Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

why does the icon of my computer (drive c) is changing to a red cross


  • This topic is locked This topic is locked

#1
nessya

nessya

    Member

  • Member
  • PipPip
  • 93 posts
hi, i think my computer has a quite serious problem, yesterday i tried to install a few programs n maybe one of them contains a virus, when i did the virus scanning, i found there's trojan virus there.
i cudn't open my c: or my documents, and almost all.

i tried to cleaned them up using my antivirus program (AVG 7.5, free ed)
and it works

after that, i tried to do another scanning, and the result shows that it has no viruses anymore,

fyi- before there was 8 file were infected, most of them are from system32

the new problem is, even though i can open all my drives like normal, but the icon of my drive c now has changed into a red cross symbol, as shown in the attachments, "screen"

and when i turn my laptop on, there's a box appears, shown in attachments, "error1"

can u please tell me what is going on with my laptop?
and what should i do?

thanks a lot.
waiting for ur reply
thx!
;p

nessya

Attached Thumbnails

  • screen2.GIF

Attached Files


  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello nessya

Welcome to G2Go. :)
You have a variant of Vundo.
=================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
nessya

nessya

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
hi, thanks for helping,

this is my hijack file
;p

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:59, on 2008-02-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GADMEI TVHome Media\ScheduleTV.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\DOCUME~1\user\LOCALS~1\Temp\RtkBtMnt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\efcaxuv.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hmuwdvoq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {14f08370-6aaa-ccea-fa24-ee2654dd6e7c} - {c7e6dd45-62ee-42af-aecc-aaa607380f41} - C:\WINDOWS\system32\howcaoqv.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {F754FB01-7C9D-4F7F-B59C-A0703B19BB52} - C:\WINDOWS\system32\ddaby.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [BroadcomWireless] C:\Program Files\Broadcom\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScheduleTV] "C:\Program Files\GADMEI TVHome Media\ScheduleTV.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [5015bad3] rundll32.exe "C:\WINDOWS\system32\vlbfgjrv.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O20 - Winlogon Notify: efcaxuv - efcaxuv.dll (file missing)
O20 - Winlogon Notify: hmuwdvoq - hmuwdvoq.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 10259 bytes
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
nessya

nessya

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
this is my combofix log

ComboFix 07-08-14.4 - "user" 2008-02-23 23:36:12.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.904 [GMT 8:00]


((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))


2008-02-23 22:15 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-23 22:15 <DIR> d-------- C:\2ec193cf7ab944320119d0c660621e
2008-02-23 17:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 14:09 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2008-02-22 14:08 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-02-22 14:08 <DIR> d-------- C:\Program Files\QuickTime
2008-02-22 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2008-02-22 13:01 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-02-21 21:48 195,080 --ahs---- C:\WINDOWS\system32\ybadd.ini2
2008-02-12 22:31 <DIR> d-------- C:\BackUpMsnCleaner
2008-01-28 20:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2008-01-28 20:04 <DIR> d-------- C:\Program Files\NovaLogic


