Author Topic: help needed (virus) (Read 681 times)

Arpan · « **on:** March 30, 2009, 10:52:35 AM »

Virus called win32:sality is present. I found it when i was scanning system scan. Though i did system scan 2-3 times, status in my avast av programs shows "Full system scan not done yet".

Please help me remove this virus as it is destroying my exe files.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:42 PM, on 3/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Softwares\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4434 bytes

guestolo · « **Reply #1 on:** March 30, 2009, 09:26:47 PM »

Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

With the log from ComboFix, can you also include a fresh log from Hijackthis

Arpan · « **Reply #2 on:** March 31, 2009, 02:54:52 PM »

ComboFix 09-03-31.01 - Administrator 2009-04-01 1:19:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.617 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090330-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-31 00:26 . 2009-03-31 00:26   <DIR>   d--------   c:\program files\uTorrent
2009-03-30 20:34 . 2009-03-30 20:34   <DIR>   d--------   c:\program files\proDAD
2009-03-30 20:34 . 2009-03-30 20:34   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\proDAD
2009-03-30 20:33 . 2003-06-26 10:04   237,568   -ra------   c:\windows\system32\qtmlClient.dll
2009-03-30 20:33 . 2003-07-01 16:49   69,632   --a------   c:\windows\system32\MtxPreview.dll
2009-03-30 20:33 . 2003-07-01 16:49   49,152   --a------   c:\windows\system32\MtxParhBFXPreview.dll
2009-03-30 20:33 . 2003-01-20 09:08   49,152   --a------   c:\windows\system32\CvoAPI.dll
2009-03-30 20:33 . 2003-07-09 10:43   45,056   --a------   c:\windows\system32\BFXSrcFilter.ax
2009-03-30 20:33 . 2007-12-12 19:02   0   --a------   c:\windows\Graffiti5.2Pin.ini
2009-03-30 20:32 . 2009-03-30 20:33   <DIR>   d--------   c:\program files\Boris FX, Inc
2009-03-30 20:17 . 2009-03-30 20:17   <DIR>   d--------   c:\program files\Common Files\Pinnacle
2009-03-30 20:17 . 2009-03-30 20:17   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Pinnacle Studio Ultimate
2009-03-30 20:11 . 2009-03-30 20:11   <DIR>   d--------   c:\program files\Common Files\Yahoo!
2009-03-30 20:11 . 2009-03-30 20:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Studio 12
2009-03-30 20:11 . 2009-03-30 20:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Pinnacle Studio Plus
2009-03-27 23:46 . 2009-03-27 23:46   <DIR>   d--h-----   c:\windows\PIF
2009-03-23 08:37 . 2009-03-23 10:10   <DIR>   d--------   C:\Arpan
2009-03-23 08:27 . 2009-03-23 10:15   <DIR>   d--------   C:\TC
2009-03-22 03:48 . 2009-03-22 03:49   <DIR>   d--------   c:\windows\system32\NtmsData
2009-03-20 00:55 . 2009-03-20 00:55   <DIR>   d--------   c:\program files\Alwil Software
2009-03-17 23:29 . 2009-03-17 23:29   <DIR>   d--------   c:\program files\Pinnacle Systems
2009-03-17 22:59 . 2009-03-17 22:59   <DIR>   d--------   c:\program files\DIFX
2009-03-17 22:58 . 2009-03-30 20:18   <DIR>   d----c---   c:\windows\system32\DRVSTORE
2009-03-17 07:53 . 2009-04-01 01:20   <DIR>   dr-hs----   C:\RESTORE
2009-03-16 21:44 . 2009-03-16 21:44   <DIR>   d--------   c:\windows\system32\Quicktime
2009-03-16 21:44 . 2009-03-16 21:44   <DIR>   d--------   c:\program files\SmartSound Software
2009-03-16 21:44 . 2009-03-16 21:44   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-03-16 21:44 . 2004-09-28 13:08   458,112   --a------   c:\windows\system32\drivers\MarvinUsb.sys
2009-03-16 14:03 . 2009-03-16 14:03   <DIR>   d--------   c:\windows\system32\IOSUBSYS
