Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can someone please help me removing this malware

Started by akhe123 , Aug 07 2005 07:09 AM

  • Please log in to reply

#1
akhe123
Posted 07 August 2005 - 07:09 AM

akhe123

    New Member

  • Member
  • Pip
  • 1 posts
Hello people at Geeks to Go can someone help me please. I have found this new malware when i used mcAfee Virus Scan called drives.exe which was found in my system32 folder in windows. I've tried everything and i have just formatted my computer and i don't look forward to doing it again. i Have used Spybot search and Destroy, Ad Aware CWSShredder, Trojan Hunter and ewido security suite so please can someone help me. None of the other programs deleted it except Mcafee virus scan and ewido security suite which both detected it but couldn't delete it. Here is my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 13:45:01, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drives.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Sygate Personal Firewall] wins.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAFInstaller_mskins.ui] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MCAC348.tmp\MCAPPINS.exe /v=3 /start=mskins.ui::default.htm
O4 - HKLM\..\Run: [hostserv] svchosts.exe
O4 - HKLM\..\Run: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] wins.exe
O4 - HKLM\..\RunServices: [hostserv] svchosts.exe
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] wins.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows File mgnrt] xdfmnrtk.exe
O4 - HKCU\..\Run: [hostserv] svchosts.exe
O4 - HKCU\..\Run: [Windows Update Drive] drives.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Net Functions Monitoring (Netmon) - Unknown owner - C:\WINDOWS\system32\drives.exe :tazz:

Please can someone help me!!!

Edited by akhe123, 07 August 2005 - 07:16 AM.

  • 0

Advertisements

#2
bricat
Posted 08 August 2005 - 07:20 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Welcome to the Geeks To Go forum.:tazz:


Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'Net Functions Monitoring (Netmon)'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.


Rerun HJT,and put a checkmark beside these :-


O4 - HKLM\..\Run: [Sygate Personal Firewall] wins.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [MCAFInstaller_mskins.ui] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MCAC348.tmp\MCAPPINS.exe /v=3 /start=mskins.ui::default.htm
O4 - HKLM\..\Run: [hostserv] svchosts.exe
O4 - HKLM\..\Run: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] wins.exe
O4 - HKLM\..\RunServices: [hostserv] svchosts.exe
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] wins.exe
O4 - HKCU\..\Run: [Windows File mgnrt] xdfmnrtk.exe
O4 - HKCU\..\Run: [hostserv] svchosts.exe
O4 - HKCU\..\Run: [Windows Update Drive] drives.exe
O23 - Service: Net Functions Monitoring (Netmon) - Unknown owner - C:\WINDOWS\system32\drives.exe thumbsup.gif


now close all windows and browsers and click FIX CHECKED


Then boot up in SAFE MODE

Then navigate to and delete these files\folders in BOLD


C:\WINDOWS\system32\drives.exe


then reboot and post a fresh Hijackthis log. (in normal mode)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP