Free Malware Removal Forum

[NonSuch]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:52 AM, on 7/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\TEMP\tor2.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Upasana\reader_s.exe
C:\WINDOWS\system32\C.tmp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 hxxp://www.advanced-virus-remover2009.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: MJCore - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Jcore\Jcore2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Upasana\LOCALS~1\Temp\Temporary Directory 10 for RRT.zip\RRT.exe auto
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Upasana\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Upasana\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Upasana\reader_s.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4652C345-128D-4205-87C2-2770A02D503D}: NameServer = 202.56.215.54,202.56.215.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{4652C345-128D-4205-87C2-2770A02D503D}: NameServer = 202.56.215.54,202.56.215.55
O17 - HKLM\System\CS2\Services\Tcpip\..\{4652C345-128D-4205-87C2-2770A02D503D}: NameServer = 202.56.215.54,202.56.215.55
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe

--
End of file - 3678 bytes

[MWR 3 day Mod]

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

[Dakeyras]

Hi,

I have bad news I'm afraid

One or more of the identified infections is a severe Polymorphic File Infector

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Unfortunately no attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and only course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

Virut and other Other File Infectors

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Next:

I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc..
Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Should you have any questions, please feel free to ask.

[upasanaa]

Thanks for the advise..
Now I have formatted my pc.. but only c drive as i have a lot of data in my d drive. i formatted it earlier also coz this virus has been affecting me for long.. but then i did a mistake that i forgot to immediately install an anti virus and connected to internet first so then afterward no anti virus was able to run..
but at that time 4 of the folder in my d drive got encrypted i cant copy cut or paste or even view the content from that folder.
I was planning to write a dvd to take a backup of my data in d drive as the data is approx 5 gb.

after the current formatting i immediately installed norton anti virus 2005 it detected and repaired virus named " win32.sality.pe" in few folders in my d drive.

i had already changed my passwords of mails i generally open : gmail and yahoo .. from some other pc.. adn after that only i formatted my pc and logged in those accounts only after formatting and full system scanning..


i deleted the files also from the folder in d drive where virus was but the empty folder in not getting deleted..

so .. whats the next step?

thanks..

[Dakeyras]

Hi

Thanks for the advise

Your welcome!

Is your D drive a extra internal/external Hard-Drive and or a partition?

What you have described found may pose a problem and we may have to consider another complete format. As win32.sality.pe is another file infector variation.

OK as I do not know at this stage what your D drive actually is, if it is external please attach it to your system.

Run Kaspersky Online AV Scanner:

Go to this Kaspersky website and perform an online antivirus scan.

Note: Use Internet Explorer for this scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

This online tuturial will help explain how to use the aforementioned online scan.

When completed the above, please post back the following:

• How is you computer performing now? Any problems encountered and or any further symptoms?
• Kaspersky report.

[upasanaa]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 24, 2009 15:59:03
Records in database: 2526216
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 25666
Threat name: 3
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 00:38:15


File name / Threat name / Threats count
C:\Program Files\Norton AntiVirus\Quarantine\5EC91BD0.exe Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\626F03CD.EXE Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\62CD4564.EXE Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\63083924.EXE Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\63432CE3.EXE Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\67B01604.EXE Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\67DB37D5.EXE Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\680559A7.EXE Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\6829277F.EXE Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\6857734D.exe Infected: Virus.Win32.Sality.aa 1
C:\Program Files\Norton AntiVirus\Quarantine\68FA2699.exe Infected: Virus.Win32.Sality.aa 1
D:\My Documents\Chirag Arora\My Documents\Chetan\xvi32\XVI32.exe Infected: Virus.Win32.Virut.ce 1
D:\My Documents\FromK\Ashirvad24thMay\family 001.INF Infected: Worm.Win32.Small.i 1

The selected area was scanned.

[Dakeyras]

Hi

Bad news again I'm afraid, the D drive is infected with Virut also.

I am sorry to have to inform your good self, but you will need to format this drive along with the main C Drive again, as otherwise the chance of this infection either already being in-place and as yet undetected and or crossing over is to high a risk not too perform what I have advised.

The below is what I advise you consider installing after carrying out my advice.

Reformat and Reinstallation Advice:

• Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  Here are some free Anti Virus programs which I recommend to use:
  
  • Antivir PersonalEditionClassic
    
    • Free anti-virus software for Windows.
    • Detects and removes more than 50,000 viruses. Free support.
  • avast! 4 Home Edition
    
    • Anti-virus program for Windows.
      
