PLEASE PLEASE HELP

Suddenly my avast! is detecting a virus/worm in almost everything... these detections cannot be moved to the chest, but are only detected...
Here's my HijackThis log...

PLEASE HELP

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:48:04 PM, on 2009-07-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Desksware\Desktop iCal\Calendar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\HP\DIGITA~1\PRODUC~1\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
E:\HiJackThis.exe
C:\Program Files\Alwil Software\Avast4\ashAvast.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/3.0/sidesearch.html?mode=toolbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {47836122-9D2E-476C-9763-B1D366F704E1} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6CC05F1C-F4A7-49C0-AC7A-9B94097D5103} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7726] command /c del "C:\WINDOWS\system32\kr_done1"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4891] cmd /c del "C:\WINDOWS\system32\kr_done1"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [iCalendar] C:\Program Files\Desksware\Desktop iCal\Calendar.exe
O4 - HKCU\..\Run: [Calendar] C:\Program Files\Desksware\Desktop iCal\Calendar.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\COMPAQ\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC699F2B-515B-43AC-98EC-58235B4DD84A}: NameServer = 218.248.255.162 218.248.255.194
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: fbt32.dll,fbt32.dll,iznvhn.dll
O20 - Winlogon Notify: iifdeDWo - C:\WINDOWS
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe


End of file - 8307 bytes

Hi kalpajit,

Can you post the contents of the avast! log please? (Files detected, location, name of malware.)

Try a boot-time scan with avast! Right-click the scanner screen, select 'Schedule a boot-time scan' and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot-time option from there.)

Try a scan with DrWeb CureIT!

Try the usual free adware/spyware scanners.

SUPERAntiSpyware Free
Malwarebytes' Anti-Malware
a-Squared Free

Download, install and update the programs.
Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

Well, first, make sure HJT is installed in its own folder: if you fix items incorrectly, you may not be able to undo this if it was being run from a pen drive.

I would start by fixing

O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe

O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe

O4 - HKUS\S-1-5-18\..\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'Default user')

O20 - AppInit_DLLs: fbt32.dll,fbt32.dll,iznvhn.dll

You then have several questionable entries

O4 - HKLM\..\RunOnce: [SpybotDeletingA7726] command /c del "C:\WINDOWS\system32\kr_done1"

O4 - HKLM\..\RunOnce: [SpybotDeletingC4891] cmd /c del "C:\WINDOWS\system32\kr_done1"

kr_done1 is malware-related; is this something Spybot removed?

O20 - Winlogon Notify: iifdeDWo - C:\WINDOWS

I don't know what this is; I would fix it.

Then lastly O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\COMPAQ\reader_s.exe (User 'SYSTEM')
I believe this is a very bad entry.

reader_s.exe is almost certainly bad, but this is in a strange location. I would send it to VirusTotal and post the results. It may be to do with the file infector Virut, which is as bad as it gets. If it is, you are looking at totally reinstalling Windows. http://www.virustotal.com/

Remember what I said about installing HJT in its own folder.

Sorry Frank I was not butting in, I will butt out now ;D

No problem!

A lot of stuff in the log is likely to be injected into Windows processes, protected by hidden files, even rootkits.

avast!'s boot-time scan, MBAM, SAS and CureIT! all have more sophisticated methods of removing these files than HijackThis!, which is why I always recommend running them first.

A second HijackThis! log after the scans will be a good way of checking that they are all gone, though.

It’s not uncommon to find a sneaky Trojan that has slipped through!
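The replies above triage the log by hand: fix the Policies\Explorer\Run autostarts, the AppInit_DLLs list, the Winlogon Notify entry with no DLL path, the RunOnce `del` commands, and the executable run as SYSTEM out of a user profile, and note the `servises.exe` name that imitates `services.exe`. Here is an added Python example that applies those same rules mechanically to a constructed sample of HijackThis-format lines (it is not code from the thread, from HijackThis or from avast!). The rule set, the 0.8 name-similarity threshold and the `SYSTEM_BINARIES` list are assumptions chosen for illustration; the parser accepts both `HKLM\..\Run` and the `HKLM..\Run` form that forum software produces, and straightens curly quotes.

```python
"""Triage a HijackThis-style log: flag the autostart and hook entries that a
malware-removal helper looks at first.

Added example for this thread; not code from HijackThis, avast! or the forum.
The rule set, the 0.8 similarity threshold and SYSTEM_BINARIES are assumptions."""
import re
from difflib import SequenceMatcher

# Names malware imitates with a one-letter change ("servises.exe").  Assumed list.
SYSTEM_BINARIES = {"services", "svchost", "lsass", "csrss", "winlogon",
                   "explorer", "smss", "spoolsv"}

ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
# O4 body: <location>: [<name>] <command> [(User '<user>')]
O4_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")

# Constructed sample in HijackThis v2 format, modelled on entries from the
# thread above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7726] command /c del "C:\WINDOWS\system32\kr_done1"
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\COMPAQ\reader_s.exe (User 'SYSTEM')
O20 - AppInit_DLLs: fbt32.dll,fbt32.dll,iznvhn.dll
O20 - Winlogon Notify: iifdeDWo - C:\WINDOWS
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
"""


def _normalize(line):
    """Strip and straighten quotes: forum software turns ' and " into curly quotes."""
    return (line.strip().replace("\u2018", "'").replace("\u2019", "'")
            .replace("\u201c", '"').replace("\u201d", '"'))


def exe_stem(cmd):
    """Lower-case file name (without .exe) of the first executable in cmd, or None."""
    m = re.search(r'([^\\/"]+)\.exe', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else None


def lookalike(stem):
    """Return the system binary that stem closely imitates (but does not equal), else None."""
    for real in SYSTEM_BINARIES:
        if stem != real and SequenceMatcher(None, stem, real).ratio() >= 0.8:
            return real
    return None


def triage_line(line):
    """Return the reasons this log line deserves attention (empty list if none)."""
    m = ENTRY_RE.match(_normalize(line))
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")
    if kind == "O4":
        o4 = O4_RE.match(body)
        if o4:
            where, cmd, user = o4.group("where"), o4.group("cmd"), o4.group("user")
            if "Policies\\Explorer\\Run" in where:
                reasons.append("Policies\\Explorer\\Run autostart (rarely legitimate)")
            if "RunOnce" in where and re.match(r"(cmd|command)(\.exe)? /c", cmd, re.I):
                reasons.append("RunOnce shell command (check what scheduled it)")
            stem = exe_stem(cmd)
            real = lookalike(stem) if stem else None
            if real:
                reasons.append(f"'{stem}.exe' imitates system binary '{real}.exe'")
            if user == "SYSTEM" and "Documents and Settings" in cmd:
                reasons.append("runs as SYSTEM from a user profile directory")
    elif kind == "O20":
        if body.startswith("AppInit_DLLs:"):
            dlls = {d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()}
            for d in sorted(dlls):
                reasons.append(f"AppInit_DLLs loads {d} into every GUI process")
        elif body.startswith("Winlogon Notify:"):
            target = body.split(" - ", 1)[-1].strip()
            if not target.lower().endswith(".dll"):
                reasons.append(f"Winlogon Notify target is not a DLL path: {target}")
    return reasons


def triage(log_text):
    """Return [(line, reasons), ...] for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((_normalize(line), reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run it against a full pasted log and compare the output with a second log taken after the boot-time scan and the other scanners have run: entries that survive are the ones to fix in HJT or to upload to VirusTotal, as the replies above suggest. The orphan rule is noisy on its own (the Yahoo! Toolbar leftovers are harmless) and is there so that the stale entries can be cleaned, not because they indicate infection.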