Help me please with "semo2x.exe, autorun.inf", it's killing me

:cry: :o >:(

I have a virus named "semo2x.exe, autorun.inf". It's killing me because "avast antivirus Pro Edition program: 4.7.1098 and VPS: 080105-0" and "avast! Virus Cleaner" can't see it, and it has infected every drive on my PC, my flash memory and also my mobile card.

http://C:\Documents and Settings\Bakkar\Desktop\My Scary Virus.jpg

I’ll be thankful if anyone could help me

Bakkar

Yes… same problem here, have tried every possible thing.
- Also, because of that I'm not able to un-hide hidden files.
- I don't know if it's related, but since the infection Sygate firewall and Yahoo Messenger aren't working; they just start up and auto-exit within seconds.

Somebody please help :frowning:

Can you post a HJT log?

http://www.trendsecure.com/portal/en-US/threat_analytics/quick_start_guide.php

Here you go, inspector Cloussau :slight_smile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:40 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programs\Alwil Software\Avast4\aswUpdSv.exe
D:\Programs\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
D:\Programs\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
D:\Programs\Alwil Software\Avast4\ashMaiSv.exe
D:\Programs\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\svchost.exe
D:\Programs\Alwil Software\Avast4\ashSimpl.exe
D:\Programs\Winamp\Winamp.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Programs\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46279257-2463-2796-3683-279268379362} - D:\WINDOWS\system32\mshost.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [SmcService] F:\Firewall\smc.exe -startgui
O4 - HKCU\..\Run: [avast!] D:\Programs\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [amva] D:\WINDOWS\system32\amvo.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Download with &DAP - D:\Programs\DAP\dapextie.htm
O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Programs\Download Accelerator Lite\dal.htm
O8 - Extra context menu item: Download &all with DAP - D:\Programs\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRAMS\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRAMS\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9451CF16-E9CD-4609-9241-392595F30707}: NameServer = 192.168.1.1,61.1.96.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5A9A925-C8F1-4620-87D7-A6BD9A8DE0E5}: NameServer = 192.168.1.1,61.1.96.69
O20 - Winlogon Notify: avgwlntf - D:\WINDOWS\SYSTEM32\avgwlntf.dll
O21 - SSODL: mshost.dll - {46279257-2463-2796-3683-279268379362} - D:\WINDOWS\system32\mshost.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Programs\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Programs\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Programs\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Programs\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - F:\Firewall\smc.exe


End of file - 4283 bytes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:20 AM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Parallels\Parallels Tools\cohrence.exe
C:\Program Files\Parallels\Parallels Tools\toolsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Parallels Tools] C:\Program Files\Parallels\Parallels Tools\ParallelsToolsCenter.exe
O4 - HKLM\..\Run: [SharedInternetApplication] "C:\Program Files\Parallels\Parallels Tools\SIA\sharedintapp.exe" /start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra ‘Tools’ menuitem: Tri&xie Options… - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{91D5EEC3-9704-4974-94DC-DFB7DCE6DC9B}: NameServer = 4.2.2.2,4.2.2.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Parallels Coherence Service (cohrence) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\cohrence.exe
O23 - Service: Parallels Tools Utility Service (toolsrv) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Tools\toolsrv.exe


End of file - 7080 bytes

What is this? I didn't see semo2x.exe on this list.

Bakkar

Hi guys, we need to separate these problems because they are not the same problem. Gandalf, I will start a new thread for you and add a link.

http://forum.avast.com/index.php?topic=32467.0

Bakkar, are you able to run a scan with AVG A/S, and if so could you post the log? Also update your Java, as both you and Gandalf are way out of date.

Do you have a location/ full path for the file you mentioned?

Hi Cloussau…

Sorry, but what is "AVG A/S"?

If it is avast, I did a boot scan many times after I updated it.

I think the full path for the file is:

C:\semo2x.exe
C:\autorun.inf
D:\semo2x.exe
D:\autorun.inf

And every partition on my PC.

I hope this will be helpful.

I had an autorun virus before and I cleaned it with avast, but I thought this might be a new virus.
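Added example, not part of any post in this thread: a read-only Python check of a volume root for the pattern reported above, an autorun.inf whose launch directives point at an executable sitting beside it. The sample autorun.inf content is constructed (the thread never shows the real file), and the function names are this example's own.

```python
import os

LAUNCH_KEYS = {"open", "shellexecute"}  # [autorun] keys that start a program

def launch_targets(inf_text):
    """Return (key, program) for each [autorun] directive that starts a program."""
    found, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue  # comments, junk padding, other sections
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            if value.startswith('"'):
                program = value[1:].split('"', 1)[0]   # quoted path, drop arguments
            else:
                program = value.split()[0] if value else ""
            if program:
                found.append((key, program))
    return found

def audit_root(root):
    """Inspect one volume root; return None when it has no autorun.inf."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return None
    with open(inf_path, "r", errors="replace") as fh:
        targets = launch_targets(fh.read())
    # Programs named by the directives that really exist next to autorun.inf.
    present = sorted({p for _, p in targets if os.path.isfile(os.path.join(root, p))})
    return {"root": root, "targets": targets, "present": present}

# Constructed sample, modelled on the file names reported in the thread.
SAMPLE_INF = """\
[AutoRun]
;xK3jd junk padding
open=semo2x.exe
shell\\open\\Command=semo2x.exe
shell\\explore\\Command="semo2x.exe" -e
icon=folder.ico
"""

if __name__ == "__main__":
    for key, program in launch_targets(SAMPLE_INF):
        print(f"{key:24} -> {program}")
```

Calling `audit_root` on each drive root (for example `C:\` and `D:\`) lists which roots carry an autorun.inf and which launch targets are actually present there.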

Hi Cloussau,

Thanks for the link… it's in progress now. But my problem description is the same as Bakkar's too. I too have the semo2x.exe and Autorun.inf in all my drives. So I've got two problems now?!!

And about installing Java: what did you mean by “Delete the old entry when you have the latest version.”??

It will be good if you download, install, update and run SUPERantispyware. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

If you are still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster (for XP/Vista). For XP: Panda.

@ Gandalf

The latest version of Java is 1.06.03 and has been for some time. When it's updated, it's done because the old version is or has been vulnerable to exploits like the one you have. When a new version is loaded the old one needs to be uninstalled, otherwise it (and the vulnerability) remains on your system. If you go to add-remove programs via control panel and look, you will possibly see multiple versions. Uninstall all except the 1.06.03.

Please continue on the other thread otherwise this one will become a mess.

If you have no luck with the BD scan then try the rootkit scans suggested by Tech

Hey Cloussau,
The BT test worked… comp is fine now. Thanks a lot! Just posting it here so that Bakkar can try it out. Any idea why Avast let it pass??

Hi Cloussau, Gandalf and Tech

Sorry again, what does BT test mean? ;D

And of course, thanks a lot for your help guys!

The test referred to by Gandalf is actually BD = Bit Defender online scan, referred to in the post linked in reply no. 5.
Here is a direct link: http://www.bitdefender.com/scan8/
Post back the results.

Hi Cloussau,

thanks a lot :smiley:

I tried the BD scan, it's awesome, my PC is cleaned now, but I still have a little problem: when I clean an autorun virus I always have to set up a new fresh copy of Win XP because of hidden problems.

If you know how to fix this problem I will be very happy… I'm tired of installing XP so many times.

Can you describe the “hidden problems”? There are many tools available to analyze your system and bring information out, depending on what you need to know.

Did you update your Java?

Can you run another scan with HJT and post the log.

Hi bakkar,

Download free rootkit detective here: http://download.nai.com/products/mcafee-avert/McafeeRootkitDetective.zip

Make a folder for it by the name McafeeRootkit Detective in C:\Program Files,
unzip it there, and then run it.

Scan and see whether you have hidden files or hooks.

polonus

(Hidden problems) means that I can't show my hidden files because of the previous virus. Now every time I try to activate the “show hidden files” option, it is deactivated again automatically. What can I do?

This is a recommendation I found with Mr Google's help. If you are not confident working with your registry then seek professional help. Errors can be critical for your PC.
Click Start, then Run; key in regedit.
Go to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

DELETE the value CheckedValue in the right window. (Its type should be REG_SZ and data should be 2.)

Now create a new DWORD value called CheckedValue (same as above, except that the type is REG_DWORD). Modify the value data to 1 (0x00000001).

This should let you change the “Hidden Files and Folders” option.
The attached file is how it should look when finished.
Good luck
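Added example, not part of the post above: a read-only Python check of the CheckedValue state that post describes, so the value can be inspected before and after the edit. It assumes Python on Windows for the registry read (the standard `winreg` module); the function names are this example's own.

```python
try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

# Key named in the post above, relative to HKEY_LOCAL_MACHINE.
SHOWALL = (r"Software\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Advanced\Folder\Hidden\SHOWALL")
REG_SZ, REG_DWORD = 1, 4  # registry value type codes

def assess(value_type, data):
    """Classify CheckedValue against the state the post says it should have."""
    if value_type is None:
        return "missing: create CheckedValue as REG_DWORD = 1"
    if value_type != REG_DWORD:
        return (f"wrong type (type {value_type}, data {data!r}): "
                "delete and recreate as REG_DWORD = 1")
    if data != 1:
        return f"wrong data ({data}): set to 1"
    return "ok"

def read_checked_value():
    """Read (type, data) of CheckedValue from HKLM without modifying anything."""
    if winreg is None:
        raise RuntimeError("registry access needs Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHOWALL) as key:
        try:
            data, value_type = winreg.QueryValueEx(key, "CheckedValue")
        except FileNotFoundError:
            return None, None  # value absent under the key
    return value_type, data

if __name__ == "__main__":
    print(assess(*read_checked_value()))
```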