Author Topic: Virus: need help  (Read 3241 times)

Arpan
« on: May 23, 2009, 04:33:30 AM »
I am having a lot of viruses on my computer.... please help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00, on 2009-05-23
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Online.com
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe update.com
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\sopidkc.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\SOFTWARE\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Adobe Online.com
O4 - Startup: Adobe update.com
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: sopidkc  Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6721 bytes
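As an added example (not part of the original post and not HijackThis code), here is a small Python triage script that applies the checks a responder makes by eye on a log like the one above: a svchost.exe running from a subfolder of system32 or from C:\WINDOWS\dhcp, .com files in the Startup folder, a Run entry under the SYSTEM account's hive (HKUS\S-1-5-18), a service with no vendor string whose binary lives under the Windows folder, and an O7 policy entry that disables regedit. The sample lines are copied from the posted log; the rule names, the folder whitelist and the "risky extension" list are this example's own assumptions, and its output is a list of entries to verify by hand, not a malware verdict.

```python
"""Triage a HijackThis-style log: flag autostart and process entries that a
responder would check first.  Added example, not part of HijackThis; the rule
names, the folder whitelist and the sample lines below are this example's own
choices (the sample lines are copied from the log posted above)."""
import ntpath
import re
from dataclasses import dataclass

# Windows binaries malware likes to impersonate; the genuine copies live only
# in %SystemRoot%\system32 (explorer.exe in %SystemRoot%).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe", "ctfmon.exe",
                   "explorer.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Executable extensions that are almost never legitimate in a Startup folder.
RISKY_EXT = (".com", ".scr", ".pif", ".bat", ".cmd")
SYSTEM_ACCOUNT_HIVE = r"hkus\s-1-5-18"   # Run keys under the SYSTEM account

PATH_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|com|scr|pif|dll|sys|bat|cmd))\b", re.I)
SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def extract_path(line):
    """Return the first Windows file path on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage(lines):
    """Run every heuristic over every non-empty line; return the findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        section = m.group(1) if m else None      # O4, O23, ... or None for the process list
        path = extract_path(line)
        name = ntpath.basename(path).lower() if path else ""
        folder = ntpath.dirname(path).lower() if path else ""

        # 1. A system-binary name running from anywhere but its real folder
        #    (system32\3361\SVCHOST.exe, dhcp\svchost.exe).
        if name in SYSTEM_BINARIES and folder not in LEGIT_SYSTEM_DIRS:
            findings.append(Finding("system binary name outside system folder", line))

        # 2. .com/.scr/.pif style files in a Startup folder or an O4 entry.
        target = path or (line.split(": ", 1)[1] if section == "O4" and ": " in line else "")
        if target.lower().endswith(RISKY_EXT) and (section == "O4" or "\\startup\\" in target.lower()):
            findings.append(Finding("script-style executable in autostart", line))

        # 3. Run entry under the SYSTEM account's hive: runs before any user logs on.
        if section == "O4" and SYSTEM_ACCOUNT_HIVE in line.lower():
            findings.append(Finding("Run entry under SYSTEM account hive", line))

        # 4. Service with no vendor string whose binary sits under %SystemRoot%;
        #    third-party services normally install under Program Files.
        if section == "O23" and "Unknown owner" in line and folder.startswith(r"c:\windows"):
            findings.append(Finding("vendorless service under Windows folder", line))

        # 5. Policy entries that lock the user out of regedit / Task Manager.
        if section == "O7":
            findings.append(Finding("admin-tool restriction policy", line))
    return findings


# Lines copied from the HijackThis log above (an excerpt, not the full log).
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\3361\SVCHOST.exe",
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe update.com",
    r"C:\WINDOWS\dhcp\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"',
    r"O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')",
    r"O4 - Startup: Adobe Online.com",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe",
    r"O23 - Service: sopidkc  Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Rule 4 will also flag legitimate vendor services that register without a company string (the Dell wireless tray service in the full log is one), which is why the output is a verification list rather than a verdict; the point of the script is to get the dozen lines that matter out of a 110-line log.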

Arpan
« Reply #1 on: May 23, 2009, 08:18:37 AM »
After posting the above logfile I installed a fresh copy of Windows, thinking it would solve my problem, but all my efforts were in vain; those viruses still pop up. Please help me out.

guestolo
« Reply #2 on: May 23, 2009, 10:05:56 AM »
Download ComboFix from one of these locations:

Link 1
Link 2
Save it ONLY to your Desktop

Temporarily disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool.
With Avast, you can right click on its icon by the clock and choose "Stop On Access Protections".
OK the prompt.


  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

NOTE: Do not mouse-click inside the ComboFix window as it is running, it may cause it to stall.
ComboFix will/may run again on startup; it will prompt that it is creating a log.
This process could take up to 10 minutes, let it run uninterrupted please.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Arpan
« Reply #3 on: May 23, 2009, 01:50:52 PM »
ComboFix 09-05-23.01 - sonal 05/24/2009  0:04.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.3062.2672 [GMT 5.5:30]
Running from: c:\documents and settings\sonal\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\LocalService\Application Data\1259558419.exe
c:\documents and settings\sonal\reader_s.exe
c:\program files\Internet Explorer\setupapi.dll
c:\program files\ThunMail
c:\program files\ThunMail\testabd.dll
c:\program files\ThunMail\testabd.ex_
c:\windows\system32\3361
c:\windows\system32\3361\mlog
c:\windows\system32\AshEvtSvc.exe
c:\windows\system32\aston.mt
c:\windows\system32\comsa32.sys
c:\windows\system32\dpcxool64.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\fxe.sp
c:\windows\system32\nvaux32.dll
c:\windows\system32\oezevmzi.dll
c:\windows\system32\paso.el
c:\windows\system32\reader_s.exe
c:\windows\system32\sysfldr.dll
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\wjneipfr.dll
c:\windows\system32\wjneipfr32.dll
c:\windows\ynh.dx
D:\Autorun.inf
E:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{95CC29D4-18EF-49B7-BF7D-D8E3820B4366}\RP3\A0000313.sys
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ASC3360PR
-------\Legacy_ASHEVTSVC
-------\Legacy_DHCPSRV
-------\Legacy_SOPIDKC
-------\Service_6to4
-------\Service_asc3360pr
-------\Service_AshEvtSvc
-------\Service_DhcpSrv
-------\Service_restore
-------\Service_sopidkc


(((((((((((((((((((((((((   Files Created from 2009-04-23 to 2009-05-23  )))))))))))))))))))))))))))))))
.

2009-05-23 18:33 . 2009-05-23 18:37   95198   ----a-w   c:\windows\system32\drivers\31709f35.sys
2009-05-23 16:08 . 2004-08-03 22:58   5504   ----a-w   c:\windows\system32\drivers\MSTEE.sys
2009-05-23 16:08 . 2004-08-03 23:10   85376   ----a-w   c:\windows\system32\drivers\NABTSFEC.sys
2009-05-23 16:08 . 2004-08-03 23:10   17024   ----a-w   c:\windows\system32\drivers\CCDECODE.sys
2009-05-23 16:08 . 2004-08-03 23:10   19328   ----a-w   c:\windows\system32\drivers\WSTCODEC.SYS
2009-05-23 16:07 . 2001-08-17 13:59   3072   ----a-w   c:\windows\system32\drivers\audstub.sys
2009-05-23 16:07 . 2004-08-03 23:10   78464   ----a-w   c:\windows\system32\drivers\usbvideo.sys
2009-05-23 16:07 . 2004-08-03 19:26   53760   ----a-w   c:\windows\system32\vfwwdm32.dll
2009-05-23 16:07 . 2004-08-03 19:26   4096   ----a-w   c:\windows\system32\ksuser.dll
2009-05-23 16:07 . 2004-08-03 22:59   57472   ----a-w   c:\windows\system32\drivers\redbook.sys
2009-05-23 16:06 . 2001-08-17 13:46   6400   ----a-w   c:\windows\system32\drivers\enum1394.sys
2009-05-23 16:04 . 2004-08-04 01:07   19968   -c--a-w   c:\windows\system32\dllcache\agt040e.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 18:36 . 2004-08-04 01:07   182912   ----a-w   c:\windows\system32\drivers\ndis.sys
2009-05-23 18:35 . 2004-08-04 01:07   577024   ----a-w   c:\windows\system32\user32.dll
2009-05-23 18:11 . 2009-05-23 18:11   44   ----a-w   c:\windows\system32\4A.tmp
2009-05-23 15:48 . 2009-05-23 13:54   --------   d-----w   c:\documents and settings\All Users\Application Data\avg8
2009-05-23 15:43 . 2009-05-23 15:43   0   ----a-w   c:\windows\system32\38.tmp
2009-05-23 15:43 . 2009-05-23 15:43   80   ----a-w   c:\windows\system32\D.tmp
2009-05-23 15:39 . 2009-05-23 15:39   --------   d-----w   c:\documents and settings\sonal\Application Data\AVGTOOLBAR
2009-05-23 15:13 . 2009-05-23 10:52   22720   ----a-w   c:\windows\system32\emptyregdb.dat
2009-05-23 14:34 . 2009-05-23 14:34   44   ----a-w   c:\windows\system32\7.tmp
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\RECYCLER .scr
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\Qoobox .scr
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\Program Files .scr
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\Intel .scr
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\dell .scr
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\ComboFix .scr
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\cmdcons .scr
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\32788R22FWJFW .scr
2009-05-23 14:19 . 2005-12-29 10:05   98304   ------r   C:\$AVG8.VAULT$ .scr
2009-05-23 13:54 . 2009-05-23 13:54   --------   d-----w   c:\program files\AVG
2009-05-23 13:49 . 2009-05-23 13:49   44   ----a-w   c:\windows\system32\5C.tmp
2009-05-23 13:10 . 2009-05-23 13:10   44   ----a-w   c:\windows\system32\11.tmp
2009-05-23 13:10 . 2009-05-23 13:10   0   ----a-w   c:\windows\system32\F.tmp
2009-05-23 13:10 . 2009-05-23 13:10   44   ----a-w   c:\windows\system32\C.tmp
2009-05-23 12:03 . 2009-05-23 12:03   --------   d-----w   c:\program files\CONEXANT
2009-05-23 12:01 . 2009-05-23 12:01   --------   d-----w   c:\program files\SigmaTel
2009-05-23 12:01 . 2009-05-23 11:27   --------   d--h--w   c:\program files\InstallShield Installation Information
2009-05-23 11:56 . 2009-05-23 11:56   --------   d-----w   c:\program files\Modem Diagnostic Tool
2009-05-23 11:43 . 2009-05-23 11:43   426   ----a-w   c:\documents and settings\sonal\Autoexec.bat
2009-05-23 11:35 . 2009-05-23 11:15   --------   d-----w   c:\program files\Dell
2009-05-23 11:35 . 2009-05-23 11:35   --------   d-----w   c:\documents and settings\sonal\Application Data\InstallShield
2009-05-23 11:27 . 2009-05-23 11:27   --------   d-----w   c:\program files\Common Files\InstallShield
2009-05-23 11:25 . 2009-05-23 11:25   --------   d-----w   c:\program files\Intel
2009-05-23 11:15 . 2009-05-23 11:15   10134   ----a-r   c:\documents and settings\sonal\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
2009-05-23 10:56 . 2009-05-23 10:56   --------   d-----w   c:\program files\microsoft frontpage
2009-05-23 10:55 . 2009-05-23 10:55   86327   ----a-w   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-23 02:50 . 2005-12-29 10:05   135168   ---h--r   C:\Thumbs.com
2009-04-23 02:50 . 2005-12-29 10:05   135168   ----a-r   C:\System Volume Information .scr
2009-04-23 02:50 . 2005-12-29 10:05   135168   ------r   C:\WINDOWS .scr
.
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

[-] 2004-08-04 01:07   25600   5C6331B64BF35DF76285B928FFE8501A   c:\windows\system32\svchost.exe
[-] 2004-08-04 01:07   14336   BDAC56658CBB4AFF9A3B7D13819710CD   c:\windows\system32\dllcache\svchost.exe

[-] 2004-08-04 01:07   1142272   29BEFA7658F8F73BECAABDD580E652B2   c:\windows\explorer.exe

[-] 2004-08-04 01:07   26624   64D5B4936BC20494D6F1DF50844D4610   c:\windows\system32\ctfmon.exe
[-] 2004-08-04 01:07   15360   07A84336C2761512D1D73036DC4C99E9   c:\windows\system32\dllcache\ctfmon.exe

[-] 2004-08-04 01:07   102400   3A50B165283AF164E0AE85E257A2799D   c:\windows\system32\spoolsv.exe

[-] 2004-08-04 01:07   155136   37095D5B2BBCAFB9332DEAA7097A86EF   c:\windows\system32\wuauclt.exe

[-] 2004-08-04 01:07   134144   B16BF187456B740E63DE4AB25032AD74   c:\windows\system32\userinit.exe
[-] 2004-08-04 01:07   24576   A7F66DDCEDC5BFCC20BD3599BB7FF5EB   c:\windows\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]

c:\documents and settings\sonal\Start Menu\Programs\Startup\
Adobe Online.com [2009-5-23 98304]
Adobe update.com [2009-5-23 98304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Thumbs.com"=
"c:\\Documents and Settings\\sonal\\Start Menu\\Programs\\Startup\\Adobe Online.com"=
"c:\\WINDOWS\\system32\\OEM02Srv.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=

R?2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:37 AM 25600]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [5/23/2009 4:59 PM 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [5/23/2009 4:59 PM 7424]
S3 OEM002Srv;Creative OEM002 RunApp Service;c:\windows\system32\OEM02Srv.exe [5/23/2009 4:59 PM 172032]
S3 sndintd;sndintd;\??\c:\windows\system32\sndintd.sys --> c:\windows\system32\sndintd.sys [?]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-OEM02Mon.exe - c:\windows\OEM02Mon.exe
HKLM-Run-Broadcom Wireless Manager UI - c:\windows\system32\WLTRAY.exe
HKLM-Run-SigmatelSysTrayApp - c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
HKU-Default-Run-svc - c:\program files\ThunMail\testabd.exe
HKU-Default-Run-reader_s - c:\documents and settings\sonal\reader_s.exe


.
------- Supplementary Scan -------
.
mStart Page =
.
.
------- File Associations -------
.
scrfile=%1
.

**************************************************************************
scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\stacsv.exe
c:\windows\system32\igfxsrvc.exe
c:\documents and settings\sonal\Start Menu\Programs\Startup\Adobe Online.com
c:\documents and settings\sonal\Start Menu\Programs\Startup\Adobe update.com
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-23  0:10 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-23 18:40

Pre-Run: 49,301,147,648 bytes free
Post-Run: 49,260,720,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

226
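The "Reg Loading Points" section of the ComboFix log above records the settings this infection changed to keep the user blind: every Security Center override and notification-suppression value set to 1, the firewall's EnableFirewall set to 0, DisableTaskMgr and DisableRegistryTools set under the user's Policies\System key, firewall exceptions for d:\Thumbs.com and the Startup-folder "Adobe Online.com", and the scrfile association rewritten to a bare %1 (the Windows XP default is "%1" /S). As an added example (not ComboFix code and not part of any post), the Python script below parses that REGEDIT4-style dump and reports each value that deviates from the clean default. The default values are Windows XP SP2/SP3 settings; the sample dump is an excerpt copied from the log above; the rule for which firewall exceptions count as suspicious (script-style extensions or a Startup-folder path) is this example's own assumption.

```python
"""Audit the "Reg Loading Points" section of a ComboFix log for the settings
malware flips to blind the user: Security Center overrides, a disabled firewall,
Task Manager / regedit lockouts, firewall exceptions for odd binaries and
hijacked file associations.  Added example, not ComboFix code; the expected
values are Windows XP SP2/SP3 defaults and the sample dump is an excerpt copied
from the log above."""
import re

# (lower-case key-path fragment, value name) -> value a clean XP machine holds.
EXPECTED_VALUES = {
    ("security center", "antivirusoverride"): 0,
    ("security center", "antivirusdisablenotify"): 0,
    ("security center", "firewalloverride"): 0,
    ("security center", "firewalldisablenotify"): 0,
    ("security center", "updatesdisablenotify"): 0,
    (r"firewallpolicy\standardprofile", "enablefirewall"): 1,
    (r"policies\system", "disabletaskmgr"): 0,
    (r"policies\system", "disableregistrytools"): 0,
}
# Default shell\open\command for these file classes; anything else routes every
# program launch through an attacker-chosen binary.
EXPECTED_ASSOC = {"exefile": '"%1" %*', "comfile": '"%1" %*', "scrfile": '"%1" /S'}
# Assumption of this example: a firewall exception for one of these, or for
# anything in a Startup folder, is worth a look.
RISKY_EXT = (".com", ".scr", ".pif", ".bat", ".cmd")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]+)|(\d+)\b)?')
ASSOC_RE = re.compile(r"^(\w+file)=(.*)$")


def parse_reg_dump(text):
    """Yield (key, name, value); value is an int, or None for name-only entries
    such as the firewall AuthorizedApplications list."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, dword, dec = m.groups()
            value = int(dword, 16) if dword else (int(dec) if dec else None)
            yield key, name, value


def audit(text):
    """Return a human-readable finding for every value that deviates from the default."""
    findings = []
    for key, name, value in parse_reg_dump(text):
        for (fragment, vname), expected in EXPECTED_VALUES.items():
            if fragment in key and name.lower() == vname and value is not None and value != expected:
                findings.append(f"{name} = {value} under {key} (expected {expected})")
        # Firewall exceptions: REGEDIT4 doubles backslashes, so undo that first.
        if "authorizedapplications" in key and value is None:
            exe = name.replace("\\\\", "\\").lower()
            if exe.endswith(RISKY_EXT) or "\\startup\\" in exe:
                findings.append(f"firewall exception for {exe}")
    for raw in text.splitlines():
        m = ASSOC_RE.match(raw.strip())
        if m and m.group(1) in EXPECTED_ASSOC and m.group(2).strip() != EXPECTED_ASSOC[m.group(1)]:
            findings.append(f"{m.group(1)} association is {m.group(2)!r} "
                            f"(expected {EXPECTED_ASSOC[m.group(1)]!r})")
    return findings


# Excerpt copied from the ComboFix log above.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Thumbs.com"=
"c:\\Documents and Settings\\sonal\\Start Menu\\Programs\\Startup\\Adobe Online.com"=
"c:\\WINDOWS\\system32\\OEM02Srv.exe"=

------- File Associations -------
scrfile=%1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

UacDisableNotify is ignored on purpose: it has no meaning on XP and is only present because the dump tool lists every value under the key. Repairing the values is the easy part; what the audit tells you is that the firewall was off and the alerts were muted for as long as the .com files in the Startup folder were running, which is the window any stored credentials and the D: data should be assumed exposed in.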

guestolo
« Reply #4 on: May 23, 2009, 03:48:02 PM »
Your computer is badly infected. I would have opted for a clean install of XP rather than a reinstall-over-the-top approach.

Just to verify, let's see if we can clear some problems, see what we have left to deal with
If you do have a copy of this next tool, delete it as we need the latest
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Temporarily disable your AntiVirus software so it won't interfere with this scan.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
          This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


Arpan
« Reply #5 on: May 23, 2009, 03:59:48 PM »
I tried removing these creepy viruses for the first time through AVG antivirus, and because of that my imp folders in D: are no more visible, as they were detected as positive. I mean it was really imp data.. Can I get that data back by any chance??

After performing a full system scan through AVG, it asked me to restart the computer, so I did that and now it is not showing desktop icons. I mean the system restarted properly, the XP welcome screen also showed up. As soon as my wallpaper was visible, the system did not practically hang up, but icons are not coming up even if the PC was kept idle for 15-30 min.

Shall I consider the option of installing a fresh copy of Windows one more time? But I am worried I may lose my imp data on D: which went missing only during the AVG system scan. Please show me the way to get my data back......
« Last Edit: May 23, 2009, 04:24:39 PM by Arpan »

guestolo
« Reply #6 on: May 23, 2009, 04:55:01 PM »
I really wish you wouldn't have run AVG for this infection.
What do you mean by Imp data?

Can you bring up the Task Manager?


Arpan
« Reply #7 on: May 23, 2009, 04:59:12 PM »
Quote from guestolo:
    I really wish you wouldn't have run AVG for this infection
    What do you mean by Imp data?

    Can you bring up the Task Manager?

Task Manager, no chance......
I told you, right now I can't even start my PC properly.... it waits idle at the wallpaper level without desktop icons.

By imp data I meant pictures, very precious. Can you get them back for me? Please don't say no... please!!!
« Last Edit: May 23, 2009, 05:01:17 PM by Arpan »

guestolo
« Reply #8 on: May 23, 2009, 05:08:13 PM »
I'm hoping we don't have to say No.

Roll up your sleeves, you have a bit of work to do, but it won't be that bad.
Let me know the following:
Do you have an external thumbdrive, or similar, that you can save your documents to?

Have you ever used a Linux distro to boot to Windows?
I was thinking of Ubuntu, but let me know if you have your own version.
Do you know how to get to your BIOS to change the boot order to start by CD on the infected computer?

You seem to have access to another computer; do you have a blank CD-R that you can burn an image file to?

Let me know the above and we'll take it from there.

Do you have a fast Internet connection?
« Last Edit: May 23, 2009, 05:09:16 PM by guestolo »


Arpan
« Reply #9 on: May 23, 2009, 05:20:50 PM »
Quote from guestolo:
    I'm hoping we don't have to say No

    Roll up your sleeves, you have a bit of work to do, but it won't be that bad

I'm ready to do anything to get those pictures back.

Quote from guestolo:
    Let me know the following
    Do you have an external thumbdrive, or similar, that you can save your documents to?

I have a pen drive to store data. I have DVDs also.


Quote from guestolo:
    Have you ever used a Linux distro to boot to Windows?
    I was thinking of Ubuntu, but let me know if you have your own version
    Do you know how to get to your BIOS to change the boot order to start by CD on the infected computer?

No, I have never used Linux in my entire life, but I do own one copy of Ubuntu Linux. I have never even opened it, but I am ready to try my luck. I know how to change the boot preference in the BIOS.

Quote from guestolo:
    You seem to have access to another computer; do you have a blank CD-R that you can burn an image file to?

    Let me know the above and we'll take it from there

    Do you have a fast Internet connection?

This problem is with my laptop and I am replying to you through my desktop. And I do have an avg ISP connection..
Let's rock n roll....

guestolo
« Reply #10 on: May 23, 2009, 05:32:44 PM »
Well, your copy of Ubuntu might be different than mine.
Since it's the laptop that has the problem, we'll have to stick with the pen drive.

Have you had the pen drive inserted in the desktop already? It could have infected files on it.
Scan it with an updated AntiVirus to be safe.
Then afterwards:
On your laptop, set it to boot from CD first; it may already be set that way.

Put your version of Ubuntu into the CD bay.
Shut down the computer manually.
Insert the pen drive into the infected computer.

Boot up the computer and boot into Ubuntu; depending on version, you should have a default option to run it from CD and not make any changes on the computer.
Get to that part please, then post back.

Edit>> Can you let me know what version of Ubuntu you're running please.
« Last Edit: May 23, 2009, 05:33:32 PM by guestolo »


Arpan
« Reply #11 on: May 23, 2009, 05:44:29 PM »
Quote from guestolo:
    Well, your copy of Ubuntu might be different than mine
    Since it's the Laptop that has the problem, we'll have to stick with the Pendrive

    Have you had the Pendrive inserted to the Desktop already? It could have infected files on it
    Scan it with an updated AntiVirus to be safe
    Then afterwards
    On your laptop, set it to boot from CD first, it may already be set that way

    Put your version of Ubuntu into the CD bay
    Shut down the computer manually
    Insert the Pendrive into the infected computer

    Boot up the computer and boot into Ubuntu, depending on version, you should have a default option
    To run it from CD and don't make any changes on the computer
    Get to that part please, then post back

    Edit>>Can you let me know what version of Ubuntu you're running please

I have the 6.06 LTS version of Ubuntu. The rest I'll do and let you know. Should I just format my pen drive through the desktop and then insert it in the laptop?

guestolo
« Reply #12 on: May 23, 2009, 05:53:22 PM »
Go ahead and format the pen drive. I have never used that version of Ubuntu,
but give it a shot; it should still run on CD and there is no need to install.

Let me know if it gives you the option to make NO changes to the computer.


guestolo
« Reply #13 on: May 23, 2009, 06:01:59 PM »
I have to step out for a bit; I'll be back in a while to see how you're making out.


Offline Arpan
Virus: need help
« Reply #14 on: May 23, 2009, 06:02:34 PM »
[quote name='guestolo' post='462944' date='May 24 2009, 04:23 AM']Go ahead and format the pendrive. I have never used that version of Ubuntu,
but give it a shot; it should still run from CD and there is no need to install.

Let me know if it gives you the option to make NO changes to the computer.[/quote]

I am facing a problem while using Ubuntu from CD. Initially it gave me 4-5 options; I didn't do anything. It automatically started and a shell has opened up now. No graphical interface. Is it fine?

Offline Arpan
Virus: need help
« Reply #15 on: May 23, 2009, 06:17:21 PM »
The exact text of the problem is:


"Failed to start the X server (your graphical interface). It is likely that it is not set up correctly. Would you like to view the X server output to diagnose the problem?"
                yes                  no

Tell me, what should I do?

Offline guestolo
Virus: need help
« Reply #16 on: May 23, 2009, 09:07:09 PM »
Did you notice the following?
Boot up the computer and boot into Ubuntu; depending on version, you should have a default option
to run it from CD and not make any changes on the computer.

Are you running from CD? You aren't trying to install it, are you?

EDIT> Keep in mind, I've never used the version of Ubuntu you have, so I don't know the exact boot options.
At the screen for Alternative Startup modes, I believe you select F4.
Then try selecting safe graphics mode.
Afterwards, try booting to LiveCD.
« Last Edit: May 23, 2009, 09:31:33 PM by guestolo »


Offline Arpan
Virus: need help
« Reply #17 on: May 24, 2009, 03:38:14 AM »
[quote name='guestolo' post='462949' date='May 24 2009, 07:37 AM']Did you notice the following?
Boot up the computer and boot into Ubuntu; depending on version, you should have a default option
to run it from CD and not make any changes on the computer.

Are you running from CD? You aren't trying to install it, are you?

EDIT> Keep in mind, I've never used the version of Ubuntu you have, so I don't know the exact boot options.
At the screen for Alternative Startup modes, I believe you select F4.
Then try selecting safe graphics mode.
Afterwards, try booting to LiveCD.[/quote]

I could start Ubuntu through safe graphics mode, and even the desktop icons showed up. Now what exactly needs to be done to "boot to LiveCD"?

Offline guestolo
Virus: need help
« Reply #18 on: May 24, 2009, 07:35:40 AM »
Sorry, I meant: choose Safe graphics mode; you are just booting with the Live CD.
In my version, you choose safe graphics, then hit Enter to select to continue booting without making changes.

Are you still on the Desktop of Ubuntu?
If you click on Places in the top menu bar, do you see your drives listed?
If you didn't name your volumes, they should be indicated by size.

What exactly is your D: drive? A separate partition?
Did you create this partition?


Offline Arpan
Virus: need help
« Reply #19 on: May 24, 2009, 12:39:44 PM »
[quote name='guestolo' post='462956' date='May 24 2009, 06:05 PM']Sorry, I meant: choose Safe graphics mode; you are just booting with the Live CD.[/quote]
What does booting with the live CD mean?

[quote]In my version, you choose safe graphics, then hit Enter to select to continue booting without making changes.[/quote]
Even I had to do it the same way, but what does booting without changes mean in this reference?

[quote]Are you still on the Desktop of Ubuntu?
If you click on Places in the top menu bar, do you see your drives listed?
If you didn't name your volumes, they should be indicated by size.[/quote]
I do see them, but when I tried opening them, an error came up stating "Unable to mount the selected volume".
There was an option to see more details on that error. It stated:
error: device /dev/sda5 is not removable
error: could not execute pmount

[quote]What exactly is your D: drive? A separate partition?
Did you create this partition?[/quote]
Yes, I created this separate partition long back when I first installed Win XP.
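The mount failure in the reply above is a limitation of pmount, which the LiveCD desktop's Places menu calls: pmount only handles devices it considers removable, so an internal partition such as /dev/sda5 is refused. Running mount directly as root from the LiveCD shell has no such restriction, and for an infected disk you want it mounted read-only with noexec anyway, so that the live session neither alters the volume nor runs anything from it. The script below is an added example, not code from this thread or from Ubuntu. It assumes that /dev/sda5 is the NTFS Windows partition (check with "sudo fdisk -l" first) and that /mnt/win is a free mountpoint; the function names mount_ro_cmd, mount_is_ro and list_startup are the example's own, and the Windows XP "Documents and Settings" Startup path it scans is the standard one.

```shell
#!/bin/sh
# Added example (not from the thread): mount the laptop's Windows partition
# read-only from the Ubuntu LiveCD shell and list its Startup folders.
# The desktop's Places menu goes through pmount, which only handles devices
# it considers removable, hence "device /dev/sda5 is not removable"; plain
# mount run as root has no such restriction.
# Assumptions: the Windows partition is /dev/sda5 and is NTFS (both assumed,
# verify with "sudo fdisk -l"), and /mnt/win is a free mountpoint.
# Usage on the LiveCD:  sudo env WIN_DEV=/dev/sda5 sh mount_ro.sh

# Print the mount command for a device. "ro" prevents any write to the
# volume (no timestamp or NTFS journal updates); noexec/nodev/nosuid make
# sure nothing on the infected volume can be executed, or used as a device
# node, from the live system.
mount_ro_cmd() {
    dev="$1"; mnt="$2"; fstype="${3:-ntfs}"
    printf 'mount -t %s -o ro,noexec,nodev,nosuid %s %s\n' "$fstype" "$dev" "$mnt"
}

# Check a /proc/mounts-style table (field 2 = mountpoint, field 4 = options)
# and return 0 only if MNT is present and its options include "ro". Always
# verify this after mounting: a mount that came up read-write would let the
# live session alter the disk you are trying to examine.
mount_is_ro() {
    mnt="$1"; table="${2:-/proc/mounts}"
    awk -v m="$mnt" '
        $2 == m {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        }
        END { exit (found && ro) ? 0 : 1 }
    ' "$table"
}

# List every file in the Windows XP per-user Startup folders with its
# permissions/size line and MD5. Reading only; nothing on the volume runs.
list_startup() {
    mnt="$1"
    find "$mnt/Documents and Settings" \
         -path '*/Start Menu/Programs/Startup/*' -type f \
         -exec ls -l {} \; -exec md5sum {} \; 2>/dev/null
}

# Only act when a device is named; without WIN_DEV the file just defines
# the functions above.
if [ -n "${WIN_DEV:-}" ]; then
    MNT="${WIN_MNT:-/mnt/win}"
    mkdir -p "$MNT"
    eval "$(mount_ro_cmd "$WIN_DEV" "$MNT")"
    if mount_is_ro "$MNT"; then
        echo "$WIN_DEV mounted read-only at $MNT"
        list_startup "$MNT"
    else
        echo "refusing to continue: $MNT is not mounted read-only" >&2
        exit 1
    fi
fi
```

The read-only check reads /proc/mounts rather than trusting the mount command's exit status, because the kernel can remount a volume in a different mode than requested (for example a dirty NTFS volume) and the options actually in force are what matter before touching the disk. The 6.06 LiveCD's kernel NTFS driver is read-only in any case, but stating ro explicitly keeps the procedure safe on a newer live image where read-write NTFS support is present.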