
HijackThis logfile.. Pls help

Author: prasad1987 (Joined: 07 Jul 2009, Posts: 4, Location: india)
Post subject: HijackThis logfile.. Pls help
Hi, my name is Prashanth Kumar and my system has been attacked by a virus. Below is the HijackThis logfile. Please help me and tell me the procedures.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:48 PM, on 7/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\DrWeb\spiderml.exe
D:\Program Files\DrWeb\DRWEBSCD.EXE
D:\PROGRA~1\DrWeb\spidernt.exe
D:\Program Files\PC Tools Internet Security\pctsTray.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\WordWeb\wweb32.exe
D:\WINDOWS\Integrator.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\PC Tools Internet Security\pctsAuxs.exe
D:\Program Files\PC Tools Internet Security\pctsSvc.exe
D:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\reader_s.exe
D:\WINDOWS\system32\25.tmp
D:\Documents and Settings\Prasad\reader_s.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\2B.tmp
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:/rapidhacker.dll
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - D:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "D:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKLM\..\Run: [SpIDerMail] "D:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [DrWebScheduler] "D:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKLM\..\Run: [SpIDerNT] D:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKLM\..\Run: [reader_s] D:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [servises] D:\WINDOWS\System32\servises.exe
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Prasad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RegistryMechanic] D:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] D:\Documents and Settings\Prasad\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [servises] D:\WINDOWS\System32\servises.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] D:\Documents and Settings\Prasad\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe (User 'Default user')
O4 - Startup: Battery Doubler.lnk = C:\Program Files\Dachshund Software\Battery Doubler\Battery Doubler.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEA53C79-7C0E-44DB-882A-497CA015EF2E}: NameServer = 192.168.2.2
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate1c9deb698b2ad87) (gupdate1c9deb698b2ad87) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - D:\PROGRA~1\DrWeb\SpiderNT.exe
O23 - Service: ThreatFire - PC Tools - D:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - D:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
--
End of file - 8002 bytes
Prashanth
Posted: Tue Jul 07, 2009 10:06 am
Author: HJT Analyzer (Joined: 15 Mar 2006, Posts: 728)
Post subject: My HijackThis log
Hello, visitor!
The HijackThis log analyzer has analyzed your log. Please take a closer look at the results.
Your log does not indicate any spyware or virus infection. However, there are some entries that you might want to fix. Please follow the steps below.
The following entries are not malicious, but some of them are not used anymore. You may use HijackThis to fix a few of them. However, please keep in mind that some of the entries marked as Questionable or Not Needed are fully legitimate and might be required by installed software to work properly, while some others might be related to certain parasites. It is up to you to decide whether you need any of them, or not.
D:\WINDOWS\system32\services.exe
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] D:\Documents and Settings\Prasad\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [servises] D:\WINDOWS\System32\servises.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] D:\Documents and Settings\Prasad\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEA53C79-7C0E-44DB-882A-497CA015EF2E}: NameServer = 192.168.2.2
The following files and Windows registry entries are marked as "unknown". Currently, the HijackThis Log Analyzer cannot provide required information on these items. The files and entries in the list below can be both malicious and fully legitimate. Because of this, please do not take any action! Wait for the forum responders or other forum users to provide you with necessary details and further instructions.
D:\Program Files\DrWeb\spiderml.exe
D:\Program Files\DrWeb\DRWEBSCD.EXE
D:\PROGRA~1\DrWeb\spidernt.exe
D:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Program Files\WordWeb\wweb32.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\PC Tools Internet Security\pctsAuxs.exe
D:\Program Files\PC Tools Internet Security\pctsSvc.exe
D:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
D:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
D:\WINDOWS\System32\reader_s.exe
D:\WINDOWS\system32\25.tmp
D:\Documents and Settings\Prasad\reader_s.exe
D:\WINDOWS\system32\2B.tmp
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:/rapidhacker.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - D:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "D:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKLM\..\Run: [SpIDerMail] "D:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [DrWebScheduler] "D:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKLM\..\Run: [SpIDerNT] D:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKLM\..\Run: [reader_s] D:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [servises] D:\WINDOWS\System32\servises.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Prasad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Battery Doubler.lnk = C:\Program Files\Dachshund Software\Battery Doubler\Battery Doubler.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate1c9deb698b2ad87) (gupdate1c9deb698b2ad87) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - D:\PROGRA~1\DrWeb\SpiderNT.exe
O23 - Service: ThreatFire - PC Tools - D:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - D:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
If you want to see a more detailed analysis of your log, click here.
Thank you for using the 2-Spyware.com HijackThis log analyzer beta 2!
Posted: Tue Jul 07, 2009 10:08 am
Author: rodi, Site Admin (Joined: 23 Jun 2009, Posts: 128)
Post subject: (none)
G'day Prashanth,
your computer is infected with a virus called Virut. It might be difficult to remove this virus, that's why I recommend you use Spyware Doctor.
http://www.2-spyware.com/review-spyware-doctor.html
Manual removal is potentially dangerous to your system if mistakes are made while performing it. Do it at your own risk. Now, first of all, you must kill these processes:
reader_s.exe
servises.exe
If you can't stop these processes normally, then use Killbox tool.
Navigate and delete the following files:
D:\WINDOWS\System32\reader_s.exe
D:\Documents and Settings\Prasad\reader_s.exe
D:\WINDOWS\system32\2B.tmp
Navigate to your Windows HOSTS file and remove these entries:
92.241.176.188 advanced-virus-remover2009.com
92.241.176.188 www.advanced-virus-remover2009.com
92.241.176.188 advanced-virus-remover2009.com
92.241.176.188 www.advanced-virus-remover2009.com
Navigate to and delete the following registry entries:
O4 - HKLM\..\Run: [reader_s] D:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [servises] D:\WINDOWS\System32\servises.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] D:\WINDOWS\System32\servises.exe (User 'Default user')
How does your computer work after these steps?
Posted: Tue Jul 07, 2009 1:25 pm
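Added example, not part of this thread or of HijackThis: a small Python triage script that applies checks of the kind rodi's reply relies on (hosts overrides, the file:// AutoConfigURL, autostart or process names that imitate legitimate binaries such as servises.exe and reader_s.exe, SYSTEM-hive autostarts pointing into a user profile, processes running from .tmp files) to a constructed subset of the log above. The lookalike list, the distance-1 rule and the reason strings are my assumptions, not the analyzer's.

```python
import re

# Constructed subset of the HijackThis log posted in this thread (raw string keeps the backslashes).
SAMPLE_LOG = r"""
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\25.tmp
D:\Documents and Settings\Prasad\reader_s.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://c:/rapidhacker.dll
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [servises] D:\WINDOWS\System32\servises.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] D:\Documents and Settings\Prasad\reader_s.exe (User 'SYSTEM')
"""

# Assumed list (mine, not HijackThis's) of binaries malware imitates by name; reader_sl.exe is Adobe's launcher.
LOOKALIKE_TARGETS = ["services.exe", "svchost.exe", "lsass.exe", "explorer.exe", "reader_sl.exe"]
# O4 line -> (hive, launched path); the path may be quoted and may contain spaces.
O4_RE = re.compile(r'^O4 - (\S+?)\\\.\.\\.*?Run: \[[^\]]*\] "?(.*?\.(?:exe|lnk))', re.I)

def edit_distance(a, b):
    """Levenshtein distance; catches typo-squatted names such as servises.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(path):
    """Well-known binary whose name this file imitates (distance exactly 1), else None."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return next((t for t in LOOKALIKE_TARGETS if name != t and edit_distance(name, t) == 1), None)

def triage_line(line):
    """Reasons (possibly several) why one HijackThis line deserves a closer look."""
    reasons, m = [], O4_RE.match(line)
    if line.startswith("O1 - Hosts:"):
        reasons.append("hosts file pins a domain to a fixed IP")
    elif line.startswith("R1 -") and "AutoConfigURL" in line and "file://" in line.lower():
        reasons.append("proxy auto-config script loaded from a local file")
    elif m or re.match(r"^[A-Za-z]:\\", line):  # O4 autostart or running-process line
        hive, path = m.groups() if m else ("", line)
        if lookalike(path):
            reasons.append("executable name imitates " + lookalike(path))
        if hive.upper().startswith("HKUS") and "documents and settings" in path.lower():
            reasons.append("SYSTEM/default-user autostart points into a user profile")
        if path.lower().endswith(".tmp"):
            reasons.append("running process is a .tmp file")
    return reasons

def triage(log):
    """Apply triage_line to every line; returns [(reason, line), ...] in log order."""
    return [(r, ln.strip()) for ln in log.splitlines() for r in triage_line(ln.strip())]
```

Every flagged line maps to one of rodi's steps (kill/delete the file, clean the HOSTS file, remove the Run entry), while the legitimate svchost.exe and iTunesHelper lines produce no finding.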
Author: prasad1987 (Joined: 07 Jul 2009, Posts: 4, Location: india)
Post subject: (none)
Thx... but will I get the full version of Spyware Doctor???
Prashanth
Posted: Tue Jul 07, 2009 1:32 pm
Author: prasad1987 (Joined: 07 Jul 2009, Posts: 4, Location: india)
Post subject: (none)
I didn't try the manual procedure yet.
Prashanth
Posted: Tue Jul 07, 2009 1:33 pm
Author: prasad1987 (Joined: 07 Jul 2009, Posts: 4, Location: india)
Post subject: (none)
I did all the steps. How do I see those registry entries, the last step you had given?
Prashanth
Posted: Tue Jul 07, 2009 2:23 pm
Author: rodi, Site Admin (Joined: 23 Jun 2009, Posts: 128)
Post subject: (none)
Manual removal of malicious registry entries:
http://www.2-spyware.com/news/post226.html
In short, press Win+R, then type "regedit" and hit the OK button. In the Registry Editor window press Ctrl+F and search for, for example, reader_s.exe.
Posted: Wed Jul 08, 2009 4:59 am