My Computer has been infected by Win32:Sality and then i get a boot scan but then after it i get this message when i start FireFox:
Windows cannot find C:\Program Files\Java\jre6\lib\deploy\jqs\ff........\bin\jqsnotify.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.
and my Windows Messenger .exe file has been deleted!!!
help me plsss
[quote author=ladygaga345 link=topic=50649.msg428876#msg428876 date=1257513421]
My Computer has been infected by Win32:Sality and then i get a boot scan but then after it i get this message when i start FireFox:
Windows cannot find C:\Program Files\Java\jre6\lib\deploy\jqs\ff........\bin\jqsnotify.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.
and after that boot scan too my Windows Messenger .exe file has been deleted!!!bcoz it is infected
help me plss
Hi
Looks like that virus has destroyed the Java plugin. You can download the new Java plugin from the SUN WEBSITE.
Recreate windows messenger through add/remove programs / windows components /tick windows messenger and re install if that fails do a thorough scan with avast with archives ticked on boot time scan and move all to chest
The first link of the search has the answer.
my problem is not yet solve…
messenger .exe file doesnt still work
[font=Segoe UI] Hi ladygaga345 and welcome to the forums,
Sad to say, Sality is a file infector and it would be hard t recover files it damages. All I could offer for now is to remove all those that are suspicious.
Step 1: Windows Disk Cleanup Utility ============
1 Press Windows Key + R
2 Type in: cleanmgr
3 Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4 Click OK
Step 2: avast! Boot Time Scan ============
1 Double click avast! antivirus desktop icon and wait for memory test to complete
2 avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan…
3 Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4 You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time
Step 3: Malwarebytes Antimalware (MBAM) ============
1 Download Malwarebyes’ Antimalware here
2 Proceed to installing MBAM after downloading
3 On the last dialog box, do not forget to leave Update Malwarebytes’ Antimalware and Run Malwarebytes’ Antimalware checked
4 Malwabytes’ Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5 When scan is completed, click Show Results
6 Click Remove Selected and then, a notepad file will appear.
7 On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.
Step 4: Hijack This (HJT) ============
1 Download Trend Micro Hijack This here
2 Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is already displayed by default). Click Install
3 HJT Window will appear. Click Do a system scan and save a logfile. A notepad file will pop-up once the scan is completed
5 Click on the Notepad window and click File > Save As and save the file on your desktop
6 Go back here on your topic and start a reply. On the Reply window, click Additional Options
7 Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)
NOTE: Do not have HJT fix anything yet.
here are the result of the MBAM scan
Malwarebytes’ Anti-Malware 1.41
Database version: 3113
Windows 5.1.2600 Service Pack 3
11/7/2009 3:20:00 PM
mbam-log-2009-11-07 (15-20-00).txt
Scan type: Quick Scan
Objects scanned: 101907
Time elapsed: 18 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
the result of Hijackthis scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:42 PM, on 11/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0_$Df\FrzState2k.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ph.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsearch.com/?useie5=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] “C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM..\RunOnce: [Malwarebytes’ Anti-Malware] C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D84EB4B0-BFA9-4B0C-B75A-17ABAD45ABB7} (Friendster Image Uploader Control) - http://images.friendster.com/200910A-023/js/aurigma/FriendsterImageUploader.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
–
End of file - 8743 bytes
An analysis of your HJT log shows the following problems :
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
The above 2 entries show that the file is missing for Windows Messenger.
[b]O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab[/b]
Remains of Panda av.
[b]O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/b]
Remains of Symantec/Norton av.
may be brothers you dont know that sality dont go by the great mbam or hijack this,it needs an anti virus can detect it like avast and av can repair avast unlike avast so try dr.web cure it.
until now i repair a lot of systems that have sality and dr.web cure it success in repair them very good
i think the virus is gone after i have a boot scan and deleted it.
but the thing is windows messenger .exe file and jsqnofity.exe got infected with that virus
so those files has been deleted and thats what is my problem
anyway .: L’ arc :. so whats NOW???
may be you dont got its real f***ing things of sality i can ensure you your pc still infected and when sality enter can and will infect a lot of .exe files on your system and you say you delete them so happy new format. ;D
[font=Segoe UI] Hello again ladygaga345,
Last step we could do, download SalityKiller | Kaspersky and follow the steps here.
After you done it, I could say, you got rid of some of the nasties, yet the real ones are sure to be left intact. I suggest you to backup those you are sure to be clean in a freshly formatted USB Flash Disk and start over, in other words, reformat. Sality is a file and infector, a really persistent files infector.
So, for the Windows Messenger, consider using the bundled Messenger on XP’s installation CD after the reformat. I’m sorry but I could be of no better help.
NOTES:
[font=Segoe UI]
[] Before backing up a file, make sure that it is not infected. Consider scanning it with avast! and MBAM, and if possible, consider checking it in VirusTotal.
[] DO NOT backup any executable files (softwares) and screensavers (.scr) or any web pages (.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable. Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Sality can penetrate and infect .exe files inside compressed files too.
superhacker what do u mean did u mean that the virus is still at the PC???
how can i follow those steps if the steps is about the kaspersky antivirus???
L’arc was not mentioning Kaspersky Antivirus but a small program by Kaspersky to get rid of the malware. So, please follow his instruction.
But I dont know how to reformat the PC.Should I do reformat even i follow those steps???
He was not saying the you need to reformat PC but USB stick before backing up files.
Why SHould I Back Up The FIles???