2009-03-15 21:39 . 2002-04-26 10:47   524,868   -ra------   c:\windows\system32\SET137.tmp
2009-03-15 21:39 . 2002-03-11 18:48   524,288   -ra------   c:\windows\system32\SET149.tmp
2009-03-15 21:39 . 2002-03-11 18:49   294,912   -ra------   c:\windows\system32\SET13B.tmp
2009-03-15 21:39 . 2002-03-11 18:57   200,704   -ra------   c:\windows\system32\SET13C.tmp
2009-03-15 21:39 . 2002-04-26 10:48   163,901   -ra------   c:\windows\system32\SET136.tmp
2009-03-15 21:39 . 2002-03-11 18:58   155,648   -ra------   c:\windows\system32\SET146.tmp
2009-03-15 21:39 . 2002-03-11 18:48   139,264   -ra------   c:\windows\system32\SET142.tmp
2009-03-15 21:39 . 2002-03-11 18:48   114,688   -ra------   c:\windows\system32\SET13A.tmp
2009-03-15 21:39 . 2002-03-11 18:49   110,592   -ra------   c:\windows\system32\SET147.tmp
2009-03-15 21:39 . 2002-03-11 18:50   106,496   -ra------   c:\windows\system32\SET148.tmp
2009-03-15 21:39 . 2002-04-26 10:48   74,814   -ra------   c:\windows\system32\SET135.tmp
2009-03-15 21:39 . 2002-04-26 10:49   28,672   -ra------   c:\windows\system32\SET134.tmp
2009-03-15 21:37 . 2009-03-15 21:37   1,409   --a------   c:\windows\system32\tmpFF9F7.FOT
2009-03-15 21:37 . 2009-03-15 21:37   1,409   --a------   c:\windows\system32\tmpF59F7.FOT
2009-03-15 21:37 . 2009-03-15 21:37   1,409   --a------   c:\windows\system32\tmpD29F7.FOT
2009-03-15 21:37 . 2009-03-15 21:37   1,409   --a------   c:\windows\system32\tmp789F7.FOT
2009-03-15 21:37 . 2009-03-15 21:37   1,409   --a------   c:\windows\system32\tmp72AF7.FOT
2009-03-15 21:33 . 2009-03-15 21:33   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\AdobeUM
2009-03-15 21:30 . 2009-03-16 21:52   17   --a------   c:\windows\MovingPicture.ini
2009-03-15 21:28 . 2002-03-11 18:48   151,552   -ra------   c:\windows\system32\igfxres.dll
2009-03-15 20:51 . 2004-03-10 16:26   406,016   --a------   c:\windows\system32\PSDrvCheck.exe
2009-03-15 20:50 . 2004-03-10 16:26   26,112   --a------   c:\windows\system32\PSDrvCheck.CHT
2009-03-15 20:50 . 2004-03-10 16:26   26,112   --a------   c:\windows\system32\PSDrvCheck.CHS
2009-03-15 20:50 . 2004-03-10 16:27   19,456   --a------   c:\windows\system32\asapi.dll
2009-03-15 20:48 . 2002-03-19 10:29   14,165   ---------   c:\windows\system32\drivers\Pclepci.sys
2009-03-15 20:08 . 2004-08-03 23:10   51,328   --a------   c:\windows\system32\drivers\msdv.sys
2009-03-15 20:08 . 2004-08-03 23:10   51,328   --a--c---   c:\windows\system32\dllcache\msdv.sys
2009-03-15 20:07 . 2004-08-03 23:10   48,128   --a------   c:\windows\system32\drivers\61883.sys
2009-03-15 20:07 . 2004-08-03 23:10   48,128   --a--c---   c:\windows\system32\dllcache\61883.sys
2009-03-15 20:07 . 2004-08-03 23:10   38,912   --a------   c:\windows\system32\drivers\avc.sys
2009-03-15 20:07 . 2004-08-03 23:10   38,912   --a--c---   c:\windows\system32\dllcache\avc.sys
2009-03-15 17:05 . 2009-03-15 17:05   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-03-15 11:40 . 2009-03-15 11:40   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-03-14 21:53 . 2009-03-19 00:14   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Ahead
2009-03-13 08:27 . 2004-08-03 23:08   26,496   --a--c---   c:\windows\system32\dllcache\usbstor.sys
2009-03-13 06:23 . 2009-04-01 00:05   116   --a------   c:\windows\NeroDigital.ini
2009-03-13 01:27 . 2009-03-27 08:50   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Winamp
2009-03-13 01:16 . 2009-03-13 01:16   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\bsplayer
