Author Topic: Win32:Rootkit-gen [Rtk]/Win32:Virut-C/Win32:Virtob/Win32:Trojan-Gen {Other}

Fnord

  • Guest
Avast has detected these viruses and, after two days of trawling through the internet, I cannot find a way to rid my system of these infections. I will post the HijackThis log in a minute, but for now I would like to know if these four are related and if there is a way to find out who created these things and why, or, failing that, to trace them.

BTW Avast Admin, the repair function is far too generic when it cannot fix the problem; I want to know why it cannot be repaired.

Apologies in advance for the tone, but this problem simply won't go away and I don't quite understand what program they are being generated from. I only hope you guys can help me, as I have not got a clue how to destroy these viruses.
Oh, it may or may not be important, but Avast only detects them when I'm online.
Spybot S&D didn't detect them, and neither did Dr.Web CureIt or RootkitBuster.

HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:00, on 23/03/2009
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Tools\Avast4\aswUpdSv.exe
C:\Tools\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Tools\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\DNA\btdna.exe
C:\Tools\3\3Connect\AutoUpdateSrv.exe
C:\Tools\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Tools\3\3Connect\Wilog.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Tools\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\Tools\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Tools\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [LanguageShortcut] C:\Tools\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Tools\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Tools\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\Tools\DAP\dapextie.htm
O8 - Extra context menu item: &NeoTrace It! - C:\Tools\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Tools\DAP\DAP.EXE
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Games\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Games\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Tools\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Tools\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\Tools\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E921E96-5507-4AFD-9905-C00CA8B1AA7A}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{7979E5C4-D6ED-4BD1-8699-2A067797A768}: NameServer = 4.2.2.3 4.2.2.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD563D1B-7E82-48F9-8A51-9F526A1B0148}: NameServer = 127.0.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3E921E96-5507-4AFD-9905-C00CA8B1AA7A}: NameServer = 127.0.0.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{3E921E96-5507-4AFD-9905-C00CA8B1AA7A}: NameServer = 127.0.0.1
O20 - AppInit_DLLs: 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Tools\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Tools\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Tools\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Tools\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6717 bytes

------------------------------

Thanks in advance people.
Fnord...

-----------------------------

"Help me Obi-Wan Kenobi you're my only hope"

 

graveash

  • Guest
Welcome to the forums fnord,

There is currently an ongoing discussion about this infection located here:
http://forum.avast.com/index.php?topic=42709.0

CharleyO

  • Guest
***

An Analysis of your HJT log shows the below :

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.

Platform: Windows XP (WinNT 5.01.2600)
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack. In fact, there have been 3 service packs released and you have none of them! This is considered very unsafe.

MSIE: Internet Explorer v6.00 (6.00.2600.0000)
The version (6.00.2600.0000) is out of date. Check Windowsupdate to update the Internet Explorer.

O17 - HKLM\System\CCS\Services\Tcpip\..\{7979E5C4-D6ED-4BD1-8699-2A067797A768}: NameServer = 4.2.2.3 4.2.2.4
Do you know the IP or Domain '4.2.2.3 4.2.2.4'? If not, fix this entry.
Researching {7979E5C4-D6ED-4BD1-8699-2A067797A768} produced no results.

O20 - AppInit_DLLs:
Must be fixed.


With such a very unpatched OS, I am surprised this was all that was found. You are lucky.

Please follow the link graveash supplied above.



***
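The O17 and O20 checks in the analysis above (DNS resolvers set per network interface, and the AppInit_DLLs value that is loaded into every process) are the kind of thing a responder audits first, because a hijacked resolver redirects every lookup the machine makes. The following script is an added example, not part of this thread or of HijackThis: it parses the O17 and O20 lines from a HijackThis log, classifies each configured resolver as trusted, loopback, private or external, collapses duplicates that only differ by control set (CCS/CS2/CS3), and reports what to verify for each class. The sample lines are copied from the log posted above; the resolver allowlist `TRUSTED_RESOLVERS` is a constructed assumption standing in for the servers an administrator knows the network should use.

```python
"""Audit O17 (NameServer) and O20 (AppInit_DLLs) lines from a HijackThis log.

Added example for this thread; not code from HijackThis or avast. The sample
lines are taken from the log posted in the thread. TRUSTED_RESOLVERS is a
constructed allowlist: on a real network it holds the resolvers the
administrator expects to see.
"""
import ipaddress
import re
from collections import Counter

# Constructed assumption: the resolver(s) this network is supposed to use.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# O17 - HKLM\System\<controlset>\Services\Tcpip\..\{<interface GUID>}: NameServer = a.b.c.d [e.f.g.h]
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>[A-Za-z0-9]+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$"
)
# O20 - AppInit_DLLs: <list of DLLs, possibly empty>
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")

# What a responder should do for each resolver class (defensive guidance only).
ADVICE = {
    "loopback": "DNS goes to 127.0.0.1: identify the local service listening on udp/53 and confirm it is legitimate",
    "private": "resolver is on a private range but not on the allowlist: confirm it with the network owner",
    "external": "resolver is a public address not on the allowlist: confirm it is an intended, known resolver",
    "invalid": "value is not an IP address: the entry is malformed and should be reviewed",
    "appinit-dlls": "AppInit_DLLs is non-empty: every listed DLL is injected into user-mode processes, verify each one",
    "appinit-empty": "AppInit_DLLs is present but empty: informational, nothing is being injected",
}


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """Classify one configured DNS server address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in trusted:
        return "trusted"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "external"


def audit_hjt(lines, trusted=TRUSTED_RESOLVERS):
    """Return a list of findings (dicts) for the O17/O20 lines in a HJT log.

    The same interface GUID appears once per control set, so findings are
    de-duplicated on (interface GUID, server) to avoid triple-reporting.
    """
    findings, seen = [], set()
    for raw in lines:
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split():
                cls = classify_resolver(server, trusted)
                key = (m.group("guid"), server)
                if cls == "trusted" or key in seen:
                    continue
                seen.add(key)
                findings.append({"item": "O17", "interface": m.group("guid"),
                                 "value": server, "class": cls})
            continue
        m = O20_RE.match(line)
        if m:
            dlls = m.group("dlls").strip()
            findings.append({"item": "O20", "interface": None, "value": dlls,
                             "class": "appinit-dlls" if dlls else "appinit-empty"})
    return findings


def summarize(findings):
    """Count findings per class, e.g. {'loopback': 2, 'external': 2, ...}."""
    return Counter(f["class"] for f in findings)


# Sample input: the O17/O20 lines from the log posted in this thread.
SAMPLE_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3E921E96-5507-4AFD-9905-C00CA8B1AA7A}: NameServer = 127.0.0.1",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{7979E5C4-D6ED-4BD1-8699-2A067797A768}: NameServer = 4.2.2.3 4.2.2.4",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{FD563D1B-7E82-48F9-8A51-9F526A1B0148}: NameServer = 127.0.0.1",
    r"O17 - HKLM\System\CS2\Services\Tcpip\..\{3E921E96-5507-4AFD-9905-C00CA8B1AA7A}: NameServer = 127.0.0.1",
    r"O17 - HKLM\System\CS3\Services\Tcpip\..\{3E921E96-5507-4AFD-9905-C00CA8B1AA7A}: NameServer = 127.0.0.1",
    "O20 - AppInit_DLLs: ",
]

if __name__ == "__main__":
    for f in audit_hjt(SAMPLE_LINES):
        where = f"interface {f['interface']}" if f["interface"] else "registry value"
        print(f"{f['item']} {where}: {f['value'] or '<empty>'} [{f['class']}] -> {ADVICE[f['class']]}")
    print("summary:", dict(summarize(audit_hjt(SAMPLE_LINES))))
```

Run against the posted log, the script reports two interfaces pointed at the loopback resolver, one interface pointed at two public resolvers that are not on the allowlist, and an empty AppInit_DLLs value; the duplicate CS2/CS3 entries for the same interface are folded into the CCS finding. Whether a loopback resolver is benign depends on what is actually listening on port 53, which is why the advice is to identify that service rather than to remove the entry blindly.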

Jtaylor83

  • Guest
The only option is to format + reinstall because Win32:Virut/Win32:Virtob is a dangerous file infector.

http://www.avast.com/eng/win32-virut.html
« Last Edit: March 24, 2009, 06:48:46 AM by Jtaylor83 »