kxvo.exe PLEASE HELP [RESOLVED]


#1 amm007 (Member, 265 posts)
One of the USBs inserted in my PC got a virus on it, infecting my PC plus the external hard disk I have. I tried using the one on http://www.en.mygeekside.com/?p=18 desperately hoping it would help me. However, just when I thought it solved the problem, it solved only a few symptoms (like showing hidden folders, which the virus disabled previously). My external hard disk also has got a volume information folder that is hidden, plus another named "recycled" which got tons of files that are undeletable... I already tried some of the steps in http://www.geekstogo...amp;hl=kxvo.exe knowing I had a similar problem, but it still won't clean all the infections.

Hoping someone could help. :) :) I badly need my computer up! Thanks in advance! Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:05 PM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\EPoX\EPTP\EPTP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [hwmdr] "C:\Program Files\EPoX\EPTP\EPTP.EXE" "5000"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [EPSON Stylus C90 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZP.EXE /FU "C:\WINDOWS\TEMP\E_S5EE.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

--
End of file - 8744 bytes

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello amm007

Welcome to G2Go. :)
================
You have 2 anti-virus programs running.
Please uninstall McAfee and leave AVG.
==============================
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

#3 amm007 (Topic Starter, Member, 265 posts)
Thank you so much for responding! Hope we can work this out. By the way, are the steps we do here applicable to my laptop too? I believe it is also infected. Thanks a lot again!

COMBOFIX LOG:


ComboFix 08-03-05.3 - Adrian 2008-03-06 21:12:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.140 [GMT 8:00]
Running from: C:\Documents and Settings\Adrian\Desktop\Virus FIX\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-05 21:55 . 2008-03-05 21:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 18:27 . 2008-02-22 18:27 1,409 --a------ C:\WINDOWS\system32\tmpFCD82.FOT
2008-02-22 02:09 . 2008-02-22 02:09 1,409 --a------ C:\WINDOWS\system32\tmp40E30.FOT
2008-02-19 18:39 . 2008-02-19 18:40 <DIR> d-------- C:\Program Files\Buddy Spy
2008-02-19 18:39 . 2006-01-29 10:36 152,848 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-02-19 18:39 . 2006-01-29 10:36 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-02-17 17:50 . 2008-02-17 17:50 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-15 22:16 . 2008-03-06 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-15 22:16 . 2008-02-15 22:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-09 19:16 . 2008-02-09 19:16 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-02-09 19:16 . 2004-05-11 08:14 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-02-09 19:16 . 2006-05-11 18:32 502,784 --a------ C:\WINDOWS\x2.64.exe
2008-02-09 19:16 . 2006-12-12 14:15 471,552 --a------ C:\WINDOWS\system32\Smab.dll
2008-02-09 19:16 . 2006-11-12 13:44 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2008-02-09 19:16 . 2005-11-10 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2008-02-09 19:16 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
2008-02-09 19:16 . 2004-01-03 00:08 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2008-02-09 19:16 . 2004-01-03 00:08 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2008-02-09 19:16 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
2008-02-09 19:16 . 2005-07-11 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-02-09 19:13 . 2008-02-09 19:13 <DIR> d-------- C:\Program Files\eRightSoft
2008-02-07 17:48 . 2008-02-07 17:48 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 13:06 --------- d-----w C:\Program Files\McAfee.com
2008-03-06 13:04 --------- d-----w C:\Documents and Settings\Adrian\Application Data\DNA
2008-03-06 12:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-06 12:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-06 12:38 --------- d-----w C:\Documents and Settings\Adrian\Application Data\AVG7
2008-03-04 12:16 --------- d-----w C:\Program Files\Yahoo!
2008-02-19 10:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-02 14:27 --------- d-----w C:\Documents and Settings\Adrian\Application Data\Samsung
2008-02-02 12:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 12:25 --------- d-----w C:\Program Files\Samsung
2008-01-29 13:13 --------- d-----w C:\Program Files\Java
2008-01-29 12:47 --------- d-----w C:\Program Files\Common Files\Java
2008-01-29 10:27 --------- d-----w C:\Documents and Settings\Adrian\Application Data\McAfee.com Personal Firewall
2008-01-27 05:05 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-26 13:09 --------- d-----w C:\Program Files\ChikkaV4
2008-01-26 11:47 --------- d-----w C:\Documents and Settings\Adrian\Application Data\Winamp
2008-01-26 10:49 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-26 08:10 --------- d-----w C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2008-01-26 06:32 --------- d-----w C:\Program Files\Microsoft Encarta
2008-01-26 06:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-26 06:24 --------- d-----w C:\Program Files\McAfee AntiSpyware 1.00 Install
2008-01-26 06:21 --------- d-----w C:\Documents and Settings\Adrian\Application Data\Ahead
2008-01-26 06:19 --------- d-----w C:\Program Files\Nero
2008-01-26 06:19 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-26 05:43 --------- d-----w C:\Documents and Settings\Adrian\Application Data\BitTorrent
2008-01-26 05:38 --------- d-----w C:\Program Files\ArcSoft
2008-01-26 05:36 --------- d-----w C:\Program Files\KODAK
2008-01-26 05:35 --------- d-----w C:\Program Files\Common Files\KODAK
2008-01-26 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-26 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-26 05:23 --------- d-----w C:\Documents and Settings\Adrian\Application Data\Apple Computer
2008-01-26 05:19 --------- d-----w C:\Program Files\iTunes
2008-01-26 05:19 --------- d-----w C:\Program Files\iPod
2008-01-26 05:18 --------- d-----w C:\Program Files\QuickTime
2008-01-26 05:18 --------- d-----w C:\Program Files\Bonjour
2008-01-26 05:15 --------- d-----w C:\Program Files\Apple Software Update
2008-01-26 04:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-26 04:49 --------- d-----w C:\Program Files\EPSON
2008-01-26 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2008-01-26 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-01-26 04:41 --------- d-----w C:\Program Files\Winamp Remote
2008-01-26 04:41 --------- d-----w C:\Program Files\Winamp
2008-01-26 04:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-01-26 04:36 --------- d-----w C:\Program Files\Realtek
2008-01-26 04:36 --------- d-----w C:\Program Files\AMD
2008-01-26 04:17 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-26 04:17 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-26 04:17 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-26 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-26 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-26 04:10 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-26 04:06 --------- d-----w C:\Program Files\Ocean Technology
2008-01-26 04:06 --------- d-----w C:\Documents and Settings\Adrian\Application Data\InstallShield
2008-01-26 03:57 --------- d-----w C:\Program Files\DNA
2008-01-26 03:57 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-26 03:57 --------- d-----w C:\Program Files\BitTorrent
2008-01-26 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-01-26 03:55 --------- d-----w C:\Program Files\AnalogX
2008-01-26 03:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-26 03:49 --------- d-----w C:\Program Files\Common Files\L&H
2008-01-26 03:48 --------- d-----w C:\Program Files\Microsoft Works
2008-01-26 03:46 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-26 03:34 --------- d-----w C:\Documents and Settings\Adrian\Application Data\ATI
2008-01-26 03:33 --------- d-----w C:\Documents and Settings\Adrian\Application Data\Talkback
2008-01-26 03:32 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-01-26 03:30 --------- d-----w C:\Program Files\ATI Technologies
2008-01-26 03:24 --------- d-----w C:\Program Files\EPoX
2008-01-26 02:49 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"EPSON Stylus C90 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZP.exe" [2006-09-27 12:00 139264]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-02-12 21:14 287040]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-08 04:02 495616]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"kxva"="C:\WINDOWS\system32\kxvo.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetStat Live"="C:\Program Files\AnalogX\NetStat Live\nsl.exe" [2008-01-26 11:55 126980]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 06:54 37376]
"SkyTel"="SkyTel.EXE" [2006-04-24 15:20 1448960 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 15:59 16206848 C:\WINDOWS\RTHDCPL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2005-10-20 14:45 871936]
"hwmdr"="C:\Program Files\EPoX\EPTP\EPTP.exe" [2006-04-24 11:50 984576]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-26 12:16 579072]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 06:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-26 12:16 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 epcpuid;epcpuid;C:\WINDOWS\system32\drivers\epcpuid.sys [2005-03-18 10:32]
R2 GetBINFile;GetBINFile;C:\WINDOWS\system32\drivers\GetBINFile.sys [2004-11-26 10:08]
R2 hwmdr;hwmdr;C:\WINDOWS\system32\drivers\hwmdr.sys [2005-12-09 17:30]
R3 EPScanMemory;EPScanMemory;C:\Program Files\EPoX\EPTP\ScanMemory32.sys [2005-06-21 16:27]
R3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-05-05 09:25]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 05:15:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 21:13:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-06 21:14:11
ComboFix2.txt 2008-03-06 13:10:52
.
2008-02-17 09:30:46 --- E O F ---

HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:54 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\EPoX\EPTP\EPTP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [hwmdr] "C:\Program Files\EPoX\EPTP\EPTP.EXE" "5000"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [EPSON Stylus C90 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZP.EXE /FU "C:\WINDOWS\TEMP\E_S5EE.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7330 bytes

#4 amm007 (Topic Starter, Member, 265 posts)
By the way, I also found out that the virus creeps on small networks... Another computer I have just got infected without any contact to the USB where all this originated. Hope you can suggest a general solution to all of this....

#5 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Disconnect the other computer from the network temporarily.
We will reconnect it in a bit.

When we are done with this log I will clean your laptop.
==================================
Make sure that you paste the following file paths under the yellow bar within the OTMoveit2 program or it will not work correctly.


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\kxvo.exe
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\kxva
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================================================
Then:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
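The two items the helper asked OTMoveIt2 to remove above are a dropped executable in system32 and the HKCU Run value that launches it at logon. As an added example (not part of the original post, and not OTMoveIt2's or HijackThis's code), the following Python picks that kind of autostart out of a HijackThis log: an O4 entry whose image sits directly in the Windows or system32 folder under a name the analyst has not allowlisted, or a bare filename that Windows resolves through PATH. The sample log lines are constructed; the [kxva] line mirrors the Run value removed above, the others are benign entries of the kind the posted logs contain, and the allowlist is seeded from the Windows-folder autostarts in the posted log (an assumption, not an authoritative list).

```python
"""Flag suspicious autostart (O4) entries in a HijackThis log.

Added example for this thread; not the forum's, HijackThis's or OTMoveIt2's
code. SAMPLE_LOG is constructed: the [kxva] line mirrors the Run value removed
above, the rest are benign entries of the kind the posted logs contain.
KNOWN_WINDOWS_DIR_AUTOSTARTS is an analyst-maintained allowlist seeded from the
posted log (an assumption, not an authoritative list).
"""
import re

# O4 line shape:  O4 - <hive>\..\<key>: [<name>] <command line>
# <hive> is HKLM, HKCU, or HKUS\<SID> / HKUS\.DEFAULT for other users' hives.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# First token that ends in an executable extension (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^(?P<exe>.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)', re.IGNORECASE)

WINDOWS_DIRS = ('c:\\windows', 'c:\\windows\\system32')
KNOWN_WINDOWS_DIR_AUTOSTARTS = {'ctfmon.exe', 'nerocheck.exe', 'skytel.exe', 'rthdcpl.exe'}

# Constructed sample: one dropper-style entry among benign ones taken from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus C90 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZP.EXE /FU "C:\WINDOWS\TEMP\E_S5EE.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
"""


def image_path(cmd):
    """Executable part of a Run command line: the quoted path if quoted, else the
    first token ending in an executable extension, else the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m['exe'] if m else cmd.split(' ', 1)[0]


def parse_o4(lines):
    """Return one dict per O4 line: hive, key, name, cmd and the resolved image path."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry['image'] = image_path(entry['cmd'])
            entries.append(entry)
    return entries


def suspicious_o4(lines):
    """Entries whose image lives directly in the Windows or system32 folder under a
    name not on the allowlist, or is a bare filename resolved via PATH.
    Legitimate software almost always starts from its own Program Files folder;
    a dropper that copies itself into system32 and adds a Run value does not."""
    flagged = []
    for entry in parse_o4(lines):
        directory, _, base = entry['image'].lower().rpartition('\\')
        if base in KNOWN_WINDOWS_DIR_AUTOSTARTS:
            continue
        if directory in WINDOWS_DIRS or directory == '':
            flagged.append(entry)
    return flagged


if __name__ == '__main__':
    for entry in suspicious_o4(SAMPLE_LOG.splitlines()):
        print(f"{entry['hive']}\\..\\{entry['key']} [{entry['name']}] -> {entry['image']}")
```

Only the [kxva] line is flagged: the Epson entry also lives under system32 but in a driver subfolder, and ctfmon/NeroCheck/SkyTel are on the allowlist. The check is a triage heuristic, not a verdict; anything it flags still needs the file itself looked at.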

#6 amm007 (Topic Starter)
[Custom Input]
< C:\WINDOWS\system32\kxvo.exe >
File/Folder C:\WINDOWS\system32\kxvo.exe not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\kxva >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\kxva deleted successfully.

OTMoveIt2 v1.0.20 log created on 03072008_072008

#7 amm007 (Topic Starter)
Malwarebytes' Anti-Malware 1.07
Database version: 460

Scan type: Full Scan (A:\|C:\|G:\|)
Objects scanned: 103974
Time elapsed: 42 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Worm.OnlineG) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks again for the help!

#8 kahdah (GeekU Teacher, Retired Staff)
You are welcome :)

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 amm007 (Topic Starter)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 08, 2008 10:07:22 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/03/2008
Kaspersky Anti-Virus database records: 611526
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 79209
Number of viruses found: 10
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 01:30:55

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\Adrian\Application Data\AVG7\l_000118.log Object is locked skipped
C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\ggmx9r7i.default\cert8.db Object is locked skipped
C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\ggmx9r7i.default\history.dat Object is locked skipped
C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\ggmx9r7i.default\key3.db Object is locked skipped
C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\ggmx9r7i.default\parent.lock Object is locked skipped
C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\ggmx9r7i.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\ggmx9r7i.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\ggmx9r7i.default\urlclassifier2.sqlite-journal Object is locked skipped
C:\Documents and Settings\Adrian\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\History\History.IE5\MSHist012008030820080309\index.dat Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Temp\Perflib_Perfdata_288.dat Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Temp\Perflib_Perfdata_5b4.dat Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Temp\Perflib_Perfdata_60c.dat Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Temp\Perflib_Perfdata_dc.dat Object is locked skipped
C:\Documents and Settings\Adrian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Adrian\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Adrian\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0039796.cmd Infected: Trojan-PSW.Win32.OnLineGames.srg skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0039798.exe Infected: Trojan-PSW.Win32.OnLineGames.srg skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0040799.inf Infected: Worm.Win32.AutoRun.cwx skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0040831.inf Infected: Worm.Win32.AutoRun.cwx skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0040865.inf Infected: Worm.Win32.AutoRun.cwx skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0040879.inf Infected: Worm.Win32.AutoRun.cwx skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP59\A0040885.inf Infected: Worm.Win32.AutoRun.cwx skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP59\A0041882.inf Infected: Worm.Win32.AutoRun.cwx skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP59\A0041883.cmd Infected: Trojan-PSW.Win32.OnLineGames.srg skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP63\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe/file66/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe/file66/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.b skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe/file66/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe/file66/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.370 skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe/file66/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe/file66/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe/file66 Infected: not-a-virus:AdWare.Win32.WebHancer skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe Inno: infected - 7 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP74\A0065581.exe/WISE0016.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP74\A0065581.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP74\A0065581.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP74\A0065581.exe WiseSFX: infected - 3 skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP74\A0065581.exe WiseSFXDropper: infected - 3 skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP77\A0065808.exe/WISE0015.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP77\A0065808.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP77\A0065808.exe/WISE0017.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP77\A0065808.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP77\A0065808.exe WiseSFX: infected - 4 skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP77\A0065808.exe WiseSFXDropper: infected - 4 skipped
G:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0040833.inf Infected: Worm.Win32.AutoRun.cwx skipped
G:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP59\A0040890.inf Infected: Worm.Win32.AutoRun.cwx skipped
G:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP59\A0040924.inf Infected: Worm.Win32.AutoRun.cwx skipped
G:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP59\A0041884.inf Infected: Worm.Win32.AutoRun.cwx skipped
G:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP63\change.log Object is locked skipped

Scan process completed.
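Most of the report above is not live malware. The "Object is locked" lines are files that were simply in use (registry hives, event logs, browser databases, the Flash_Disinfector autorun.inf folder), and every real verdict sits either inside the imesh installer archive on G: or in a System Restore point under System Volume Information on C: and G:, which is what the helper's next two steps address (moving that installer, then purging the restore points). As an added example, not Kaspersky's or the forum's code, this Python sorts a report into those classes; the parsing rules are derived only from the three line shapes visible in the posted report, and the sample lines are copied from it.

```python
"""Triage a Kaspersky Online Scanner report.

Added example for this thread; not Kaspersky's or the forum's code. The parsing
rules are derived only from the three line shapes visible in the posted report
('... Object is locked skipped', '... Infected: <verdict> skipped' and
'... <container>: infected - <n> skipped'); SAMPLE_REPORT is a handful of lines
copied from that report.
"""
import re

LOCKED_RE = re.compile(r'^(?P<path>.+?) Object is locked skipped$')
INFECTED_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$')
CONTAINER_RE = re.compile(r'^(?P<path>.+?) (?P<container>\w+): infected - (?P<count>\d+) skipped$')
# Copies held by System Restore live under <drive>:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r'^(?P<drive>[A-Za-z]:)\\System Volume Information\\_restore\{')

# Lines copied from the report posted above.
SAMPLE_REPORT = r"""
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0039796.cmd Infected: Trojan-PSW.Win32.OnLineGames.srg skipped
C:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP58\A0040799.inf Infected: Worm.Win32.AutoRun.cwx skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe/file66/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe Inno: infected - 7 skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP74\A0065581.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke skipped
G:\System Volume Information\_restore{01F8CF90-7813-42EC-8B86-C51975B57067}\RP74\A0065581.exe WiseSFX: infected - 3 skipped
G:\System Volume Information\_restore{98E32788-62AF-4CAA-9CE2-F5CBD86C4D5A}\RP59\A0040890.inf Infected: Worm.Win32.AutoRun.cwx skipped
Scan process completed.
"""


def classify(line):
    """Map one report line to (category, path, detail); None for non-finding lines."""
    m = LOCKED_RE.match(line)
    if m:
        # In-use files (registry hives, logs, the Flash_Disinfector folder): not detections.
        return ('locked', m['path'], None)
    m = INFECTED_RE.match(line)
    if m:
        path, verdict = m['path'], m['verdict']
        if RESTORE_RE.match(path):
            return ('restore_point', path, verdict)   # purged by resetting System Restore
        if '/' in path:
            return ('inside_archive', path, verdict)  # member of an installer/archive: remove the container
        return ('infected', path, verdict)            # live file on disk
    m = CONTAINER_RE.match(line)
    if m:
        # Summary line for an installer or SFX whose infected members were listed above it.
        detail = f"{m['container']} ({m['count']} infected members)"
        if RESTORE_RE.match(m['path']):
            return ('restore_point', m['path'], detail)
        return ('container', m['path'], detail)
    return None


def triage(lines):
    """Aggregate a report into counts, per-class lists, the drives whose restore points
    hold malware, and the live container files (archives/installers) to remove."""
    result = {'locked': 0, 'infected': [], 'inside_archive': [], 'restore_point': [], 'container': []}
    drives, containers = set(), set()
    for line in lines:
        hit = classify(line.rstrip())
        if hit is None:
            continue
        category, path, detail = hit
        if category == 'locked':
            result['locked'] += 1
            continue
        result[category].append((path, detail))
        if category == 'restore_point':
            drives.add(RESTORE_RE.match(path)['drive'].upper())
        elif category == 'inside_archive':
            containers.add(path.split('/', 1)[0])   # the on-disk file that holds the member
        elif category == 'container':
            containers.add(path)
    result['restore_point_drives'] = sorted(drives)
    result['live_containers'] = sorted(containers)
    return result


if __name__ == '__main__':
    summary = triage(SAMPLE_REPORT.splitlines())
    print(f"in-use (ignore): {summary['locked']}, live infected files: {len(summary['infected'])}")
    print('purge System Restore on:', ', '.join(summary['restore_point_drives']))
    print('remove these installers/archives:', *summary['live_containers'], sep='\n  ')
```

Run against the full posted report the same way, the live-file list is empty, the restore-point drives are C: and G:, and the only live container is the imesh installer, which is exactly what the helper moves next.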

#10 kahdah (GeekU Teacher, Retired Staff)
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=================
Please post that log and a new Hijackthis log.
Also let me know how things are running?

#11 amm007 (Topic Starter)
LOGS

G:\My Documents2\Adrian's Folder\Others\Comp_Installers\imesh_mp3_downloader(d).exe moved successfully.

OTMoveIt2 v1.0.20 log created on 03092008_155931

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:31 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\EPoX\EPTP\EPTP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avginet.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\ChikkaV4\ChikkaLauncher.exe
C:\Program Files\ChikkaV4\ChikkaUpdater.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Adrian\Desktop\Virus FIX\OTMoveIt2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [hwmdr] "C:\Program Files\EPoX\EPTP\EPTP.EXE" "5000"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EPSON Stylus C90 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZP.EXE /FU "C:\WINDOWS\TEMP\E_S5EE.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7653 bytes

#12 amm007 (Topic Starter)
COMMENTS ON COMPUTER'S PERFORMANCE:

I think the system is now running well. I checked msconfig and discovered that kxvo.exe is now removed. However, I still have problems on my two hard disks: one internal and the other external (USB connected). Both contain two folders which I think are residues of the virus. They are named System Volume Information and RECYCLER and have file sizes amounting to gigabytes. When I click/delete System Volume Information, it says access denied. In RECYCLER, I tried deleting files and they are now deletable. The previous Kaspersky scan says that these are infected files; how do I get rid of these? Do I need to reformat to make sure these things are removed? And last thing, I think this virus came from one of my flash drives; how do I clean it or know it's clean? Thanks!

#13 kahdah (GeekU Teacher, Retired Staff)
Update AVG and plug the flash drive into your computer.
Run a full scan on it and let it delete what it finds.
=================================
Then do the following: Cleanup:
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveit2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
=========================================

Both contain two folders which I think are residues of the virus. They are named System Volume Information and RECYCLER and have file sizes amounting to gigabytes. When I click/delete System Volume Information, it says access denied. In RECYCLER, I tried deleting files and they are now deletable. The previous Kaspersky scan says that these are infected files; how do I get rid of these? Do I need to reformat to make sure these things are removed? And last thing, I think this virus came from one of my flash drives; how do I clean it or know it's clean? Thanks!

Those two folders are supposed to be there.
You can open the recycler and delete what is in there.
As for the other one, plug the external hard drive into your computer and do the following:
I will need you to reset your System Restore points; please note that you will need to log into your computer with an account which has full administrator access.
You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
Click the *System Restore tab
Check *Turn off System Restore
Click *Apply, and then click *OK.

2. Reboot.

3. Turn ON System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
*UN-Check *Turn off System Restore*
Check *Turn on System Restore
Click *Apply, and then click *OK.


How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
=====================================================================
Then you should be rid of what was on your external hard drive. After that, let me know how it goes.
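The poster's remaining question is how to tell whether the flash drive is clean. The Worm.Win32.AutoRun verdicts in the report were on .inf files: this family relies on an autorun.inf at the drive root whose open=, shellexecute= or shell\...\command= lines point at a dropped executable, usually hidden in a folder such as RECYCLER, so that Explorer runs it when the stick is inserted or double-clicked. As an added example, not the forum's or Flash_Disinfector's code, the following Python inspects a drive root for those launch targets and for executables in the usual drop folders, then immunises the root the way Flash_Disinfector does: a folder named autorun.inf, which the worm cannot overwrite with a file. The autorun.inf content and the RECYCLER drop file are constructed and hypothetical (the real contents of the poster's stick are not shown in the thread); demo() uses a temporary directory in place of a drive letter, and the reserved-device-name subfolder (the lpt3 entry in the report) is not reproduced because it needs \\?\ paths on Windows.

```python
"""Check a removable drive root for an AutoRun launcher and immunise it.

Added example for this thread; not the forum's or Flash_Disinfector's code.
SAMPLE_AUTORUN and the RECYCLER drop file are constructed and hypothetical
(the real autorun.inf on the poster's stick is not shown in the thread).
demo() uses a temporary directory in place of a drive letter.
"""
import tempfile
from pathlib import Path

# Folders AutoRun worms commonly hide their payload in (hidden/system attributes set).
DROP_FOLDERS = ('RECYCLER', 'recycled', 'System Volume Information')
EXEC_SUFFIXES = {'.exe', '.com', '.scr', '.pif', '.bat', '.cmd'}

# Constructed sample; the target path is hypothetical.
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\info.exe
shell\open\Command=RECYCLER\info.exe
shell\explore\Command=RECYCLER\info.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """key -> value for the [autorun] section. Hand-rolled rather than configparser
    because worms pad the file with junk lines that a strict INI parser rejects."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            in_section = line[1:-1].strip().lower() == 'autorun'
            continue
        if in_section and '=' in line:
            key, value = line.split('=', 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """The directives that make Explorer run something: open=, shellexecute= and
    the shell...command verbs (double-click / Explore in the context menu)."""
    return [(k, v) for k, v in entries.items()
            if k in ('open', 'shellexecute') or (k.startswith('shell\\') and k.endswith('\\command'))]


def inspect_drive_root(root):
    """Report the AutoRun state of a drive root and any executables in the drop folders."""
    root = Path(root)
    autorun = root / 'autorun.inf'
    report = {'status': 'clean', 'targets': [], 'hidden_exes': []}
    if autorun.is_dir():
        report['status'] = 'immunised'      # a folder blocks the worm from recreating its file
    elif autorun.is_file():
        report['targets'] = launch_targets(parse_autorun(autorun.read_text(errors='replace')))
        report['status'] = 'autorun_present' if report['targets'] else 'autorun_inert'
    for folder in DROP_FOLDERS:
        folder_path = root / folder
        if not folder_path.is_dir():
            continue
        try:
            for p in folder_path.rglob('*'):
                if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                    report['hidden_exes'].append(p.relative_to(root).as_posix())
        except PermissionError:
            continue     # System Volume Information is access-denied for normal users on NTFS
    return report


def immunise(root):
    """Replace autorun.inf with a folder of the same name (Flash_Disinfector's technique)."""
    # Flash_Disinfector also drops a subfolder with a reserved device name (the lpt3 entry in
    # the scan report) so Explorer cannot delete the folder; that needs the \\?\ path prefix
    # on Windows and is not reproduced here.
    autorun = Path(root) / 'autorun.inf'
    if autorun.is_file():
        autorun.unlink()
    autorun.mkdir(exist_ok=True)
    return autorun.is_dir()


def demo():
    """Build a throwaway 'drive root' with the constructed sample, inspect, immunise, re-inspect."""
    root = Path(tempfile.mkdtemp(prefix='usb_root_'))
    (root / 'autorun.inf').write_text(SAMPLE_AUTORUN)
    (root / 'RECYCLER').mkdir()
    (root / 'RECYCLER' / 'info.exe').write_bytes(b'MZ')   # placeholder bytes, not a real binary
    before = inspect_drive_root(root)
    immunise(root)
    after = inspect_drive_root(root)
    return before, after


if __name__ == '__main__':
    before, after = demo()
    print('before:', before)
    print('after: ', after)
```

On a real stick, call inspect_drive_root on the drive letter (for example G:\) before anything on it is allowed to run; delete every launch target and hidden executable it lists, then immunise. An immunised root still needs the scan the helper asked for, since immunisation only stops the launcher, not a payload that is already on the stick.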

#14 amm007 (Topic Starter)

Update AVG and plug the flash drive into your computer.
Run a full scan on it and let it delete what it finds.


You sure AVG is reliable enough for the scan? Because previously it wasn't able to protect my computer from the virus...

#15 amm007 (Topic Starter)
And another thing, any precautionary measure before I plug my flash disk in? Should I activate my AVG Resident Shield now? Thanks again for helping me this far!