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-23 20:31 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Skype
2008-02-23 18:42 --------- d-------- C:\Program Files\Winamp Remote
2008-02-22 14:09 --------- d-------- C:\Program Files\Opera
2008-01-31 23:12 --------- d-------- C:\DOCUME~1\user\APPLIC~1\U3
2008-01-28 20:22 --------- d--h----- C:\Program Files\InstallShield Installation Information
2008-01-11 13:53 44544 --a--c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-06 18:11 --------- d-------- C:\Program Files\Nanny Mania
2008-01-06 16:58 --------- d-------- C:\Program Files\Common Files\Sandlot Shared
2008-01-05 00:04 --------- d-------- C:\Program Files\Sushi Frenzy
2007-12-20 07:01 347136 --a--c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 17:51 179584 --a--c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 13:21 3592192 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-07 10:21 824832 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-07 10:21 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-12-07 10:21 63488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-07 10:21 6066176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-07 10:21 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-07 10:21 478208 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-12-07 10:21 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-07 10:21 44544 --a--c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-12-07 10:21 384512 --a--c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-12-07 10:21 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-07 10:21 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-12-07 10:21 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-07 10:21 233472 --a--c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-12-07 10:21 230400 --a--c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-12-07 10:21 214528 --a--c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-12-07 10:21 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-12-07 10:21 153088 --a--c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-12-07 10:21 133120 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-12-07 10:21 124928 --a--c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-12-07 10:21 1159680 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-12-07 10:21 105984 --a--c--- C:\WINDOWS\system32\dllcache\url.dll
2007-12-07 10:21 102912 --a--c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-12-06 19:01 625664 --a--c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 19:00 70656 --a--c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 19:00 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 12:59 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-05 02:38 550912 --a--c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-05 02:38 550912 --a------ C:\WINDOWS\system32\oleaut32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
C:\WINDOWS\system32\efcaxuv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c7e6dd45-62ee-42af-aecc-aaa607380f41}]
C:\WINDOWS\system32\howcaoqv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F754FB01-7C9D-4F7F-B59C-A0703B19BB52}]
C:\WINDOWS\system32\ddaby.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-07-19 09:42 C:\WINDOWS\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 C:\WINDOWS\AGRSMMSG.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 09:41]
"BroadcomWireless"="C:\Program Files\Broadcom\Wireless\Utility\WlanUtil.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 07:13]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 13:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 12:13]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-10 01:56]
"ScheduleTV"="C:\Program Files\GADMEI TVHome Media\ScheduleTV.exe" [2006-12-12 15:57]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 13:28]
"5015bad3"="C:\WINDOWS\system32\vlbfgjrv.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-22 14:09]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 22:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-07 15:08]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 17:21]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-18 14:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 13:15]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2007-10-23 08:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-14 15:31:44]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-06-04 18:50:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\efcaxuv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaxuv]
efcaxuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmuwdvoq]
hmuwdvoq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaby.dll

R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows
S3 USB28xxBGA;USB 2861 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b2161ab-5564-11dc-9e83-0019d275c81b}]
Auto\command- dllcache32.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dllcache32.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6302c8df-6a85-11dc-9ecd-0019d275c81b}]
Auto\command- dllcache32.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dllcache32.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccb67a76-3b72-11dc-9e29-0019d275c81b}]
Auto\command- dllcache32.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dllcache32.exe e


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 23:37:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-02-23 23:37:49

--- E O F ---


thx so much
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
==========================================
Then:
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\vlbfgjrv.dll
Folder::
C:\WINDOWS\system32\windows
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c7e6dd45-62ee-42af-aecc-aaa607380f41}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F754FB01-7C9D-4F7F-B59C-A0703B19BB52}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5015bad3"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcaxuv] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hmuwdvoq]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b2161ab-5564-11dc-9e83-0019d275c81b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6302c8df-6a85-11dc-9ecd-0019d275c81b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccb67a76-3b72-11dc-9e29-0019d275c81b}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]
Driver::
MSControlService
Microsoft cache control


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by kahdah, 23 February 2008 - 10:48 AM.

  • 0

#7
nessya

nessya

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
i really thank u for helping me through the process
;p

this is the new combofix log

ComboFix 07-08-14.4 - "user" 2008-02-24 10:37:10.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.999 [GMT 8:00]
Command switches used :: C:\Nessya\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\vlbfgjrv.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ybadd.ini2


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_MSCONTROLSERVICE
-------\MSControlService


((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))


2008-02-24 10:21 <DIR> drahs---- C:\autorun.inf
2008-02-23 17:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-22 14:09 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2008-02-22 14:08 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-02-22 14:08 <DIR> d-------- C:\Program Files\QuickTime
2008-02-22 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2008-02-22 13:01 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-02-12 22:31 <DIR> d-------- C:\BackUpMsnCleaner
2008-01-28 20:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2008-01-28 20:04 <DIR> d-------- C:\Program Files\NovaLogic


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-02-24 10:30 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Skype
2008-02-24 08:01 --------- d-------- C:\Program Files\Winamp
2008-02-24 07:57 --------- d-------- C:\Program Files\MSN Messenger
2008-02-24 07:55 --------- d-------- C:\Program Files\Launch Manager
2008-02-24 07:54 --------- d-------- C:\Program Files\Google
2008-02-24 07:54 --------- d-------- C:\Program Files\GADMEI TVHome Media
2008-02-23 18:42 --------- d-------- C:\Program Files\Winamp Remote
2008-02-22 14:09 --------- d-------- C:\Program Files\Opera
2008-01-31 23:12 --------- d-------- C:\DOCUME~1\user\APPLIC~1\U3
2008-01-28 20:22 --------- d--h----- C:\Program Files\InstallShield Installation Information
2008-01-11 13:53 44544 --a--c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-06 18:11 --------- d-------- C:\Program Files\Nanny Mania
2008-01-06 16:58 --------- d-------- C:\Program Files\Common Files\Sandlot Shared
2008-01-05 00:04 --------- d-------- C:\Program Files\Sushi Frenzy
2007-12-20 07:01 347136 --a--c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 17:51 179584 --a--c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 13:21 3592192 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-07 10:21 824832 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-07 10:21 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-12-07 10:21 63488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-07 10:21 6066176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-07 10:21 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-07 10:21 478208 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-12-07 10:21 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-07 10:21 44544 --a--c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-12-07 10:21 384512 --a--c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-12-07 10:21 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-07 10:21 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-12-07 10:21 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-07 10:21 233472 --a--c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-12-07 10:21 230400 --a--c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-12-07 10:21 214528 --a--c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-12-07 10:21 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-12-07 10:21 153088 --a--c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-12-07 10:21 133120 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-12-07 10:21 124928 --a--c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-12-07 10:21 1159680 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-12-07 10:21 105984 --a--c--- C:\WINDOWS\system32\dllcache\url.dll
2007-12-07 10:21 102912 --a--c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-12-06 19:01 625664 --a--c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 19:00 70656 --a--c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 19:00 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 12:59 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-05 02:38 550912 --a--c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-05 02:38 550912 --a------ C:\WINDOWS\system32\oleaut32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-07-19 09:42 C:\WINDOWS\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 C:\WINDOWS\AGRSMMSG.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 09:41]
"BroadcomWireless"="C:\Program Files\Broadcom\Wireless\Utility\WlanUtil.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 07:13]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 13:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 12:13]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-10 01:56]
"ScheduleTV"="C:\Program Files\GADMEI TVHome Media\ScheduleTV.exe" [2006-12-12 15:57]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 13:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-22 14:09]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 22:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-07 15:08]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 17:21]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-18 14:14]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 13:15]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2007-10-23 08:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-14 15:31:44]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-06-04 18:50:03]

R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S3 USB28xxBGA;USB 2861 Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 10:40:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-02-24 10:42:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-02-24 10:42
C:\ComboFix2.txt ... 2008-02-23 23:37

--- E O F ---


i'll send the other one in my next reply
;p

thanks so much

;p
nessya
  • 0

#8
nessya

nessya

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
this is my hijackthis log

anw how serious is this problem gonna infect my laptop?

i really appreciate ur kindness

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:49 AM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\GADMEI TVHome Media\ScheduleTV.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\DOCUME~1\user\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [BroadcomWireless] C:\Program Files\Broadcom\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScheduleTV] "C:\Program Files\GADMEI TVHome Media\ScheduleTV.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 9406 bytes
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Shouldn't be a problem after the malware is gone. :)
Has the red X disappeared?

=====================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
  • 0

#10
nessya

nessya

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
wow! great great greatt!!!! the red x has disappeared and now back to normal!!!
thx so much

:) :) :) :) :)

still got a lot malware here in my laptop?

this is the log

Malwarebytes' Anti-Malware 1.05
Database version: 400

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 86818
Time elapsed: 20 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hmuwdvoq.dllbox (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
  • 0

Advertisements


#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#12
nessya

nessya

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
hi, i counter problem with the kaspersky online test, it says:

"Failed to load Kaspersky Online Scanner ActiveX control!

You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level."

what am i supposed to do?

i send u the picture of the page
thanks

Attached Files


  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok may be problem with the scanner:
Try this one:

Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report

  • 0

#14
nessya

nessya

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
wow, i took me so long to open d page, even now is still not yet opened.

anw is it the same one as the panda online scanning?

can i open d panda's web page n try to do the scan from that page?

actually i did the scan last night but i didn save the note.
it says that my laptop has 1 infected file

:)
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok some times online scans don't work very well.

Le's do this instead as I think you are pretty much cleaned up.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post that log in your next reply.

(Note if you cannot open the log it produces then right click on it and choose rename.
Rename it to .txt and you will be able to open it)

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP