Bad Virus...


  • This topic is locked
14 replies to this topic

#1 anirudh215

anirudh215

  • Members
  • 50 posts

Posted 05 March 2007 - 12:29 AM

My name is anirudh and I'm from India. I don't know how I got this thing. I have done what it tells me to do in the forum guidelines, but I think the problem has persisted. Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 10:55:09 AM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\messenger\MsgPlus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\lnwin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\messenger\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - Startup: VonageRestart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with Star Downloader - D:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7294F5-3F64-43B0-86B5-1F6E4091DC2A}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{95973231-F090-460E-B087-63A1AA1C2A39}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2A4713-7955-4F61-9A1B-C0DBF12B6873}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{D99BD224-5962-4703-B2C1-E70391BC7ED9}: NameServer = 198.231.23.102
O18 - Protocol: msnim - 0 - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

What's good and what's not?

PS - I am not good with these computer gizmos... please explain it to me like a 5-year-old. Thank you.


#2 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 05 March 2007 - 10:20 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
From your log it appears that you are missing one important program: an antivirus. This is somewhat suicidal in today's digital world. Without one you are at high risk of reinfection; while I can try to sort your problem out, if you have no protection, the infections will keep resurfacing.
Here are some great free antivirus programs:
Antivir, Avast!, AVG, Bitdefender Free
Install one of these, then run a full scan, letting it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Now, please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Open the extracted SDFix folder and double click runThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Post this in your next reply, along with a new HijackThis log.
Thanks,
Charles

Edited by rookie147, 05 March 2007 - 10:20 AM.

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image


#3 anirudh215

anirudh215
  • Topic Starter

  • Members
  • 50 posts

Posted 05 March 2007 - 10:46 AM

Here's the log of SDFix:

SDFix: Version 1.69

Run by Narayan - Mon 03/05/2007 @ 21:07:25.45

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:





Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\adir.dll - Deleted
C:\WINDOWS\system32\adirss.exe - Deleted
C:\WINDOWS\system32\dd.exe - Deleted
C:\WINDOWS\system32\lnwin.exe - Deleted
C:\WINDOWS\system32\peers.ini - Deleted
C:\WINDOWS\system32\sm.exe - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"E:\\Program Files\\Serv-U\\ServUDaemon.exe"="E:\\Program Files\\Serv-U\\ServUDaemon.exe:*:Enabled:FTP Serv-U Daemon"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"D:\\Program Files\\limewire\\LimeWire.exe"="D:\\Program Files\\limewire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Program Files\\morphues\\Morpheus\\Morpheus.exe"="D:\\Program Files\\morphues\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"D:\\Program Files\\TVU\\TVU Player\\TVUPlayer.exe"="D:\\Program Files\\TVU\\TVU Player\\TVUPlayer.exe:*:Enabled:TVUPlayer"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"E:\\Program Files\\Skype\\Phone\\Skype.exe"="E:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\System32\\dd.exe"="C:\\WINDOWS\\System32\\dd.exe:*:Enabled:enable"
"C:\\WINDOWS\\System32\\sm.exe"="C:\\WINDOWS\\System32\\sm.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\adirss.exe"="C:\\WINDOWS\\system32\\adirss.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\lnwin.exe"="C:\\WINDOWS\\system32\\lnwin.exe:*:Enabled:enable"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"


Remaining Files:
---------------
C:\WINDOWS\system32\rsvp32_2.dll Found - LSP!

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Narayan\Desktop\~WRL4064.tmp
C:\Documents and Settings\Narayan\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\Narayan\Application Data\Microsoft\Word\~WRL2305.tmp
C:\Documents and Settings\Narayan\Application Data\Microsoft\Word\~WRL1830.tmp

Add/Remove Programs List:

Adobe Acrobat 5.0
Adobe Photoshop 7.0
Ares 1.9.9
BitLord 1.1
Carmageddon II Carpocalypse Now (Demo)
DivX 5.0.3 Bundle
HijackThis 1.99.1
iTunes
QuickTime
High Definition Audio Driver Package - KB888111
LimeWire 4.10.9
Mozilla Firefox (1.5.0.4)
Messenger Plus! 3
MSN
Nero OEM
NVIDIA Drivers
Macromedia Flash Player 8
Skype 2.0
Spybot - Search & Destroy 1.4
Star Downloader Free
TVUPlayer 1.5.12
VideoLAN VLC media player 0.8.5
WinRAR archiver
WinZip
Yahoo! Toolbar for Internet Explorer
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Install Manager
Microsoft Office 2000 Premium
J2SE Runtime Environment 5.0 Update 6
SmartCam CIF
iTunes
MSXML 4.0 SP2 Parser and SDK
Macromedia Flash Player 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8 Plugin
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
SmartCamera Ver 2.1
MSN Messenger 7.5
Realtek High Definition Audio Driver

Finished

And here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:19 PM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\messenger\MsgPlus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\messenger\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\Avast!\ashDisp.exe
O4 - Startup: VonageRestart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with Star Downloader - D:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7294F5-3F64-43B0-86B5-1F6E4091DC2A}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{95973231-F090-460E-B087-63A1AA1C2A39}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2A4713-7955-4F61-9A1B-C0DBF12B6873}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{D99BD224-5962-4703-B2C1-E70391BC7ED9}: NameServer = 198.231.23.102
O18 - Protocol: msnim - 0 - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Avast!\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I installed 'Avast!' the anti-virus.

Edited by anirudh215, 05 March 2007 - 11:04 AM.


#4 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 05 March 2007 - 02:29 PM

Hello anirudh,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

You are using peer-to-peer programs.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.
For more information about infections as a result of p2p programs, take a look here: http://p2p.malwareremoval.com/

You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6). Please update and remove the older versions. Do the following:
Go to Start | Control Panel | Add/Remove Programs
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Then download and install the newest version from here:
Java Runtime Environment (JRE) 6

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O18 - Protocol: msnim - 0 - (no file)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\Windows\system32\ALCMTR.EXE
C:\WINDOWS\System32\dd.exe
C:\WINDOWS\System32\sm.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\lnwin.exe

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\dd.exe"=-
"C:\\WINDOWS\\System32\\sm.exe"=-
"C:\\WINDOWS\\system32\\adirss.exe"=-
"C:\\WINDOWS\\system32\\lnwin.exe"=-

Save this as fix.reg Choose to save as *all files and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Let's clean out your temporary internet files:
Close all open windows before we start.
Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Now we'll clean other temporary files and your Recycle Bin:
Go to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Reboot into Normal Mode again.

Please do an online scan with Kaspersky WebScanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on Next
Select a target to scan; click on My Computer
The scan will take a while so be patient and let it run.
Once the scan is complete choose the option to Save as Text
Post these results in your next reply.

Please include the Kaspersky report and a new HijackThis log in your next post.
Thanks,
Charles

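The fix above removes the four firewall exceptions by hand: each `"path"=-` line in a REGEDIT4 file deletes that value when the file is merged. The script below is an added example for this thread, not part of HijackThis, SDFix or the helper's instructions. It parses the `AuthorizedApplications\List` export that SDFix printed, flags exceptions that live directly in `system32` and carry a throwaway description such as `enable` (that heuristic is my assumption, not something SDFix implements), cross-checks the flagged files against the O4 Run entries from the HijackThis log, lists the O17 NameServer addresses for manual comparison with the ISP's resolver, and generates the same kind of fix.reg fragment. The embedded sample lines are copied from the logs posted earlier in this thread.

```python
"""Triage helper for a HijackThis log plus an SDFix firewall-policy export.

Added example for this thread (not HijackThis/SDFix code). The "=-" suffix in
the generated REGEDIT4 text deletes a value when the .reg file is merged.
"""
import re
from typing import Dict, List, Set

# Sample lines copied from the logs posted in this thread (constructed subset).
HJT_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7294F5-3F64-43B0-86B5-1F6E4091DC2A}: NameServer = 198.231.23.102
"""
FIREWALL_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\System32\\dd.exe"="C:\\WINDOWS\\System32\\dd.exe:*:Enabled:enable"
"C:\\WINDOWS\\System32\\sm.exe"="C:\\WINDOWS\\System32\\sm.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\adirss.exe"="C:\\WINDOWS\\system32\\adirss.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\lnwin.exe"="C:\\WINDOWS\\system32\\lnwin.exe:*:Enabled:enable"
'''

FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]*)"$')
O4_LINE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O17_LINE = re.compile(r'NameServer = (?P<ns>[0-9.,]+)\s*$')
SYSTEM32 = re.compile(r'^(?:%windir%|[a-z]:\\windows)\\system32\\[^\\]+$')
GENERIC_DESC = {'', 'enable', 'enabled'}   # heuristic: assumption, not an SDFix rule


def _basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def parse_firewall_export(text: str) -> List[Dict[str, str]]:
    """One dict per authorized-application value, tagged with its registry key."""
    entries, section = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            section = line                      # remember the [HKEY_...] key line
            continue
        m = FW_LINE.match(line)
        if not m:
            continue
        parts = m.group('val').rsplit(':', 3)   # path:scope:state:description
        if len(parts) != 4:
            continue
        entries.append({'section': section, 'key': m.group('key'),
                        'path': parts[0].replace('\\\\', '\\'),   # un-escape .reg backslashes
                        'scope': parts[1], 'state': parts[2], 'desc': parts[3]})
    return entries


def is_suspicious(entry: Dict[str, str]) -> bool:
    """Flag files sitting directly in system32 whose description is a throwaway word."""
    path = entry['path'].lower()
    stem = _basename(path).rsplit('.', 1)[0]
    desc = entry['desc'].lower()
    return bool(SYSTEM32.match(path)) and (desc in GENERIC_DESC or desc == stem)


def parse_o4(text: str) -> Dict[str, str]:
    """Map executable basename -> Run value name for every O4 Run entry."""
    runs = {}
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        cmd = m.group('cmd').strip().strip('"')
        exe = re.match(r'(?i)(.*?\.exe)', cmd)  # first executable in the command line
        runs[_basename(exe.group(1) if exe else cmd)] = m.group('name')
    return runs


def parse_o17(text: str) -> Set[str]:
    """Collect every O17 NameServer address so it can be checked against the ISP's."""
    found: Set[str] = set()
    for line in text.splitlines():
        m = O17_LINE.search(line)
        if m:
            found.update(m.group('ns').split(','))
    return found


def build_fix_reg(entries: List[Dict[str, str]]) -> str:
    """REGEDIT4 fragment that deletes each entry's value ('=-' means delete)."""
    out = ['REGEDIT4', '']
    for section in sorted({e['section'] for e in entries}):
        out.append(section)
        out.extend('"%s"=-' % e['key'] for e in entries if e['section'] == section)
        out.append('')
    return '\r\n'.join(out)


def triage(hjt_log: str, fw_export: str) -> Dict[str, object]:
    flagged = [e for e in parse_firewall_export(fw_export) if is_suspicious(e)]
    autorun = parse_o4(hjt_log)
    names = [_basename(e['path']) for e in flagged]
    return {'flagged': names,
            'also_autorun': sorted(b for b in names if b in autorun),
            'nameservers': parse_o17(hjt_log),
            'reg': build_fix_reg(flagged)}


if __name__ == '__main__':
    result = triage(HJT_LOG, FIREWALL_EXPORT)
    print('firewall exceptions to review:', result['flagged'])
    print('also persisted via a Run key:', result['also_autorun'])
    print('nameservers to verify with the ISP:', sorted(result['nameservers']))
    print(result['reg'])
```

On the logs in this thread the script flags dd.exe, sm.exe, adirss.exe and lnwin.exe, reports that the last two also had Run entries, and emits exactly the four `=-` lines the helper wrote by hand. It only lists the O17 resolver: nothing on this page establishes whether 198.231.23.102 is the ISP's DNS server, so that is a check to do by hand. It also does nothing about the `rsvp32_2.dll Found - LSP!` line in the SDFix report, which is a separate finding.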


#5 anirudh215

anirudh215
  • Topic Starter

  • Members
  • 50 posts

Posted 07 March 2007 - 10:15 AM

No, I am sure it is not from the p2p programs. I believe a member called 'samfwz' had a similar problem to mine, as we both caught the same virus. I have done everything you told me except for the Kaspersky check, which I shall do tomorrow morning (I am 12 hours ahead of you). I shall tell you the results then.

#6 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 08 March 2007 - 02:32 AM

I look forward to your reply :thumbsup:



#7 anirudh215

anirudh215
  • Topic Starter

  • Members
  • 50 posts

Posted 10 March 2007 - 10:23 AM

Sorry rookie147,
I just haven't had the time to post. I shall give you the virus report tomorrow morning.

#8 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 10 March 2007 - 02:06 PM

Take your time, I'm not going anywhere :thumbsup:



#9 anirudh215

anirudh215
  • Topic Starter

  • Members
  • 50 posts

Posted 13 March 2007 - 09:33 PM

I give up. I can't understand Kaspersky. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:01:09 AM, on 3/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Avast!\aswUpdSv.exe
D:\Program Files\messenger\MsgPlus.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\Avast!\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\Avast!\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Avast!\ashMaiSv.exe
C:\WINDOWS\system32\WgaTray.exe
D:\Program Files\Avast!\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchkindly.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\messenger\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Startup: VonageRestart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with Star Downloader - D:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7294F5-3F64-43B0-86B5-1F6E4091DC2A}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{95973231-F090-460E-B087-63A1AA1C2A39}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2A4713-7955-4F61-9A1B-C0DBF12B6873}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{D99BD224-5962-4703-B2C1-E70391BC7ED9}: NameServer = 198.231.23.102
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Avast!\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Sorry for the delay. I had my exams going on.

#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:04:50 AM

Posted 14 March 2007 - 02:38 AM

What do you not understand about Kaspersky? Would you like me to go into more detail on how to scan with it?
If you want, we can run another online scan instead: Panda's ActiveScan.
Once you are on the Panda site, click the Scan your PC button.
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When the download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Edited by rookie147, 14 March 2007 - 02:39 AM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 anirudh215

anirudh215
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:50 PM

Posted 14 March 2007 - 09:35 PM

Avast! detected Panda as 'malware'. But somehow Kaspersky worked today. Here are the results (I scanned my C:\ and D:\ drives separately):

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 15, 2007 7:38:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/03/2007
Kaspersky Anti-Virus database records: 265844
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 26063
Number of viruses found: 7
Number of infected objects: 71 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:18:43

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\rsvp32_2.dll435 Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\WINDOWS\system32\rsvp32_2.dll534g Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\WINDOWS\system32\rsvp32_2.dll Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\WINDOWS\system32\msi.exe Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_678.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\pp.exe Infected: Email-Worm.Win32.Zhelatin.ax skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IA23ME6G\sm[1].exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IA23ME6G\msi[1].exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IA23ME6G\pp[2].exe Infected: Email-Worm.Win32.Zhelatin.ax skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IA23ME6G\msi[2].exe Infected: Email-Worm.Win32.Zhelatin.ay skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IA23ME6G\pp[1].exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IA23ME6G\msi[4].exe Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IA23ME6G\msi[3].exe Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NWE6Z53S\dd[1].exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NWE6Z53S\msi[1].exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NWE6Z53S\sm[1].exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NWE6Z53S\msi[2].exe Infected: Email-Worm.Win32.Zhelatin.aw skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2Q51WNCE\dd[1].exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2Q51WNCE\msi[1].exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2Q51WNCE\msi[2].exe Infected: Email-Worm.Win32.Zhelatin.aw skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Narayan\ntuser.dat Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Temp\~DF79B.tmp Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Temp\~DF4F4B.tmp Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Temp\Acr2D7.tmp Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Temp\Acr316.tmp Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Temp\Acr490.tmp Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\History\History.IE5\MSHist012007031520070316\index.dat Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Narayan\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/11 Sep 2006 02:02 to kngsw@md4.vsnl.net.in:Mail server report./Update-KB9406-x86.exe Infected: Email-Worm.Win32.Warezov.u skipped
C:\Documents and Settings\Narayan\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/11 Sep 2006 02:27 to kngsw@md4.vsnl.net.in:Server Report/doc.txt.cmd Infected: Email-Worm.Win32.Warezov.u skipped
C:\Documents and Settings\Narayan\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\Narayan\Local Settings\Application Data\Mozilla\Firefox\Profiles\40d3rwub.default\Cache\DDA5EA06d01 Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\Documents and Settings\Narayan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Narayan\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP284\A0033748.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP284\A0033749.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP284\A0033769.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP284\A0033770.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033787.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033793.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033794.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033799.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033804.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033812.EXE Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033819.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033820.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033822.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033823.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033824.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP285\A0033825.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP286\A0033866.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP286\A0033867.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP286\A0033877.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP286\A0033882.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP286\A0035871.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP286\A0035872.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP286\A0035880.exe Infected: Email-Worm.Win32.Zhelatin.aw skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP286\A0035881.exe Infected: Email-Worm.Win32.Zhelatin.aw skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP287\A0035892.exe Infected: Email-Worm.Win32.Zhelatin.aw skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP287\A0035911.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP287\A0035916.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP287\A0035923.exe Infected: Email-Worm.Win32.Zhelatin.aw skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP287\A0035924.exe Infected: Email-Worm.Win32.Zhelatin.aw skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP289\A0035966.exe Infected: Email-Worm.Win32.Zhelatin.ax skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP289\A0035967.exe Infected: Email-Worm.Win32.Zhelatin.ax skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP289\A0035988.exe Infected: Email-Worm.Win32.Zhelatin.ay skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP289\A0035989.exe Infected: Email-Worm.Win32.Zhelatin.ay skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP290\A0035992.exe Infected: Email-Worm.Win32.Zhelatin.ay skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP290\A0037000.exe Infected: Email-Worm.Win32.Zhelatin.ay skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP290\A0038014.exe Infected: Email-Worm.Win32.Zhelatin.al skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP290\A0038015.exe Infected: Email-Worm.Win32.Zhelatin.ay skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP291\A0038071.EXE Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP291\A0038072.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP291\A0038073.EXE Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP291\A0038075.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP291\A0038076.SYS Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP299\change.log Object is locked skipped
C:\SDFix\backups\backups.zip/backups/adirss.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\SDFix\backups\backups.zip/backups/dd.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\SDFix\backups\backups.zip/backups/lnwin.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\SDFix\backups\backups.zip/backups/sm.exe Infected: Email-Worm.Win32.Zhelatin.as skipped
C:\SDFix\backups\backups.zip/backups/wincom32.sys Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\SDFix\backups\backups.zip ZIP: infected - 5 skipped

Scan process completed.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 15, 2007 8:01:39 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/03/2007
Kaspersky Anti-Virus database records: 265844
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
D:\

Scan Statistics:
Total number of scanned objects: 23425
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:21:13

Infected Object Name / Virus Name / Last Action
D:\Program Files\Avast!\DATA\aswResp.dat Object is locked skipped
D:\Program Files\Avast!\DATA\Avast4.db Object is locked skipped
D:\Program Files\Avast!\DATA\integ\avast.int Object is locked skipped
D:\Program Files\Avast!\DATA\log\AshWebSv.ws Object is locked skipped
D:\Program Files\Avast!\DATA\log\aswMaiSv.log Object is locked skipped
D:\Program Files\Avast!\DATA\log\nshield.log Object is locked skipped
D:\Program Files\Avast!\DATA\report\Resident protection.txt Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{40344A84-2207-4841-9FEC-71A08D8F6D21}\RP299\change.log Object is locked skipped

Scan process completed.

And HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:04:37 AM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avast!\aswUpdSv.exe
D:\Program Files\Avast!\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Avast!\ashMaiSv.exe
D:\Program Files\Avast!\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\messenger\MsgPlus.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\Avast!\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchkindly.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\messenger\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: VonageRestart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download with Star Downloader - D:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C7294F5-3F64-43B0-86B5-1F6E4091DC2A}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{95973231-F090-460E-B087-63A1AA1C2A39}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2A4713-7955-4F61-9A1B-C0DBF12B6873}: NameServer = 198.231.23.102
O17 - HKLM\System\CCS\Services\Tcpip\..\{D99BD224-5962-4703-B2C1-E70391BC7ED9}: NameServer = 198.231.23.102
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Avast!\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Now Kaspersky detected a virus or something on my computer. What's this all about? I couldn't even delete them.

Edited by anirudh215, 14 March 2007 - 09:40 PM.


#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:04:50 AM

Posted 15 March 2007 - 12:19 PM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

It looks to me like we were right that you have a lot of infected emails, and this could have been where your infection came from in the first place. Therefore, I would recommend you go through all your emails and delete any unknown ones, or any whose sender you don't trust 100%.

Please download ATF Cleaner.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All.
Click the Empty Selected button.

If you use the Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use the Opera browser
Click Opera at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Next, please find and delete the following files (if present):

C:\WINDOWS\system32\rsvp32_2.dll435
C:\WINDOWS\system32\rsvp32_2.dll534g
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\msi.exe
C:\WINDOWS\pp.exe

And delete the following folder:

C:\SDFix

Reboot into Normal Mode again.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start | All Programs | Accessories | System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Let me know in your next post how things seem to be running now.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
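A report-only check for the steps above, added here as an example and not part of the helper's instructions: it reports whether the files and folder named in the post are present (with size, timestamp and SHA-256 so they can be documented before removal) and lists the existing System Restore points so the purge and the new clean point can be confirmed. It assumes Windows PowerShell 4.0 or later in an elevated session, and it deletes nothing.

```powershell
# Added example (not the helper's own instructions): report-only check for the files
# named in the post and for the state of System Restore. Assumes Windows PowerShell 4.0
# or later running elevated; nothing is deleted by this script.

$SuspectFiles = @(
    'C:\WINDOWS\system32\rsvp32_2.dll435',
    'C:\WINDOWS\system32\rsvp32_2.dll534g',
    'C:\WINDOWS\system32\rsvp32_2.dll',
    'C:\WINDOWS\system32\msi.exe',
    'C:\WINDOWS\pp.exe'
)
$SuspectFolder = 'C:\SDFix'

Write-Host "== Files named in the cleanup instructions =="
foreach ($path in $SuspectFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # -Force so a hidden or system-attribute file is still returned.
        $item = Get-Item -LiteralPath $path -Force
        # Record size, timestamp and SHA-256 so the file is documented before removal.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Host ("PRESENT  {0}  {1} bytes  modified {2}  sha256={3}" -f
            $path, $item.Length, $item.LastWriteTime, $hash)
    } else {
        Write-Host "absent   $path"
    }
}

if (Test-Path -LiteralPath $SuspectFolder -PathType Container) {
    Write-Host "PRESENT  $SuspectFolder (folder; the post asks for it to be deleted)"
} else {
    Write-Host "absent   $SuspectFolder"
}

Write-Host "`n== Existing System Restore points =="
# Get-ComputerRestorePoint is available on Windows client editions. After the old
# points are purged and a new one created, only the new point should be listed.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if ($points) {
    $points | Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
} else {
    Write-Host "No restore points found (System Restore may be turned off)."
}
```

Run it once before the Safe Mode cleanup and once after the new restore point is created; the second run should show every path as absent and a single restore point.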


#13 anirudh215


Posted 17 March 2007 - 12:19 AM

Superb! Things are working great now except for the slow startup due to 'Avast!' I think. Thank you.

Anirudh

#14 rookie147


Posted 17 March 2007 - 03:25 AM

Hello again, great job!
There are a few steps I want you to complete to try and resolve the slow down on your computer.
A whole host of reasons might account for this slow down, but I will highlight the most prominent ones below.
On most computers malware is the most common cause, but at the moment I do not think this is the case.
You might like to limit the programs that are loading when your computer starts; you might have unnecessary software loading when you boot your computer which is eating away at your CPU and ultimately slowing down your computer. Many programs install a quick launch feature which is not needed; if you want to use the program you can start it up manually. The easiest way to see whether a program is needed at startup is to use BleepingComputer's own list, which gives an indication of whether the program is required, optional, etc. Note that essential processes such as those for your anti-virus or your modem must be kept.
So, firstly click on start, then run and type msconfig. Then hit enter.
Click on the startup tab and a list of programs will appear.
You can compare the startup name with those on the startup list. The link is below:
www.bleepingcomputer.com/startups

To stop a program loading at boot, just remove the tick.
Click "OK", and choose to restart.

You might like to try and clear clutter off your computer, and free up some space on your hard drive.
Old games, unwanted photos and unused programs could be a starting point.
You can also clear clutter such as temporary files by doing the following:
Go to Start | Run.
Type the following in the box --> cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Next you can defragment your hard drive... when was the last time you did this?
Windows puts new files in any available open space and defragging will cluster files closer together making your hard drive more efficient.
This saves wear and tear while speeding up programs.
1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.
5. This process takes quite a long time, so be patient.

You might also like to read the following tutorial as additional information to the above:
These self-help instructions can be found here.

Also try running the Windows repair facility:
Go to Start | Run and type in "sfc.exe /scannow" (without the quotes) and press Enter. It may ask for your XP Installation CD. Once it's done, please visit Windows Update to ensure that you've got the latest hotfixes and updates (sfc.exe replaces system files when it runs).

Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
AVG AntiSpyware
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
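The startup review described in the post above, as an added example that is not the helper's own material: it lists the same autostart entries the msconfig Startup tab draws from (the Run/RunOnce registry keys and the two Startup folders) and marks whether each entry's executable still exists on disk, so every name can be looked up in the BleepingComputer startup list before it is unticked. It assumes Windows PowerShell 3.0 or later and only reads; it changes nothing.

```powershell
# Added example (not the helper's own instructions): enumerate the autostart entries
# shown on msconfig's Startup tab. Assumes Windows PowerShell 3.0 or later; read-only.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# The per-user and all-users Startup folders are the other source msconfig reads.
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$entries = @(foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's metadata
        # Pull the executable out of the command line: quoted path or first token.
        $cmd = [string]$p.Value
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        [pscustomobject]@{
            Source  = $key -replace '^(HK..):.*\\', '$1\'   # e.g. HKLM\Run
            Name    = $p.Name
            Command = $cmd
            OnDisk  = Test-Path -LiteralPath $exe -PathType Leaf
        }
    }
})
$entries += @(foreach ($folder in $StartupFolders) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name
                               Command = $_.FullName; OnDisk = $true }
        }
})

# An entry whose executable is gone (OnDisk = False) is a leftover from removed
# software or a cleaned infection and does nothing useful at boot.
$entries | Sort-Object Source, Name | Format-Table -AutoSize
```

Compare the Name column against www.bleepingcomputer.com/startups before unticking anything in msconfig; keep the anti-virus and modem entries the post says are essential.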


#15 rookie147


Posted 23 March 2007 - 01:28 PM

Since this issue appears resolved, this topic is now closed.

If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter.

Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation.