I got a virus i guess !!!...... Help me guys !!!....i'm Screwed..!!

[coolendra]

Hi guys.....
i recently got a new Lappy ...

installed Win XP wth it...

then went to a frndz place to copy some dath frm his HDD.....

after copying the data nd stuff...

the moment i restarted the PC i got a error messege stating....coudnt open temp2.exe
when i tried accessing the D drive...it denied me stating xcopy.exe /copy.exe file not found nd etc..etc...

whc virus is this....
this is annoying me very much.....

Norton antivirus failed to delete this file....frm System32/tem1.exe , system32/temp2.exe....

then i started the computer in safemode nd manually deleted the file frm the
C drive....bt still coudnt remove nething frm D drive....[still cant access the D drive )...


ne1 having ne tools or suggestion for this case plz provide help for me ASAp...

plz plz plz....

Thanx...

[Kiran.dks]

A system processes report would be handy to solve:

1. Download HijackThis

2. Extract the zip content to Desktop

3. Close all Open windows if any including your browser

4. Run Hijackthis

A report will be produced. Copy & paste entire report here for analysis.

[Sparsh007]

i suppose u got a restore CD/DVD with yr Laptop or a Windows XP install disc.if yes reinstall it.That wld be the best way i suppose if its a virus.Then put antivirus software like Avast 4.7 and also a firewall wld be suggested
then scan and copy the stuff again

[coolendra]

i dnt hav ne recovery CD....
had a Vista Recovery partition....
but deleted it....as it sucked big time...
but windows Xp is stable so i put it....
but now this pain in the @$$...

[Sparsh007]

reinstall from the same disc u did the last time

[coolendra]

Here is the Report...!!

Logfile of HijackThis v1.99.1
Scan saved at 12:18:53 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
C:\WINDOWS\system32\temp1.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\Administrator\My Documents\hijackthis_199\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7f61675d-4ea1-44b9-a1fb-25cce0b64b4d} - C:\WINDOWS\system32\modvdm.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp20.tmp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\xxyyvs.dll",realset
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{29B9C8E8-48E4-49A8-A100-ACFD158DE77B}: NameServer = 202.159.217.198,203.94.243.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{29B9C8E8-48E4-49A8-A100-ACFD158DE77B}: NameServer = 202.159.217.198,203.94.243.70
O17 - HKLM\System\CS2\Services\Tcpip\..\{29B9C8E8-48E4-49A8-A100-ACFD158DE77B}: NameServer = 202.159.217.198,203.94.243.70
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: modvdm - C:\WINDOWS\SYSTEM32\modvdm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

[abhijangda]

Scan with av and antispyware.

[Kiran.dks]

Coolendra,

I have analysed the report and found that your system is infected with W32.Mydoom.BG@mm worm.

This process is not legitimate.

Quote:

C:\WINDOWS\system32\temp1.exe

Quote:

It's a mass-mailing worm that uses its own SMTP engine to send out an email message that contains a link to a Web site containing a copy of W32.Mydoom.BG@mm. The worm then downloads Infostealer onto the compromised computer.

REMOVAL INSTRUCTIONS:

1. Download W32.Mytob@mm Removal Tool

2. Login as administrator

3. Turn off system restore in Windows.

4. Close all the applications and Windows if any open and scan the entire computer including all drives using the downloaded tool

5. After cleaning is complete, reboot windows

6. Run the tool once more to see that it is completely removed

7. Turn ON system restore

This should solve your problem.

[hrushij]

Attach ur HDD to some another comp.. and remove those virus files from it manually..I am not sure that it will work

[coolendra]

Quote:

Originally Posted by Kiran_tech_mania

Coolendra,


REMOVAL INSTRUCTIONS:

1. Download W32.Mytob@mm Removal Tool

2. Login as administrator

3. Turn off system restore in Windows.

4. Close all the applications and Windows if any open and scan the entire computer including all drives using the downloaded tool

5. After cleaning is complete, reboot windows

6. Run the tool once more to see that it is completely removed

7. Turn ON system restore

This should solve your problem.

dude......this tool dint work....it says... virus not found...!!

now wat to do ?

[Kiran.dks]

Quote:

Originally Posted by coolendra

dude......this tool dint work....it says... virus not found...!!

now wat to do ?

That's strange. I am sure that your PC is infected. Install any good free antivirus software, update its definitions and scan entire system in "safe mode".

Infections should be detected...

[anandk]

delete following files using deletedoctor from www.diskcleaners.com

C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\system32\temp1.exe

ensure that the mentioned files with the mentioned paths are deleted. deletedoctor may ask for a reboot. do so. then run ccleaner from www.ccleaner.com to clear registry and pc junk. and reboot again.