    • The home edition is freeware for noncommercial users.
  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
    Here are some free Firewalls which I recommend to use:
    (Use only one, and disable your Windows Firewall)
    
    • Sunbelt Kerio
    • Outpost
    • Jetico Personal Firewall
  Note: Only ever have installed/use one Anti-Virus application and Software Firewall. Otherwise a system conflict will occur and this also lessens overall online protection!
• Keep your system updated-Microsoft releases patches for Windows and other products regularly:
  
  • I advise you visit: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
  • Install the Active X
  • Once installed it will advise set Auto-Updates if not set and you then you will be able to manually check for updates also via:
  • Start >> All Programs >> Microsoft Updates
• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
• Malwarebytes' Anti-Malware - Download it from here
  The tutorial on how to use MBAM is located here
• Install WinPatrol - Download it from here
  You can find information about how WinPatrol works here
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  Download it from here
  The tutorial on how to use Spyware Blaster is located here
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for your computer becoming infected again will reduce dramatically. Any questions feel free to ask OK!

[upasanaa]

Thank for the advice...

I have formatted whole pc now..
have installed avast anti virus and jetico firewall.
have also installed spyware blaster,winpatrol and maywarebytes too..
have run scanning also and it didn't show any threat.
but there is one problem..
right now i have put allow all status for jetico as i dont know what to block..

so whats next...???

[Dakeyras]

Hi

Sorry for the delay replying, had a hectic day.

but there is one problem..
right now i have put allow all status for jetico as i dont know what to block..

I suggest you put the firewall into Learning Mode

How to is explained here or you can download the help file here

Make sure you do visit Microsoft updates and install any relevant security updates, service packs etc.

Otherwise you should be good to go

Any further Jetico related questions feel free to ask, if not stay safe!

[upasanaa]

Hey thanks for the advice.
I tried running the firewall on learning mode but other than allow all my internet stops working in rest of the policies ..
one more thing.. there are many programs that are windows programs or anti virus program or winpatrol programs .. firewall keeps popping up to ask if those should be allowed or not.. how can i be aware of i should allow them permanently or once.. or so... ??

[Dakeyras]

Hi

The applications you mentioned are safe to allow access online permanently. For example your Anti-Virus will periodically check for updates if a internet connection is active.

Rule of thumb if is is a application you do not recorgnise and or installed yourself do not allow it access. If it is a windows based process read up on the Jetico warning and this should help determine if it is a legal process or not.

The only other suggestion I have is try one of the other firewalls I posted about until you find one that suits etc.

[upasanaa]

Hi,
Thanks for the advice.. sorry for late reply.. i wasn't well.. so couldn't use comp for 1-2 days..
anyways..
i have unsinstalled jetico and now have installed outpost.
I have put it on rules wizard policy,self protection mode..
it has automatically included in exculsion for 3 files of avast named :
ashmaisv.exe
ashserv.exe
ashwebsv.exe

is it fine like this?

any changes that should be made in outpost settings??

[Dakeyras]

Hi

Thanks for the advice.. sorry for late reply.. i wasn't well.. so couldn't use comp for 1-2 days..
anyways..

Not a problem and you're welcome!

I have put it on rules wizard policy,self protection mode..
it has automatically included in exculsion for 3 files of avast named :
ashmaisv.exe
ashserv.exe
ashwebsv.exe

is it fine like this?

The overall setting is fine but I would remove those three Avast AV related files from the exclusion as otherwise any automatic updates will not be downloaded plus part of the overall protection will be rendered inert.

This will help explain about Using the Rules Wizard and the support forum for the firewall is here if ever the need in the future.

Otherwise you should be good to go

[upasanaa]

Thanks for the response.. ... i have removed the files from exculsion...

one more thing i wanted to ask.. i saved some of my data in few cds before formatting the pc.. idid not save any html or rar or zip file. .. is it fine if i restore those files in my pc??
i have not started saving or storing any data right now.. for that matter i have not even installed drivers and ms office till now.. as i am not aware of drivers which drivers are safe to install?? as i searched on google that many of the viruses come through drivers only...

Thanks.

[Dakeyras]

Hi

Thanks for the response.. ... i have removed the files from exculsion...

You're welcome!

one more thing i wanted to ask.. i saved some of my data in few cds before formatting the pc.. idid not save any html or rar or zip file. .. is it fine if i restore those files in my pc??

Aye fine to do so now

for that matter i have not even installed drivers and ms office till now.. as i am not aware of drivers which drivers are safe to install?? as i searched on google that many of the viruses come through drivers only...

What ever is on the installation CD-ROM(s) for the aforementioned is fine to use and if any updates required for MS Office, you will be able to retrieve them via Microsoft Update.

Apart from that if further issues regarding the aforementioned software not really my forte I'm afraid as primarily both myself and this forum only provide Anti-Malware support.

If you wish to seek further advice about software such as MS Office my best advice would be to create a account at one of the following forums and post in the appropriate section.

I am a member of both of the below myself and they have outstanding IT Tech Support Staff:

Specific Software/Hardware Support:

• PC Pitstop
• What the Tech