
Author Topic: virus in my c drive  (Read 14665 times)


akila

    Topic Starter


    Rookie

    virus in my c drive
    « on: October 07, 2008, 07:29:21 PM »
    My C drive is infected with a virus. I tried running many antivirus programs, but I am still not able to delete the virus. It's some trojan virus, I think, and it says system 32 something...
    When I want to open the C drive it does not open in the normal manner, and it asks me whether I want to open with Internet Explorer, Word, etc.
    The open and search function is displayed as spam when I right-click on the C drive.

    Kindly help me, this virus is really creating problems for my PC.

    Carbon Dudeoxide

    • Global Moderator

    Re: virus in my c drive
    « Reply #1 on: October 07, 2008, 08:03:07 PM »
    Virus = Go Here:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    We need the three logs (steps 3, 4 and 6)

    akila


      Re: virus in my c drive
      « Reply #2 on: October 08, 2008, 06:57:56 AM »
      Hi, I have done the three steps you asked me to do, and am posting all the log files. Now the problem is worse: I am completely unable to open the C drive. Kindly help me.
      Regarding HijackThis, since I was not able to open the C drive, I never renamed it to snipper.exe; I just ran it as hijack and got the log. Please help me, my PC is really in trouble.

      [Saving space - attachment deleted by admin]

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      Re: virus in my c drive
      « Reply #3 on: October 08, 2008, 11:38:19 AM »
      You didn't completely follow the guide because your Java is still out of date.

      Please print these instructions as they will be needed later when Internet access is not available.

      Download SDFix by AndyManchesta and save it to your desktop.

      When using this tool, you must use the Administrator's account or an account with Administrative rights.

      • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
      • DO NOT use it just yet.

      Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

      Open the SDFix folder and double click RunThis.bat to start the script.
      • Type Y to begin the cleanup process.
      • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
      • Press any Key and it will restart the PC.
      • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
      • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

      akila


        Re: virus in my c drive
        « Reply #4 on: October 10, 2008, 06:29:08 AM »
        I have updated my Java. I have also loaded SDFix and extracted the files, but when I restart I am not able to open in Safe Mode; it does not allow me to open in Safe Mode. What should I do now?

        evilfantasy

        Re: virus in my c drive
        « Reply #5 on: October 10, 2008, 11:42:42 AM »
        Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        Note: It is important that it is saved directly to your Desktop.

        Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

        Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
         
        Double click combofix.exe & follow the prompts.
        When finished ComboFix will produce a log for you.
        Post the ComboFix log and a new HijackThis log in your next reply.

        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

        akila


          Re: virus in my c drive
          « Reply #6 on: October 10, 2008, 11:58:16 PM »
          I had run ComboFix and also HijackThis after that. Is the problem solved in my PC, or is anything still left? I am able to open the C drive now, but I am not sure whether all problems are solved. Kindly check the logs and let me know.

          evilfantasy

          Re: virus in my c drive
          « Reply #7 on: October 12, 2008, 12:00:31 AM »
          You have to post the logs for me to check them.

          akila


            Re: virus in my c drive
            « Reply #8 on: October 12, 2008, 12:16:03 AM »
            Not able to post; it says uploader full. Even when I try to post each log separately I cannot post. Is there any other way to send you my ComboFix and HijackThis log files?

            evilfantasy

            Re: virus in my c drive
            « Reply #9 on: October 12, 2008, 12:33:59 AM »
            Just post it directly into the reply. Copy/paste.

            akila


              Re: virus in my c drive
              « Reply #10 on: October 12, 2008, 12:36:58 AM »
              ComboFix log:

              ComboFix 08-10-10.09 - user 2008-10-11 13:28:39.1 - FAT32x86
              Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.68 [GMT 8:00]
              Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
               * Created a new restore point

              WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              C:\Autorun.inf
              C:\TG.PIF
              C:\WINDOWS\Downloaded Program Files\setup.inf
              C:\WINDOWS\system32\ciodms.dll
              C:\WINDOWS\system32\drivers\npf.sys
              C:\WINDOWS\system32\gprmsgse.axz
              C:\WINDOWS\system32\gscpx32r.det
              C:\WINDOWS\system32\musz1s.dll
              C:\WINDOWS\system32\musz2s.dll
              C:\WINDOWS\system32\Packet.dll
              C:\WINDOWS\system32\WanPacket.dll
              C:\WINDOWS\system32\wpcap.dll

              .
              (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              -------\Legacy_ACPIDISK
              -------\Legacy_NPF
              -------\Legacy_RESSDT
              -------\Legacy_ZESOFT
              -------\Service_npf
              -------\Service_RESSDT


              (((((((((((((((((((((((((   Files Created from 2008-09-11 to 2008-10-11  )))))))))))))))))))))))))))))))
              .

              2008-10-09 23:15 . 2008-10-09 01:33   <DIR>   d--------   C:\SDFix
              2008-10-09 20:21 . 2008-06-10 02:32   73,728   --a------   C:\WINDOWS\system32\javacpl.cpl
              2008-10-09 20:12 . 2008-10-09 20:12   <DIR>   d--------   C:\Program Files\Trend Micro
              2008-10-08 23:24 . 2008-10-08 23:24   <DIR>   d--------   C:\Program Files\Symantec
              2008-10-08 23:24 . 2008-10-08 23:24   124,464   --a------   C:\WINDOWS\system32\drivers\SYMEVENT.SYS
              2008-10-08 23:24 . 2008-10-08 23:24   60,808   --a------   C:\WINDOWS\system32\S32EVNT1.DLL
              2008-10-08 23:24 . 2008-10-08 23:24   35,888   -ra------   C:\WINDOWS\system32\drivers\SymIM.sys
              2008-10-08 23:24 . 2008-10-08 23:24   10,635   --a------   C:\WINDOWS\system32\drivers\SYMEVENT.CAT
              2008-10-08 23:24 . 2008-10-08 23:24   806   --a------   C:\WINDOWS\system32\drivers\SYMEVENT.INF
              2008-10-08 23:23 . 2008-10-08 23:23   <DIR>   d--------   C:\WINDOWS\system32\drivers\NAV
              2008-10-08 23:23 . 2008-10-08 23:23   <DIR>   d--------   C:\Program Files\Windows Sidebar
              2008-10-08 23:23 . 2008-10-08 23:23   <DIR>   d--------   C:\Program Files\Norton AntiVirus
              2008-10-08 23:23 . 2008-10-08 23:23   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Norton
              2008-10-08 23:17 . 2008-10-08 23:17   <DIR>   d--------   C:\Program Files\NortonInstaller
              2008-10-08 23:17 . 2008-10-08 23:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\PCSettings
              2008-10-08 23:17 . 2008-10-08 23:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NortonInstaller
              2008-10-08 21:22 . 2008-10-08 21:22   <DIR>   d--------   C:\WINDOWS\system32\scripting
              2008-10-08 21:22 . 2008-10-08 21:22   <DIR>   d--------   C:\WINDOWS\system32\en
              2008-10-08 21:22 . 2008-10-08 21:22   <DIR>   d--------   C:\WINDOWS\system32\bits
              2008-10-08 21:22 . 2008-10-08 21:22   <DIR>   d--------   C:\WINDOWS\l2schemas
              2008-10-08 20:17 . 2008-10-08 20:17   <DIR>   d--------   C:\Documents and Settings\user\Application Data\Malwarebytes
              2008-10-08 20:16 . 2008-10-08 20:16   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
              2008-10-08 19:21 . 2008-10-08 19:21   <DIR>   d--------   C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
              2008-10-08 19:21 . 2008-10-08 19:21   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
              2008-10-08 00:06 . 2008-04-14 08:12   897,024   ---------   C:\WINDOWS\system32\dllcache\wmspdmoe.dll
              2008-10-08 00:05 . 2008-04-14 08:12   786,432   ---------   C:\WINDOWS\system32\dllcache\migrate.exe
              2008-10-08 00:04 . 2008-04-14 08:12   774,144   ---------   C:\WINDOWS\system32\dllcache\setup_wm.exe
              2008-10-08 00:04 . 2008-04-14 08:12   259,072   ---------   C:\WINDOWS\system32\dllcache\msnetobj.dll
              2008-10-08 00:04 . 2008-04-14 08:12   233,472   ---------   C:\WINDOWS\system32\dllcache\wmpdxm.dll
              2008-10-08 00:04 . 2008-04-14 08:12   226,816   ---------   C:\WINDOWS\system32\dllcache\npdrmv2.dll
              2008-10-08 00:04 . 2008-04-14 02:40   10,240   ---------   C:\WINDOWS\system32\drivers\sffp_mmc.sys
              2008-10-08 00:04 . 2008-04-14 08:11   9,216   ---------   C:\WINDOWS\system32\dot3dlg.dll
              2008-10-08 00:04 . 2008-04-14 08:11   7,168   ---------   C:\WINDOWS\system32\bitsprx4.dll
              2008-10-08 00:04 . 2008-04-14 08:09   6,144   ---------   C:\WINDOWS\system32\kbdpash.dll
              2008-10-08 00:04 . 2008-04-14 08:09   6,144   ---------   C:\WINDOWS\system32\kbdnepr.dll
              2008-10-08 00:04 . 2008-04-14 08:09   6,144   ---------   C:\WINDOWS\system32\kbdiultn.dll
              2008-10-08 00:04 . 2008-04-14 08:09   6,144   ---------   C:\WINDOWS\system32\kbdbhc.dll
              2008-10-08 00:02 . 2008-04-14 01:28   2,940,928   ---------   C:\WINDOWS\system32\dllcache\wmploc.dll
              2008-10-08 00:01 . 2008-04-14 08:10   844,314   ---------   C:\WINDOWS\system32\dllcache\msdxm.ocx
              2008-10-08 00:00 . 2002-11-04 19:02   613,334   ---------   C:\WINDOWS\system32\dllcache\wmplayer.chm
              2008-10-07 23:59 . 2001-08-18 20:00   572,557   ---------   C:\WINDOWS\system32\dllcache\rtuner.wmv
              2008-10-06 23:45 . 2007-08-13 18:54   33,792   --a------   C:\WINDOWS\system32\dllcache\custsat.dll
              2008-10-06 21:24 . 2008-10-06 21:24   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ESET
              2008-10-06 21:21 . 2008-10-06 21:21   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg8
              2008-10-04 11:56 . 2008-06-13 19:05   272,128   ---------   C:\WINDOWS\system32\dllcache\bthport.sys
              2008-10-04 11:55 . 2008-04-12 03:04   691,712   ---------   C:\WINDOWS\system32\dllcache\inetcomm.dll
              2008-10-04 11:55 . 2008-05-08 22:02   203,136   ---------   C:\WINDOWS\system32\dllcache\rmcast.sys
              2008-10-04 11:53 . 2008-05-01 22:33   331,776   ---------   C:\WINDOWS\system32\dllcache\msadce.dll
              2008-10-03 21:02 . 2008-10-03 21:02   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
              2008-10-03 20:38 . 2008-04-14 08:12   59,392   ---------   C:\WINDOWS\system32\logman.exe
              2008-10-03 20:38 . 2008-04-14 08:12   9,216   ---------   C:\WINDOWS\system32\proxycfg.exe
              2008-10-03 20:35 . 2008-10-03 20:35   <DIR>   d--------   C:\WINDOWS\ServicePackFiles
              2008-10-03 20:32 . 2007-08-10 20:46   26,488   --a------   C:\WINDOWS\system32\spupdsvc.exe
              2008-10-03 20:32 . 2004-07-17 11:40   19,528   --a------   C:\WINDOWS\002296_.tmp
              2008-10-03 20:29 . 2008-10-03 20:29   <DIR>   d--------   C:\WINDOWS\EHome
              2008-10-02 21:48 . 2008-10-02 21:48   <DIR>   d--------   C:\WINDOWS\BDOSCAN8
              2008-10-02 20:59 . 2003-03-19 05:20   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
              2008-10-01 22:38 . 2008-10-01 22:38   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
              2008-10-01 17:33 . 2008-10-01 17:35   25,994   --a------   C:\WINDOWS\rdlll.exe
              2008-10-01 16:53 . 2008-10-01 17:07   79,722   --a------   C:\WINDOWS\iggbq.exe
              2008-09-27 17:51 . 2003-04-17 21:26   79   --a------   C:\WINDOWS\delay.reg

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2008-08-25 13:36   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\TVU Networks
              2008-08-24 08:59   ---------   d-----w   C:\Program Files\Axis Communications
              2008-08-05 15:27   451,984   ----a-w   C:\msgr8sg.exe
              2008-07-23 16:48   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
              2008-07-23 16:48   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
              2008-07-18 14:10   94,920   ----a-w   C:\WINDOWS\system32\dllcache\cdm.dll
              2008-07-18 14:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
              2008-07-18 14:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
              2008-07-18 14:10   53,448   ----a-w   C:\WINDOWS\system32\dllcache\wuauclt.exe
              2008-07-18 14:10   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
              2008-07-18 14:10   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
              2008-07-18 14:09   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
              2008-07-18 14:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
              2008-07-18 14:09   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
              2008-07-18 14:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
              2008-07-18 14:09   1,811,656   ----a-w   C:\WINDOWS\system32\dllcache\wuaueng.dll
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
              "Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
              "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]
              "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
              "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-23 4616192]
              "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 479232]
              "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
              "SoundMan"="SOUNDMAN.EXE" [2003-08-15 C:\WINDOWS\SOUNDMAN.EXE]
              "nwiz"="nwiz.exe" [2003-07-23 C:\WINDOWS\system32\nwiz.exe]

              [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
              "NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-23 49152]

              C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
              WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-18 106560]
              Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2005-04-15 65588]
              TL-WN321G Wireless Utility.lnk - C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe [2008-08-03 622592]

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
              "DisableMonitoring"=dword:00000001

              [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
              "DisableMonitoring"=dword:00000001

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
              "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

              R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\NAV\1000000.07D\SYMEFA.SYS [2008-10-08 309296]
              R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [2008-10-08 254512]
              R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\NAV\1000000.07D\ccHPx86.sys [2008-10-08 362544]
              R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081009.001\IDSxpx86.sys [2008-10-08 274808]
              R2 Norton AntiVirus;Norton AntiVirus;C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe /s Norton AntiVirus /m C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll [ ]
              R3 C4C_BSC2;C4C_BSC2;C:\WINDOWS\system32\DRIVERS\C4C_BSC2.sys [2002-07-08 84788]
              .
              - - - - ORPHANS REMOVED - - - -

              BHO-{230027AB-F81C-4C23-966D-F8475133F487} - C:\WINDOWS\System32\ibli.dll
              HKLM-Explorer_Run-kvtrwkcc.exe - C:\WINDOWS\System32\kvtrwkcc.exe
              HKLM-Explorer_Run-pksetexd.exe - C:\WINDOWS\System32\pksetexd.exe


              .
              ------- Supplementary Scan -------
              .
              R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
              R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
              R0 -: HKLM-Main,Search Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
              R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
              R1 -: HKCU-SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
              O8 -: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
              O8 -: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
              O8 -: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
              O8 -: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
              O8 -: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
              O8 -: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
              O8 -: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
              O8 -: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
              O18 -: Filter: text/plain - {DAC9A865-0B0B-4F31-A899-434CFF920B7C} - %~$path:i

              O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://61.17.186.182/activex/AMC.cab
              C:\WINDOWS\Downloaded Program Files\setup.inf
              .

              **************************************************************************

              catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2008-10-11 13:32:39
              Windows 5.1.2600 Service Pack 3 FAT NTAPI

              scanning hidden processes ...

              scanning hidden autostart entries ...

              scanning hidden files ...

              scan completed successfully
              hidden files: 0

              **************************************************************************

              [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
              "ImagePath"="\"C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
              .
              ------------------------ Other Running Processes ------------------------
              .
              C:\PROGRAM FILES\NORTON ANTIVIRUS\NORTON ANTIVIRUS\ENGINE\16.0.0.125\CCSVCHST.EXE
              C:\WINDOWS\SYSTEM32\USTORSRV.EXE
              C:\WINDOWS\system32\wscntfy.exe
              C:\PROGRAM FILES\NORTON ANTIVIRUS\NORTON ANTIVIRUS\ENGINE\16.0.0.125\CCSVCHST.EXE
              .
              **************************************************************************
              .
              Completion time: 2008-10-11 13:38:08 - machine was rebooted
              ComboFix-quarantined-files.txt  2008-10-11 05:37:56

              Pre-Run: 67,597,926,400 bytes free
              Post-Run: 67,812,327,424 bytes free

              201   --- E O F ---   2008-10-09 15:33:55


              akila


                Re: virus in my c drive
                « Reply #11 on: October 12, 2008, 12:40:56 AM »
                Logfile of Trend Micro HijackThis v2.0.2
                Scan saved at 1:41:44 PM, on 10/11/2008
                Platform: Windows XP SP3 (WinNT 5.01.2600)
                MSIE: Internet Explorer v7.00 (7.00.6000.16705)
                Boot mode: Normal

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\system32\UStorSrv.exe
                C:\WINDOWS\system32\wscntfy.exe
                C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
                C:\WINDOWS\SOUNDMAN.EXE
                C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
                C:\Program Files\Google\Gmail Notifier\gnotify.exe
                C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
                C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\WinZip\WZQKPICK.EXE
                C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
                C:\WINDOWS\explorer.exe
                C:\Program Files\Trend Micro\HijackThis\sniper.exe

                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
                R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
                O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
                O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
                O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
                O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
                O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
                O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
                O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
                O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
                O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
                O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
                O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
                O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
                O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
                O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
                O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
                O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
                O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
                O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
                O4 - Global Startup: TL-WN321G Wireless Utility.lnk = C:\Program Files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
                O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
                O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
                O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
                O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
                O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
                O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
                O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
                O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
                O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
                O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
                O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
                O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
                O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
                O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
                O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
                O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
                O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://61.17.186.182/activex/AMC.cab
                O18 - Filter: text/plain - {DAC9A865-0B0B-4F31-A899-434CFF920B7C} - C:\WINDOWS\System32\ibli.dll
                O23 - Service: DefWatch - Unknown owner - C:\PROGRA~1\Navnt\defwatch.exe (file missing)
                O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
                O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\Navnt\rtvscan.exe (file missing)
                O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
                O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

                --
                End of file - 8206 bytes

                evilfantasy

                Re: virus in my c drive
                « Reply #12 on: October 12, 2008, 02:14:07 PM »
                Open HijackThis and select Do a system scan only.

                Place a check mark next to the following entries: (if there)

                - O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
                - O18 - Filter: text/plain - {DAC9A865-0B0B-4F31-A899-434CFF920B7C} - C:\WINDOWS\System32\ibli.dll


                Important: Close all open windows except for HijackThis and then click Fix checked.

                Once completed, exit HijackThis.

                ----------

                Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                Delete these files/folders, as follows:

                1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                It must be Notepad, not Wordpad.
                2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                Code:
                KillAll::

                File::
                C:\WINDOWS\rdlll.exe
                C:\WINDOWS\iggbq.exe
                C:\WINDOWS\System32\ibli.dll

                3. Go to the Notepad window and click Edit > Paste
                4. Then click File > Save
                5. Name the file CFScript.txt - Save the file to your Desktop
                6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                ComboFix will begin to execute, just follow the prompts.
                After reboot (in case it asks to reboot), it will produce a log for you.
                Post that log (Combofix.txt) in your next reply.

                Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
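The reply above picks two entries out of a long HijackThis log by hand. As an added example (not part of the original post, and not the helper's own method), the Python below parses log lines in the format shown in this thread and surfaces entries worth a closer look; the three heuristics and all function names are assumptions made for illustration, and a flagged entry means "review it", not "remove it".

```python
import re
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis output posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://61.17.186.182/activex/AMC.cab
O18 - Filter: text/plain - {DAC9A865-0B0B-4F31-A899-434CFF920B7C} - C:\WINDOWS\System32\ibli.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Optional leading "- " covers entries quoted as list items, as in the reply above.
ENTRY_RE = re.compile(r"^\s*(?:-\s+)?([ORF]\d+) - (.+?)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_entry(line):
    """Split one log line into section code (O2, O18, ...), kind and last field."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, rest = m.groups()
    return {"section": section, "kind": rest.split(":", 1)[0],
            "target": rest.split(" - ")[-1]}

def triage(entry):
    """Return review reasons; the heuristics are assumptions made for this example."""
    reasons = []
    target = entry["target"]
    if target.endswith(("(no file)", "(file missing)")):
        reasons.append("registration points at a file that is not on disk")
    if entry["section"] == "O16" and IPV4_RE.match(urlparse(target).hostname or ""):
        reasons.append("ActiveX control fetched from a bare IP address")
    if entry["section"] == "O18" and entry["kind"] == "Filter":
        reasons.append("DLL registered as a MIME filter")
    return reasons

def review(log_text):
    """Parse every entry and keep those with at least one review reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := triage(entry)):
            findings.append((entry["section"], entry["target"], reasons))
    return findings

if __name__ == "__main__":
    for section, target, reasons in review(SAMPLE_LOG):
        print(f"{section:4} {target}\n     -> {'; '.join(reasons)}")
```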

                akila


                  Re: virus in my c drive
                  « Reply #13 on: October 13, 2008, 08:12:17 AM »
                  I did place the notepad you asked me to place in the combo fix, later it executed, but it didn't continue to do anything, so again I double-clicked on the combo fix icon and below is the log produced after that. Check if everything is ok and let me know.
                  I followed the hijack this and completed that also.

                  ComboFix 08-10-10.09 - user 2008-10-13 21:39:30.2 - FAT32x86
                  Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

                  WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                  .

                  (((((((((((((((((((((((((   Files Created from 2008-09-13 to 2008-10-13  )))))))))))))))))))))))))))))))
                  .

                  2008-10-11 15:27 . 2008-10-11 15:27   <DIR>   d--h-----   C:\$AVG8.VAULT$
                  2008-10-11 14:33 . 2008-10-11 14:33   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
                  2008-10-11 14:33 . 2008-10-11 14:33   <DIR>   d--------   C:\Documents and Settings\user\Application Data\AVGTOOLBAR
                  2008-10-11 14:33 . 2008-10-11 14:33   97,928   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
                  2008-10-11 14:33 . 2008-10-11 14:33   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
                  2008-10-11 14:33 . 2008-10-11 14:33   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
                  2008-10-11 14:32 . 2008-10-11 14:33   <DIR>   d--------   C:\Program Files\AVG
                  2008-10-09 23:15 . 2008-10-09 01:33   <DIR>   d--------   C:\SDFix
                  2008-10-09 20:21 . 2008-06-10 02:32   73,728   --a------   C:\WINDOWS\system32\javacpl.cpl
                  2008-10-09 20:12 . 2008-10-09 20:12   <DIR>   d--------   C:\Program Files\Trend Micro
                  2008-10-08 23:23 . 2008-10-08 23:23   <DIR>   d--------   C:\Program Files\Norton AntiVirus
                  2008-10-08 23:23 . 2008-10-08 23:23   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Norton
                  2008-10-08 23:17 . 2008-10-08 23:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\PCSettings
                  2008-10-08 23:17 . 2008-10-08 23:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NortonInstaller
                  2008-10-08 21:22 . 2008-10-08 21:22   <DIR>   d--------   C:\WINDOWS\system32\scripting
                  2008-10-08 21:22 . 2008-10-08 21:22   <DIR>   d--------   C:\WINDOWS\system32\en
                  2008-10-08 21:22 . 2008-10-08 21:22   <DIR>   d--------   C:\WINDOWS\system32\bits
                  2008-10-08 21:22 . 2008-10-08 21:22   <DIR>   d--------   C:\WINDOWS\l2schemas
                  2008-10-08 20:17 . 2008-10-08 20:17   <DIR>   d--------   C:\Documents and Settings\user\Application Data\Malwarebytes
                  2008-10-08 20:16 . 2008-10-08 20:16   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
                  2008-10-08 19:21 . 2008-10-08 19:21   <DIR>   d--------   C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
                  2008-10-08 19:21 . 2008-10-08 19:21   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                  2008-10-08 00:06 . 2008-04-14 08:12   897,024   ---------   C:\WINDOWS\system32\dllcache\wmspdmoe.dll
                  2008-10-08 00:05 . 2008-04-14 08:12   786,432   ---------   C:\WINDOWS\system32\dllcache\migrate.exe
                  2008-10-08 00:04 . 2008-04-14 08:12   774,144   ---------   C:\WINDOWS\system32\dllcache\setup_wm.exe

                  akila


                    Re: virus in my c drive
                    « Reply #14 on: October 13, 2008, 08:13:15 AM »
                    2008-10-08 00:04 . 2008-04-14 08:12   774,144   ---------   C:\WINDOWS\system32\dllcache\setup_wm.exe
                    2008-10-08 00:04 . 2008-04-14 08:12   259,072   ---------   C:\WINDOWS\system32\dllcache\msnetobj.dll
                    2008-10-08 00:04 . 2008-04-14 08:12   233,472   ---------   C:\WINDOWS\system32\dllcache\wmpdxm.dll
                    2008-10-08 00:04 . 2008-04-14 08:12   226,816   ---------   C:\WINDOWS\system32\dllcache\npdrmv2.dll
                    2008-10-08 00:04 . 2008-04-14 02:40   10,240   ---------   C:\WINDOWS\system32\drivers\sffp_mmc.sys
                    2008-10-08 00:04 . 2008-04-14 08:11   9,216   ---------   C:\WINDOWS\system32\dot3dlg.dll
                    2008-10-08 00:04 . 2008-04-14 08:11   7,168   ---------   C:\WINDOWS\system32\bitsprx4.dll
                    2008-10-08 00:04 . 2008-04-14 08:09   6,144   ---------   C:\WINDOWS\system32\kbdpash.dll
                    2008-10-08 00:04 . 2008-04-14 08:09   6,144   ---------   C:\WINDOWS\system32\kbdnepr.dll
                    2008-10-08 00:04 . 2008-04-14 08:09   6,144   ---------   C:\WINDOWS\system32\kbdiultn.dll
                    2008-10-08 00:04 . 2008-04-14 08:09   6,144   ---------   C:\WINDOWS\system32\kbdbhc.dll
                    2008-10-08 00:02 . 2008-04-14 01:28   2,940,928   ---------   C:\WINDOWS\system32\dllcache\wmploc.dll
                    2008-10-08 00:01 . 2008-04-14 08:10   844,314   ---------   C:\WINDOWS\system32\dllcache\msdxm.ocx
                    2008-10-08 00:00 . 2002-11-04 19:02   613,334   ---------   C:\WINDOWS\system32\dllcache\wmplayer.chm
                    2008-10-07 23:59 . 2001-08-18 20:00   572,557   ---------   C:\WINDOWS\system32\dllcache\rtuner.wmv
                    2008-10-06 23:45 . 2007-08-13 18:54   33,792   --a------   C:\WINDOWS\system32\dllcache\custsat.dll
                    2008-10-06 21:24 . 2008-10-06 21:24   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ESET
                    2008-10-06 21:21 . 2008-10-06 21:21   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg8
                    2008-10-04 11:56 . 2008-06-13 19:05   272,128   ---------   C:\WINDOWS\system32\dllcache\bthport.sys
                    2008-10-04 11:55 . 2008-04-12 03:04   691,712   ---------   C:\WINDOWS\system32\dllcache\inetcomm.dll
                    2008-10-04 11:55 . 2008-05-08 22:02   203,136   ---------   C:\WINDOWS\system32\dllcache\rmcast.sys
                    2008-10-04 11:53 . 2008-05-01 22:33   331,776   ---------   C:\WINDOWS\system32\dllcache\msadce.dll
                    2008-10-03 21:02 . 2008-10-03 21:02   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
                    2008-10-03 20:38 . 2008-04-14 08:12   59,392   ---------   C:\WINDOWS\system32\logman.exe
                    2008-10-03 20:38 . 2008-04-14 08:12   9,216   ---------   C:\WINDOWS\system32\proxycfg.exe
                    2008-10-03 20:35 . 2008-10-03 20:35   <DIR>   d--------   C:\WINDOWS\ServicePackFiles
                    2008-10-03 20:32 . 2007-08-10 20:46   26,488   --a------   C:\WINDOWS\system32\spupdsvc.exe
                    2008-10-03 20:32 . 2004-07-17 11:40   19,528   --a------   C:\WINDOWS\002296_.tmp
                    2008-10-03 20:29 . 2008-10-03 20:29   <DIR>   d--------   C:\WINDOWS\EHome
                    2008-10-02 21:48 . 2008-10-02 21:48   <DIR>   d--------   C:\WINDOWS\BDOSCAN8
                    2008-10-02 20:59 . 2003-03-19 05:20   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
                    2008-10-01 22:38 . 2008-10-01 22:38   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
                    2008-10-01 17:33 . 2008-10-01 17:35   25,994   --a------   C:\WINDOWS\rdlll.exe
                    2008-10-01 16:53 . 2008-10-01 17:07   79,722   --a------   C:\WINDOWS\iggbq.exe