   SYSTEM   1564   Sign of "Win32:Agent-UWD [trj]" has been found in "C:\WINDOWS\system32\fywd.dll" file.  
02/05/2009 21:11:50   SYSTEM   1564   Sign of "Win32:Agent-UWD [trj]" has been found in "C:\WINDOWS\system32\fywd.dll" file.  
This virus comes at random: after I delete one, another comes with a different name, but it is the same virus. I tried to use the ZoneAlarm firewall, and when this virus becomes active it calls c:\windows\ftp.exe.
I also tried to use the BitDefender DC cleaner:
http://download.bitdefender.com/resources/files/Download/en/dcleaner.zip
But it just isn't working.

I just can't find the mother of this virus.

I'm sorry for my terrible English, and I hope I can find some CLEAR instructions here on how to eliminate this virus, since I'm not very expert in English.

Thank you very much for your help and attention in advance.
Title: the hijackthis log
Post by: joeni on May 02, 2009, 03:25:16 PM
Hijackthis log file
Quote
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Desktop\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
D:\Master\squid\sbin\squid.exe
c:\squid\libexec\unlinkd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\ShowNetworkActivity.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\WINDOWS\system32\fvOoJMUy\J001.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Master\avast antivirus\HiJackThis.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs:   C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MS Mediar Control eCenter (MediaeCenterrr) - Unknown owner - C:\WINDOWS\system32\goxp.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)
O23 - Service: Squid - SQUID Web Proxy Cache - http://www.squid-cache.org/ - D:\Master\squid\sbin\squid.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

If anyone wants to download the virus sample, here it is
Quote
http://www.4shared.com/file/102831412/b752c213/Newer1.html
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: YoKenny on May 02, 2009, 04:05:07 PM
Welcome joeni

Please post a complete HijackThis log the next time as the header information is missing.

Looks like you have Ask tracking malware on your system, so go to Add/Remove Programs and un-install it.

Download Malwarebytes' Anti-Malware, then install it, then get the updated definitions by using its Update function, then run a Quick scan and let it remove whatever it finds; a reboot may be necessary to remove any locked files:
http://www.malwarebytes.org/mbam.php

This entry in the log is malware:
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: micky77 on May 02, 2009, 04:27:07 PM
Also the entry C:\WINDOWS\system32\fvOoJMUy\J001.exe

YoKenny, what do you make of the entry C:\WINDOWS\system32\Desktop\smss.exe?

This entry should not be running from Program Files: O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe

Where are you running HJT from? D:\Master\avast antivirus\HiJackThis.exe
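An added example (not from YoKenny, micky77, or the HijackThis project): a Python triage pass over a constructed subset of the O4, O20 and O23 lines from the log above, applying the checks the two replies make by eye. The rules (unknown owner, file missing, a Windows component name outside C:\WINDOWS, a service named after a Windows component whose binary lives elsewhere, an eight-letter random folder directly under system32, any AppInit_DLLs entry) and the directory whitelist are the example's own assumptions; a flag means "look closer", not "malware".

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the format of the HijackThis log posted in this thread
# (a subset of its O4, O20 and O23 lines).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs:   C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)
O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe
"""

# Assumptions of the example: core Windows binary names and where they legitimately live on XP.
WINDOWS_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
WINDOWS_STEMS = {b.split(".")[0] for b in WINDOWS_BINARIES}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# First path ending in .exe/.com/.dll that is followed by a space, "(" or end of line, so that
# "sver.com.cn.exe" is not cut at ".com" and a trailing "(file missing)" is left out.
EXE_RE = re.compile(r"(.+?\.(?:exe|com|dll))(?=\s|\(|$)", re.I)


def first_executable(command):
    """Extract the executable path from a service or Run command line (arguments dropped)."""
    m = EXE_RE.search(command)
    return PureWindowsPath(m.group(1)) if m else None


def parse_entry(line):
    """Split one HijackThis line into kind, name, owner and command; None for kinds not triaged here."""
    line = line.strip()
    if line.startswith("O23 - Service: "):
        parts = line.rsplit(" - ", 2)  # "O23 - Service: Name (short) - Owner - Command"
        if len(parts) != 3:
            return None
        head, owner, command = parts
        return {"kind": "O23", "name": head[len("O23 - Service: "):], "owner": owner, "command": command}
    if line.startswith("O4 - "):
        m = re.match(r"O4 - (?P<key>.+?): \[(?P<label>[^\]]*)\] (?P<command>.+)$", line)
        if m:
            return {"kind": "O4", "name": m.group("label"), "owner": None, "command": m.group("command")}
    if line.startswith("O20 - AppInit_DLLs:"):
        return {"kind": "O20", "name": "AppInit_DLLs", "owner": None, "command": line.split(":", 1)[1].strip()}
    return None


def triage(entry):
    """Return the reasons an entry deserves a closer look (an empty list means nothing stood out)."""
    reasons = []
    command = entry["command"]
    if command.lower().endswith("(file missing)"):
        reasons.append("points at a file that is no longer on disk")
    if entry["owner"] == "Unknown owner":
        reasons.append("no vendor recorded for the service binary")
    if entry["kind"] == "O20":
        reasons.append("AppInit_DLLs is loaded into every process that uses user32.dll; confirm it belongs to an installed product")
    exe = first_executable(command)
    if exe is None:
        return reasons
    parent = str(exe.parent).lower()
    if exe.name.lower() in WINDOWS_BINARIES and parent not in WINDOWS_DIRS:
        reasons.append(f"{exe.name} is a Windows component name but lives outside the Windows directories")
    if re.fullmatch(r"[A-Za-z]{8}", exe.parent.name) and str(exe.parent.parent).lower() == r"c:\windows\system32":
        reasons.append("binary sits in a randomly named folder directly under system32")
    name_tokens = set(re.findall(r"[a-z]+", entry["name"].lower()))
    if entry["kind"] == "O23" and name_tokens & WINDOWS_STEMS and not parent.startswith(r"c:\windows"):
        reasons.append("service is named like a Windows component but its binary is elsewhere")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons; clean entries are omitted."""
    findings = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for flagged, reasons in triage_log(SAMPLE_HJT).items():
        print(flagged)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the avast service and the avast Run entry come out clean, while the four services the replies single out are each flagged for at least one concrete reason, and the AppInit_DLLs line is surfaced for verification rather than judged.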

Title: Re: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 02, 2009, 04:40:09 PM
Quote from: YoKenny on May 02, 2009, 04:05:07 PM
Welcome joeni

Please post a complete HijackThis log the next time as the header information is missing.

Looks like you have Ask tracking malware on your system, so go to Add/Remove Programs and un-install it.

Download Malwarebytes' Anti-Malware, then install it, then get the updated definitions by using its Update function, then run a Quick scan and let it remove whatever it finds; a reboot may be necessary to remove any locked files:
http://www.malwarebytes.org/mbam.php

This entry in the log is malware:
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe


This is the complete Hijackthis log
Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:04, on 02/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP3 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Desktop\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
D:\Master\squid\sbin\squid.exe
c:\squid\libexec\unlinkd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\ShowNetworkActivity.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Master\avast antivirus\HiJackThis.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs:   C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MS Mediar Control eCenter (MediaeCenterrr) - Unknown owner - C:\WINDOWS\system32\goxp.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)
O23 - Service: Squid - SQUID Web Proxy Cache - http://www.squid-cache.org/ - D:\Master\squid\sbin\squid.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe

--
End of file - 6307 bytes
I've tried to fix this one (O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe) in HijackThis, but it just keeps coming back, and avast seems unable to do anything about it and does not detect it as a virus. Maybe my avast is damaged?
 
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 02, 2009, 04:44:59 PM
Quote from: micky77 on May 02, 2009, 04:27:07 PM
Also the entry C:\WINDOWS\system32\fvOoJMUy\J001.exe

YoKenny, what do you make of the entry C:\WINDOWS\system32\Desktop\smss.exe?

This entry should not be running from Program Files: O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe

Where are you running HJT from? D:\Master\avast antivirus\HiJackThis.exe


Yes, I run HijackThis from drive D, since this tool is a stand-alone exe.

I didn't make all of those entries. I've been clicking Fix in the HijackThis tool, and it seems to have no effect on the virus; it only changes its name. I always update my avast regularly, every day and maybe every 2 hours when I'm online.
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: micky77 on May 02, 2009, 04:50:12 PM
Send these files to virustotal:
smss.exe   C:\WINDOWS\system32\Desktop\smss.exe
goxp.exe   C:\WINDOWS\system32\goxp.exe
Slsvc.exe  C:\Program Files\R_Server\Slsvc.exe
cn.exe     C:\Program Files\PROGRAM\sver.com.cn.exe

http://www.virustotal.com/
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 02, 2009, 05:20:20 PM
Quote from: micky77 on May 02, 2009, 04:50:12 PM
Send this file to virustotal: smss.exe  C:\WINDOWS\system32\Desktop\smss.exe

http://www.virustotal.com/

File smss.exe received on 05.02.2009 17:09:41 (CET)
Current status: finished
Result: 7/38 (18.42%)

a-squared    4.0.0.101    2009.05.02    -
AhnLab-V3    5.0.0.2    2009.05.01    -
AntiVir    7.9.0.160    2009.05.02    TR/Dropper.Gen
Antiy-AVL    2.0.3.1    2009.04.30    -
Authentium    5.1.2.4    2009.05.01    -
Avast    4.8.1335.0    2009.05.01    -
AVG    8.5.0.327    2009.05.01    -
BitDefender    7.2    2009.05.02    -
CAT-QuickHeal    10.00    2009.05.02    (Suspicious) - DNAScan
ClamAV    0.94.1    2009.05.02    -
Comodo    1147    2009.05.02    -
DrWeb    4.44.0.09170    2009.05.02    -
eSafe    7.0.17.0    2009.04.30    Suspicious File
eTrust-Vet    31.6.6487    2009.05.02    -
F-Prot    4.4.4.56    2009.05.01    -
Fortinet    3.117.0.0    2009.05.02    -
GData    19    2009.05.02    -
Ikarus    T3.1.1.49.0    2009.05.02    -
K7AntiVirus    7.10.722    2009.05.02    -
Kaspersky    7.0.0.125    2009.05.02    -
McAfee    5602    2009.05.01    -
McAfee+Artemis    5602    2009.05.01    -
McAfee-GW-Edition    6.7.6    2009.05.02    Trojan.Dropper.Gen
Microsoft    1.4602    2009.05.02    -
NOD32    4049    2009.05.01    probably unknown NewHeur_PE
Norman    6.01.05    2009.04.30    -
nProtect    2009.1.8.0    2009.05.02    -
Panda    10.0.0.14    2009.05.02    Suspicious file
Prevx1    3.0    2009.05.02    -
Rising    21.27.41.00    2009.05.01    -
Sophos    4.41.0    2009.05.02    -
Sunbelt    3.2.1858.2    2009.05.02    -
Symantec    1.4.4.12    2009.05.02    -
TheHacker    6.3.4.1.317    2009.05.02    -
TrendMicro    8.950.0.1092    2009.05.01    PAK_Generic.001
VBA32    3.12.10.4    2009.05.02    -
ViRobot    2009.5.1.1717    2009.05.01    -
VirusBuster    4.6.5.0    2009.05.01    -
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 02, 2009, 05:23:14 PM
File sver.com.cn.exe received on 05.02.2009 17:16:27 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 21/40 (52.5%)


a-squared   4.0.0.101   2009.05.02   Backdoor.Win32.Hupigon!IK
AhnLab-V3   5.0.0.2   2009.05.01   Win-Trojan/Hupigon.317122
AntiVir   7.9.0.160   2009.05.02   BDS/Hupigon.bhi
Antiy-AVL   2.0.3.1   2009.04.30   -
Authentium   5.1.2.4   2009.05.01   W32/Hupigon.J.gen!Eldorado
Avast   4.8.1335.0   2009.05.01   -
AVG   8.5.0.327   2009.05.01   -
BitDefender   7.2   2009.05.02   GenPack:Backdoor.Hupigon.AYUZ
CAT-QuickHeal   10.00   2009.05.02   Backdoor.Hupigon.gen
ClamAV   0.94.1   2009.05.02   Trojan.Packed-18
Comodo   1147   2009.05.02   -
DrWeb   4.44.0.09170   2009.05.02   BackDoor.Pigeon.194
eSafe   7.0.17.0   2009.04.30   Suspicious File
eTrust-Vet   31.6.6487   2009.05.02   -
F-Prot   4.4.4.56   2009.05.01   W32/Hupigon.J.gen!Eldorado
F-Secure   8.0.14470.0   2009.05.02   -
Fortinet   3.117.0.0   2009.05.02   -
GData   19   2009.05.02   GenPack:Backdoor.Hupigon.AYUZ
Ikarus   T3.1.1.49.0   2009.05.02   Backdoor.Win32.Hupigon
K7AntiVirus   7.10.722   2009.05.02   -
Kaspersky   7.0.0.125   2009.05.02   -
McAfee   5603   2009.05.02   BackDoor-AWQ!hv.c
McAfee+Artemis   5602   2009.05.01   BackDoor-AWQ!hv.c
McAfee-GW-Edition   6.7.6   2009.05.02   Trojan.Backdoor.Hupigon.bhi
Microsoft   1.4602   2009.05.02   Backdoor:Win32/Hupigon.gen!B
NOD32   4049   2009.05.01   -
Norman   6.01.05   2009.04.30   -
nProtect   2009.1.8.0   2009.05.02   Backdoor/W32.Hupigon.322312.C
Panda   10.0.0.14   2009.05.02   Suspicious file
PCTools   4.4.2.0   2009.05.02   Packed/NSPack
Prevx1   3.0   2009.05.02   -
Rising   21.27.41.00   2009.05.01   -
Sophos   4.41.0   2009.05.02   -
Sunbelt   3.2.1858.2   2009.05.02   -
Symantec   1.4.4.12   2009.05.02   -
TheHacker   6.3.4.1.317   2009.05.02   -
TrendMicro   8.950.0.1092   2009.05.01   Possible_HPGN-2
VBA32   3.12.10.4   2009.05.02   suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot   2009.5.1.1717   2009.05.01   -
VirusBuster   4.6.5.0   2009.05.01   -

wow... I am a virus farmer  :o
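Added example, not from the thread or from VirusTotal: a Python routine over a constructed subset of the table above that reads the per-engine rows and, beyond the bare detection count, extracts the family name the engines agree on and separates out engines that only fired a heuristic. Vendors name the same family differently (Hupigon here appears under several label schemes), so the count alone says less than the names do. The generic-word list used to discard category words such as Backdoor and Packed, and the column layout (fields separated by two or more spaces), are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the VirusTotal table posted above for sver.com.cn.exe,
# in the same "engine   version   signature date   result" layout.
SAMPLE_VT = """
a-squared   4.0.0.101   2009.05.02   Backdoor.Win32.Hupigon!IK
AhnLab-V3   5.0.0.2   2009.05.01   Win-Trojan/Hupigon.317122
AntiVir   7.9.0.160   2009.05.02   BDS/Hupigon.bhi
Antiy-AVL   2.0.3.1   2009.04.30   -
Avast   4.8.1335.0   2009.05.01   -
BitDefender   7.2   2009.05.02   GenPack:Backdoor.Hupigon.AYUZ
ClamAV   0.94.1   2009.05.02   Trojan.Packed-18
DrWeb   4.44.0.09170   2009.05.02   BackDoor.Pigeon.194
eSafe   7.0.17.0   2009.04.30   Suspicious File
Kaspersky   7.0.0.125   2009.05.02   -
Microsoft   1.4602   2009.05.02   Backdoor:Win32/Hupigon.gen!B
PCTools   4.4.2.0   2009.05.02   Packed/NSPack
VBA32   3.12.10.4   2009.05.02   suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
"""

# Assumption: words that describe a category or a heuristic, not a malware family.
GENERIC = {"backdoor", "trojan", "worm", "virus", "suspicious", "file", "packed", "packer",
           "generic", "heur", "heuristic", "heuristics", "malware", "genpack", "suspected",
           "paranoid", "possible", "probably", "unknown", "dropper", "crypt", "agent"}
ROW_RE = re.compile(r"^(?P<engine>\S.*?)\s{2,}(?P<version>\S+)\s{2,}(?P<date>\d{4}\.\d{2}\.\d{2})\s{2,}(?P<result>.+)$")


def parse_results(text):
    """Rows of (engine, version, signature date, result); a result of '-' means no detection."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append((m.group("engine"), m.group("version"), m.group("date"), m.group("result").strip()))
    return rows


def family_tokens(result):
    """Candidate family names in one engine's label: alphabetic words of 4+ letters that are
    neither generic category words nor all-caps variant suffixes such as AYUZ."""
    return {t.lower() for t in re.findall(r"[A-Za-z]{4,}", result)
            if t.lower() not in GENERIC and not t.isupper()}


def consensus(text):
    """Detection ratio, family vote count, the winning family, and engines that fired only a heuristic."""
    rows = parse_results(text)
    detected = [(engine, result) for engine, _, _, result in rows if result != "-"]
    families = Counter()
    heuristic_only = []
    for engine, result in detected:
        toks = family_tokens(result)
        if toks:
            families.update(toks)
        else:
            heuristic_only.append(engine)
    top = families.most_common(1)[0][0] if families else None
    return {
        "ratio": (len(detected), len(rows)),
        "families": dict(families),
        "consensus": top,
        "heuristic_only": sorted(heuristic_only),
    }


if __name__ == "__main__":
    r = consensus(SAMPLE_VT)
    print(f"{r['ratio'][0]}/{r['ratio'][1]} engines; consensus family: {r['consensus']}")
    print("votes:", r["families"])
    print("heuristic-only engines:", r["heuristic_only"])
```

One vote per engine per token keeps a single verbose label from dominating; engines whose label carries only category words still count toward the ratio but not toward the family.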
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: micky77 on May 02, 2009, 05:32:02 PM
Send these:
Slsvc.exe   C:\Program Files\R_Server\Slsvc.exe
goxp.exe    C:\WINDOWS\system32\goxp.exe
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 02, 2009, 05:50:51 PM
Quote from: micky77 on May 02, 2009, 05:32:02 PM
Send these:
Slsvc.exe   C:\Program Files\R_Server\Slsvc.exe
goxp.exe    C:\WINDOWS\system32\goxp.exe


Slsvc
http://www.virustotal.com/analisis/b533d29d9d0b62f447a320b550823278

The goxp file has already deleted itself and is no longer available after I restart my computer.

Title: Re: Screwed by Win32:Siveras [Expl]
Post by: micky77 on May 02, 2009, 06:12:57 PM
Fix
C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
Unknown
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)

O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe

Reboot

Then read the instructions very carefully and run Combofix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 02, 2009, 06:56:07 PM
Quote from: micky77 on May 02, 2009, 06:12:57 PM
Fix
C:\WINDOWS\system32\Desktop\smss.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe
Unknown
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)

O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe

Reboot

Then read the instructions very carefully and run Combofix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


It just can't be deleted; it keeps coming back and spreading more of itself.  ???
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: micky77 on May 02, 2009, 07:12:27 PM
OK, I have no more answers. Did you try Combofix? My only other suggestion is trying the Avira rescue disc:

http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
tutorial: http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

If you have no success with those two programs, hopefully someone else may help you  :)
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: polonus on May 02, 2009, 07:47:40 PM
Hi joeni,

Removal instructions:

The malcode will then create the following registry entry so that its dropped copy will be executed upon system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft DNSx = "%System%\mdnex.exe"

1. Terminate the following malcode process:

   mdnex.exe

   Note: Since the malcode also attempts to terminate the Task Manager, the Task Manager program (%System%\taskmgr.exe) can be copied to a different file name and then executed. Also, several process management tools are available from the Internet; an example is Process Explorer from Sysinternals: http://www.sysinternals.com/Utilities/ProcessExplorer.html

2. Delete the following malcode file:

   %System%\mdnex.exe

   (Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32; on Windows 2000 it is usually C:\WINNT\System32.)

If found, also delete the following file: %systemdir%\winsvcx.exe
Delete the following registry value: stoner

polonus
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 02, 2009, 09:06:08 PM
Quote from: polonus on May 02, 2009, 07:47:40 PM
Hi joeni,

Removal instructions:

The malcode will then create the following registry entry so that its dropped copy will be executed upon system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft DNSx = "%System%\mdnex.exe"

1. Terminate the following malcode process:

   mdnex.exe

   Note: Since the malcode also attempts to terminate the Task Manager, the Task Manager program (%System%\taskmgr.exe) can be copied to a different file name and then executed. Also, several process management tools are available from the Internet; an example is Process Explorer from Sysinternals: http://www.sysinternals.com/Utilities/ProcessExplorer.html


There is no file called mdnex.exe on drive C:, nor anywhere in Windows. I've searched all over the place, including hidden files.

Quote

2. Delete the following malcode file:

   %System%\mdnex.exe

   (Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32; on Windows 2000 it is usually C:\WINNT\System32.)

If found, also delete the following file: %systemdir%\winsvcx.exe
Delete the following registry value: stoner

polonus

There is no winsvcx.exe, same as above.
Searching the registry 10 times, there is no entry "stoner".

By the way, thank you very much for the help, and to everyone in this forum... maybe I should wait until the cure for this virus is found.
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: polonus on May 02, 2009, 09:15:47 PM
Hi joeni,

You might have another variety of the malcode then. Is your Task Manager working properly, and does it come up when you press Ctrl + Alt + Del? Can you run this tool and give the contents of the result txt file as an attached txt file:
http://www.niksoft.at/download/startdreck.htm

polonus
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: DavidK on May 03, 2009, 11:21:01 AM
I have seen a very similar program: goxp.exe... It claims to be part of the product "Rising AntiVirus 2009", although I've never heard of or used that product. I ran it on a virtual PC and logged what it did, and I'm pretty certain it's a virus, although avast doesn't detect it. It moves itself to c:\windows\system32\goxp.exe and starts itself from a self-created service. It then reads registry keys and sends packets to some server in China. To top it off, this sucker eats 100% CPU after a while.

If someone wants to investigate it, then I can upload it somewhere.

Quote from: VirusScan.Jotti.Org
Result: 8/20 (40%)

A-Squared  Found Packed.Win32.Krap!IK 
AntiVir  Found TR/Crypt.XPACK.Gen 
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found Win32/Heur 
BitDefender  Found Packer.Malware.Pohernah.H 
ClamAV  Found nothing
CPsecure  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found Packed.Win32.Krap.c 
Ikarus  Found Packed.Win32.Krap 
Kaspersky Anti-Virus  Found Packed.Win32.Krap.c 
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Quick Heal  Found nothing
Sophos Antivirus  Found Mal/EncPk-GT 
VirusBuster  Found nothing
VBA32  Found nothing

Quote from: virustotal.com
File goxp.zip received on 05.03.2009 11:39:19 (CET)
Result: 20/40 (50%)

a-squared   4.0.0.101   2009.05.03   Packed.Win32.Krap!IK
AhnLab-V3   5.0.0.2   2009.05.01   -
AntiVir   7.9.0.160   2009.05.02   TR/Crypt.XPACK.Gen
Antiy-AVL   2.0.3.1   2009.04.30   -
Authentium   5.1.2.4   2009.05.02   -
Avast   4.8.1335.0   2009.05.02   -
AVG   8.5.0.327   2009.05.02   Win32/Heur
BitDefender   7.2   2009.05.03   Packer.Malware.Pohernah.H
CAT-QuickHeal   10.00   2009.05.02   Trojan.Krap.c
ClamAV   0.94.1   2009.05.03   -
Comodo   1147   2009.05.02   -
DrWeb   4.44.0.09170   2009.05.03   -
eSafe   7.0.17.0   2009.04.30   Win32.TRCrypt.XPACK
eTrust-Vet   31.6.6487   2009.05.02   -
F-Prot   4.4.4.56   2009.05.02   -
F-Secure   8.0.14470.0   2009.05.02   Packed.Win32.Krap.c
Fortinet   3.117.0.0   2009.05.02   W32/Krap.C
GData   19   2009.05.03   Packer.Malware.Pohernah.H
Ikarus   T3.1.1.49.0   2009.05.03   Packed.Win32.Krap
K7AntiVirus   7.10.722   2009.05.02   Packed.Win32.Krap.c
Kaspersky   7.0.0.125   2009.05.03   Packed.Win32.Krap.c
McAfee   5603   2009.05.02   Generic.dx!be
McAfee+Artemis   5603   2009.05.02   Generic.dx!be
McAfee-GW-Edition   6.7.6   2009.05.02   Trojan.Crypt.XPACK.Gen
Microsoft   1.4602   2009.05.03   Trojan:Win32/SystemHijack.gen!C
NOD32   4049   2009.05.01   -
Norman   6.01.05   2009.04.30   -
nProtect   2009.1.8.0   2009.05.03   -
Panda   10.0.0.14   2009.05.02   Trj/CI.A
PCTools   4.4.2.0   2009.05.02   -
Prevx1   3.0   2009.05.03   -
Rising   21.27.41.00   2009.05.01   Packer.Win32.UnkPacker.c [Suspicious]
Sophos   4.41.0   2009.05.03   Mal/EncPk-GT
Sunbelt   3.2.1858.2   2009.05.02   Packed.Win32.Krap.c
Symantec   1.4.4.12   2009.05.03   -
TheHacker   6.3.4.1.317   2009.05.02   -
TrendMicro   8.950.0.1092   2009.05.01   -
VBA32   3.12.10.4   2009.05.03   -
ViRobot   2009.5.1.1717   2009.05.01   -
VirusBuster   4.6.5.0   2009.05.02   -

Quote from: virscan.org
Scanner results :       42% Scanner(16/38) found malware!

a-squared     4.0.0.32     20090503080126    2009-05-03     Packed.Win32.Krap!IK   5.301
AhnLab V3    2009.05.01.01    2009.05.01    2009-05-01     - 1.676
AntiVir    7.9.0.160    7.1.3.141    2009-05-02    TR/Crypt.XPACK.Gen   2.216
Antiy    2.0.18    20090503.2333071    2009-05-03     - 0.120
Arcavir    2009    200905021130    2009-05-02     - 3.005
Authentium    5.1.1    200905021543    2009-05-02     - 1.222
AVAST!    3.0.1    090502-0    2009-05-02     - 0.931
AVG    7.5.52.442    270.12.11/2089    2009-04-30     - 2.114
BitDefender    7.81008.2901615    7.25166    2009-05-03    Packer.Malware.Pohernah.H 2.694
CA (VET)    9.0.0.143    31.6.6486    2009-05-02     - 19.516
ClamAV    0.95    9319    2009-05-03     - 0.013
Comodo    3.8    1147    2009-05-02     - 1.882
CP Secure    1.1.0.715    2009.05.03    2009-05-03     - 8.890
Dr.Web    4.44.0.9170    2009.05.03    2009-05-03     - 4.707
F-Prot    4.4.4.56    20090502    2009-05-02     - 1.264
F-Secure    5.51.6100    2009.05.02.01    2009-05-02     Packed.Win32.Krap.c [AVP] 0.062
Fortinet    2.81-3.117    10.345    2009-05-02    W32/Krap.C 0.915
GData    19.4991/19.317    20090503    2009-05-03     Packed.Win32.Krap.c [Engine:A] 14.893
Ikarus    T3.1.01.49    2009.05.03.72663    2009-05-03     Packed.Win32.Krap 2.809
JiangMin    11.0.706    2009.05.03    2009-05-03    Packed.Krap.lvu 2.781
Kaspersky    5.5.10    2009.05.03    2009-05-03    Packed.Win32.Krap.c   0.047
KingSoft    2009.2.5.15    2009.5.2.21    2009-05-02     - 0.521
McAfee    5.3.00    5603    2009-05-02    Generic.dx!be   3.246
Microsoft    1.4602    2009.05.03    2009-05-03    Trojan:Win32/SystemHijack.gen!C   17.485
mks_vir    2.01    2009.05.02    2009-05-02     - 2.773
Norman    6.00.06    6.00.00    2009-04-28     - 10.011
nProtect    20090501.01    3562396    2009-05-01    Packer.Malware.Pohernah.H   28.398
Panda    9.05.01    2009.05.02    2009-05-02     - 22.673
Quick Heal    10.00    2009.05.02    2009-05-02    Trojan.Krap.c   2.721
Rising    20.0    21.27.41.00    2009-05-01    Packer.Win32.UnkPacker.c [Suspicious]   2.984
Sophos    2.86.0    4.41    2009-05-03    Mal/EncPk-GT   2.260
Sunbelt    5118    5118    2009-05-02    Packed.Win32.Krap.c   1.675
Symantec    1.3.0.24    20090502.002    2009-05-02     - 0.093
The Hacker    6.3.4.1    v00317    2009-05-01     - 1.648
Trend Micro    8.700-1004    6.104.35    2009-05-02     - 0.034
VBA32    3.12.10.4    20090502.1751    2009-05-02     - 1.932
ViRobot    20090501    2009.05.01    2009-05-01     - 1.980
VirusBuster    4.5.11.10    10.105.13/1315160    2009-05-02     - 1.627
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: micky77 on May 03, 2009, 11:30:31 AM
I believe Rising AV is a legit AV from China.
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: DavidK on May 03, 2009, 11:36:02 AM
Quote

I believe Rising AV is a legit AV from China.

Yes, the antivirus is legitimate; however, I don't believe that file is. I also don't have Rising AV, so I don't know why I would have a file claiming to be part of it. Also, Rising AntiVirus found the file to be "suspicious", which I don't think it would do if it were one of the scanner's components.
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: joeni on May 03, 2009, 08:28:06 PM
Hi, I'm sorry for taking too long to answer the questions; I'm kinda busy.

OK, here is my problem solver.. I used another antivirus, b** d*f**d*r, and this AV deleted all the viruses. And by the way, I'm using the 30-day trial version and it's working well. Here is my new HijackThis log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:32, on 04/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP3 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe
C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\ShowNetworkActivity.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
D:\Master\squid\sbin\squid.exe
c:\squid\libexec\unlinkd.exe
C:\WINDOWS\system32\ping.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Master\avast antivirus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:3128
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Program Compatibility Assistan (PctaSvc) - Unknown owner - C:\Program Files\R_Server\Slsvc.exe (file missing)
O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe (file missing)
O23 - Service: SptSvc (SpSvc.exe) - Unknown owner - C:\WINDOWS\system32\svchost -k SpSvc.exe (file missing)
O23 - Service: Squid - SQUID Web Proxy Cache - http://www.squid-cache.org/ - D:\Master\squid\sbin\squid.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 7305 bytes

All the files that were flagged as viruses are now "file missing".
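Two things in this thread are worth turning into a repeatable check: the Run-key persistence polonus described earlier (a value under HKLM\...\Run pointing at a dropped executable) and the pattern joeni's HijackThis log shows after cleanup, namely O23 services with "Unknown owner" and "(file missing)", a service binary called smss.exe sitting in system32\Desktop instead of System32, an AppInit_DLLs entry and an unrecognised Winsock LSP. The script below is an added example written for this page; it is not code from the thread, from avast or from HijackThis. It parses HijackThis-style O4, O10, O20 and O23 lines and flags those patterns. The sample lines are copied from the log posted above; the list of core process names, the canonical system-folder paths and the flagging rules are this example's own assumptions, not something the tool or the thread defines.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Flags: services with no vendor and/or a missing binary (orphaned persistence),
executables that borrow the name of a core Windows process but live outside the
real system folder, AppInit_DLLs hooks, and unrecognised Winsock LSPs.
Requires Python 3.8+ (assignment expressions).
"""
import re
from dataclasses import dataclass, field

# Assumption of this example: core process names and where they legitimately
# live on an XP-era install. The posted log shows impostors such as
# system32\Desktop\smss.exe, which is why the name list is checked at all.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")
EXPLORER_DIR = r"c:\windows"

# HijackThis line shapes, as they appear in the posted log.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - "
                    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<dll>.+)$")

# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s',
    r"O10 - Unknown file in Winsock LSP: bmnet.dll",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: fhds soft Service (fhds Service) - Unknown owner - C:\WINDOWS\system32\fvOoJMUy\J001.exe (file missing)",
    r"O23 - Service: Desktop Configuration (SesEnv) - Unknown owner - C:\WINDOWS\system32\Desktop\smss.exe (file missing)",
    r"O23 - Service: svchost (svchosts) - Unknown owner - C:\Program Files\PROGRAM\sver.com.cn.exe (file missing)",
]


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _exe_path(cmd):
    """Strip quotes and trailing arguments from a Run-key or service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: the executable ends at the first .exe/.com token followed by a space or the end.
    m = re.match(r"(.+?\.(?:exe|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def _check_impostor(path, reasons):
    """Flag a core-process file name that is not in its canonical directory."""
    p = path.lower()
    parent, _, name = p.rpartition("\\")
    if name in CORE_PROCESSES:
        legit = parent in SYSTEM_DIRS or (name == "explorer.exe" and parent == EXPLORER_DIR)
        if not legit:
            reasons.append(f"core process name '{name}' outside the system folder")


def triage(lines):
    """Return a Finding for every line that matches at least one flagging rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        if m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                reasons.append("service with no vendor")
            if m["missing"]:
                reasons.append("service binary missing (orphaned persistence)")
            _check_impostor(_exe_path(m["path"]), reasons)
        elif m := O4_RE.match(line):
            _check_impostor(_exe_path(m["cmd"]), reasons)
        elif O20_RE.match(line):
            reasons.append("AppInit_DLLs hook loads into every GUI process")
        elif O10_RE.match(line):
            reasons.append("unrecognised Winsock LSP")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample lines the two legitimate avast entries pass untouched, while the three orphaned services, the AppInit_DLLs entry and the LSP line are reported; the smss.exe service collects all three service reasons because its file name is a core process name but its folder is system32\Desktop. An orphaned "(file missing)" entry is not harmless leftover: the service definition is still in the registry and would run again if the file were ever restored, which is why it belongs on the cleanup list rather than being ignored.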
Title: Re: Screwed by Win32:Siveras [Expl]
Post by: micky77 on May 03, 2009, 08:51:28 PM
Thanks for the feedback, glad BitDefender sorted your problem  :)