Extremely annoying virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

thelamecoolguy

Thread Starter
Joined
Sep 16, 2006
Messages
79
I run Windows XP SP2 (WinNT 5.01.2600) on my P4 1.6GHz 128MB RAM (2MB shared with onboard graphics) machine. Recently, my machine has been infected by several worms and viruses (Win32:Dialer-542 [Trj], VBS:Malware [Gen], JS:ClassLoader-7, Win32:Brontok-AA [Wrm], Win32:Sality-O, Win32:Trojan-gen. {Other}, and some more). I used avast! Antivirus v1.7 Home edition (Current version of virus database: 0704-0, 01/08/07) to perform a all-system boot-time system scan. The virus is very annoying. Now that I've deleted all infected files, every time Windows starts, I get a error message that says "C:\WINDOWS\eksplorasi.exe" couldn't start. The virus has also disabled registry editing. The "Folder Options" in Control Panel is also missing (I can't view hidden files now). I have replaced Windows Task Manager with Process Explorer from sysinternals.com. (Before the scan, my computer would automatically shut down after opening "msconfig.exe", "cmd.exe", and some other applications.)

Please help me out.
 

thelamecoolguy

Thread Starter
Joined
Sep 16, 2006
Messages
79
Well I've already scanned my computer using HijackThis before I even posted my thread here. Unfornutaly though, I had fixed several ot the things it had shown. Here's the log file earlier this day...

Logfile of HijackThis v1.99.1
Scan saved at 9:49:27 AM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O3 - Toolbar: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Movies Extractor Scout LITE - {69D44F23-CB51-4C79-A00A-5235837F6644} - C:\Program Files\Movies Extractor\flashextract.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
And here's the log file of now...

Logfile of HijackThis v1.99.1
Scan saved at 9:45:40 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
D:\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{551B1828-649B-403E-B17A-6B68AA5F63A7}: NameServer = 202.70.66.147 202.70.64.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{551B1828-649B-403E-B17A-6B68AA5F63A7}: NameServer = 202.70.66.147 202.70.64.5
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
 
Joined
Feb 15, 2004
Messages
12,302
Are you posting htis log from safe mode as there is virtually nothing in this log!


you don't appear to have a firewall, even if you have a router you still need
a software frewall, downlaod the one from the link below!


Comodo firewall. Sign up it's free!

http://www.personalfirewall.trustix.com/


Threads on comodo!

http://www.wilderssecurity.com/forumdisplay.php?f=31



go to start/run/type msconfig/tick the radial dial selective startup/click
the startup tab/ check all the boxes that are unchecked and click ok and then exit and reboot the computer!


Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php



Download SDFix and save it to your desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log



* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is found,
click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
* Back at the main window, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the files found: IPB Image
* If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
IPB Image
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply together with a new Hijackthislog and the log from SDfix.


Also download anti vir, go to add/remove and uninstall Avast, anti vir has better heuristics and can clean infected files better! Once installed update anti vir and do a full system scan!



Anti-vir

http://www.free-av.com/


After running those scans run these ones!


Download AVG Anti-Spyware

http://www.ewido.net/en/


* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need run AVG and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.



* Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html


* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:





Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.





C:\WINDOWS\eksplorasi.exe



Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.


post another hijack this log, the drweb log, sdfix log,, anti vir and the AVG Anti-Spyware log.
 

thelamecoolguy

Thread Starter
Joined
Sep 16, 2006
Messages
79
Thanks for your help but unfornately I only have dial-up connection. So I couldn't download all the programs you suggested. Is it okay that I use DeleteDoctor (from http://www.diskcleaners.com/) for the purpose? I've also used Spybot - S&D instead of AVG Anti-Spyware.

Are you posting htis log from safe mode as there is virtually nothing in this log!
No, I haven't posted this from Safe Mode.

you don't appear to have a firewall, even if you have a router you still need
a software frewall, downlaod the one from the link below: http://www.personalfirewall.trustix.com/
I've now downloaded Comodo firewall. Thanks.

go to start/run/type msconfig/tick the radial dial selective startup/click
the startup tab/ check all the boxes that are unchecked and click ok and then exit and reboot the computer!
Why would I want to make my slower-than-hell system even slower by allowing all the apps to run on Startup? Please explain.

Download SDFix and save it to your desktop.
Thanks for the suggestion. It helped me solve many problems. Here's the logfile:
SDFix: Version 1.62

Thu 01/25/2007 - 20:05:11.35

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\DOCUME~1\SPANDA~1\LOCALS~1\Temp\setup.exe - Deleted



Alternate Streams Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\Documents and Settings\Spandan da' gr8st\My Documents\Nepalijasoos.com.np_files\Thumbs.db
C:\SwaRnima\SwaRnima .com_files\Picasa.ini
C:\klttd323.dll
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest

C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\6FEF8C78B0.sys
C:\WINDOWS\system32\KGyGaAvL.sys

C:\Documents and Settings\Spandan da' gr8st\Local Settings\Temp\WAS310A.tmp\Thumbs.db
C:\Documents and Settings\Spandan da' gr8st\Local Settings\Temp\WAS6FAC.tmp\Thumbs.db

Finished
Download Dr.Web CureIt to the desktop
It did found some viruses on my system. Though I didn't find the log files made by it. I've saved the drweb-cureit.exe file on E:\Downloads.

Also download anti vir, go to add/remove and uninstall Avast, anti vir has better heuristics and can clean infected files better! Once installed update anti vir and do a full system scan!

Download AVG Anti-Spyware. Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.
Is it a must? Before using avast! to scan my system, I had AVG. Doing a scan on AVG didn't show a single infected file even when I updated it. As for anti-spyware, I like Spybot. A spyware check showed some problems and I've all fixed it. (Again, I couldn't find the logs created by Spybot - S&D)

Finally, here's the lof created by HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 10:26:04 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
D:\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
 
Joined
Feb 15, 2004
Messages
12,302
yes you must run the scnas to make sure you are clean! If you don't have any security programs running in rela time you'll get infected, you should not see your computer slowing down unless you have little RAM. For running Xp you should relaly have 512 RAM!

Install anti vir and run a scan with it as it cna clean infected files, please post all the logs requested or your just wasting our time.


Also please post the logs without putting it into quotes, it makes it harder to read!
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top