Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Can someone please help me removing this malware


  • Please log in to reply

#1
akhe123

akhe123

    New Member

  • Member
  • Pip
  • 1 posts
Hello people at Geeks to Go can someone help me please. I have found this new malware when i used mcAfee Virus Scan called drives.exe which was found in my system32 folder in windows. I've tried everything and i have just formatted my computer and i don't look forward to doing it again. i Have used Spybot search and Destroy, Ad Aware CWSShredder, Trojan Hunter and ewido security suite so please can someone help me. None of the other programs deleted it except Mcafee virus scan and ewido security suite which both detected it but couldn't delete it. Here is my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 13:45:01, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drives.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Sygate Personal Firewall] wins.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAFInstaller_mskins.ui] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MCAC348.tmp\MCAPPINS.exe /v=3 /start=mskins.ui::default.htm
O4 - HKLM\..\Run: [hostserv] svchosts.exe
O4 - HKLM\..\Run: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] wins.exe
O4 - HKLM\..\RunServices: [hostserv] svchosts.exe
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] wins.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows File mgnrt] xdfmnrtk.exe
O4 - HKCU\..\Run: [hostserv] svchosts.exe
O4 - HKCU\..\Run: [Windows Update Drive] drives.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Net Functions Monitoring (Netmon) - Unknown owner - C:\WINDOWS\system32\drives.exe :tazz:

Please can someone help me!!!

Edited by akhe123, 07 August 2005 - 07:16 AM.

  • 0

Advertisements


#2
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Welcome to the Geeks To Go forum.:tazz:


Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'Net Functions Monitoring (Netmon)'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.


Rerun HJT,and put a checkmark beside these :-


O4 - HKLM\..\Run: [Sygate Personal Firewall] wins.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [MCAFInstaller_mskins.ui] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MCAC348.tmp\MCAPPINS.exe /v=3 /start=mskins.ui::default.htm
O4 - HKLM\..\Run: [hostserv] svchosts.exe
O4 - HKLM\..\Run: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] wins.exe
O4 - HKLM\..\RunServices: [hostserv] svchosts.exe
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] wins.exe
O4 - HKCU\..\Run: [Windows File mgnrt] xdfmnrtk.exe
O4 - HKCU\..\Run: [hostserv] svchosts.exe
O4 - HKCU\..\Run: [Windows Update Drive] drives.exe
O23 - Service: Net Functions Monitoring (Netmon) - Unknown owner - C:\WINDOWS\system32\drives.exe thumbsup.gif


now close all windows and browsers and click FIX CHECKED


Then boot up in SAFE MODE

Then navigate to and delete these files\folders in BOLD


C:\WINDOWS\system32\drives.exe


then reboot and post a fresh Hijackthis log. (in normal mode)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP