Infected by worms and trojans

Status
Not open for further replies.
Hello guys, I really need your help here.
After opening network sharing, my AVG antivirus sent 5 pop-ups for Trojan horses. I really forgot their names; when I heal them, they appear again after 5-10 min.
Task Manager and Regedit.exe are disabled. When I enable them using the gpedit.msc trick, I open them once and fix the entries, and when I close them they are disabled again.
A HijackThis scan was done once and it can't be opened again. The AVG antivirus scan and virus vault also can't be opened now,
and it also created a shared file called XPcode with exe's of sex screensavers, sex games and such things.
And I have found now that the Autorun.BO worm is also detected, and when I heal it, it also reappears again.
My HijackThis log file is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:13 PM, on 12/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Moderator Edit:
Pasted log removed, you must attach these logs not paste them in


Please help me, I rely on you.
 
Please go HERE and follow the instructions. Then, post the 3 log files as attachments.

Also, don't forget to rename HijackThis.exe as follows.

You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

You can now close the HJT directory.
 
First, the SUPERAntiSpyware log is:

SUPERAntiSpyware Scan Log


Generated 12/28/2008 at 02:27 AM

Application Version : 4.24.1004

Core Rules Database Version : 3686
Trace Rules Database Version: 1663

Scan type : Complete Scan
Total Scan Time : 00:33:41

Memory items scanned : 336
Memory threats detected : 0
Registry items scanned : 5912
Registry threats detected : 0
File items scanned : 18405
File threats detected : 0


Malware just told me before that no threats were found, so maybe it isn't important to post it.

Java is up to date

AVG Antivirus gives only the following infections (my hard drive is divided into 3 compartments):

C:\Autorun.inf which is detected as Worm\Autorun.BO
D:\Autorun.inf which is detected as Worm\Autorun.BO
E:\Autorun.inf which is detected as Worm\Autorun.BO



HIJACKTHIS log file is attached

Thanks for helping me.
 
Ok, please do the following.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager (if you can), by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

zaSetup_en.exe
gwrs.exe
winosrqhy.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'NETWORK SERVICE')

O4 - Global Startup: Adobe Update.lnk = C:\Program Files\Common Files\AdobeUpdate.exe

O4 - Global Startup: AdobeUpdate.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there):

C:\Documents and Settings\USER\Desktop\zaSetup_en.exe

C:\DOCUME~1\USER\LOCALS~1\Temp\gwrs.exe

C:\DOCUME~1\USER\LOCALS~1\Temp\winosrqhy.exe

Reboot into normal mode and rehide your protected OS files.

Check that you can now use Task manager and let me know.

Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Please post the Combofix log as well as a fresh HJT log as attachments.
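The post above works through the O4 and O7 lines of a HijackThis log by hand. As an added example (not from the thread, and not HijackThis code), this Python script parses such lines and flags the patterns the thread discusses: a policy that disables Regedit or Task Manager, and startup entries that run from a temp or desktop folder, give only a bare filename, or sit directly under Common Files. The heuristics and the benign ctfmon.exe line in the sample are my assumptions; the nLite RunOnce entries the helper also listed are not covered by them.

```python
import re

# Sample input: O4/O7 lines quoted in the thread, plus one constructed benign HKLM Run entry (ctfmon.exe).
SAMPLE_LOG = """\
O4 - HKUS\\S-1-5-19\\..\\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
O4 - Global Startup: Adobe Update.lnk = C:\\Program Files\\Common Files\\AdobeUpdate.exe
O4 - Global Startup: AdobeUpdate.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<location>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value_name>\w+)=(?P<value>\S+)$")
# Policy values that lock a user out of diagnostic tools (assumed list, not from HJT).
TOOL_DISABLING_POLICIES = {"DisableRegedit", "DisableTaskMgr"}

def parse_line(line):
    """Return a dict for an O4 or O7 line, or None for any other line type."""
    m = O4_RE.match(line)
    if m:
        return {"type": "O4", **m.groupdict()}
    m = O7_RE.match(line)
    return {"type": "O7", **m.groupdict()} if m else None

def reasons_for(entry):
    """Heuristic reasons to look closer; the heuristics are this example's assumptions."""
    reasons = []
    if entry["type"] == "O7":
        if entry["value_name"] in TOOL_DISABLING_POLICIES and entry["value"] == "1":
            reasons.append("policy disables a diagnostic tool: " + entry["value_name"])
        return reasons
    cmd = entry["command"].lower()
    if "\\temp\\" in cmd or "\\desktop\\" in cmd:
        reasons.append("runs from a temp or desktop directory")
    # An .exe directly under Common Files, with no vendor subfolder, is unusual.
    if re.search(r"\\common files\\[^\\]+\.exe$", cmd):
        reasons.append("executable dropped directly under Common Files")
    if entry["location"] == "Global Startup" and "\\" not in cmd:
        reasons.append("bare startup filename with no path")
    return reasons

def triage(log_text):
    """Return [(line, reasons)] for each O4/O7 line that triggers a heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        reasons = reasons_for(entry) if entry else []
        if reasons:
            flagged.append((line, reasons))
    return flagged
```

Running `triage(SAMPLE_LOG)` flags the two AdobeUpdate startup entries and the DisableRegedit policy, and leaves the ctfmon.exe entry alone.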
 
Sorry Kimsland, but mimo450 really needs to follow my instructions.

I know the 8 step instructions are good, but in this case I really want to see a Combofix log.
 
I really appreciate your help, but when I went to manage Safe Mode from Msconfig, the computer restarted and told me that it couldn't load Safe Mode due to hardware or software failure, but the worst was that I couldn't load normal mode either, so the computer kept restarting.
I consulted my computer manager and he said that the computer was infected by an advanced form of the known worm autorun.inf, because it was BO this time, and it shut off all the possible solutions, and if it had more time it could cause severe damage to the hardware too.
So I reformatted the computer and the problem's solved.
Thanks for your concern, and if anything happens again I will consult you.
 
Thanks for the update.
Actually, with member gillianbrown now banned, it may have helped a lot too ;)
 