Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

C: Does not open via double click and right click


  • Please log in to reply

#1
Hurricane Andrew

Hurricane Andrew

    Member

  • Member
  • PipPip
  • 36 posts
Good day! I am ahaving a problem in opening C:\ through double-click or right-click > open and right-click > explore. I am getting a message that says ""This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.". I can view the contents of C:\ thorugh Windows Explorer and Run > C:. Other folders are open as they open via double-click.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:00 AM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Caffe-Client] c:\program files\Caffe\Client.exe
O4 - HKCU\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupga...crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECAC2FC2-892D-4EB4-873E-35DE494008C5}: NameServer = 202.95.226.77,202.52.163.6
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe

--
End of file - 6073 bytes
  • 0

Advertisements


#2
sari

sari

    GeekU Admin

  • Community Leader
  • 21,805 posts
  • MVP
Being helped in chat.
  • 0

#3
sari

sari

    GeekU Admin

  • Community Leader
  • 21,805 posts
  • MVP
Hurricane_Andrew,

Please download and save http://www.techsuppo...Disinfector.exe

Doubleclick it to run it. It won't produce a report or anything - your background may go blank briefly.

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com

* techsupportforum.com

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Thanks,

sari
  • 0

#4
Hurricane Andrew

Hurricane Andrew

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Hello Sari! Sorry for the delayed reply.

Here's the ComboFix log:

ComboFix 07-10-12.4 - Admin 2007-10-16 10:27:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT 8:00]
Running from: C:\Documents and Settings\Admin\My Documents\Taddwaller\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\smss.exe
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\imgkulot.reg

.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-16 10:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 15:35 <DIR> d-------- C:\Program Files\LogMeIn
2007-10-15 15:24 83,288 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-10-15 15:24 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-10-15 15:24 21,496 --a------ C:\WINDOWS\system32\LMIport.dll
2007-10-15 15:23 75,064 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-10-15 14:54 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Hamachi
2007-10-15 14:53 <DIR> d-------- C:\Program Files\Hamachi
2007-10-15 14:53 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-10-11 17:19 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-06 14:08 <DIR> d-------- C:\Program Files\Blue Coat K9 Web Protection
2007-10-05 13:34 <DIR> d-------- C:\Program Files\Macromedia
2007-10-05 13:34 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2007-10-05 13:33 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-05 12:18 <DIR> d-------- C:\Program Files\Pawsoft
2007-10-02 16:51 23,736 --a------ C:\WINDOWS\system32\lmimirr.dll
2007-10-02 16:51 10,040 --a------ C:\WINDOWS\system32\lmimirr2.dll
2007-09-23 13:12 544 -rahs---- C:\imgkulot.reg
2007-09-23 13:01 <DIR> d-------- C:\Program Files\Caffe
2007-09-23 08:37 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-09-21 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-21 10:42 <DIR> d-------- C:\Program Files\MSBuild
2007-09-21 10:39 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-09-21 10:38 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-09-21 10:37 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-09-21 10:37 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-09-21 10:36 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-21 10:34 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-21 10:34 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-21 10:21 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-09-21 10:21 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-09-21 10:21 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-09-19 13:05 <DIR> d-------- C:\Program Files\WinAce
2007-09-19 12:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-19 12:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-19 12:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-19 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-19 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-19 12:54 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\AVG7
2007-09-18 23:04 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 08:01 --------- d-----w C:\Program Files\mIRC
2007-10-15 08:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\mIRC
2007-10-15 02:00 --------- d-----w C:\Program Files\SkyBlade Sword of the Heavens
2007-10-13 12:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-13 12:11 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-09-13 12:11 --------- d-----w C:\Program Files\Trillian
2007-09-13 12:11 --------- d-----w C:\Program Files\Perfect World
2007-09-13 12:11 --------- d-----w C:\Documents and Settings\Admin\Application Data\Comodo
2007-09-13 12:08 --------- d-----w C:\Program Files\Yahoo!
2007-09-13 06:13 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-09-13 06:13 434,252 ----a-w C:\WINDOWS\system32\MSVCRTD.DLL
2007-09-13 06:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-09-13 06:13 216,576 ----a-w C:\WINDOWS\system32\monln.dll
2007-09-13 06:13 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
2007-09-13 06:13 --------- d-----w C:\Program Files\Comodo
2007-09-13 06:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-09-13 04:14 --------- d-----w C:\Program Files\Marvell
2007-09-13 04:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-13 04:13 --------- d-----w C:\Program Files\Analog Devices
2007-09-13 04:12 --------- d-----w C:\Program Files\Intel
2007-09-12 13:25 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-12 02:20 10,144 ----a-w C:\WINDOWS\system32\drivers\lmimirr.sys
2007-09-12 02:19 8,784 ----a-w C:\WINDOWS\system32\ractrlkeyhook.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-08 12:02 235,008 ----a-w C:\WINDOWS\UNBOC.EXE
2007-07-30 11:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 11:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 11:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 11:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 11:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 11:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-03-30 10:09:40 69,632 --sh--w C:\WINDOWS\system32\msarti.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-09-13 13:26]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-19 12:56]
"VMSnap3"="C:\WINDOWS\VMSnap3.EXE" [2006-08-30 10:58]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" []
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 10:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-29 06:10]
"Caffe-Client"="c:\program files\Caffe\Client.exe" [2007-09-23 13:01]
"Tweak UI"="TWEAKUI.CPL" [2007-09-23 13:01 C:\WINDOWS\system32\TWEAKUI.cpl]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2007-10-15 14:53:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"Run"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-10-02 16:51 75064 C:\WINDOWS\system32\LMIinit.dll

R1 cwmtdi;cwmtdi;C:\WINDOWS\system32\drivers\cwmtdi.sys
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
R3 vmfilter303;vmfilter303;C:\WINDOWS\system32\drivers\vmfilter303.sys
R3 ZSMC303;A4 TECH PC Camera H;C:\WINDOWS\system32\Drivers\usbVM303.sys
S3 BOCDRIVE;BOClean Kernel Monitor.;\??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15f895a2-6dd7-11dc-97f4-0017317f41d0}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa4dbd25-7091-11dc-97fa-0017317f41d0}]
AutoRun\command - E:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef404e52-6ea1-11dc-97f6-0017317f41d0}]
AutoRun\command - D:\
explore\Command - WScript.exe .\imgkulot.vbs
open\Command - WScript.exe .\imgkulot.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff1bea5c-71df-11dc-97fe-0017317f41d0}]
AutoRun\command - D:\auto.exe
explore\Command - D:\auto.exe
open\Command - D:\auto.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 10:30:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 10:30:46
.
--- E O F ---


Here is the new HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:03 AM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\VMSnap3.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Caffe-Client] c:\program files\Caffe\Client.exe
O4 - HKCU\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupga...crypt/npkcx.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECAC2FC2-892D-4EB4-873E-35DE494008C5}: NameServer = 202.95.226.77,202.52.163.6
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe

--
End of file - 6580 bytes

C: opens via double-click now and right-click does not show the (imgkulot) on open and explore options. BUT I can see some "bad guys". Got Admin.exe (visible), auto.exe (hidden) and msarti.com
  • 0

#5
sari

sari

    GeekU Admin

  • Community Leader
  • 21,805 posts
  • MVP
Hurricane_Andrew,

I'm sorry for my delayed reply also.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\imgkulot.reg
D:\auto.exe
imgkulot.vbs

Folder::

Driver::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15f895a2-6dd7-11dc-97f4-0017317f41d0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa4dbd25-7091-11dc-97fa-0017317f41d0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef404e52-6ea1-11dc-97f6-0017317f41d0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff1bea5c-71df-11dc-97fe-0017317f41d0}]
[-HKEY_CLASSES_ROOT\CLSID\{15f895a2-6dd7-11dc-97f4-0017317f41d0}]
[-HKEY_CLASSES_ROOT\CLSID\{aa4dbd25-7091-11dc-97fa-0017317f41d0}]
[-HKEY_CLASSES_ROOT\CLSID\{ef404e52-6ea1-11dc-97f6-0017317f41d0}]
[-HKEY_CLASSES_ROOT\CLSID\{ff1bea5c-71df-11dc-97fe-0017317f41d0}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Where are you seeing the admin.exe and the msarti.com?

Thanks,

sari
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP