Urgent help required

Status
Not open for further replies.

Hari_04415

Broken In
I'm using Windows XP with SP2 installed on my system.

Yesterday I formatted it and reinstalled Windows XP.

I have an internet connection (LAN) which is always connected to my system. When I installed Opera and started browsing the net (without any antivirus installed), some strange program kept coming up quite frequently. It was named Delsim Dialer (I don't know from where this program got installed on my computer). It is similar to an internet dialer. Moreover, the LAN icon which is generally shown in the quick launch area (the one beside the clock) is also not being displayed. I have noticed that even if I don't use the net, some packets are always being sent, as shown in the LAN status dialog box. My net speed has reduced to a large extent.
I have installed KAP7 antivirus. But it's making my system hang (during startup), so I have disabled it.
*********I am attaching some captures, please see below********
Now what is all this happening to my system? Somebody please help me.
 

Batistabomb

Deadman Walking
This is spyware, dude. Try gupta's steps; if not, see this:

You should copy these instructions to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download, install and update Avg anti spyware 7.5 from *www.ewido.net/en/download/ and don't perform a scan yet.


Print out the Avg install and scan Instructions from
*castlecops.com/t137442-CCSP_Ewido_Install_and_Scan_Instructions.html

Please download ATF Cleaner from *www.atribune.org/ccount/click.php?id=1 DO NOT use it yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now scan with Avg per the "Safe Mode" instructions you printed out.
IMPORTANT: Do not open any other windows or programs while Avg is scanning, it may interfere with the scanning process.

Reboot back to normal mode.
 

Hari_04415

Broken In
Here are the log file contents, Gupta

Logfile of HijackThis v1.99.1
Scan saved at 11:15:58 AM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Styler\Styler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\HARISH~1\LOCALS~1\Temp\_PA617\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\QuickTime.exe
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: wbsys.dll,C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe
O23 - Service: Microsoft Media - Unknown owner - C:\WINDOWS\System32\dllcache\Rtsecar.exe

And one more thing, piyush: a process called quiktime.exe was always running, which I saw in Task Manager. I don't have any QuickTime player installed on my system, so I terminated that process, and then the outgoing packets stopped being sent. But it keeps loading again and again.
 

piyush gupta

Cyborg Agent
Following entries are looking doubtful

C:\DOCUME~1\HARISH~1\LOCALS~1\Temp\_PA617\HijackThis.exe
remove this file

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\QuickTime.exe
Search your Windows directory and remove the file called QuickTime.exe,
or simply search using the Start->Search option and delete the file called QuickTime.exe

Also remove QuickTime entry present in Registry

O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
Delete this Cyberoam client Application

O23 - Service: Microsoft Media - Unknown owner - C:\WINDOWS\System32\dllcache\Rtsecar.exe
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

Also the above two entries.

After doing that,
start your system in safe mode and scan using a good antivirus and antispyware.

I recommend using KAV or NOD32, and AVG or SpyBot as antispyware.

After that use CCleaner to clean your PC and TuneUp Utilities to Optimize your XP
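
The shell and service entries picked out in the reply above can be pulled from a HijackThis log mechanically. The following is an added example, not part of the original thread or of HijackThis itself: the sample lines are constructed from the log posted above, and the two rules in the hypothetical `triage` function are this example's own heuristics for queuing entries for manual review.

```python
import re

# Constructed sample: header, process and entry lines shaped like the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\QuickTime.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe
O23 - Service: Microsoft Media - Unknown owner - C:\WINDOWS\System32\dllcache\Rtsecar.exe
"""

# HijackThis entry lines look like "<section code> - <body>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return (code, body) pairs, skipping the header and the running-process list."""
    pairs = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def triage(log_text):
    """Flag entries for manual review (heuristics assumed for this example)."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "F2" and "shell=" in body.lower():
            # The stock XP shell value is Explorer.exe alone; anything listed
            # besides it is started at every logon.
            tokens = body.split("=", 1)[1].split()
            extra = tokens[1:] if tokens and tokens[0].lower() == "explorer.exe" else tokens
            if extra:
                findings.append((code, "extra program in Winlogon shell", " ".join(extra)))
        elif code == "O23" and "\\dllcache\\" in body.lower():
            # dllcache holds backup copies of protected system files; a service
            # binary running from there is out of place.
            parts = body.split(" - ")
            name, path = parts[0].replace("Service: ", "", 1), parts[-1]
            findings.append((code, "service binary in dllcache", name + " -> " + path))
    return findings

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```
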
 