2009-03-13 00:58 . 2009-04-01 00:28   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\uTorrent
2009-03-13 00:55 . 2009-03-22 19:23   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Ulead Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 19:32   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2009-03-31 00:00   ---------   d-----w   c:\program files\DivX
2009-03-30 15:02   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-03-30 15:01   ---------   d-----w   c:\program files\Pinnacle
2009-03-30 14:41   ---------   d-----w   c:\documents and settings\All Users\Application Data\Pinnacle
2009-03-16 16:06   ---------   d-----w   c:\program files\Common Files\InstallShield
2009-03-16 11:53   ---------   d-----w   c:\program files\Google
2009-03-16 08:08   ---------   d-----w   c:\documents and settings\All Users\Application Data\Yahoo!
2009-03-12 20:22   ---------   d-----w   c:\program files\DAP
2009-03-12 20:17   50,688   ----a-w   c:\windows\system32\wbhelp2.dll
2009-03-12 20:17   ---------   d-----w   c:\documents and settings\All Users\Application Data\SpeedBit
2009-03-12 20:13   ---------   d-----w   c:\program files\Common Files\Adobe
2009-03-12 20:12   ---------   d-----w   c:\documents and settings\All Users\Application Data\Adobe Systems
2009-03-12 20:11   ---------   d-----w   c:\program files\Common Files\Adobe Systems Shared
2009-03-12 19:58   ---------   d-----w   c:\program files\Winamp
2009-03-12 19:47   ---------   d-----w   c:\program files\Power Video Converter
2009-03-12 19:46   ---------   d-----w   c:\program files\K-Lite Codec Pack
2009-03-12 19:46   ---------   d-----w   c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-12 19:28   ---------   d-----w   c:\program files\Yahoo!
2009-03-12 19:10   ---------   d-----w   c:\program files\Common Files\InterVideo
2009-03-12 19:10   ---------   d-----w   c:\documents and settings\All Users\Application Data\InterVideo
2009-03-12 19:09   53,693   ----a-w   c:\windows\UNDPX2A.sys
2009-03-12 19:09   15,429   ----a-w   c:\windows\system32\drivers\Sacm2A.sys
2009-03-12 19:09   135,168   ----a-w   c:\windows\UNDPX2A.exe
2009-03-12 19:09   ---------   d-----w   c:\program files\Common Files\LightScribe
2009-03-12 19:09   ---------   d-----w   c:\documents and settings\All Users\Application Data\Ulead Systems
2009-03-12 19:08   ---------   d-----w   c:\program files\Ulead Systems
2009-03-12 19:08   ---------   d-----w   c:\program files\Common Files\Ulead Systems
2009-03-12 18:59   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-12 18:57   ---------   d-----w   c:\program files\MSBuild
2009-03-12 18:57   ---------   d-----w   c:\program files\Microsoft Works
2009-03-12 18:39   ---------   d-----w   c:\program files\Common Files\Nero
2009-03-12 18:39   ---------   d-----w   c:\program files\Ahead
2009-03-12 18:39   ---------   d-----w   c:\documents and settings\All Users\Application Data\Ahead
2009-03-12 18:37   ---------   d-----w   c:\program files\Common Files\Ahead
2009-03-12 18:32   ---------   d-----w   c:\program files\MiraScan
2009-03-12 18:07   ---------   d-----w   c:\program files\microsoft frontpage
2004-08-04 12:00   166,048   --sha-r   c:\windows\system32\rtanq.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-03-13 3114496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-03-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-03-11 106496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.MJPG"= pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.mjpx"= Pvmjpg21.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3873:TCP"= 3873:TCP:ludxs

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-20 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-20 20560]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2009-03-12 203264]
S2 rnybhbyg;Security Driver;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
rnybhbyg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6ca0491-125c-11de-adb4-001ac35bf8a1}]
\Shell\AutoRun\command - i:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
\Shell\open\command - i:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl

.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ashni2bh.default\
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 01:20:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\rnybhbyg]
"ServiceDll"="c:\windows\system32\rtanq.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,32,88,7e,e2,03,
3a,56,aa,c8,28,51,af,b0,29,a3,98,c0,84,5b,3f,ec,56,30,e2,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,59,b7,78,37,13,
f3,8f,8a,71,3b,04,66,8b,46,0d,96,f0,5c,b8,1a,1b,60,32,d1,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,1c,59,a0,51,ea,
58,fb,24,25,da,ec,7e,55,20,c9,26,7d,74,da,c3,87,6a,cc,5e,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,1c,2c,de,68,3b,
02,4c,9d,3e,1e,9e,e0,57,5a,93,61,03,42,cb,5d,b1,67,1d,8f,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,9d,89,20,c6,7e,
22,d9,55,cd,44,cd,b9,a6,33,6c,cd,dd,d6,a2,7d,3f,ae,15,5d,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,5b,7a,a1,0e,b7,
d7,bb,fb,b0,18,ed,a7,3f,8d,37,a4,e9,41,4a,a1,dc,18,69,87,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,b2,b0,06,62,49,
da,92,57,31,77,e1,ba,b1,f8,68,02,93,65,90,6c,0c,58,f9,6b,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,0c,99,cb,2e,45,
66,d3,ef,83,6c,56,8b,a0,85,96,ab,08,b3,85,8c,6a,38,5f,b5,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,44,6d,bf,a6,0c,
58,6e,8e,51,fa,6e,91,28,9e,14,cc,93,46,73,a7,20,b9,e6,db,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,18,41,7a,14,ba,
1b,f5,9c,b1,cd,45,5a,a8,c4,f8,b9,dc,50,0f,c0,80,ba,64,59,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,51,1f,76,02,8d,
79,77,ea,e3,0e,66,d5,eb,bc,2f,6b,c9,8e,ad,03,91,72,30,77,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,e1,d5,b4,3c,fb,
91,ee,4b,fa,ea,66,7f,d4,3b,6b,70,f6,25,fc,75,54,36,1b,86,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-04-01 1:21:53
ComboFix-quarantined-files.txt 2009-03-31 19:51:50

Pre-Run: 4,885,295,104 bytes free
Post-Run: 7,665,242,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

280

guestolo · « **Reply #3 on:** March 31, 2009, 10:10:33 PM »

Download [color=\"#FF0000\"]> ATF Cleaner <[/color] by Atribune and save it to your Desktop.

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to [color=\"#006400\"]Update Malwarebytes' Anti-Malware[/color] and [color=\"#006400\"]Launch Malwarebytes' Anti-Malware[/color], then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Also post a fresh Hijackthis log please

Arpan · « **Reply #4 on:** April 01, 2009, 12:19:52 PM »

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

4/1/2009 10:33:44 PM
mbam-log-2009-04-01 (22-33-44).txt

Scan type: Quick Scan
Objects scanned: 63812
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\sav.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\procgdwh32.exe (Rogue.InternetAntivirus) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:25 PM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\Softwares\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SBCONVERT - {A1056498-D09A-41E4-864B-505EDD640D9E} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\SpeedBitVideoDownloader.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5750 bytes

guestolo · « **Reply #5 on:** April 02, 2009, 07:13:00 AM »

Can you temporarily disable Avast's protection
Right click on the Avast icon by the clock and "Stop on Access protections"

Please do a scan with [color=\"#3333FF\"]Kaspersky Online Scanner[/color]

[color=\"green\"]Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.[/color]

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
In the drop down box labeled Files of type change the type to Text file.
Save the file to your desktop.
Copy and paste that information in your next post

Ensure you "Start on Access protections" for Avast after the scan

Arpan · « **Reply #6 on:** April 02, 2009, 02:44:30 PM »

Unfortunately i have not been able to open websites like avast even before asking for help here. Now kaspersky cant not also be opened. Firefox gives msg that page load error.

guestolo · « **Reply #7 on:** April 02, 2009, 10:30:03 PM »

Do the following
Download HostsXpert [color=\"red\"]Here[/color] and unzip it to your desktop.
Next, open HostsXpert

Make sure that the "make hosts writable?" button in the upper left corner is checked>>Should read 'Make Readonly'
then click on 'Restore MS host files'>>OK
Close HostsXpert.

