Unable to remove Win32 viruses! please help me out

Hi guys,
i have microsoft XP media center edition version 2002 service pack2 OS installed in my laptop and scanned with avast antivirus and found Win32 viruses - Win32: Rootkit-gen[Rtk], Win32:OnLineGames-CGL[trj], VBS: Malware-gen, Win32:Rbot-GGC[trj], Win32:AutoRun-KF, Win32: AutoRun- RJ[wrm]. Around 241 files are infected with following viruses.
Can anyone please please help me what should i do to remove these viruses as im unable to clean with avast antivirus 4.8 home edition.

attached screenshot

thanks in advance
Sid

Those are in System Restore, If you follow the instructions here: http://www.pchell.com/virus/systemrestore.shtml

That should get rid of them. System restore makes copies of files so you can restore them later. ( even infected ones)

That’s why most people here will tell you to disable system restore before cleaning you computer, Then turn it back on.

Before turning on System Restore, You might want to run Rootkit Buster: http://www.trendmicro.com/download/rbuster.asp

and Malwarebytes’ Anti-Malware: http://www.malwarebytes.org/mbam.php

and another scan by Avast

Just to be sure you’re clean.

Welcome to the forums.

Thanxs alot marc57 for the reply and followed the steps you have mentioned, but unfortunately still im able to see 320 files infected with the viruses i had mentioned in my earlier post.
After disabling systemrestore and scanned with rootkit buster, it showed no viruses and when scanned with Malwarebytes antimalware software it showed one file infected and below is the log file with details

Malwarebytes’ Anti-Malware 1.26
Database version: 1112
Windows 5.1.2600 Service Pack 2

9/4/2008 9:27:04 PM
mbam-log-2008-09-04 (21-27-00).txt

Scan type: Full Scan (C:|D:|E:|F:|)
Objects scanned: 70065
Time elapsed: 24 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\suresh\My Documents\Downloads\Documents\A0005413.exe (Backdoor.Bot) → No action taken.

Also posting the log file got from combofix

ComboFix Log File :
ComboFix 08-09-01.05 - suresh 2008-09-03 21:02:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.248 [GMT 5.5:30]
Running from: C:\Documents and Settings\suresh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\suresh\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

  • Created a new restore point
    .

((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-03 20:25 . 2008-09-03 20:25 d-------- C:\Program Files\MSXML 4.0
2008-09-03 19:52 . 2008-09-03 19:52 d-------- C:\Program Files\Google
2008-09-03 19:51 . 2008-09-03 19:51 d-------- C:\Program Files\Java
2008-09-03 19:51 . 2008-09-03 19:51 d-------- C:\Program Files\Common Files\Java
2008-09-03 19:51 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-03 19:49 . 2008-09-03 19:49 d-------- C:\WINDOWS\system32\bits
2008-09-03 19:49 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-09-03 19:48 . 2007-03-29 18:26 7,168 -----c— C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-09-03 19:48 . 2007-03-29 18:26 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-09-03 12:14 . 2008-06-13 18:40 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-09-03 12:14 . 2008-06-13 18:40 272,128 -----c— C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-03 11:26 . 2008-09-03 20:28 d–h----- C:\WINDOWS$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 08:34 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-07-25 08:34 683,520 ----a-w C:\WINDOWS\system32\divx.dll
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
.

------- Sigcheck -------

2002-08-31 20:29 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe” [2005-11-24 94208]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe” [2008-09-03 162744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2004-08-10 59392]
“QlbCtrl”=“C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe” [2007-05-07 159744]
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” [2001-07-09 155648]
“Sony Ericsson PC Suite”=“C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” [2005-10-26 159744]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2002-08-10 155648]
“SynTPLpr”=“C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [2001-07-27 94208]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2001-07-27 282624]
“igfxtray”=“C:\WINDOWS\system32\igfxtray.exe” [2005-11-27 98304]
“igfxhkcmd”=“C:\WINDOWS\system32\hkcmd.exe” [2005-11-27 77824]
“igfxpers”=“C:\WINDOWS\system32\igfxpers.exe” [2005-11-27 118784]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2008-07-19 78008]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe” [2008-06-10 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BlueSoleil VoIP Plugin.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe [2006-02-17 148992]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-04-28 1441792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”= C:\WINDOWS\Resources\Themes\Royale.theme
“DisableStatusMessages”= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
“VIDC.YV12”= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=“Service”

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“UpdatesDisableNotify”=dword:00000001
“AntiVirusOverride”=dword:00000001

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=
“C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe”=
“C:\Program Files\Messenger\msmsgs.exe”=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{08adf6ad-af8e-11d6-877b-0006c990021d}]
\shell\explore\command - explorer.exe
\shell\open\Command - explorer.exe

Newly Created Service - CATCHME
Newly Created Service - PROCEXP90
.

        • ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
.
.
------- File Associations (Beta) -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 21:03:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

C:\DOCUME~1\suresh\LOCALS~1\Temp\RGI1.tmp

scan completed successfully
hidden files: 1


.
Completion time: 2008-09-03 21:04:56
ComboFix-quarantined-files.txt 2008-09-03 15:34:52

Pre-Run: 16,269,099,008 bytes free
Post-Run: 16,255,094,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Windows XP Media Center Edition” /noexecute=optin /fastdetect

118 — E O F — 2008-09-03 14:59:02

can anyone pls help me out in removing these viruses … :frowning:

Thanks in advance
Sid

Here is HijackThis Log Details :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:24 PM, on 9/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Sony Ericsson PC Suite] “C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [ISTray] “C:\Program Files\Spyware Doctor\pctsTray.exe”
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OneCare AntiSpyware and AntiVirus (OneCareMP) - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


End of file - 7272 bytes

Thanks
Sid

Marc asked me to take a look into your HijackThis.
I’ve submitted it to automatic analysis and found nothing, but I’m far from being an expert on it… sorry.

It looked as if those 320 hits were all in system restor
is anything in the wild on your pc
I would think that flushing system restore would be in order
then running ATF cleaner or CCleaner
run a couple of various scans
defrag
set a new restore point

can you tell me how to flush the restore system.

also, please let me know if it wud effect my pc when i try to restore to my previous point?

Thanks,
Sids

Maybe a sticky is needed to document flushing system restore so that it does not have to be constantly repeated?

for flushing system restore see marc57 post 1 line 1
do the things in post 1
no one asked for a combo fix- it can be a powerful yet dangerous tool to run and very few of us- not me- would know how to recover

if restored those items you would be infected all over again
the file found by MBAM - you could delete that download

since you use Ie I suggest you install javacool’s SPYWAREBLASTER- uses no resources
and also Spybot Search and Destroy, update every Wednesday and IMMUNIZE
when installing turn on sd-helper
If spyware doctor is active do NOT activate T-timer
run a scan when you get a chance

you need a third party firewall like Comodo or PC tools- turn xp off when you install
you need to run
secunia software inspector and update everything- install service packs

java looks ok but remove all old versions- they are vulnerable
you have a lot of unnecessary crap loading at bootime which will not enhance your computer experience