Hello someday,
This profile: http://forum.avast.com/index.php?action=profile;u=11091
Send him a PM with the link to this forum. He is good at removing rootkits. Just message him.
nmb
Hello nmb…
I am not allowed to PM anyone!!! Are there any rules??
And one more thing: now I can't connect to my internet in normal mode… I am replying while in safe mode with networking… Why so??? Is that because of that malware?? This is really creating a problem… Please help before my PC is dead!!!
Yes, it is a forum rule.
Sorry.
OK, I'll message him. Hold on.
Edit: I have sent him a message. He might come here around 6 pm (I think so). Be here at that time.
Thanks a lot… nmb…
Hi there, let's have a look-see and see what I can find.
To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.
Download OTS to your Desktop
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
  [*]Reg - Shell Spawning
  [*]Reg - NetSvcs
  [*]File - Lop Check
  [*]File - Purity Scan
  [*]Evnt - EvtViewer (last 10)
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
@essexboy
Thanks for replying… I uploaded the scan file to Mediafire and here is the sharing link…
http://www.mediafire.com/?sharekey=75cfe340ef6c60dcc2b435915e8821d7e04e75f6e8ebb871
Prior to running this fix, please create a restore point. During the fix you will lose your taskbar and a reboot will be requested; this is normal.
Start OTS. Copy/paste the information in the quote box below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Driver Services - Safe List]
YY -> (synsend) synsend [Kernel | System | Running] ->
[Registry - Safe List]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{93f0a613-9e14-11de-8550-00e04c360659} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93f0a613-9e14-11de-8550-00e04c360659}\Shell\AutoRun\command ->
YN -> \{93f0a613-9e14-11de-8550-00e04c360659}\Shell\AutoRun\command\\"" -> [lcw.exe]
YN -> \{93f0a613-9e14-11de-8550-00e04c360659} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93f0a613-9e14-11de-8550-00e04c360659}\Shell\open\Command ->
YN -> \{93f0a613-9e14-11de-8550-00e04c360659}\Shell\open\Command\\"" -> [lcw.exe]
YN -> \{93f0a614-9e14-11de-8550-00e04c360659} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93f0a614-9e14-11de-8550-00e04c360659}\Shell\AutoRun\command ->
YN -> \{93f0a614-9e14-11de-8550-00e04c360659}\Shell\AutoRun\command\\"" -> H:\lcw.exe [H:\lcw.exe]
YN -> \{93f0a614-9e14-11de-8550-00e04c360659} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93f0a614-9e14-11de-8550-00e04c360659}\Shell\open\Command ->
YN -> \{93f0a614-9e14-11de-8550-00e04c360659}\Shell\open\Command\\"" -> H:\lcw.exe [H:\lcw.exe]
YN -> \{93f0a61b-9e14-11de-8550-00e04c360659} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93f0a61b-9e14-11de-8550-00e04c360659}\Shell\AutoRun\command ->
YN -> \{93f0a61b-9e14-11de-8550-00e04c360659}\Shell\AutoRun\command\\"" -> [lcw.exe]
YN -> \{93f0a61b-9e14-11de-8550-00e04c360659} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93f0a61b-9e14-11de-8550-00e04c360659}\Shell\open\Command ->
YN -> \{93f0a61b-9e14-11de-8550-00e04c360659}\Shell\open\Command\\"" -> [lcw.exe]
[Files/Folders - Modified Within 30 Days]
NY -> Winset.drv -> C:\WINDOWS\Winset.drv
NY -> winkey.drv -> C:\WINDOWS\winkey.drv
NY -> sayspqx -> C:\WINDOWS\System32\sayspqx
NY -> anaunda -> C:\WINDOWS\System32\anaunda
NY -> undatch -> C:\WINDOWS\System32\undatch
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
@essexboy
I did as you told… here is the log file created after the fix…
http://www.mediafire.com/file/jymoiint2qw/10102009_111117.log
and this is the scan file created after using OTS (after reboot):
http://www.mediafire.com/file/zozoq3td2nt/OTS2.Txt
This process went as you said… and about the problem with my computer, that I will post when I get one…
Thanks…
OK, that was not strong enough to kill the rootkit.
Download ComboFix from any of the links below. You must rename it before saving: rename it to Gotcha before saving it to your desktop.
==================================
Double-click on the renamed ComboFix.exe and follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt so we can continue cleaning the system.
Hello sir…
I downloaded and renamed it… when I ran the program a blue window popped up and a few seconds later one more window saying…
"This machine doesn't have the Microsoft Windows Recovery Console installed; without it ComboFix can't fix serious infections… click Yes to download/install"
What should I do?? Should I click Yes?? (Just now I clicked No and then the cross button.)
Yes, download the Recovery Console, as it is for your safety; it should not take long.
Hello sir…
Here is the log file…
(I ran the program from safe mode with networking, as in normal mode my net connection is not working… is it OK??)
What error do you get when you try to connect in safe mode?
Please open Notepad
[*]Click Start, then Run
[*]Type notepad.exe in the Run box.
Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::
File::
c:\windows\System32\drivers\c636aaeb.sys
c:\windows\System32\drivers\vitra.sys
Driver::
Cmdmpa
vitra
c636aaeb
Then in the text file go to FILE > SAVE AS and in the drop-down box set SAVE AS TYPE to ALL FILES.
Save the above as CFScript.txt.
Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
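The two fixes above (the OTS fix that removed the MountPoints2 autorun entries and the synsend driver, and the CFScript that removes the vitra, c636aaeb and Cmdmpa drivers) target the same two persistence spots. The following read-only PowerShell triage is an added example, not part of the original thread and not how OTS or ComboFix work internally: it enumerates those spots so a reader can see what the OTS log lines correspond to on a live machine. The function names, the "suspicious" heuristics and the hex-name check are this example's own assumptions.

```powershell
# Added example (not from the original thread, OTS or ComboFix): read-only
# triage of the two persistence spots the fixes above target.
#   1. HKCU MountPoints2 Shell\<verb>\command values, which an autorun worm
#      plants so that opening a drive launches its dropper (the lcw.exe entries).
#   2. Kernel-driver service entries whose file is missing, whose name is a
#      random-looking hex string, or whose binary is unsigned.
# Run as the affected user, since MountPoints2 lives in that user's hive.

$MountPoints2 = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-MountPointShellCommands {
    param([string]$Root = $MountPoints2)
    if (-not (Test-Path -Path $Root)) { return @() }
    $rows = foreach ($vol in Get-ChildItem -Path $Root) {
        $shell = $vol.OpenSubKey('Shell')   # absent on volumes that never carried an autorun.inf
        if ($null -eq $shell) { continue }
        foreach ($verb in $shell.GetSubKeyNames()) {
            $cmdKey = $shell.OpenSubKey("$verb\command")
            if ($null -eq $cmdKey) { continue }
            $cmd = [string]$cmdKey.GetValue('')
            # First token of the command line, with surrounding quotes removed.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            [pscustomobject]@{
                Volume     = $vol.PSChildName
                Verb       = $verb
                Command    = $cmd
                # Bare file name, or <drive>:\<file> in the drive root: the autorun-worm pattern.
                Suspicious = ($exe -match '^(?:[A-Za-z]:\\)?[^\\]+\.(exe|com|bat|cmd|scr|pif)$')
            }
        }
    }
    @($rows)
}

function Resolve-DriverImagePath {
    # Normalise the ImagePath forms found in the Services hive to a Win32 path.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p -eq '') { return $null }
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\x.sys      -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\...   -> C:\WINDOWS\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

function Get-SuspiciousKernelDrivers {
    param([string]$Root = $ServicesRoot)
    $rows = foreach ($svc in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $props.Type -ne 1) { continue }   # 1 = SERVICE_KERNEL_DRIVER
        $name = $svc.PSChildName
        $path = Resolve-DriverImagePath ([string]$props.ImagePath)
        if ($null -eq $path) {
            # With no ImagePath the kernel loads system32\drivers\<ServiceName>.sys.
            $path = Join-Path $env:SystemRoot "system32\drivers\$name.sys"
        }
        $reasons = @()
        if ($name -match '^[0-9a-f]{8}$') { $reasons += 'eight-hex-digit service name' }
        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += "driver file missing: $path"
            $status = 'n/a'
        } else {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            if ($status -ne 'Valid') { $reasons += "signature $status" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $name
                Start     = $props.Start
                ImagePath = [string]$props.ImagePath
                Signature = $status
                Reason    = ($reasons -join '; ')
            }
        }
    }
    @($rows)
}

# Report both lists; an empty MountPoints2 list and a short driver list are the normal state.
Get-MountPointShellCommands | Format-Table -AutoSize
Get-SuspiciousKernelDrivers | Sort-Object Service | Format-Table -AutoSize
```

Two caveats when reading the output. On XP-era PowerShell 2.0, Get-AuthenticodeSignature does not consult catalog files, so many in-box Microsoft drivers report NotSigned; treat the Signature column as a way to prioritise, and confirm against a known-clean machine or file hashes rather than deleting on that alone. And a live kernel rootkit can hide its own service key and driver file from user-mode enumeration, which is exactly why the helper moved on to ComboFix once the first OTS fix was not enough: an empty result from this script is not proof of a clean system.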
Hello sir…
I encountered the internet problem in normal mode, not in safe mode… it showed that I was connected but either the net was very, very slow or it got disconnected after a while… this wasn't the case in safe mode; it was running smoothly there.
So I ran ComboFix in safe mode, as it required an active connection to download the Microsoft Recovery Console.
Sir, I have got avast 4.8 Professional and for 4-5 days (since my PC encountered these problems) a red icon has been on the 'a' ball (On-Access protection has been stopped)… I had tried to update and repair it but it didn't work, so I thought I would reinstall it after all these fixes…
(I had also uninstalled MBAM, HijackThis and SuperAntispyware, thinking they might be interfering with avast.)
But after running ComboFix and restarting my PC today (after 5-6 hours) the red icon has gone and its On-Access protection is now working…
And when I did this
it gave a warning to stop all active scanners (avast antivirus) so they would not interfere with the working of ComboFix…
I did stop it and it ran as before, but when ComboFix restarted it didn't create any log file… now where is it?? I checked in the drive and I couldn't find it?? Please help (what to post)…
Thanks…
The file should be at C:\ComboFix.txt
Download and run WinSock XP Fix from here: http://majorgeeks.com/WinSock_XP_Fix_d4372.html then try to connect in normal mode. Let me know of any problems experienced and/or any warning messages you get.
Hello sir…
I couldn't find C:\ComboFix.txt (it wasn't there)… so I did that dragging of CFScript.txt again and this time it created the log file… here it is…
http://www.mediafire.com/?sharekey=75cfe340ef6c60dcc2b435915e8821d7e04e75f6e8ebb871
And now the net connection is working in normal mode… so should I run WinSock XP Fix or not…
Thanks…
No, that was a fallback in case the CF script did not work.
Now the best part of the day: your log now appears clean.
A good workman always cleans up after himself, so… run OTS and hit the CleanUp button. It will remove all the programmes we have used, plus itself. MBAM can be uninstalled via Control Panel > Add/Remove Programs, along with ERUNT. But they may be useful tools to keep.
We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that.
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.
XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE
You now have a clean restore point, to get rid of the bad ones:
[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the drop-down box that appears select your main drive, e.g. C:
[*]Click OK
[*]The system will do some calculation and then display a dialogue box with tabs
[*]Select the More Options tab.
[*]At the bottom will be a System Restore box with a CLEANUP button; click this
[*]Accept the warning and select OK again; the program will close and you are done
SPRING CLEAN
Download TFC to your desktop
[*]Open the file and close any other windows.
[*]It will close all programs itself when run; make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job.
[*]Once it is finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
THEN
Download and run Auslogics Disc Defragmenter
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
[*]SuperAntispyware Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
[*]Microsoft Windows Update
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe
@someday
One important question, as you have not updated to XP SP3 yet:
http://forum.avast.com/index.php?topic=49266.msg416421#msg416421
Is Windows genuine?
http://www.microsoft.com/genuine/ProgramInfo.aspx?displaylang=en&sGuid=a059bfc1-f1a2-4469-92ef-26790fdbacc2
@essexboy
Thanks a lot, sir… my PC seems to work fine… I am so relaxed now… you were a great help… I am very grateful to you, sir… and now I will try to keep it safe…
Thank you…
Let me welcome him, if you allow, sir essexboy.
Welcome. I hope one of my forum friends, whom I suggested, helped you.
nmb