PDA

View Full Version : Possible Malware Attack..Please Help!!



davikut
2009-12-14, 17:37
Hi i'm a newbie.I have Windows XP Professional SP3.My laptop is infected and I think the source is a pen drive which was not scanned properly.
I'm neither able to access the Task Manager nor the registry editor.It says that they have been disabled by the administrator,though I'm the administrator.Many of the applications which I installed before the attack, like G-Talk,Far Cry,Total Video Convertor do not work now.I could not find the application (.exe)files in the respective folders where i had installed it.
I installed NFS Shift Demo after the attack.It does open but instead of starting the race,the computer restarts itself.The game resides in the E: Drive which is not my primary partition.
But my Media players,MS Office and browsers work properly(fortunately).
I tried scanning with Windows Defender and Avast antivirus.They found infections and I could not remove them(though I was surprised to find that progman.exe was tagged as an infection).
Also I was not able to start the computer in Safe mode as it restarted every time I tried to do so.But the Ubuntu Linux in the same laptop does work fine.
This is my HijackThis log file.Any help is greatly appreciated.Thanks in advance...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:47 PM, on 12/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Huawei\MT841\dslagent.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Blade81
2009-12-18, 16:28
I tried scanning with Windows Defender and Avast antivirus.They found infections and I could not remove them(though I was surprised to find that progman.exe was tagged as an infection).
Hi,

Do you have scan results of either program? What infections were found?

davikut
2009-12-19, 17:07
Hi,thanks for the reply.I did a scan with Windows Defender but it did not report any attacks this time.I think I removed it last time when I scanned.Avast got stuck up in the middle while scanning.:spider:

davikut
2009-12-19, 17:30
I also noted that two folders namely 'RECYCLER' and 'System Volume Information' reappears even though I delete them.These two folders are in all my Hard Disk Partitions.
I first noted these folders in my cell phone which is a Linux-based phone and I think they migrated from my cell.Both these folders contain files and some of them are .dll files.

Blade81
2009-12-19, 17:30
Hi,

Let's run an online scanner.

* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Tick the box next to YES, I accept the Terms of Use.
Click Start
Make sure that the option Remove found threats is not checked.
Click Scan
Wait for the scan to finish
Copy and paste the report as a reply to this topic

davikut
2009-12-22, 04:32
Hi,sorry for the delay.Here's the scan result you had asked for.By the way,I updated Windows before the online scan.

C:\Documents and Settings\All Users\Documents\wyknco.exe Win32/Packed.Autoit.Gen application
C:\WINDOWS\Debug\k,.exe a variant of Win32/Virut.NBK virus
C:\WINDOWS\Debug\winllg.exe Win32/Sality.NAU virus
C:\WINDOWS\Debug\winlng.exe Win32/Sality.NAU virus
D:\Naruto\autorun.inf Win32/AutoRun.Agent.PF worm

Blade81
2009-12-22, 10:48
Delete those five found items.

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

davikut
2009-12-22, 12:07
Hi, I deleted wyknco.exe.. But I couldn't find the other four.They were not hidden either,I checked it.Here are the logs you had asked for.

DDS.txt


DDS (Ver_09-12-01.01) - NTFSx86
Run by ADMIN at 15:26:02.21 on Wed 12/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1533 [GMT 5.5:30]

AV: avast! antivirus 4.8.1356 [VPS 091222-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lenovo\ATK Hotkey\GFNEXSrv.exe
C:\Program Files\Lenovo\ATK Hotkey\LFKAS.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Huawei\MT841\dslagent.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webshots\Webshots.scr
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\ADMIN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32*\smss.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\rpbrowserrecordplugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sumanya] c:\windows\debug\winllg.exe
uRun: [Google Update] "c:\documents and settings\admin\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [DSLAGENTEXE] c:\program files\huawei\mt841\dslagent.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Sumanya] c:\windows\debug\winlng.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245148268265
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245221188109
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {6B5B4B3D-DC5A-45C9-A01F-0666C367EF2C} = 218.248.240.208 61.1.96.69
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Authentication Packages = msv1_0 nwv1_0 nwprovau
LSA: Notification Packages = scecli ACGina
mASetup: {23KLN5J0-4OPM-11WE-AAX5-24EF1F387232} - c:\recycler\k-1-3542-4232123213-7676767-8888886\hn.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\8u5rik1g.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\real\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\netscape6\nprpjplug.dll
FF - plugin: c:\program files\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-17 114768]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-17 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-17 138680]
R2 LFKAS;Service of LFKA;c:\program files\lenovo\atk hotkey\LFKAS.exe [2009-6-16 208896]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-6-18 53248]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-4-29 108032]
S3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\ilmsmm.sys --> c:\windows\system32\drivers\ilmsmm.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-17 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-17 352920]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys --> c:\windows\system32\drivers\cdaudio.sys [?]
S3 PAC207;zebronics webcamera model zeb-100k;c:\windows\system32\drivers\pfc027.sys [2005-5-27 162304]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]

=============== Created Last 30 ================

2009-12-23 01:46:44 0 d-----w- c:\program files\ESET
2009-12-23 01:38:56 1435 ----a-w- c:\windows\system32\MRT.INI
2009-12-23 01:28:12 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-23 01:27:55 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-23 01:27:55 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-23 01:27:55 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-23 01:27:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-23 01:27:54 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-23 01:27:52 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-23 01:22:18 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-23 01:20:38 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-23 01:17:30 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-21 07:08:31 0 d-----w- c:\docume~1\admin\applic~1\Sahmon Games
2009-12-21 07:07:45 0 d-----w- c:\program files\Voyage Puzzle
2009-12-20 16:23:54 230432 ----a-w- C:\StiImg.dat
2009-12-20 15:19:58 53248 ----a-w- c:\windows\system32\PAStiSvc.exe
2009-12-20 15:19:49 91136 -c--a-w- c:\windows\system32\dllcache\kswdmcap.ax
2009-12-20 15:19:49 91136 ----a-w- c:\windows\system32\kswdmcap.ax
2009-12-20 15:19:49 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-12-20 15:19:49 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-12-20 15:19:49 43008 -c--a-w- c:\windows\system32\dllcache\ksxbar.ax
2009-12-20 15:19:49 43008 ----a-w- c:\windows\system32\ksxbar.ax
2009-12-20 15:19:48 61952 -c--a-w- c:\windows\system32\dllcache\kstvtune.ax
2009-12-20 15:19:48 61952 ----a-w- c:\windows\system32\kstvtune.ax
2009-12-20 15:17:56 0 d-----w- c:\windows\PixArt
2009-12-20 15:17:56 0 d-----w- c:\program files\zebronics webcamera model zeb-100k
2009-12-20 15:17:56 0 d-----w- c:\program files\common files\PCCamera
2009-11-24 01:28:33 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-24 01:18:55 0 d-----w- c:\program files\bfgclient
2009-11-24 01:13:08 0 d-----w- c:\docume~1\alluse~1\applic~1\BigFishGamesCache
2009-11-24 01:11:48 207880 ----a-w- c:\program files\righteous-kill-2_s1_l1_gF5041T1L1_d701615298.exe

==================== Find3M ====================

2009-11-13 12:07:57 389120 ----a-w- c:\windows\system32\cmd.exe
2009-11-12 05:04:26 33280 ----a-w- c:\windows\system32\rundll32.exe
2009-11-11 15:31:56 26112 ----a-w- c:\windows\system32\userinit.exe
2009-11-08 12:23:07 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 15:26:25.50 ===============

[B]Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/16/2009 5:19:36 PM
System Uptime: 12/23/2009 3:07:58 PM (0 hours ago)

Motherboard: LENOVO | | 2743A61
Processor: Intel(R) Core(TM)2 Duo CPU T5870 @ 2.00GHz | Socket 478 | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 58 GiB total, 38.327 GiB free.
D: is FIXED (NTFS) - 58 GiB total, 31.606 GiB free.
E: is FIXED (NTFS) - 59 GiB total, 49.53 GiB free.
F: is CDROM ()
G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 12/13/2009 5:31:45 PM - System Checkpoint
RP2: 12/16/2009 7:43:55 PM - Software Distribution Service 3.0
RP3: 12/18/2009 8:21:08 PM - Software Distribution Service 3.0
RP4: 12/20/2009 8:47:37 PM - Installed zebronics webcamera model zeb-100k
RP5: 12/20/2009 8:49:47 PM - Unsigned driver install
RP6: 12/23/2009 6:58:39 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.5
Apple Software Update
Avanquest update
avast! Antivirus
Big Fish Games Client
Bonjour
Conexant HD Audio
Critical Update for Windows Media Player 11 (KB959772)
ESET Online Scanner v3
Ghost Town Mysteries - Bodie
Google Chrome
Google Earth
Google Talk (remove only)
Google Talk Plugin
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Huawei MT841
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless WiFi Software
Karunya University
Lenovo System Interface Driver
Lenovo System Toolbox
Lenovo_ATK_Package
LiveUpdate 3.3 (Symantec Corporation)
Message Center Plus
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Motorola Driver Installation
Motorola Phone Tools
Mozilla Firefox (3.5)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Need for Speed™ SHIFT Demo
neroxml
NICI (Shared) U.S./Worldwide (128 bit) (2.7.0-2)
NMAS Challenge Response Method
NMAS Client
Novell Client for Windows
NVIDIA Drivers
NVIDIA PhysX
OGA Notifier 2.0.0048.0
On Screen Display
Picasa 3
Presentation Director
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.55.01
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Startup Delayer v2.5 (build 138)
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Power Management Driver for SL Series
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkVantage Access Connections
Total Video Converter 3.10
UltraISO Premium V9.33
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb976884)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 0.9.9
Voyage Puzzle
WebFldrs XP
Webshots Desktop
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
zebronics webcamera model zeb-100k

==== Event Viewer Messages From Past Week ========

12/19/2009 8:07:30 PM, error: Service Control Manager [7000] - The MAC Bridge Miniport service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================

Blade81
2009-12-22, 16:20
Hi,

You seem to have Sality file infector there and that unfortunately means reformat is the only sensible solution there. Fellow malware fighter miekiemoes has written good blog post about file infectors (http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html).

If you insist on trying to fix this infection instead of following my advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no quarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

I DO NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image (http://en.wikipedia.org/wiki/ISO_image) file format. Avira uses an EXE that has built-in CD burning capability.
Avira AntiVir Rescue System (http://www.raymond.cc/blog/archives/2008/06/28/free-avira-antivir-rescue-system-cd-to-clean-unremovable-virus/) - Avira's download page (http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html).
If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Tools Support Forum (http://forum.avira.com/wbb/index.php?page=Board&boardID=210).
Dr Web LiveCD (http://www.freedrweb.com/livecd/). Be sure to print out and follow the instructions provided in the User Manual (ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf).
F-Secure Rescue CD (http://www.techmixer.com/free-f-secure-rescue-bootable-cd-to-clean-virus-and-malware/) - Rescue CD 3.01 released (http://www.f-secure.com/linux-weblog/2008/06/).
Video: How to Remove Malware with F-Secure Rescue CD (http://blog.misec.net/2008/09/19/removing-malware-with-f-secure-rescue-cd/)
If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum (http://forum.f-secure.com/default.asp?sectionid=0).
BitDefender LiveCD (http://www.techmixer.com/bitdefender-rescue-cd-with-auto-update-virus-definition-features/) - Index of /rescue_cd (http://download.bitdefender.com/rescue_cd/)
If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum (http://forum.bitdefender.com/index.php?showforum=185).
Kaspersky RescueDisk (http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/) - Index of /devbuilds/RescueDisk/ (http://ftp.kaspersky.com/devbuilds/RescueDisk/)
If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum (http://forum.kaspersky.com/index.php?showforum=4).
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO (http://www.bleepingcomputer.com/tutorials/tutorial114.html). If you need a FREE utility to burn the ISO image, download and use ImgBurn (http://www.imgburn.com/).

davikut
2009-12-22, 17:14
Hey,thanks for the advice man.I am gonna reformat.Thanks for all your help.

Blade81
2009-12-22, 17:23
You're welcome. Make sure that removable drives used with this system get cleaned too (safest would be reformat). If such infected drive is plugged in to clean system it may get infected too.

Blade81
2009-12-29, 19:56
Since this issue appears to be resolved ... this Topic has been closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.