
zinblog.com Virus

Discussion in 'Malware and Virus Removal Archive' started by ajmjam, 2007/02/28.

  1. 2007/02/28
    ajmjam (Thread Starter)
    Dear Sirs,

    Recently our PCs got infected with a virus (around 3 PCs). It started spreading through USB drives. This virus hijacked the browser homepage and changed it to zinblog.com. Also the Run command and Task Manager are disabled.
    We are not able to edit the registry as it says the registry is locked by the administrator. The system became very slow.
    We have run Kaspersky Anti-Virus and it removed all the viruses and now the system is fast.

    But how do we restore Task Manager and the Run command, and also get access to registry editing?

    Thanks in advance
     
  2. 2007/02/28
    TeMerc (Alumni)
    Hi and welcome to the Windows BBS Forums.

    For us to help you, it would be best if we had a better idea as to what was on your system.

    Could you provide us with the specific names and all the info which was provided to you by your AV?

    It would also help us to see what may be remaining, if anything, on the system via a HijackThis! log file.

    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select Next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and Notepad will open with the contents of the scan. Right-click in the saved log and select 'Copy'. Then proceed to your original thread, unless otherwise instructed, click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     

  3. 2007/03/01
    ajmjam (Thread Starter)
    Dear sir,

    Here is the HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:36:29 PM, on 3/1/2007
    Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    G:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zinblog.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emiratesnet.ae:8080
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system\lsass.exe
    F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

    Here is the virus description as detected by the great "Kaspersky".

    deleted: virus Worm.Win32.VB.ck File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSconfig.exe//PE_Patch.UPX//UPX
    not found: virus Worm.Win32.VB.ck Running module: lsass.exe\lsass.exe
    deleted: virus Worm.Win32.VB.ck File: C:\WINDOWS\lsass.exe//PE_Patch.UPX//UPX
    deleted: virus Worm.Win32.VB.ck File: c:\windows\system\lsass.exe//PE_Patch.UPX//UPX
    deleted: virus Worm.Win32.VB.ck File: G:\New Folder.exe//PE_Patch.UPX//UPX
    deleted: virus Worm.Win32.VB.ck File: G:\boot.exe//PE_Patch.UPX//UPX
    not found: virus Worm.Win32.VB.ck File: G:\boot.exe//PE_Patch.UPX//UPX
    detected: riskware Hidden install Running process: C:\Program Files\AutoCAD 2006\acad.exe
    deleted: virus Worm.Win32.VB.ck File: C:\System Volume Information\_restore{93D7B5FE-E5E7-42E0-93C9-5B59199D8E05}\RP2\A0000204.exe//PE_Patch.UPX//UPX
    deleted: virus Worm.Win32.VB.ck File: C:\System Volume Information\_restore{93D7B5FE-E5E7-42E0-93C9-5B59199D8E05}\RP2\A0000207.exe//PE_Patch.UPX//UPX
    deleted: virus Worm.Win32.VB.ck File: C:\System Volume Information\_restore{93D7B5FE-E5E7-42E0-93C9-5B59199D8E05}\RP2\A0000209.EXE//PE_Patch.UPX//UPX
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\WINDOWS\system\111.exe//PE_Patch.UPX//UPX//script.au3
    deleted: virus Worm.Win32.VB.ck File: C:\Documents and Settings\Planning\Local Settings\Temp\svhost.exe//PE_Patch.UPX//UPX
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\Documents and Settings\Planning\Local Settings\Temp\svhost_32.exe//PE_Patch.UPX//UPX
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\Documents and Settings\Planning\Local Settings\Temp\svhost_32.exe//PE_Patch.UPX//UPX//script.au3
    deleted: virus Worm.Win32.VB.ck File: C:\Documents and Settings\Planning\Local Settings\Temporary Internet Files\Content.IE5\HO00IVZZ\zun[1].exe//PE_Patch.UPX//UPX
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\Documents and Settings\Planning\Local Settings\Temporary Internet Files\Content.IE5\HO00IVZZ\zin[1].exe//PE_Patch.UPX//UPX
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\Documents and Settings\Planning\Local Settings\Temporary Internet Files\Content.IE5\HO00IVZZ\zin[1].exe//PE_Patch.UPX//UPX//script.au3
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\Documents and Settings\Planning\Local Settings\Temporary Internet Files\Content.IE5\K0DFTREB\zin[1].exe//PE_Patch.UPX//UPX
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\Documents and Settings\Planning\Local Settings\Temporary Internet Files\Content.IE5\K0DFTREB\zin[1].exe//PE_Patch.UPX//UPX//script.au3
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\System Volume Information\_restore{93D7B5FE-E5E7-42E0-93C9-5B59199D8E05}\RP2\A0000234.exe//PE_Patch.UPX//UPX
    deleted: virus IM-Worm.Win32.Sohanad.u File: C:\System Volume Information\_restore{93D7B5FE-E5E7-42E0-93C9-5B59199D8E05}\RP2\A0000234.exe//PE_Patch.UPX//UPX//script.au3

    The visible damage after removing the virus is: Task Manager is disabled, the Run command is not available in the menu, and editing of the registry is not possible.

    Could you please identify from the log whether any other part of the system was affected, and how to restore the above damage?

    Thanks
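The log above already shows where the three lockdowns the poster asks about come from, and why they survived the Kaspersky clean-up: the O7 line is the HKCU policy that blocks regedit, the O6 line is the Internet Explorer policy key the worm created, and the two F2 lines show the Winlogon Shell and UserInit values still chained to C:\WINDOWS\system\lsass.exe, a file Kaspersky has since deleted, so those values need to be put back to their defaults rather than left pointing at nothing. Task Manager and Run are not listed by HijackThis 1.99 but are controlled by the DisableTaskMgr and NoRun policy values next to the one it does show. The following script is an added triage helper written for this page; it is not code from the thread or from HijackThis or Kaspersky. It parses the relevant entry types from the posted log (copied inline as a constructed sample) and prints reg.exe commands that reset them. It assumes a 32-bit XP install in C:\WINDOWS, that HijackThis' O7 label "DisableRegedit" refers to the registry value DisableRegistryTools, and it deliberately does not touch the R1 proxy entry, which looks like an ISP proxy and is for the reader to judge. reg.exe is used because regedit.exe refuses to run while DisableRegistryTools is set, whereas reg.exe does not check that policy; the HKCU commands must be run in the session of the affected user ("Planning" in the paths above).

```python
r"""Added triage helper (not from the thread): parse the HijackThis entries
behind the lockdowns reported above and emit reg.exe commands that undo
them. Assumptions: 32-bit XP installed in C:\WINDOWS, and that HijackThis'
O7 label "DisableRegedit" refers to the DisableRegistryTools value."""
import re

# Constructed sample: the R0/F2/O6/O7 lines copied from the posted log,
# plus one benign O4 line to show that unrelated entries are ignored.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zinblog.com/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system\lsass.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
# Assumed defaults for a 32-bit XP install in C:\WINDOWS.
DEFAULT_SHELL = "Explorer.exe"
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
# HJT label -> real registry value name (assumption stated in the lead-in).
O7_LABELS = {"DisableRegedit": "DisableRegistryTools"}
# Lockdowns the poster reports (Task Manager, Run) that HJT 1.99 does not
# list; cleared unconditionally.
ALWAYS_CLEAR = [(POLICIES + r"\System", "DisableTaskMgr"),
                (POLICIES + r"\Explorer", "NoRun")]
# F2 name -> (registry value name, expected binary, default value)
WINLOGON_DEFAULTS = {"Shell": ("Shell", "explorer.exe", DEFAULT_SHELL),
                     "UserInit": ("Userinit", "userinit.exe", DEFAULT_USERINIT)}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O6_RE = re.compile(r"^O6 - (HK\w+\\.+) present$")
O7_RE = re.compile(r"^O7 - (HK\w+\\[^,]+), (\w+)=(\S+)$")
R0_RE = re.compile(r"^R0 - (HK\w+\\[^,]+),(.+?) = (.*)$")


def _extra_entries(value, allowed_exe):
    """Entries in a Shell/UserInit string other than the expected binary.
    Splits on commas and whitespace, so a legitimate path containing a
    space would be reported too; acceptable for a triage tool."""
    parts = [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return [p for p in parts if p.rsplit("\\", 1)[-1].lower() != allowed_exe]


def parse_hjt(text):
    """Return findings as tuples; only the entry types relevant here are handled."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            name, value = m.groups()
            extra = _extra_entries(value, WINLOGON_DEFAULTS[name][1])
            if extra:
                findings.append(("winlogon", name, extra))
            continue
        m = O7_RE.match(line)
        if m:
            key, label, _data = m.groups()
            findings.append(("policy", key, O7_LABELS.get(label, label)))
            continue
        m = O6_RE.match(line)
        if m:
            findings.append(("ie_policy_key", m.group(1)))
            continue
        m = R0_RE.match(line)
        if m:
            key, value, data = m.groups()
            findings.append(("start_page", key, value, data))
    return findings


def remediation_commands(findings):
    """reg.exe commands to run from a cmd prompt in the affected user's session."""
    cmds = []

    def add(cmd):
        if cmd not in cmds:
            cmds.append(cmd)

    for key, name in ALWAYS_CLEAR:
        add('reg delete "%s" /v %s /f' % (key, name))
    for f in findings:
        if f[0] == "policy":
            add('reg delete "%s" /v %s /f' % (f[1], f[2]))
        elif f[0] == "winlogon":
            reg_name, _exe, default = WINLOGON_DEFAULTS[f[1]]
            add('reg add "%s" /v %s /t REG_SZ /d "%s" /f' % (WINLOGON, reg_name, default))
        elif f[0] == "ie_policy_key":
            add('reg delete "%s" /f' % f[1])
        elif f[0] == "start_page":
            add('reg add "%s" /v "%s" /t REG_SZ /d "about:blank" /f' % (f[1], f[2]))
    return cmds


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for f in found:
        print("finding:", f)
    print("\n".join(remediation_commands(found)))
```

Review the printed commands before pasting them into a cmd prompt on the affected machine; the Winlogon lines are the ones that matter most, since a Shell or Userinit value that points at a deleted file is what turns a cleaned machine into one that misbehaves at logon. The Kaspersky report also shows copies of the worm on the removable drive G: (boot.exe, New Folder.exe) and in the System Volume Information restore point, so the same USB stick should be cleaned before it is plugged into another PC.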
     