Try the scan again, Use Internet Explorer, Firefox may have problems

Arpan · « **Reply #8 on:** April 03, 2009, 01:30:56 AM »

Quote

Do the following
Download HostsXpert Here and unzip it to your desktop.
Next, open HostsXpert

* Make sure that the "make hosts writable?" button in the upper left corner is checked>>Should read 'Make Readonly'
* then click on 'Restore MS host files'>>OK
* Close HostsXpert.

I followed your above instruction but this have not helped me open kaspersky website either from firefox or IE. I cant open avast also.
Is virus in my PC stopping me open these websites??

guestolo · « **Reply #9 on:** April 03, 2009, 11:33:23 PM »

Can you delete your copy of ComboFix
REDownload a fresh copy of ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#0000FF\"]Link 3[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]KillAll::
Driver::
rnybhbyg
NetSvcs::
rnybhbyg
File::
c:\windows\system32\rtanq.dll
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\rnybhbyg]
[/color]
Save this as txtfile on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..
Can you post that log please

Try running that Kaspersky scan again, see if it will run, if it will, post the report from it

In addition, post a fresh Hijackthis log and keep me informed how things are now running

Arpan · « **Reply #10 on:** April 05, 2009, 06:31:38 AM »

Today when i was trying to start my computer, it was getting freeze everytime when winxp logo comes. I could not understand the reason why it was happening. If you can, please explain me.

Since I was unable to start my computer, I tried to repair my windows copy with the winxp cd but even there after copying necessary files, system used to freeze at the xp logo during first system restart of xp installation. So I installed fresh copy of windows after formatting C drive. Now atleast I can start the system. but i am not sure now which of ur instruction to follow. So please advice me acoordingly.

I am enclosing fresh hijack copy just in case you want to have a look.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:21 PM, on 4/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 6\Ulead DVD MovieFactory 6\DMFLauncher.exe
C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 6\Ulead DVD MovieFactory 6\DiscDup.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe
C:\Program Files\Pinnacle\Studio 12\Programs\PER.exe
C:\Program Files\Pinnacle\Studio 12\Programs\UMI.EXE
C:\Program Files\Pinnacle\Studio 12\Programs\RM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
E:\Softwares\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://oca.microsoft.com/resredir.aspx?sid....2.00010100.2.0
R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - C:\PROGRA~1\DAP\SBSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5420 bytes

guestolo · « **Reply #11 on:** April 05, 2009, 08:59:36 AM »

win32:sality is a nasty virus, the best course of action is the clean install you have just done

I suggest that you ensure you visit Windows Updates and get all Latest Express security updates
Get an Anti-Virus software installed

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
[color=\"blue\"]Updating Java:[/color]

Download the latest version of Java SE Runtime Environment (JRE).
Scroll down to where it says "JRE 6 Update 13".
Click the "Download" button to the right.
In the Window that opens, select Windows, beside Platform:>>Check the "agree" box and click Continue.
Click on the link to download Windows Offline Installation and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.

- Examples of older versions in Add or Remove Programs:

Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 6.0 Update 7

Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe that you downloaded to install the newest version.

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster by JavaCool
At the link you can read more about it then continue with
Free Download on the right>>Continue Download at next page
Basically it

Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Startus>>enable all protection

Take a look at miekiemoes site with other ideas on How to prevent Malware:

TheTechGuide Forum

News:

Author Topic: help needed (virus) (Read 681 times)

Arpan

help needed (virus)

guestolo

help needed (virus)

Arpan

help needed (virus)

guestolo

help needed (virus)

Arpan

help needed (virus)

guestolo

help needed (virus)

Arpan

help needed (virus)

guestolo

help needed (virus)

Arpan

help needed (virus)

guestolo

help needed (virus)

Arpan

help needed (virus)

guestolo

help needed (virus)