Win32:Tiny-II [Trj]

Hi

I downloaded a file from the internet and ran it (which obviously I shouldn’t have). My computer got infected by this trojan. It pops up in different places no matter how many times I delete it.

It badly infected IE, opening all kinds of websites randomly. After I uninstalled IE, Task Manager still shows IEXPLORE.EXE sometimes.

There are files named d.exe, d1.exe, porno.exe etc. in C:\ which keep returning.

System Configuration shows one of these files in Startup; it returns even if I remove it.

I have tried a boot scan. It detected several infected files but is not able to remove the virus.

Please help. Is reinstalling windows the only way?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:07 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\B B Singh\Desktop\ipmsg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.icicidirect.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM..\Run: [autoload] C:\Documents and Settings\B B Singh\cftmon.exe
O4 - HKCU..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU..\Run: [autoload] C:\Documents and Settings\B B Singh\cftmon.exe
O4 - HKUS\S-1-5-18..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: Shortcut to ipmsg.lnk = C:\Documents and Settings\B B Singh\Desktop\ipmsg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip..{C5EFA916-83D2-4E26-AB4F-B518808E8447}: NameServer = 202.56.240.5 202.56.250.6
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe


End of file - 4356 bytes
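As an added example (not part of the thread, and not an avast! or HijackThis tool), here is a small Python script that parses O4 (Run key) and O23 (service) lines in the HijackThis format above and flags the persistence entries a responder would look at first: executables launched from the drivers\ folder, executables dropped straight into a profile root, services with no registered owner, and file names that imitate real Windows binaries (spools.exe vs spoolsv.exe, cftmon.exe vs ctfmon.exe). The sample lines and the heuristics are constructed here, modelled on the log in the post.

```python
import re
# Constructed sample lines in HijackThis format, modelled on the O4/O23 entries in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\B B Singh\cftmon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
"""
# Genuine Windows binary names that droppers imitate (spoolsv -> spools, ctfmon -> cftmon).
SYSTEM_NAMES = ["spoolsv.exe", "ctfmon.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"]
O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.exe)\b', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance: catches a dropped or swapped letter in an imitated binary name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def path_findings(path):
    """Heuristic reasons a launch path looks suspicious; an empty list means nothing noteworthy."""
    parts = path.lower().split("\\")
    fname, reasons = parts[-1], []
    if "drivers" in parts[:-1]:  # drivers\ holds .sys kernel drivers, not autostart executables
        reasons.append("executable launched from a drivers directory")
    if len(parts) == 4 and parts[1] == "documents and settings":  # C:\Documents and Settings\<user>\x.exe
        reasons.append("executable sits directly in a user profile root")
    lookalike = [k for k in SYSTEM_NAMES if fname not in SYSTEM_NAMES and edit_distance(fname, k) <= 2]
    if lookalike:
        reasons.append(f"name imitates {lookalike[0]}")
    return reasons

def scan(log_text):
    """Parse O4 (Run key) and O23 (service) lines; return (kind, name, path, reasons) for flagged ones."""
    hits = []
    for line in log_text.splitlines():
        if (m := O4_RE.match(line)) and (pm := PATH_RE.match(m["rest"])):
            kind, name, path, extra = "run", m["name"], pm["path"], []
        elif line.startswith("O23 - Service: "):
            name, owner, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
            kind, extra = "service", (["service has no registered owner"] if owner == "Unknown owner" else [])
        else:
            continue
        if reasons := path_findings(path) + extra:
            hits.append((kind, name, path, reasons))
    return hits
```

Run `scan(SAMPLE_LOG)` to get the three flagged entries; the quoted btdna.exe line is parsed but not reported, since none of the heuristics match it.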

Try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

C:\WINDOWS\system32\drivers\spools.exe
C:\Documents and Settings\B B Singh\cftmon.exe

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis.

Post the results here.