Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ladygaga345 on November 06, 2009, 02:17:01 PM

Title: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 06, 2009, 02:17:01 PM
My Computer has been infected by Win32:Sality and then i get a boot scan but then after it i get this message when i start FireFox:
    Windows cannot find C:\Program Files\Java\jre6\lib\deploy\jqs\ff\..\..\..\..\bin\jqsnotify.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

and my Windows Messenger .exe file has been deleted!!!!!!

help me plsss
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 06, 2009, 02:17:54 PM
My Computer has been infected by Win32:Sality and then i get a boot scan but then after it i get this message when i start FireFox:
    Windows cannot find C:\Program Files\Java\jre6\lib\deploy\jqs\ff\..\..\..\..\bin\jqsnotify.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

and after that boot scan too my Windows Messenger .exe file has been deleted!!!!!!bcoz it is infected

help me plss
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: bobo1 on November 06, 2009, 02:30:08 PM
Hi
Looks like that virus has destroyed the Java plugin. You can download the new Java plugin from the SUN WEBSITE.
Recreate Windows Messenger through Add/Remove Programs / Windows Components / tick Windows Messenger and reinstall. If that fails, do a thorough scan with avast with archives ticked on boot time scan and move all to chest.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Gopher John on November 06, 2009, 02:42:37 PM
http://www.google.com/search?q=jqsnotify.exe&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

The first link of the search has the answer.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 06, 2009, 02:51:09 PM
my problem is not yet solve...

messenger .exe file doesnt still work
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 06, 2009, 02:59:23 PM
Hi ladygaga345 and welcome to the forums,

 Sad to say, Sality is a file infector and it would be hard to recover files it damages. All I could offer for now is to remove all those that are suspicious.

Step 1: Windows Disk Cleanup Utility ============

1   Press Windows Key + R
2   Type in: cleanmgr
3   Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4   Click OK

Step 2: avast! Boot Time Scan ============

1   Double click avast! antivirus desktop icon and wait for memory test to complete
2   avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan...
3   Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4   You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
        NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time

Step 3: Malwarebytes Antimalware (MBAM) ============

1   Download Malwarebytes' Antimalware here (http://www.filehippo.com/download_malwarebytes_anti_malware/)
2   Proceed to installing MBAM after downloading
3   On the last dialog box, do not forget to leave Update Malwarebytes' Antimalware and Run Malwarebytes' Antimalware checked
4   Malwarebytes' Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5   When scan is completed, click Show Results
6   Click Remove Selected and then, a notepad file will appear.
7   On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.

Step 4: Hijack This (HJT) ============

1   Download Trend Micro Hijack This here (http://www.filehippo.com/download_hijackthis/)
2   Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is already displayed by default). Click Install
3   HJT Window will appear. Click Do a system scan and save a logfile. A notepad file will pop-up once the scan is completed
5   Click on the Notepad window and click File > Save As and save the file on your desktop
6   Go back here on your topic and start a reply. On the Reply window, click Additional Options
7   Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)
        NOTE: Do not have HJT fix anything yet.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 08:22:43 AM
here are the result of the MBAM scan

Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 5.1.2600 Service Pack 3

11/7/2009 3:20:00 PM
mbam-log-2009-11-07 (15-20-00).txt

Scan type: Quick Scan
Objects scanned: 101907
Time elapsed: 18 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 08:23:27 AM
the result of Hijackthis scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:42 PM, on 11/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ph.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D84EB4B0-BFA9-4B0C-B75A-17ABAD45ABB7} (Friendster Image Uploader Control) - http://images.friendster.com/200910A-023/js/aurigma/FriendsterImageUploader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8743 bytes
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: CharleyO on November 07, 2009, 09:07:27 AM
***

An analysis of your HJT log shows the following problems :

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)      
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
The above 2 entries show that the file is missing for Windows Messenger.

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
Remains of Panda av.

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Remains of Symantec/Norton av.


***
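The analysis above picks out two kinds of HijackThis entries: those ending in "(file missing)" and the O16 (DPF) download sources. This added example, which is not part of any post in the thread, automates that triage over an excerpt of the posted log; the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Excerpt copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""

# "<section code> - <rest of entry>", e.g. "O9 - Extra button: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O16 body: "DPF: {CLSID} (optional class name) - source URL"
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*)\))? - (\S+)$")
MISSING = " (file missing)"


def parse_entries(log_text):
    """Return (section_code, body) for every entry line; skip everything else."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def missing_files(entries):
    """Map each path marked '(file missing)' to the section codes that reference it."""
    found = {}
    for code, body in entries:
        if body.endswith(MISSING):
            # The file path is the last " - "-separated field of the entry.
            path = body[: -len(MISSING)].rsplit(" - ", 1)[-1]
            found.setdefault(path, []).append(code)
    return found


def dpf_sources(entries):
    """List (host, class name, CLSID) for each O16 download source."""
    out = []
    for code, body in entries:
        if code != "O16":
            continue
        m = DPF_RE.match(body)
        if m:
            clsid, name, url = m.groups()
            out.append((urlparse(url).hostname, name or "(no name)", clsid))
    return out


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for path, codes in missing_files(parsed).items():
        print("missing:", path, "referenced by", codes)
    for host, name, clsid in dpf_sources(parsed):
        print("DPF:", host, "-", name, clsid)
```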
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: superhacker on November 07, 2009, 09:22:41 AM
may be brothers you dont know that sality dont go by the great mbam or hijack this,it needs an anti virus can detect it like avast and av can repair avast unlike avast so try dr.web cure it.
until now i repair a lot of systems that have sality and dr.web cure it success in repair them very good
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 09:37:15 AM
i think the virus is gone after i have a boot scan and deleted it.

but the thing is windows messenger .exe file and jsqnofity.exe got infected with that virus

so those files has been deleted and thats what is my problem
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 09:42:25 AM
anyway .: L' arc :. so whats NOW??????
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: superhacker on November 07, 2009, 09:44:13 AM
may be you dont got its real f***ing things of sality i can ensure you your pc still infected and when sality enter can and will infect a lot of .exe files on your system and you say you delete them so happy new format. ;D
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 07, 2009, 10:26:18 AM
Hello again ladygaga345,

 Last step we could do, download SalityKiller | Kaspersky (http://support.kaspersky.com/downloads/utils/salitykiller.zip) and follow the steps here (http://support.kaspersky.com/faq/?qid=208279889).

 After you have done it, I could say, you got rid of some of the nasties, yet the real ones are sure to be left intact. I suggest you to backup those you are sure to be clean in a freshly formatted USB Flash Disk and start over, in other words, reformat. Sality is a file infector, a really persistent file infector.

 So, for the Windows Messenger, consider using the bundled Messenger on XP's installation CD after the reformat. I'm sorry but I could be of no better help.


NOTES:

  • Before backing up a file, make sure that it is not infected. Consider scanning it with avast! and MBAM, and if possible, consider checking it in VirusTotal (http://www.virustotal.com).
  • DO NOT backup any executable files (softwares) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable. Also, try to avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Sality can penetrate and infect .exe files inside compressed files too.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 10:37:30 AM
superhacker what do u mean did u mean that the virus is still at the PC?????
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 11:02:22 AM
how can i follow those steps if the steps is about the kaspersky antivirus????
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 11:06:12 AM
Quote
how can i follow those steps if the steps is about the kaspersky antivirus????

L'arc was not mentioning Kaspersky Antivirus but a small program by Kaspersky to get rid of the malware.  So, please follow his instruction.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 11:12:08 AM
But I dont know how to reformat the PC.Should I do reformat even i follow those steps????
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 11:15:29 AM
Quote
But I dont know how to reformat the PC.Should I do reformat even i follow those steps????

He was not saying that you need to reformat PC but USB stick before backing up files.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 11:20:44 AM
Why SHould I Back Up The FIles????
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 07, 2009, 11:29:55 AM
 If you have any important files, I am suggesting you to back up them onto a clean USB Flash Disk since the best way to eliminate Sality completely is by a PC reformat. If we reformat the PC, everything on your HD would be gone. I asked you to perform those disinfection steps before to eliminate most of what we can, not to completely disinfect the PC. That way would help you get a better back up process and less hassle/errors, just less. Sorry but, this is all I could do to help.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 11:31:46 AM
Sorry, I guess you were right he was mentioning that you should reformat PC and start over since Sality is so nasty.  Alternatively, you may like to wait till some people with more specialist knowledge come to this forum.

PS @L'arc, if you think I misunderstood you, you can point it out.  I thought you had gone off line.  It is hard for me to read your comments since the smaller fonts.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Tarq57 on November 07, 2009, 11:33:10 AM
Hi ladygaga,
If the virus has infected (and continues to infect) more of the files in your computer, it may soon infect everything.
If you have important documents, pictures etc that can not be easily replaced, you should make a copy of it to a flash drive or CD's.
It is possible you will have to reformat and reinstall Windows. (Do you have the Windows CD?)

Reformat basically wipes everything from the computer hard drive. The virus included. (Your pictures/files/bookmarks/emails also. You lose the lot.)
I strongly recommend you follow the steps posted earlier, to run the extra tools suggested, and report what they find. It will give an idea of how widespread the virus is.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 11:48:34 AM
well i have finish the SalityKiller.exe scan and nothings find outs

and Tarq57 the virus had stop spreading after i did a boot scan on avast.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 11:53:55 AM
Hmmm...  @L'arc  Are you sure that the malware was so nasty...?  I'm not a specialist but it seems to be O.K...  Of course, to be sure, reformatting is probably the best way, though.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 07, 2009, 12:13:50 PM
Rumpel,

 Sality was very nasty, umm, I believe, devastative would be the better word to describe it since it may have been removed yet it leaves your computer damaged due to file infections.

 Hearing the word about messenger.exe and jqsnotify.exe being oddly gone could be a possible sign of spread of the infection. Anyhow, it would always be best to have a second opinion from someone else so I guess, it would be better if we consider waiting for other ideas about this.

 Thank you for your help.

PS: Sorry, I can't keep up with the time. Good night to everyone.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 12:18:47 PM
Quote
Rumpel,

 Sality was very nasty, umm, I believe, devastative would be the better word to describe it since it may have been removed yet it leaves your computer damaged due to file infections.

 Hearing the word about messenger.exe and jqsnotify.exe being oddly gone could be a possible sign of spread of the infection. Anyhow, it would always be best to have a second opinion from someone else so I guess, it would be better if we consider waiting for other ideas about this.

 Thank you for your help.

PS: Sorry, I can't keep up with the time. Good night to everyone.



L'arc messenger.exe and jqsnotify.exe is gone because avast detected it that it is infected and deleted it  when i have the boot scan so thats why it was gone



GOOD NIGHT TOO
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 12:29:48 PM
Quote
Rumpel,

 Sality was very nasty, umm, I believe, devastative would be the better word to describe it since it may have been removed yet it leaves your computer damaged due to file infections.

 Hearing the word about messenger.exe and jqsnotify.exe being oddly gone could be a possible sign of spread of the infection. Anyhow, it would always be best to have a second opinion from someone else so I guess, it would be better if we consider waiting for other ideas about this.

 Thank you for your help.

PS: Sorry, I can't keep up with the time. Good night to everyone.

I see.  Thank you, L'arc, good night.


@ladygaga345  I guess it all depends on you now.  I'd go for reformatting but if you are sure it's gone, you may like to download Windows Messenger and Java, you can download them:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774&displaylang=en

http://www.java.com/en/download/manual.jsp

They may not work if other files are damaged, though.

Also, it would be suitable for you to get rid of the remains of Panda and Norton.
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

As for Panda, please search the net with words "Panda Uninstall" and pick up an appropriate version from the official site.

I took it wrong.  Ladygaga345 must have let the computer through online Panda and Kaspersky scan, which won't conflict against Avast!.

Alternatively, you may like to wait till some people with more knowledge visit this forum.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 01:06:44 PM
but i didnt know what norton product has been installed on my pc
ahh awkie i will w8
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 01:12:46 PM
Quote
but i didnt know what norton product has been installed on my pc
ahh awkie i will w8

Haha, sorry.  You may like to turn on the mail notification function (http://forum.avast.com/index.php?&action=help;page=post#additional).  Just check the box of "Notify me of replies".  For there are many people here with more knowledge who will visit this forum.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 01:33:50 PM
hey Rumpel Ive scan my system with Dr.Web Cure It and then find a file named pskill.exe is it a threat??????

the path of this file is C:Windows\system32
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 01:55:47 PM
Quote
hey Rumpel Ive scan my system with Dr.Web Cure It and then find a file named pskill.exe is it a threat??????

the path of this file is C:Windows\system32

PsKill (http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx) is a part of Sysinternals' PsTools (http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx).  As the explanation says, it basically kills processes but it can be used by malware...especially when seeing you don't know why it is there.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 01:56:19 PM
so shall i delete it or ignore it????
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 01:59:47 PM
Quote
so shall i delete it or ignore it????

If you didn't know it was there, it would be suitable for you to delete it but...Now I see some people coming, especially essexboy is good at these kinds of thing.  I'd definitely ask him about these issues than myself.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 02:01:52 PM
Awkie ill w8 of someones suggestion if im gonna delete this file or ignore it
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Shiw Liang on November 07, 2009, 02:31:02 PM
Hey, be careful: Windows files are dangerous to delete or it will damage your whole system!
Just wait for experts don't delete it!
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 07, 2009, 02:32:23 PM
yeah ill w8 for some experts
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: essexboy on November 07, 2009, 03:18:22 PM
You can leave that file - If you have Virut you can repair it till the cows come home but windows will still be broken I am afraid

Read Miekiemoes blog http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html  she is one clever lady  ;D

This will explain what Virut does and why it is best to reformat

When I come across a Virut infection I clean it up just enough to recover personal data and then post this

Quote
Well, I'm afraid I have bad news for you.

You have been infected with a polymorphic file infector named Virut. This infection will spread to every executable file in your computer, and unfortunately the only cure for it is to Reformat and Reinstall.

Right now, the best thing you can do is to backup, preferably to CD, all your important data, documents, pictures, movies, and songs.

DO NOT backup any applications or installers and DO NOT backup any files with the following extensions:
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here (http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html).

To find out how to carry out an XP  Reformat and Reinstall, please see this page (http://www.geekstogo.com/forum/Reformat-Install-Windows-t173729.html). If you are using Vista, then check this page (http://ist.mit.edu/services/software/windows/vista/clean-install) instead.

Once you have reformatted and reinstalled Windows, have a look at this page (http://rathat.geekstogo.com/StayingClean.html) for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I).

I am sorry I cannot give any better news.
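The backup rules in the post above (the extension list) and in L'arc's earlier notes (no executables, no archives holding .exe or .scr files) can be applied mechanically before copying anything. This is an added example, not part of any post; the function names, the header check for renamed executables and the sample tree are assumptions, and it only filters by type, it does not scan for infection.

```python
import os
import tempfile
import zipfile

# Extensions the post above says not to back up, plus .cab from L'arc's notes.
BLOCKED_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar", ".cab"}
# Member types L'arc's notes warn about inside compressed files.
BLOCKED_MEMBER_EXT = (".exe", ".scr")


def skip_reason(path):
    """Return why a file should stay out of the backup, or None to keep it."""
    ext = os.path.splitext(path)[1].lower()
    if ext in BLOCKED_EXT:
        return "blocked extension " + ext
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ":  # DOS/PE header: an executable under another name
            return "executable header"
    if zipfile.is_zipfile(path):  # zip container under another extension
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.lower().endswith(BLOCKED_MEMBER_EXT):
                    return "archive contains " + name
    return None


def plan_backup(root):
    """Walk root; return (keep, skipped) with paths relative to root."""
    keep, skipped = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = skip_reason(full)
            if reason is None:
                keep.append(rel)
            else:
                skipped[rel] = reason
    return sorted(keep), skipped


def demo():
    """Run the plan over a small constructed tree (sample data, not from the thread)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        samples = {
            "docs/letter.txt": b"hello",
            "docs/photo.jpg": b"\xff\xd8\xff\xe0 constructed",
            "setup.exe": b"MZ constructed",
            "saver.scr": b"MZ constructed",
            "index.html": b"<html></html>",
            "docs/song.mp3": b"MZ renamed executable",  # wrong extension on purpose
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        # A zip container that does not use the .zip extension.
        with zipfile.ZipFile(os.path.join(root, "docs", "bundle.dat"), "w") as zf:
            zf.writestr("tools/run.exe", b"MZ constructed")
        return plan_backup(root)


if __name__ == "__main__":
    kept, skipped_files = demo()
    print("keep:", kept)
    for rel_path, why in sorted(skipped_files.items()):
        print("skip:", rel_path, "-", why)
```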
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 07, 2009, 03:42:48 PM
Yes.  I knew L'arc was right but I didn't know how to convince ladygaga345 due to my lack of knowledge.  I'm sure that pskill.exe is not the vital system file but it doesn't matter.  If even essexboy says that ladygaga345's computer needs reformatting, I don't think you have a better piece of advice here.  Thank you, essexboy.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: bobo1 on November 07, 2009, 10:34:46 PM
Best to reinstall Windows and format the hard drive, only proven way to get rid of stubborn viruses. Quick and easy! ;D
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 08, 2009, 08:13:57 AM
no its not a virut.and isnt the Win32:Sality is gone even if i use that tool of kaspersky and scan using avast and Dr.Web?????
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 08, 2009, 08:31:44 AM
Sadly, while reading the blog, I encountered this:

Quote
The same applies for other File infectors such as Sality.

I guess there won't be any better choice.
Sorry for yesterday if I slept too early.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: superhacker on November 08, 2009, 01:55:39 PM
brother ladygaga345:
avast is super av can remove trojans rootkits,....and can prevent viruses and trojans,......
BUT
when the virus enter your machine avast can just delete it"the file who has it"its cleaning routines is so weak.so sality may go from your system but a lot of files destroyed you should scan by dr.web cure it before avast it can repair a lot of files infector,and you got warning about java and messenger coz they run on system start up and the system dont find them so you warned about them.
format c: /q
then run a dr.web scan for other disks then have a good day.we are all here want help you,help your self.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 08, 2009, 02:58:46 PM
Yeah, I have scanned my PC with Dr.Web CureIt and it didn't detect any and those errors are now solved.. tnx to Rumpel!!!!!!!!!!
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 08, 2009, 03:07:43 PM
ladygaga345,

Are you planning to reformat? If not, then I'll try to give you steps so that at least those that are repairable can still be repaired.

* Repairable is a military word for hardware components of a weapons system that are designated for repair. :)
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: ladygaga345 on November 08, 2009, 03:11:15 PM
I'm not planning to reformat... coz I'm only 14 years old and only my cousin can do that....

By the way, good night, I'm going to sleep now...
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 08, 2009, 03:25:30 PM
A. Ok. Toodle Pip.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Shiw Liang on November 08, 2009, 03:31:01 PM
L'arc, do you think if we back up the windows file then we delete the infected file and we restore them it will be fixed?
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 08, 2009, 03:45:43 PM
The problem is if we could locate every single bad file. Moreover, segregating good ones from the bad ones would be pretty tough too.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 08, 2009, 03:53:42 PM
Quote
The problem is if we could locate every single bad file. Moreover, segregating good ones from the bad ones would be pretty tough too.

Yea...it's really nasty malware, it seems.  What essexboy recommended was to rescue the files which ladygaga345 wants to back up, except files with those extensions, before reformatting and starting from scratch.

The problem is that ladygaga345 is not willing to go through it.  I hope there will be no problem with ladygaga345's computer.  If something happens again, ladygaga345 may come back, though.  Then, maybe, we can recommend ladygaga345 to ask his/her cousin to do that.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: nmb on November 08, 2009, 03:56:39 PM
Quote
L'arc, do you think if we back up the windows file then we delete the infected file and we restore them it will be fixed?

Hello Shiw Liang,

Although it was directed at L'arc, I will comment if you allow.

Instead of backing up every other system file (since it is very tedious, as L'arc indicated), there are many programs which can create images of drives exactly as you see and can also restore them exactly. One of them is: http://www.filehippo.com/download_oo_diskimage_express/

If you don't want to use disk image programs, then there are some more applications which can reset all changes made to your system. One of them is Returnil. But it needs a bit more understanding of how it works, when to use and when not to use. So be careful before using such programs. If you need help, PM me.

sorry for off topic post.

nmb
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: .: L' arc :. on November 08, 2009, 04:19:58 PM
 I started Googling and found this program: Deep Freeze by Faronics (http://www.faronics.com/HTML/deepfreeze.asp).

Quote
Deep Freeze is a product that basically takes a snapshot of all settings on your pc. When changes (software installs, registry changes, etc.) are made to the pc, upon the reboot those changes are discarded and returned to its original settings that was taken from the snapshot.

It can freeze all computer settings and state even after a restart while in frozen state and can return it into a customizable PC by thawing. Pretty much like in cryogenic engineering. This could probably help prevent severe system file modifications by malware. The problem is, it's not freeware.

Anyhow, the best way to prevent malware is still by the freeware, lifetime use and no-download-install-needed, Safe Computing (http://www.advent1.com/Tech/Support/BasicsofSafeComputing.aspx). :)

Have a virus free day everyone and good night.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: nmb on November 08, 2009, 04:27:55 PM
Hello my friend L'arc,

The reason for me to suggest Returnil is that it has a free version which does have some good features.

Also, a virus might not be the only reason for a person to back up files. Who knows what happens to your hardware in the next moment?.. That might not be the only reason and it follows that it's always good to have a backup. I have heard and read that disk image express by OO soft is a good app which is also free. It has many features as you can see in the link I have given. It is worth giving a try.

once again sorry for the off topic post.

nmb
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 08, 2009, 04:38:05 PM
I take it somehow the topic shifted from repairing the infested computer to pro-active defense and backing up.

@nmb  Are you actually using Returnil on a daily basis?  I'm asking this since I cannot find it in your signature.  I'm using Returnil Virtual System 2010, too, and found it quite good.  If anybody is interested, you can download manuals at the official site (http://www.returnilvirtualsystem.com/resource-center) for some basic information on this app.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: nmb on November 08, 2009, 04:56:02 PM
Hello my friend rumpel,

I was talking about the free home version available on this page: http://www.returnilvirtualsystem.com/home-security

As I said, it (Returnil) does have some good features and I have also seen a person use it. But I don't use it.

Quote
you can download manuals at the official site (http://www.returnilvirtualsystem.com/resource-center) for some basic information on this app.

Sure, I will try to take a look at it. Is this because I posted something wrong? Please correct me. Everyone does make mistakes. Forgive me if I was.

nmb
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Shiw Liang on November 08, 2009, 04:57:37 PM
But I don't think it is better than avast 5.0
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 08, 2009, 05:03:17 PM
Quote
sure I will try to take a look at it. is this because i posted something wrong? , please correct me. everyone does make mistakes. forgive me if I was.

No way.  ;)  I think you are usually thoughtful.  As I had edited to make it clear, it's for those who haven't tried it.

I'm currently using the Giveawayoftheday version, thanks to Tech, but I agree with you that the Free version is good enough.

Quote
But I don't think it is better than avast 5.0

Er...what should I say?  ;D
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: nmb on November 08, 2009, 05:13:31 PM
Thanks for the change in your post Rumpel. :) and.. shiw is still learning. he has some doubts.  ;)

nmb
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 08, 2009, 05:22:11 PM
Quote
Thanks for the change in your post Rumpel. :) and.. shiw is still learning. he has some doubts.  ;)

Actually, I think he may not be so far from truth.  After all, the public beta only has some limited features.  ;)
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: nmb on November 08, 2009, 05:51:22 PM
Quote
After all, the public beta only has some limited features.  ;)

I thought he was comparing Returnil and avast.

nmb
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Omega40 on November 08, 2009, 10:57:36 PM
Quote
After all, the public beta only has some limited features.  ;)
I thought he was comparing returnil and avast.
nmb

From what I read of the reviews of "Returnil" from the Brighthub review PDF file.... it is better to use an AV program along with it.
Title: Re: pls help me i really dont know what im gonna do!!!!!!
Post by: Rumpel on November 09, 2009, 02:25:56 AM
Quote
I thought he was comparing returnil and avast.

I think you took it right except that he mentioned 5.0, of which I don't think we know everything.

Quote
from what I read of the reviews of "Returnil" from the Brighthub review PDF file....it is better to use an AV program along with it.

Guess you understood it right, then.  As far as Returnil is concerned, we need anti-virus and other protections as well since, basically, it's just an ease-of-use virtualization app.  In fact, although the 2010 version has a resident anti-virus protection called Virus Guard, I turned it off due to the common sense about resident scanners, i.e. no two resident scanners.

Also, Returnil encourages its users to keep their data files on drives other than the C drive, which is a good practice.  The quote below is from the site L' arc linked (http://www.advent1.com/Tech/Support/BasicsofSafeComputing.aspx).
Quote
#1 Never put anything on your "C" drive that you can't afford to lose.
Sooner or later something really bad is going to happen to your computer. A virus, a misbehaving program, a hacker, or stupid mistake can leave your computer unable to start up. Often times tracking down and fixing the problem is more time consuming than flushing the drive and starting over (what we call the "Flush & Fill.") The operating system and programs can be easily reinstalled, but personal information or business files can be lost in the process if they're on the same drive as the operating system.
Our solution is to either partition the drive into two logical drives, or install a separate drive (or even redundant drive array) to hold your personal data. That way when the need arises, you can blow away your OS with impunity and be able to recover full use as painlessly as possible. (Partitioning a single drive protects you from OS failure, but not from hardware disk failure. Only a "disk image" backup can allow recovery of both OS and data files in the event of a dying disk.)