Topic: C drive display

    NNEagle (Topic Starter)
    C drive display
    « on: October 09, 2008, 07:17:18 PM »
    When I went to my computer last evening, it showed (and is still showing) my C drive as %$thb$%(C), and a picture with thb creation. Is this a virus, or what is it? Kindly help.
    Eagle

    Carbon Dudeoxide (Global Moderator)
    Re: C drive display
    « Reply #1 on: October 10, 2008, 03:14:40 AM »
    If you suspect a virus (sounds like it), look here:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

      NNEagle (Topic Starter)
      Re: C drive display
      « Reply #2 on: October 11, 2008, 07:15:40 AM »
      Your link to the file: http://www.savefile.com/files/1832974

      Your link to the file: http://www.savefile.com/files/1832975

      Your link to the file: http://www.savefile.com/files/1832976

      Hope this is what you need and thank you for your time
      Eagle

        NNEagle (Topic Starter)
        Re: C drive display
        « Reply #3 on: October 12, 2008, 04:44:09 PM »
        Here are my logs
        Malwarebytes' Anti-Malware 1.28
        Database version: 1253
        Windows 5.1.2600 Service Pack 3

        10/11/2008 8:14:07 AM
        mbam-log-2008-10-11 (08-14-07).txt

        Scan type: Quick Scan
        Objects scanned: 53579
        Time elapsed: 4 minute(s), 9 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 0
        Registry Values Infected: 0
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        (No malicious items detected)

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        (No malicious items detected)
        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 10/11/2008 at 07:43 AM

        Application Version : 4.21.1004

        Core Rules Database Version : 3594
        Trace Rules Database Version: 1581

        Scan type       : Complete Scan
        Total Scan Time : 00:44:14

        Memory items scanned      : 373
        Memory threats detected   : 0
        Registry items scanned    : 5289
        Registry threats detected : 0
        File items scanned        : 41173
        File threats detected     : 0

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 6:30:13 PM, on 10/11/2008
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16705)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
        C:\WINDOWS\system32\CTsvcCDA.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\MsPMSPSv.exe
        C:\WINDOWS\system32\SearchIndexer.exe
        C:\WINDOWS\Explorer.EXE
        C:\PROGRA~1\AVG\AVG8\avgrsx.exe
        C:\WINDOWS\system32\igfxtray.exe
        C:\WINDOWS\system32\hkcmd.exe
        C:\WINDOWS\system32\CTHELPER.EXE
        C:\Program Files\TweakNow PowerPack Pro\VirDesk.exe
        C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
        C:\PROGRA~1\AVG\AVG8\avgtray.exe
        C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Windows Desktop Search\WindowsSearch.exe
        C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\WINDOWS\system32\wuauclt.exe
        C:\WINDOWS\system32\SearchProtocolHost.exe
        C:\Program Files\Trend Micro\HijackThis\Sniper.exe.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
        O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
        O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
        O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
        O4 - HKLM\..\Run: [VirtualDesk] C:\Program Files\TweakNow PowerPack Pro\VirDesk.exe
        O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
        O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
        O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
        O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        O4 - Global Startup: AutorunsDisabled
        O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
        O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2B188B-527C-47DE-884F-C1CEEDEEA75D}: NameServer = 202.54.6.60,202.54.29.5
        O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
        O20 - AppInit_DLLs: avgrsstx.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
        O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
        O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
        O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

        --
        End of file - 5882 bytes



        Eagle

        m_elashry74 (Guest)
        Re: C drive display
        « Reply #4 on: October 13, 2008, 01:04:58 PM »
        WHAT CAN I DO

          NNEagle (Topic Starter)
          Re: C drive display
          « Reply #5 on: October 13, 2008, 01:30:54 PM »
          Don't understand that question. I am trying to get someone to tell me something and would appreciate the help and time taken.
          Eagle

          Carbon Dudeoxide (Global Moderator)
          Re: C drive display
          « Reply #6 on: October 14, 2008, 02:40:36 AM »
          WHAT CAN I DO
          What???

          NNEagle, one of our Malware Specialists will be along shortly ;)

          CBMatt (Mod & Malware Specialist)
          Re: C drive display
          « Reply #7 on: October 20, 2008, 07:34:20 PM »
          Sorry for the long wait, NNEagle.  Things have been busy and we're stretched pretty thin here right now.  If you still need help with this computer, please take a look at this thread and post a new HJT log along with the requested SAS and MBAM logs...
          http://www.computerhope.com/forum/index.php/topic,46313.0.html

          I know you posted a couple of logs already, but malware evolves and grows, so if this is a virus issue, we need to see if your situation has changed.  Also, I see that you have TweakNow installed on your computer.  I'm not entirely familiar with this program, but I'm wondering...how long have you had this installed?  Tweaking software is always a bit fishy to me.
          An undefined problem has an infinite number of solutions.
          - Robert A. Humphrey

            NNEagle (Topic Starter)
            Re: C drive display
            « Reply #8 on: October 22, 2008, 04:58:49 AM »
            Thank you. Currently I am not home but will be there in a day or two. Will do as you have asked me to and will re-post the logs. Will remove that tweak software. Not used it in a long time.
            Eagle

            CBMatt (Mod & Malware Specialist)
            Re: C drive display
            « Reply #9 on: October 22, 2008, 08:43:01 PM »
            Alrighty, I will await your next reply.  And you can expect a faster response from the malware team this time.

              NNEagle (Topic Starter)
              Re: C drive display
              « Reply #10 on: October 23, 2008, 07:37:18 PM »
              I could not uninstall TweakNow PowerPack fully. There is a program attached to it called VirDesk which does not allow me to delete it.

              Here are my logs:

              SUPERAntiSpyware Scan Log
              http://www.superantispyware.com

              Generated 10/24/2008 at 06:20 AM

              Application Version : 4.21.1004

              Core Rules Database Version : 3607
              Trace Rules Database Version: 1593

              Scan type       : Complete Scan
              Total Scan Time : 00:52:03

              Memory items scanned      : 397
              Memory threats detected   : 0
              Registry items scanned    : 5312
              Registry threats detected : 0
              File items scanned        : 47453
              File threats detected     : 0

              Malwarebytes' Anti-Malware 1.30
              Database version: 1311
              Windows 5.1.2600 Service Pack 3

              10/24/2008 6:40:00 AM
              mbam-log-2008-10-24 (06-40-00).txt

              Scan type: Quick Scan
              Objects scanned: 55137
              Time elapsed: 4 minute(s), 45 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 0
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 0

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              (No malicious items detected)

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              (No malicious items detected)

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              (No malicious items detected)

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 6:56:44 AM, on 10/24/2008
              Platform: Windows XP SP3 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16735)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
              C:\WINDOWS\system32\CTsvcCDA.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\MsPMSPSv.exe
              C:\WINDOWS\system32\SearchIndexer.exe
              C:\PROGRA~1\AVG\AVG8\avgrsx.exe
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\system32\igfxtray.exe
              C:\WINDOWS\system32\hkcmd.exe
              C:\WINDOWS\system32\CTHELPER.EXE
              C:\Program Files\TweakNow PowerPack Pro\VirDesk.exe
              C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
              C:\PROGRA~1\AVG\AVG8\avgtray.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Windows Desktop Search\WindowsSearch.exe
              C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
              C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
              C:\WINDOWS\system32\sol.exe
              C:\Program Files\Java\jre6\bin\jusched.exe
              C:\Program Files\Java\jre6\bin\jqs.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
              C:\Program Files\Windows Live\Messenger\msnmsgr.exe
              C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
              O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
              O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
              O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
              O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
              O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
              O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
              O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
              O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
              O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
              O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
              O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
              O4 - HKLM\..\Run: [VirtualDesk] C:\Program Files\TweakNow PowerPack Pro\VirDesk.exe
              O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
              O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
              O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
              O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
              O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
              O4 - Global Startup: AutorunsDisabled
              O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
              O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
              O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
              O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
              O17 - HKLM\System\CCS\Services\Tcpip\..\{FD2B188B-527C-47DE-884F-C1CEEDEEA75D}: NameServer = 202.54.6.60,202.54.29.5
              O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
              O20 - AppInit_DLLs: avgrsstx.dll
              O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
              O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
              O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

              --
              End of file - 6473 bytes



              Eagle

              CBMatt (Mod & Malware Specialist)
              Re: C drive display
              « Reply #11 on: October 24, 2008, 02:17:15 AM »
              I wouldn't worry about the TweakNow at the moment.  There aren't too many results, but your issue definitely does appear to be part of an infection.  I currently can't find much about a successful removal of this particular infection, but let's give this a try...

              Run the Kaspersky Online Scanner

              In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

              • Click on SCAN NOW
              • Click Accept.
              • The program will then begin downloading the latest definition files.
              • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
              • The scan will take a while, so be patient and let it finish.
              When the scan is done, in the Scan is complete window, any infection is displayed.
              There is no option to clean/disinfect, however, we need to analyze the information on the report.

              To obtain the report:
              • Click on: Save Report As
              • Next, in the Save as prompt, Save in area, select: Desktop.
              • In the File name area use KScan, or something similar.
              • In Save as type: click the drop arrow and select: Text file [*.txt]
              • Then, click: Save


              Copy and paste the Kaspersky Online Scanner Report in your next reply.

              Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

                NNEagle (Topic Starter)
                Re: C drive display
                « Reply #12 on: October 24, 2008, 08:46:05 AM »

                Here are the results. Thanks for the help.

                --------------------------------------------------------------------------------
                KASPERSKY ONLINE SCANNER 7 REPORT
                 Friday, October 24, 2008
                 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
                 Kaspersky Online Scanner 7 version: 7.0.25.0
                 Program database last update: Friday, October 24, 2008 11:13:08
                 Records in database: 1341958
                --------------------------------------------------------------------------------

                Scan settings:
                   Scan using the following database: extended
                   Scan archives: yes
                   Scan mail databases: yes

                Scan area - My Computer:
                   A:\
                   C:\
                   D:\
                   E:\

                Scan statistics:
                   Files scanned: 50973
                   Threat name: 1
                   Infected objects: 1
                   Suspicious objects: 0
                   Duration of the scan: 01:45:59


                File name / Threat name / Threats count
                C:\WINDOWS\system32\win.dll\reg.bkp\autorun.inf   Infected: Backdoor.Win32.Hupigon.cfeh   1

                The selected area was scanned.
                Eagle

                CBMatt (Mod & Malware Specialist)
                Re: C drive display
                « Reply #13 on: October 25, 2008, 12:51:47 AM »
                I could be wrong, but I believe the file found by Kaspersky is related to your issue.  Was it removed?  If not, you may need to boot into Safe Mode, enable hidden files and folders, and delete C:\WINDOWS\system32\win.dll.  Or if the file was already removed...has your C drive's label gone back to normal?

                  NNEagle (Topic Starter)
                  Re: C drive display
                  « Reply #14 on: October 25, 2008, 08:42:25 PM »
                  I could not find the file C:\WINDOWS\system32\win.dll, and nothing has changed. Tried to manually search as well as in the Search. No luck.
                  Eagle
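The Kaspersky report in Reply #12 names C:\WINDOWS\system32\win.dll\reg.bkp\autorun.inf, and Reply #14 says no file called win.dll could be found. The two fit together: every component before the last one in a path is a folder, so win.dll and reg.bkp are directories and the detected object is an autorun.inf inside them, which a search for a file named win.dll will not turn up. An autorun.inf's [autorun] section is also where a label= or icon= entry changes how Explorer shows a drive, which matches the %$thb$% label and picture described in the first post (an autorun.inf only affects the drive whose root it sits in, so a responder would also check each drive's root for a hidden one). The script below is an added example, not code from this thread or from any of the tools named in it. It splits the detection line exactly as printed in the report into its directory and file parts, and parses a constructed autorun.inf (made-up file names) to report the display-changing and program-running directives; it assumes the line format Kaspersky used in the report.

```python
"""Triage of the autorun.inf detection in this thread (added example; not code
from the thread, Kaspersky, HijackThis or KillBox).

1. Split the reported path: every component before the last is a folder, so
   win.dll and reg.bkp are directories and the detected file is autorun.inf.
2. Parse an autorun.inf: in its [autorun] section, label= and icon= change how
   Explorer shows a drive; open=, shellexecute= and shell\\<verb>\\command=
   name a program to run.

The autorun.inf text is constructed for illustration; its file names are
made up and not from the infected machine.
"""
import re
from pathlib import PureWindowsPath

# Detection line as printed in the Kaspersky Online Scanner report above.
KASPERSKY_LINE = (
    r"C:\WINDOWS\system32\win.dll\reg.bkp\autorun.inf"
    "   Infected: Backdoor.Win32.Hupigon.cfeh   1"
)

# Constructed sample (the label mirrors the symptom in the first post).
SAMPLE_AUTORUN_INF = """\
; constructed sample, not a file recovered from the machine
[AutoRun]
label=%$thb$%
Icon=thb.ico
open=reg.bkp\\helper.exe
shellexecute=reg.bkp\\helper.exe
shell\\open\\command=reg.bkp\\helper.exe
"""

DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# [autorun] keys that alter the drive's appearance in Explorer.
DISPLAY_KEYS = {"label": "replaces the drive's displayed name",
                "icon": "replaces the drive's icon"}
# [autorun] keys that name something to execute.
EXEC_KEYS = {"open": "program run when the drive is opened",
             "shellexecute": "file or program handed to ShellExecute on open"}


def parse_detection_line(line):
    """Split 'path   Infected: name   count' into threat, count, file and
    the directory components leading to the file."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        raise ValueError("not a Kaspersky detection line: %r" % line)
    parts = PureWindowsPath(m.group("path")).parts
    return {"path": m.group("path"), "threat": m.group("threat"),
            "count": int(m.group("count")), "drive": parts[0],
            "directories": list(parts[1:-1]), "file": parts[-1]}


def parse_autorun_inf(text):
    """Return the key=value pairs of the [autorun] section, keys lowercased.
    Deliberately tolerant: lines it cannot parse are ignored."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def assess_autorun(directives):
    """Tag each directive as 'display' or 'execute' with a short explanation."""
    findings = []
    for key, value in directives.items():
        if key in DISPLAY_KEYS:
            kind, note = "display", DISPLAY_KEYS[key]
        elif key in EXEC_KEYS:
            kind, note = "execute", EXEC_KEYS[key]
        elif key.startswith("shell\\") and key.endswith("\\command"):
            kind, note = "execute", "verb added to the drive's context menu"
        else:
            continue
        findings.append({"key": key, "value": value, "kind": kind, "note": note})
    return findings


def main():
    hit = parse_detection_line(KASPERSKY_LINE)
    print("threat: %s (%d hit)" % (hit["threat"], hit["count"]))
    print("file:   %s   folders: %s" % (hit["file"], " > ".join(hit["directories"])))
    for f in assess_autorun(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print("%-8s %-20s = %-18s %s" % (f["kind"], f["key"], f["value"], f["note"]))


if __name__ == "__main__":
    main()
```

Run it with python and it prints the folder chain leading to the detected file and a one-line classification of each directive. Two checks a practitioner would add on the live machine: list hidden and system files in the drive root (dir /a from a command prompt) to see whether an autorun.inf is present there, and bear in mind that Explorer caches a drive's autorun label and icon per user under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, so a changed label can outlive the file that set it.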

                  CBMatt (Mod & Malware Specialist)
                  Re: C drive display
                  « Reply #15 on: October 26, 2008, 03:17:23 AM »
                  A couple of things...
                  1.  You can try changing the C drive icon with TweakUI.  Simply download it and install it.  When you run the program, click on Repair and then Rebuild Icons.  Click on Repair Now and wait patiently while it goes to work.  NOTE: this may change any custom icon settings you have (i.e. if you've changed the system icons to another theme).

                  2.  Out of curiosity, I would like for you to try the Kaspersky scan again, if you don't mind.  I'm fairly certain that file is what changed your icon, so I want to make sure it is gone.

                    NNEagle (Topic Starter)
                    Re: C drive display
                    « Reply #16 on: October 26, 2008, 08:10:18 PM »
                    No change in the C drive icon after running TweakUI. Performed a Kaspersky scan and here is the report. Appreciate the time taken to sort this out.

                    --------------------------------------------------------------------------------
                    KASPERSKY ONLINE SCANNER 7 REPORT
                     Monday, October 27, 2008
                     Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
                     Kaspersky Online Scanner 7 version: 7.0.25.0
                     Program database last update: Sunday, October 26, 2008 20:40:15
                     Records in database: 1349057
                    --------------------------------------------------------------------------------

                    Scan settings:
                       Scan using the following database: extended
                       Scan archives: yes
                       Scan mail databases: yes

                    Scan area - My Computer:
                       A:\
                       C:\
                       D:\
                       E:\

                    Scan statistics:
                       Files scanned: 59553
                       Threat name: 1
                       Infected objects: 1
                       Suspicious objects: 0
                       Duration of the scan: 01:40:10


                    File name / Threat name / Threats count
                    C:\WINDOWS\system32\win.dll\reg.bkp\autorun.inf   Infected: Backdoor.Win32.Hupigon.cfeh   1

                    The selected area was scanned.
                    Eagle

                    CBMatt (Mod & Malware Specialist)
                    Re: C drive display
                    « Reply #17 on: October 26, 2008, 08:53:55 PM »
                    Okay, Kaspersky is showing that the file is still there.  I'll have you try deleting the file manually.  First, download Pocket KillBox and save it to your desktop.  Although it's not necessary, I would suggest booting into Safe Mode (typically done by restarting your computer and repeatedly hitting the F8 key before it loads).  Either way, run KillBox.  You should get this screen:

                    [KillBox screenshot not preserved] (stolen from MalwareRemoval.com)

                    In the Full Path of File to Delete box, enter C:\WINDOWS\system32\win.dll and click on the red X button.  When prompted for backup, click on Yes.  If that doesn't work (you'll receive an error message), try repeating the process, but select Delete on Reboot.

                    Give these steps a try and then post back here with your results and another Kaspersky scan.

                     NNEagle

                       Re: C drive display
                       « Reply #18 on: October 27, 2008, 04:55:47 AM »
                       Used the kill box to kill that file twice, just to make sure. Then I performed a Kaspersky scan. Finding that file still there, I repeated kill box and performed another scan and have submitted both reports. The virus is still there.
                      Eagle

                       CBMatt

                       Re: C drive display
                       « Reply #19 on: October 27, 2008, 05:38:57 PM »
                      Okay, this one's a bit tricky.  I believe this particular infection may have keylogger capabilities, so I strongly advise against using your computer for online banking or anything of that nature.  You actually may even want to consider backing up your personal files and reformatting the computer.

                      However, if you'd like to continue with this, we can try a couple more things...  Download and save Blacklight to your desktop.  Then download a free trial of Kaspersky.  Install Kaspersky and update it completely.  Reboot into Safe Mode.

                      Run Kaspersky and run a full scan and allow it to remove any threats it finds.  If it produces a log, post that here.  Afterwards, double-click fsbl.exe on the desktop, then accept the agreement and click on Scan.  Once it's complete, click on Next.

                      You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

                      Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

                       NNEagle

                         Re: C drive display
                         « Reply #20 on: October 28, 2008, 05:41:13 PM »
                         While trying to install Kaspersky, I came up against a wall. I am prompted to remove AVG 8 and then try to install. I have removed AVG through Add and Remove Programs, through search, KillBox and also through Revo Uninstaller. I cannot find the AVG antivirus any more, but Kaspersky still stops at the prompt to remove AVG 8 while installing.

                        I am sorry, this is taking up so much of your time.
                        Eagle

                         NNEagle

                           Re: C drive display
                           « Reply #21 on: October 28, 2008, 09:27:45 PM »

                           I subscribe to the WXPnews newsletter and today I found this in my inbox. I had purchased their Sunbelt product earlier but never updated my subscription. Anyway, they offered a free 15-day trial, so I downloaded it and ran a scan. Below is the link to the download

                          http://www.wxpnews.com/8JJRE7/081028-Get-VIPRE

                          Here is the scan report:

                          Risk name:   INF.Autorun (v)
                          Source:      Scanner
                          Risk level:   High
                          Risk category:   Trojan

                          Advice:      This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.

                          File C:\Windows\system32\win.dll

                           I removed it and performed another scan. This file did not show up again. My C drive icon, however, remains the same.
                          Eagle

                           CBMatt

                           Re: C drive display
                           « Reply #22 on: October 29, 2008, 01:18:09 AM »
                           > I am sorry, this is taking up so much of your time.
                          No need to apologize to me.  I'm the one who's sorry that this thing is being so stubborn.  In any case, I'm glad the file has finally stopped showing up.  I'm not entirely sure what to make of the AVG/Kaspersky situation.  You may want to head over to AVG's site and re-download the newest AVG.  See if it will let you install properly.

                          As for the icon...now that the file isn't coming back, you can give TweakUI another try to see if it helps.  If not, you can also try opening My Computer and right-clicking on the C drive.  Click on Properties.  There is a white text box near the top of the window.  Is there any writing in it?  If so, erase it all (leave it blank) and click on OK.  It's a longshot, but worth a try.



                          Also...I was refraining from having you try this because the program was taken offline recently, but it appears to be up and running again.  Although not always advised, it's a powerful malware tool that I am quite partial to.  Go ahead and download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.

                          This will help us figure out if anything else might be lurking about.

                           NNEagle

                             Re: C drive display
                             « Reply #23 on: October 29, 2008, 07:56:36 PM »
                             Posted with regard to the ComboFix log, but it went into cyberspace. Guess it is because I am so excited to see my C drive icon back to normal. Here is the log

                            ComboFix 08-10-30.04 - Administrator 2008-10-30  7:09:15.2 - NTFSx86
                            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1192 [GMT 5.5:30]
                            Running from: C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Desktop\ComboFix.exe
                            .

                            (((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-30  )))))))))))))))))))))))))))))))
                            .

                            2008-10-29 06:03 . 2008-10-29 06:03   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Sunbelt
                            2008-10-27 23:19 . 2008-10-27 23:19   <DIR>   d--------   C:\Program Files\VS Revo Group
                            2008-10-27 23:12 . 2008-10-28 09:13   23,392   --a------   C:\WINDOWS\system32\nscompat.tlb
                            2008-10-27 23:12 . 2008-10-28 09:13   16,832   --a------   C:\WINDOWS\system32\amcompat.tlb
                            2008-10-27 10:02 . 2008-10-29 05:59   <DIR>   d--------   C:\!KillBox
                            2008-10-27 05:22 . 2003-06-25 16:05   266,360   --a------   C:\WINDOWS\system32\TweakUI.exe
                            2008-10-27 05:22 . 2002-06-21 15:09   160,217   --a------   C:\WINDOWS\system32\PowerToysLicense.rtf
                            2008-10-26 14:53 . 2008-10-26 14:53   <DIR>   d--------   C:\Program Files\Common Files\Adobe Systems Shared
                            2008-10-26 14:06 . 2008-10-26 14:06   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\TERMINAL Studio
                            2008-10-26 14:05 . 2008-10-26 14:05   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Astro Gemini Software
                            2008-10-26 06:49 . 2008-10-28 09:18   <DIR>   d--------   C:\Program Files\Avira
                            2008-10-26 04:36 . 2008-10-26 04:36   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
                            2008-10-26 03:44 . 2008-10-26 03:46   10,752   --ahs----   C:\WINDOWS\system32\Thumbs.db
                            2008-10-26 03:43 . 2008-10-26 03:43   7,680   --ahs----   C:\WINDOWS\Thumbs.db
                            2008-10-26 03:43 . 2008-10-26 03:43   5,632   --ahs----   C:\Thumbs.db
                            2008-10-24 10:06 . 2008-10-15 22:04   337,408   -----c---   C:\WINDOWS\system32\dllcache\netapi32.dll
                            2008-10-24 06:52 . 2008-10-24 06:54   <DIR>   d--------   C:\Program Files\Trend Micro
                            2008-10-24 06:45 . 2008-10-24 06:45   410,976   --a------   C:\WINDOWS\system32\deploytk.dll
                            2008-10-24 05:15 . 2008-10-24 05:16   <DIR>   d--------   C:\Program Files\CCleaner
                            2008-10-24 04:50 . 2008-10-24 04:50   <DIR>   d--------   C:\Program Files\BinaryMark
                            2008-10-24 04:41 . 2008-10-26 14:54   <DIR>   d--------   C:\Program Files\Common Files\Adobe
                            2008-10-20 12:19 . 2008-09-08 16:11   333,824   -----c---   C:\WINDOWS\system32\dllcache\srv.sys
                            2008-10-20 12:17 . 2008-08-14 15:41   2,189,184   -----c---   C:\WINDOWS\system32\dllcache\ntoskrnl.exe
                            2008-10-20 12:17 . 2008-08-14 15:39   2,145,280   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
                            2008-10-20 12:17 . 2008-08-14 15:03   2,066,048   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
                            2008-10-20 12:17 . 2008-08-14 15:03   2,023,936   -----c---   C:\WINDOWS\system32\dllcache\ntkrpamp.exe
                            2008-10-20 12:17 . 2008-09-15 17:42   1,846,400   -----c---   C:\WINDOWS\system32\dllcache\win32k.sys
                            2008-10-15 08:49 . 2008-10-15 08:49   <DIR>   d--------   C:\Program Files\123 Free Solitaire
                            2008-10-15 00:02 . 2008-10-15 00:02   <DIR>   d--------   C:\swsetup
                            2008-10-14 23:26 . 2008-10-14 23:26   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Drivers Headquarters
                            2008-10-14 00:46 . 2008-10-14 00:46   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Auslogics
                            2008-10-10 23:56 . 2008-10-10 23:56   <DIR>   d--------   C:\Program Files\Sun
                            2008-10-02 12:57 . 2008-10-02 12:59   <DIR>   d--------   C:\WINDOWS\system32\Adobe
                            2008-09-30 13:16 . 2008-10-14 23:11   <DIR>   d--------   C:\WINDOWS\system32\win.dll
                            2008-09-05 16:53 . 2008-09-05 16:53   <DIR>   d--------   C:\Program Files\Litsoft
                            2008-09-05 16:53 . 1997-07-03 09:35   109,056   --a------   C:\WINDOWS\UNWISE.EXE
                            2008-09-05 01:00 . 2008-09-05 01:00   432   --a------   C:\WINDOWS\system32\iolo.ini
                            2008-09-05 01:00 . 2008-09-05 01:00   406   --a------   C:\WINDOWS\system32\ioloBootDefrag.cfg
                            2008-09-05 00:57 . 2008-09-14 15:01   <DIR>   d--------   C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\iolo
                            2008-09-05 00:57 . 2008-08-26 15:23   118,784   --a------   C:\WINDOWS\system32\iavlsp.dll
                            2008-09-05 00:44 . 2008-09-05 00:44   74,703   --a------   C:\WINDOWS\system32\mfc45.dll
                            2008-09-05 00:43 . 2008-10-10 04:37   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
                            2008-09-05 00:43 . 2008-09-05 09:50   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\iolo
                            2008-09-01 01:50 . 2008-09-01 01:50   2,812   --a------   C:\Settings.ini
                            2008-09-01 01:50 . 2008-09-01 01:50   2,617   --a------   C:\Commands.cfg

                            .
                            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            2008-10-27 17:40   ---------   d-----w   C:\Program Files\Windows Media Connect 2
                            2008-10-25 23:14   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\SUPERAntiSpyware.com
                            2008-10-24 01:15   ---------   d-----w   C:\Program Files\Java
                            2008-10-22 07:06   ---------   d-----w   C:\Program Files\Microsoft Silverlight
                            2008-10-15 01:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                            2008-10-10 11:14   ---------   d-----w   C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
                            2008-10-09 07:38   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\LimeWire
                            2008-10-02 07:28   ---------   d-----w   C:\Program Files\Google
                            2008-09-15 12:12   1,846,400   ----a-w   C:\WINDOWS\system32\win32k.sys
                            2008-09-08 10:41   333,824   ----a-w   C:\WINDOWS\system32\drivers\srv.sys
                            2008-08-31 10:26   ---------   d---a-w   C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
                            2008-08-31 10:26   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\EAST Technologies
                            2008-08-29 10:50   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Windows Search
                            2008-08-29 04:02   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Windows Desktop Search
                            2008-08-29 04:01   ---------   d-----w   C:\Program Files\Windows Desktop Search
                            2008-08-28 08:44   98,304   ----a-w   C:\WINDOWS\system32\JkDefragScreenSaver.scr
                            2008-08-28 08:44   237,056   ----a-w   C:\WINDOWS\system32\JkDefragScreenSaver.exe
                            2008-08-26 07:24   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
                            2008-08-14 10:11   2,189,184   ----a-w   C:\WINDOWS\system32\ntoskrnl.exe
                            2008-08-14 09:33   2,066,048   ----a-w   C:\WINDOWS\system32\ntkrnlpa.exe
                            2008-07-18 16:40   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
                            2008-07-18 16:40   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
                            2008-07-18 16:40   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
                            2008-07-18 16:40   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
                            2008-07-18 16:39   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
                            2008-07-18 16:39   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
                            2008-07-18 16:39   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
                            2008-07-18 16:39   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
                            2008-07-18 16:37   270,880   ----a-w   C:\WINDOWS\system32\mucltui.dll
                            2008-07-18 16:37   210,976   ----a-w   C:\WINDOWS\system32\muweb.dll
                            2008-07-07 20:26   253,952   ----a-w   C:\WINDOWS\system32\es.dll
                            2008-03-27 05:09   14,523,983   ----a-w   C:\Program Files\klcodec385f.exe
                            2008-03-26 08:09   2,400,784   ----a-w   C:\Program Files\WLinstaller.exe
                            2003-03-21 08:07   16,056   ----a-w   C:\Program Files\owcstp16.dll
                            2008-05-15 15:26   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
                            2008-03-08 09:47   681,474   --sha-w   C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe
                            .

                            (((((((((((((((((((((((((((((   snapshot@2008-10-30_ 6.30.55.75   )))))))))))))))))))))))))))))))))))))))))
                            .
                            + 2008-10-30 01:36:56   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_c0.dat
                            .
                            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                            .
                            .
                            *Note* empty entries & legit default entries are not shown
                            REGEDIT4

                            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

                            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                            "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 155648]
                            "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-15 114688]
                            "CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
                            "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
                            "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
                            "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
                            "CTHelper"="CTHELPER.EXE" [2007-04-09 C:\WINDOWS\system32\CtHelper.exe]
                            "EssSpkPhone"="essspk.exe" [2002-05-30 C:\WINDOWS\essspk.exe]

                            C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Start Menu\Programs\Startup\
                            Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

                            C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
                            Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

                            C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\AutorunsDisabled
                            Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 39792]
                            Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 738968]
                            Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
                            WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-06-23 118784]

                            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                            "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

                            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                            "%windir%\\system32\\sessmgr.exe"=
                            "C:\\Program Files\\Messenger\\msmsgs.exe"=
                            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                            "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                            "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
                            "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
                            "C:\\WINDOWS\\system32\\mmc.exe"=

                            R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-24 152984]
                            R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
                            S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]

                            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
                            \Shell\AutoRun\command - setup.exe

                            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8882d75a-7cf3-11dd-a5ca-0008a174a0ac}]
                            \Shell\AutoRun\command - F:\System\DriveGuard\DriveProtect.exe -run 
                            \Shell\Explore\Command - F:\System\DriveGuard\DriveProtect.exe -run  
                            \Shell\Open\Command - F:\System\DriveGuard\DriveProtect.exe -run 

                            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93b6f101-cc8c-11dc-acfc-aa8fad93d89f}]
                            \Shell\AutoRun\command - setup.exe

                            [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1EC04D97-5F10-DD1B-0306-020403060503}]
                            C:\WINDOWS\system32\SecSystem.exe
                            .
                            Contents of the 'Scheduled Tasks' folder

                            2008-10-30 C:\WINDOWS\Tasks\1-Click Maintenance.job
                            - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []

                            2008-10-29 C:\WINDOWS\Tasks\At1.job
                            - C:\WINDOWS\system32\svchost []

                            2008-10-27 C:\WINDOWS\Tasks\EasyShare Registration Task.job
                            - C:\WINDOWS\system32\rundll32.exe [2008-04-14 05:42]
                            .
                            .
                            ------- Supplementary Scan -------
                            .
                            FireFox -: Profile - C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Mozilla\Firefox\Profiles\vjez9wmu.default\
                            .
                            .
                            ------- File Associations -------
                            .
                            JSEFile=NOTEPAD.EXE %1
                            VBEFile=NOTEPAD.EXE %1
                            VBSFile=NOTEPAD.EXE %1
                            .

                            **************************************************************************

                            catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                            Rootkit scan 2008-10-30 07:11:07
                            Windows 5.1.2600 Service Pack 3 NTFS

                            scanning hidden processes ...

                            scanning hidden autostart entries ...

                            scanning hidden files ...

                            scan completed successfully
                            hidden files: 0

                            **************************************************************************
                            .
                            Completion time: 2008-10-30  7:14:22
                            ComboFix-quarantined-files.txt  2008-10-30 01:43:58
                            ComboFix2.txt  2008-10-30 01:01:50

                            Pre-Run: 4,599,820,288 bytes free
                            Post-Run: 4,577,411,072 bytes free

                            180   --- E O F ---   2008-10-29 18:45:52
                            Eagle
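A small triage script, added here as an example (it is not part of the thread, of ComboFix, or of any tool mentioned above), that reads ComboFix listing lines like the ones in the log above and flags what a responder would look for in them: a directory whose name ends in a library or program extension (win.dll in this log is a folder, not a DLL), files stored beneath such a directory, and mountpoints2 AutoRun handlers. The sample lines are copied from the log above; the row layout the regexes assume is taken from those lines only.

```python
import re
from dataclasses import dataclass

# Extensions that are normal for a file but a red flag for a *directory* name.
EXEC_EXTS = (".dll", ".exe", ".sys", ".scr", ".ocx")

# "Files Created" rows:  date time . date time   <DIR>|size   attrs   path
CREATED_RE = re.compile(
    r"^\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-\w]+)\s+(?P<path>\S.*?)\s*$"
)
# "Find3M" rows:  date time   size|---------   attrs   path
FIND3M_RE = re.compile(
    r"^\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|-{9})\s+"
    r"(?P<attrs>[-\w]+)\s+(?P<path>\S.*?)\s*$"
)
# mountpoints2 handler rows:  \Shell\AutoRun\command - <command>
AUTORUN_RE = re.compile(
    r"^\s*\\Shell\\(?P<verb>\w+)\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE
)
# Bare paths, as in the "Other Deletions" and "FILE ::" lists.
BARE_PATH_RE = re.compile(r"^\s*(?P<path>[A-Za-z]:\\\S.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    kind: str    # dir-masquerade | nested-in-masquerade | autorun-command
    path: str
    reason: str


def _components(path: str) -> list:
    return [c for c in path.split("\\") if c]


def _looks_executable(name: str) -> bool:
    return name.lower().endswith(EXEC_EXTS)


def _check_path(path: str, is_dir: bool, findings: list) -> None:
    parts = _components(path)
    if is_dir and _looks_executable(parts[-1]):
        findings.append(Finding("dir-masquerade", path,
                                f"directory named like an executable: {parts[-1]}"))
    elif any(_looks_executable(p) for p in parts[:-1]):
        findings.append(Finding("nested-in-masquerade", path,
                                "stored beneath a directory named like an executable"))


def triage(lines):
    """Return Findings, in log order, for an iterable of ComboFix log lines."""
    findings = []
    for line in lines:
        m = CREATED_RE.match(line) or FIND3M_RE.match(line)
        if m:
            # Find3M marks directories only in the attribute column ("d-----w").
            is_dir = m.group("size") == "<DIR>" or m.group("attrs").startswith("d")
            _check_path(m.group("path"), is_dir, findings)
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("autorun-command", m.group("cmd"),
                                    f"mountpoints2 {m.group('verb')} handler runs {m.group('cmd')}"))
            continue
        m = BARE_PATH_RE.match(line)
        if m:
            _check_path(m.group("path"), False, findings)
    return findings


# Sample lines copied from the log above (constructed input for this example).
SAMPLE_LOG = r"""
2008-10-24 06:45 . 2008-10-24 06:45   410,976   --a------   C:\WINDOWS\system32\deploytk.dll
2008-10-10 23:56 . 2008-10-10 23:56   <DIR>   d--------   C:\Program Files\Sun
2008-09-30 13:16 . 2008-10-14 23:11   <DIR>   d--------   C:\WINDOWS\system32\win.dll
2008-09-15 12:12   1,846,400   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-08 09:47   681,474   --sha-w   C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - setup.exe
C:\WINDOWS\system32\win.dll\Desktop.ini
""".splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.path}  ({f.reason})")
```

Run on the sample it reports the win.dll folder, the two objects inside it, and the setup.exe AutoRun handler, while the genuine deploytk.dll, win32k.sys and the Sun folder pass through unflagged.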

                             CBMatt

                             Re: C drive display
                             « Reply #24 on: October 29, 2008, 08:27:28 PM »
                            I'm glad to hear that the icon has finally gone back to normal.  And your ComboFix looks good...but that win.dll file is still showing up.  Let's try one more thing, which should [hopefully] get rid of the infection...



                            Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                            Delete these files/folders, as follows:

                            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                            It must be Notepad, not Wordpad.
                            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                             Code:
                            KillAll::

                            Folder::
                            C:\WINDOWS\system32\win.dll

                            File::
                            C:\WINDOWS\system32\win.dll
                            C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe

                            3. Go to the Notepad window and click Edit > Paste
                            4. Then click File > Save
                            5. Name the file CFScript.txt - Save the file to your Desktop
                            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                            ComboFix will begin to execute, just follow the prompts.
                            After reboot (in case it asks to reboot), it will produce a log for you.
                            Post that log (Combofix.txt) in your next reply.

                            Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                             NNEagle

                               Re: C drive display
                               « Reply #25 on: October 30, 2008, 02:19:46 AM »
                               Here is the ComboFix text log. I did notice that the files in question were being deleted during the process. Anyway, you will know better when you see the log.

                              ComboFix 08-10-30.04 - Administrator 2008-10-30 13:18:49.3 - NTFSx86
                              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1103 [GMT 5.5:30]
                              Running from: C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Desktop\ComboFix.exe
                              Command switches used :: C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Desktop\CFScript.txt
                               * Created a new restore point

                              FILE ::
                              C:\WINDOWS\system32\win.dll
                              C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe
                              .

                              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                              .

                              C:\WINDOWS\system32\win.dll
                              C:\WINDOWS\system32\win.dll\Desktop.ini
                              C:\WINDOWS\system32\win.dll\DLL.ico
                              C:\WINDOWS\system32\win.dll\drivelist.txt
                              C:\WINDOWS\system32\win.dll\Icon.ico
                              C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe
                              C:\WINDOWS\system32\win.dll\reproduce.txt
                              C:\WINDOWS\system32\win.dll\script1.txt
                              C:\WINDOWS\system32\win.dll\std.txt
                              C:\WINDOWS\system32\win.dll\thb.ico
                              C:\WINDOWS\system32\win.dll\win.mp3

                              .
                              (((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-30  )))))))))))))))))))))))))))))))
                              .

                              2008-10-30 07:38 . 2008-10-30 07:38   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
                              2008-10-29 06:03 . 2008-10-29 06:03   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Sunbelt
                              2008-10-27 23:19 . 2008-10-27 23:19   <DIR>   d--------   C:\Program Files\VS Revo Group
                              2008-10-27 23:12 . 2008-10-28 09:13   23,392   --a------   C:\WINDOWS\system32\nscompat.tlb
                              2008-10-27 23:12 . 2008-10-28 09:13   16,832   --a------   C:\WINDOWS\system32\amcompat.tlb
                              2008-10-27 10:02 . 2008-10-30 13:11   <DIR>   d--------   C:\!KillBox
                              2008-10-27 05:22 . 2003-06-25 16:05   266,360   --a------   C:\WINDOWS\system32\TweakUI.exe
                              2008-10-27 05:22 . 2002-06-21 15:09   160,217   --a------   C:\WINDOWS\system32\PowerToysLicense.rtf
                              2008-10-26 14:53 . 2008-10-26 14:53   <DIR>   d--------   C:\Program Files\Common Files\Adobe Systems Shared
                              2008-10-26 14:06 . 2008-10-26 14:06   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\TERMINAL Studio
                              2008-10-26 14:05 . 2008-10-26 14:05   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Astro Gemini Software
                              2008-10-26 06:49 . 2008-10-30 07:38   <DIR>   d--------   C:\Program Files\Avira
                              2008-10-26 04:36 . 2008-10-26 04:36   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
                              2008-10-26 03:44 . 2008-10-26 03:46   10,752   --ahs----   C:\WINDOWS\system32\Thumbs.db
                              2008-10-26 03:43 . 2008-10-26 03:43   7,680   --ahs----   C:\WINDOWS\Thumbs.db
                              2008-10-26 03:43 . 2008-10-26 03:43   5,632   --ahs----   C:\Thumbs.db
                              2008-10-24 10:06 . 2008-10-15 22:04   337,408   -----c---   C:\WINDOWS\system32\dllcache\netapi32.dll
                              2008-10-24 06:52 . 2008-10-24 06:54   <DIR>   d--------   C:\Program Files\Trend Micro
                              2008-10-24 06:45 . 2008-10-24 06:45   410,976   --a------   C:\WINDOWS\system32\deploytk.dll
                              2008-10-24 05:15 . 2008-10-24 05:16   <DIR>   d--------   C:\Program Files\CCleaner
                              2008-10-24 04:50 . 2008-10-24 04:50   <DIR>   d--------   C:\Program Files\BinaryMark
                              2008-10-24 04:41 . 2008-10-26 14:54   <DIR>   d--------   C:\Program Files\Common Files\Adobe
                              2008-10-20 12:19 . 2008-09-08 16:11   333,824   -----c---   C:\WINDOWS\system32\dllcache\srv.sys
                              2008-10-20 12:17 . 2008-08-14 15:41   2,189,184   -----c---   C:\WINDOWS\system32\dllcache\ntoskrnl.exe
                              2008-10-20 12:17 . 2008-08-14 15:39   2,145,280   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
                              2008-10-20 12:17 . 2008-08-14 15:03   2,066,048   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
                              2008-10-20 12:17 . 2008-08-14 15:03   2,023,936   -----c---   C:\WINDOWS\system32\dllcache\ntkrpamp.exe
                              2008-10-20 12:17 . 2008-09-15 17:42   1,846,400   -----c---   C:\WINDOWS\system32\dllcache\win32k.sys
                              2008-10-15 08:49 . 2008-10-15 08:49   <DIR>   d--------   C:\Program Files\123 Free Solitaire
                              2008-10-15 00:02 . 2008-10-15 00:02   <DIR>   d--------   C:\swsetup
                              2008-10-14 23:26 . 2008-10-14 23:26   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Drivers Headquarters
                              2008-10-14 00:46 . 2008-10-14 00:46   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Auslogics
                              2008-10-10 23:56 . 2008-10-10 23:56   <DIR>   d--------   C:\Program Files\Sun
                              2008-10-02 12:57 . 2008-10-02 12:59   <DIR>   d--------   C:\WINDOWS\system32\Adobe
                              2008-09-05 16:53 . 2008-09-05 16:53   <DIR>   d--------   C:\Program Files\Litsoft
                              2008-09-05 16:53 . 1997-07-03 09:35   109,056   --a------   C:\WINDOWS\UNWISE.EXE
                              2008-09-05 01:00 . 2008-09-05 01:00   432   --a------   C:\WINDOWS\system32\iolo.ini
                              2008-09-05 01:00 . 2008-09-05 01:00   406   --a------   C:\WINDOWS\system32\ioloBootDefrag.cfg
                              2008-09-05 00:57 . 2008-09-14 15:01   <DIR>   d--------   C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\iolo
                              2008-09-05 00:57 . 2008-08-26 15:23   118,784   --a------   C:\WINDOWS\system32\iavlsp.dll
                              2008-09-05 00:44 . 2008-09-05 00:44   74,703   --a------   C:\WINDOWS\system32\mfc45.dll
                              2008-09-05 00:43 . 2008-10-10 04:37   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
                              2008-09-05 00:43 . 2008-09-05 09:50   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\iolo
                              2008-09-01 01:50 . 2008-09-01 01:50   2,812   --a------   C:\Settings.ini
                              2008-09-01 01:50 . 2008-09-01 01:50   2,617   --a------   C:\Commands.cfg

                              .
                              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                              .
                              2008-10-27 17:40   ---------   d-----w   C:\Program Files\Windows Media Connect 2
                              2008-10-25 23:14   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\SUPERAntiSpyware.com
                              2008-10-24 01:15   ---------   d-----w   C:\Program Files\Java
                              2008-10-22 07:06   ---------   d-----w   C:\Program Files\Microsoft Silverlight
                              2008-10-15 01:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                              2008-10-10 11:14   ---------   d-----w   C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
                              2008-10-09 07:38   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\LimeWire
                              2008-10-02 07:28   ---------   d-----w   C:\Program Files\Google
                              2008-09-15 12:12   1,846,400   ----a-w   C:\WINDOWS\system32\win32k.sys
                              2008-09-08 10:41   333,824   ----a-w   C:\WINDOWS\system32\drivers\srv.sys
                              2008-08-31 10:26   ---------   d---a-w   C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
                              2008-08-31 10:26   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\EAST Technologies
                              2008-08-29 10:50   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Windows Search
                              2008-08-29 04:02   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Windows Desktop Search
                              2008-08-29 04:01   ---------   d-----w   C:\Program Files\Windows Desktop Search
                              2008-08-28 08:44   98,304   ----a-w   C:\WINDOWS\system32\JkDefragScreenSaver.scr
                              2008-08-28 08:44   237,056   ----a-w   C:\WINDOWS\system32\JkDefragScreenSaver.exe
                              2008-08-26 07:24   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
                              2008-08-14 10:11   2,189,184   ----a-w   C:\WINDOWS\system32\ntoskrnl.exe
                              2008-08-14 09:33   2,066,048   ----a-w   C:\WINDOWS\system32\ntkrnlpa.exe
                              2008-07-18 16:40   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
                              2008-07-18 16:40   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
                              2008-07-18 16:40   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
                              2008-07-18 16:40   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
                              2008-07-18 16:39   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
                              2008-07-18 16:39   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
                              2008-07-18 16:39   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
                              2008-07-18 16:39   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
                              2008-07-18 16:37   270,880   ----a-w   C:\WINDOWS\system32\mucltui.dll
                              2008-07-18 16:37   210,976   ----a-w   C:\WINDOWS\system32\muweb.dll
                              2008-07-07 20:26   253,952   ----a-w   C:\WINDOWS\system32\es.dll
                              2008-03-27 05:09   14,523,983   ----a-w   C:\Program Files\klcodec385f.exe
                              2008-03-26 08:09   2,400,784   ----a-w   C:\Program Files\WLinstaller.exe
                              2003-03-21 08:07   16,056   ----a-w   C:\Program Files\owcstp16.dll
                              2008-05-15 15:26   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
                              .

                              (((((((((((((((((((((((((((((   snapshot@2008-10-30_ 6.30.55.75   )))))))))))))))))))))))))))))))))))))))))
                              .
                              + 2008-05-09 07:45:51   45,376   ----a-w   C:\WINDOWS\system32\drivers\avgntdd.sys
                              + 2008-01-21 12:41:28   22,336   ----a-w   C:\WINDOWS\system32\drivers\avgntmgr.sys
                              + 2008-06-27 09:33:55   75,072   ----a-w   C:\WINDOWS\system32\drivers\avipbb.sys
                              + 2007-03-01 05:04:22   28,352   ----a-w   C:\WINDOWS\system32\drivers\ssmdrv.sys
                              .
                              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                              .
                              .
                              *Note* empty entries & legit default entries are not shown
                              REGEDIT4

                              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                              "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                              "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 155648]
                              "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-15 114688]
                              "CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
                              "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
                              "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
                              "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
                              "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
                              "CTHelper"="CTHELPER.EXE" [2007-04-09 C:\WINDOWS\system32\CtHelper.exe]
                              "EssSpkPhone"="essspk.exe" [2002-05-30 C:\WINDOWS\essspk.exe]

                              C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Start Menu\Programs\Startup\
                              Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

                              C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
                              Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

                              C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\AutorunsDisabled
                              Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 39792]
                              Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 738968]
                              Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
                              WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-06-23 118784]

                              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                              "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

                              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                              "%windir%\\system32\\sessmgr.exe"=
                              "C:\\Program Files\\Messenger\\msmsgs.exe"=
                              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                              "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                              "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
                              "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
                              "C:\\WINDOWS\\system32\\mmc.exe"=

                              R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-24 152984]
                              R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
                              S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]

                              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
                              \Shell\AutoRun\command - setup.exe

                              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8882d75a-7cf3-11dd-a5ca-0008a174a0ac}]
                              \Shell\AutoRun\command - F:\System\DriveGuard\DriveProtect.exe -run 
                              \Shell\Explore\Command - F:\System\DriveGuard\DriveProtect.exe -run  
                              \Shell\Open\Command - F:\System\DriveGuard\DriveProtect.exe -run 

                              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93b6f101-cc8c-11dc-acfc-aa8fad93d89f}]
                              \Shell\AutoRun\command - setup.exe

                              *Newly Created Service* - SSMDRV

                              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1EC04D97-5F10-DD1B-0306-020403060503}]
                              C:\WINDOWS\system32\SecSystem.exe
                              .
                              Contents of the 'Scheduled Tasks' folder

                              2008-10-30 C:\WINDOWS\Tasks\1-Click Maintenance.job
                              - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []

                              2008-10-30 C:\WINDOWS\Tasks\At1.job
                              - C:\WINDOWS\system32\svchost []

                              2008-10-27 C:\WINDOWS\Tasks\EasyShare Registration Task.job
                              - C:\WINDOWS\system32\rundll32.exe [2008-04-14 05:42]
                              .

                              **************************************************************************

                              catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                              Rootkit scan 2008-10-30 13:22:39
                              Windows 5.1.2600 Service Pack 3 NTFS

                              scanning hidden processes ...

                              scanning hidden autostart entries ...

                              scanning hidden files ...

                              scan completed successfully
                              hidden files: 0

                              **************************************************************************
                              .
                              ------------------------ Other Running Processes ------------------------
                              .
                              C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
                              C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
                              C:\WINDOWS\system32\CTSVCCDA.EXE
                              C:\WINDOWS\system32\MsPMSPSv.exe
                              C:\WINDOWS\system32\searchindexer.exe
                              C:\WINDOWS\system32\searchprotocolhost.exe
                              C:\WINDOWS\system32\searchfilterhost.exe
                              C:\WINDOWS\system32\searchprotocolhost.exe
                              .
                              **************************************************************************
                              .
                              Completion time: 2008-10-30 13:29:33 - machine was rebooted
                              ComboFix-quarantined-files.txt  2008-10-30 07:59:27
                              ComboFix2.txt  2008-10-30 01:44:23
                              ComboFix3.txt  2008-10-30 01:01:50

                              Pre-Run: 4,444,672,000 bytes free
                              Post-Run: 4,471,721,984 bytes free

                              205   --- E O F ---   2008-10-29 18:45:52
                              Eagle

                              CBMatt

                              • Mod & Malware Specialist


                              • Prodigy

                              • Sad and lonely...and loving every minute of it.
                              • Thanked: 167
                                • Yes
                              • Experience: Experienced
                              • OS: Windows 7
                              Re: C drive display
                              « Reply #26 on: October 30, 2008, 02:51:46 AM »
                              Congrats!  You are now clean!  That last log indicates that ComboFix has managed to delete those files, along with a few others.  It was a stubborn little bugger, but persistence paid off.  Now that you're clean, there are a few things you should attend to...

                              First, you'll want to clean out your System Restore.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

                              1.  Go to Start > Programs > Accessories > System Tools > System Restore
                              2.  Click on System Restore Settings.
                              3.  Check Turn off System Restore and click OK.
                              4.  Restart your computer.
                              5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
                              6.  Create a new restore point and close the program.

System Restore will now be active again.  If you would like to learn more about System Restore, go here.

Uninstall ComboFix by going to Start > Run and typing in combofix /u (note the space) and clicking OK.

You should update your Java by following the steps in this link...
http://www.computerhope.com/forum/index.php/topic,61006.msg389477.html#msg389477

You also need a firewall.  You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo.  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

And now I must go to bed because my wife is cranky and doesn't want me staying up any longer.  Heh.  Good luck with everything.  If you have any questions, feel free to ask.
Quote
An undefined problem has an infinite number of solutions.
- Robert A. Humphrey

                              NNEagle

                                Topic Starter


                                Re: C drive display
                                « Reply #27 on: October 30, 2008, 10:13:08 AM »
                                Thank you very much. Yet another successful story at ComputerHope. You guys are genuine.

Just a thing that is bothering me. Each time I get onto the internet, Tubesucker tries to load itself. I click on the cancel option but it persists for some time. I uninstalled it from the add and remove progs. After doing so, it disables my internet. Strange as it may seem.

Thank you for your guidance on system restore settings. I was able to go over there and restore from that point, minus the virus and stubborn file. I have my internet connection now. The Tubesucker is back. If you have the time, do let me know, or do not worry, as I could cancel the installation each time it comes up.

                                Thanks once again for all the patience and dedication to the lesser informed.

                                Glad to be among the helpful. Thank you very much once again.
                                Eagle

                                CBMatt

                                Re: C drive display
                                « Reply #28 on: October 30, 2008, 06:11:35 PM »
I'm not familiar with this program, so I ran a few searches on it and I found a few people complaining about having trouble uninstalling it, but I didn't find any solutions.  This may be a long shot, but we can give this a try...

                                Download LSPFix from here.
                                Run the LSPFix.exe that you have just finished downloading.
                                Check the I know what I'm doing box.
                                In the Keep box you should see a bunch of .dll files.  Write them down and list them here.  Close the program.

                                Then try uninstalling Tubesucker.  Does it kill your internet connection again?  If so, follow the above steps again.  So, you should have two lists of .dll files (they may be the exact same lists).  And just for the heck of it, go ahead and run another HJT log.  I don't see any instances of this program in your previous logs, so I want to see if it'll show up in a new one.

                                NNEagle

                                  Topic Starter


                                  Re: C drive display
                                  « Reply #29 on: October 30, 2008, 07:13:42 PM »
                                  LSPFix:
                                  mswsock.dll
                                  winmr.dll
                                  rsvpsp.dll

                                  On both occasions.

After uninstalling Tubesucker, I lost my internet connection and restored it by doing a system restore as I did yesterday. System check point: Removed Tubesucker.

                                  Now do not stay up late just for this. We cannot win over them wives LOL

                                  And here is my HJT log file.

                                  Logfile of Trend Micro HijackThis v2.0.2
                                  Scan saved at 6:32:40 AM, on 10/31/2008
                                  Platform: Windows XP SP3 (WinNT 5.01.2600)
                                  MSIE: Internet Explorer v7.00 (7.00.6000.16735)
                                  Boot mode: Normal

                                  Running processes:
                                  C:\WINDOWS\System32\smss.exe
                                  C:\WINDOWS\system32\winlogon.exe
                                  C:\WINDOWS\system32\services.exe
                                  C:\WINDOWS\system32\lsass.exe
                                  C:\WINDOWS\system32\svchost.exe
                                  C:\WINDOWS\System32\svchost.exe
                                  C:\WINDOWS\system32\svchost.exe
                                  C:\WINDOWS\Explorer.EXE
                                  C:\WINDOWS\system32\spoolsv.exe
                                  C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
                                  C:\WINDOWS\system32\CTsvcCDA.exe
                                  C:\Program Files\Java\jre6\bin\jqs.exe
                                  C:\WINDOWS\system32\svchost.exe
                                  C:\WINDOWS\system32\MsPMSPSv.exe
                                  C:\WINDOWS\system32\ctfmon.exe
                                  C:\WINDOWS\system32\igfxtray.exe
                                  C:\WINDOWS\system32\hkcmd.exe
                                  C:\WINDOWS\system32\CTHELPER.EXE
                                  C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
                                  C:\Program Files\Java\jre6\bin\jusched.exe
                                  C:\Program Files\COMODO\SafeSurf\cssurf.exe
                                  C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
                                  C:\Program Files\Windows Desktop Search\WindowsSearch.exe
                                  C:\WINDOWS\system32\msiexec.exe
                                  C:\Program Files\Internet Explorer\iexplore.exe
                                  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
                                  C:\Program Files\Windows Live\Messenger\msnmsgr.exe
                                  C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

                                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
                                  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                                  O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
                                  O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
                                  O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
                                  O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                                  O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
                                  O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                                  O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
                                  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
                                  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
                                  O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
                                  O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
                                  O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
                                  O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
                                  O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
                                  O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
                                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                                  O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                                  O4 - Global Startup: AutorunsDisabled
                                  O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
                                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                                  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                                  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
                                  O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
                                  O17 - HKLM\System\CCS\Services\Tcpip\..\{030FF9B5-6998-4858-AB77-D6D93A684113}: NameServer = 202.54.6.60,202.54.29.5
                                  O17 - HKLM\System\CCS\Services\Tcpip\..\{462E450B-8421-4C8A-9DC1-E6D78C347DB3}: NameServer = 202.54.6.60,202.54.29.5
                                  O17 - HKLM\System\CS2\Services\Tcpip\..\{030FF9B5-6998-4858-AB77-D6D93A684113}: NameServer = 202.54.6.60,202.54.29.5
                                  O17 - HKLM\System\CS3\Services\Tcpip\..\{030FF9B5-6998-4858-AB77-D6D93A684113}: NameServer = 202.54.6.60,202.54.29.5
                                  O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
                                  O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                                  O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
                                  O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
                                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                  O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

                                  --
                                  End of file - 6323 bytes
                                  Eagle

                                  CBMatt

                                  • Mod & Malware Specialist


                                  • Prodigy

                                  • Sad and lonely...and loving every minute of it.
                                  • Thanked: 167
                                  • Experience: Experienced
                                  • OS: Windows 7
                                  Re: C drive display
                                  « Reply #30 on: October 30, 2008, 07:57:58 PM »
                                  Heh, no worries, my wife is still at work.  I do have to get to my classes pretty soon, however.

                                  I hate to admit it, but I'm not entirely sure what to do about this program.  I'm not seeing any trace of it in your log.  It's not set to start up with the computer, nor is it embedded in your IE.

                                  The only thing I can think of at the moment is to try removing it with CCleaner and then clean the registry.  Download CCleaner (install without Yahoo! toolbar) and configure it according to this guide.  Make sure you let CCleaner back up your registry!

                                  You could also install a new download of Tubesucker and then try uninstalling that.

                                  If you still have no luck, you may want to contact them and ask for help...
                                  http://www.newrad.com/mail.html
                                  Quote
                                  An undefined problem has an infinite number of solutions.
                                  -Robert A. Humphrey

                                  NNEagle

                                    Topic Starter


                                    Beginner

                                    Thanked: 1
                                    Re: C drive display
                                    « Reply #31 on: October 30, 2008, 09:30:59 PM »
                                    Ran CCleaner and followed the guide. It had 314 issues and all was fixed. Uninstalled Tubesucker from CCleaner and came up with a lost internet connection. Restored the internet connection after a system restore and got back my internet connection. The Tubesucker is back and runs each time I sign in, open inbox or refresh a page.

                                    Wrote to the folk at Newrad and now awaiting a response from them. You have a great day and do take care.
                                    Eagle

                                    NNEagle

                                      Topic Starter


                                      Beginner

                                      Thanked: 1
                                      Re: C drive display
                                      « Reply #32 on: October 31, 2008, 05:26:27 AM »

                                      Reply from newrad

                                      hmmm. all I can say is msft sucks. If I did not want TubeSucker on my PC, (but of course u do), I would just reinstall IE. But if u dont mind TS being on ur pc, then I would just reinstall TS, and see if that helps. If it does not, then re-install IE, and you should be fine. I apologize on msft's behalf. They are crazy. Most of what they do is to protect their monopoly, and we are the ones who pay without wasted time. But all systems except maybe linux are the same. They just want money it seems. Thanks for trying my product, and please tell your friends about it. Thx E

                                      ----- Original Message -----
                                      Friday, October 31, 2008 12:25 AM
                                      Subject: Uninstalling TubeSucker

                                      > Hello,
                                      >
                                      > I had some computer problems with a virus. I did what has to be done and got rid of it. Created a new restore point after a clean and ran restore point after deleting all the old restore points. When my computer booted up, TubeSucker came up and automatically started to install the same. Since there was a file by name TubeSucker.msi missing, I am prompted to browse and install the same. And this happens each time I sign into the internet, refresh the page or go to another link. When I uninstalled TubeSucker, my internet connection does not get activated. The icon on the desktop changes to another icon and I just cannot get back onto the internet, till I go back and do a system restore and do the same from System checkpoint Uninstall TubeSucker.
                                      >
                                      > I have no problem to let this software remain on my computer as a friend of mine had downloaded the same. Kindly advise and appreciate your time.
                                      >
                                      > Thank you
                                      Eagle

                                      NNEagle

                                        Topic Starter


                                        Beginner

                                        Thanked: 1
                                        Re: C drive display
                                        « Reply #33 on: November 02, 2008, 04:42:38 AM »
                                        Downloaded Internet Explorer, uninstalled Tubesucker. Rebooted the computer and then reinstalled Internet Explorer and this has stopped the Tubesucker from reloading.

                                        Thank you very much for all the help.

                                        As Always

                                        Computerhope will overcome them all. Thank you very much once again
                                        Eagle

                                        CBMatt

                                        • Mod & Malware Specialist


                                        • Prodigy

                                        • Sad and lonely...and loving every minute of it.
                                        • Thanked: 167
                                        • Experience: Experienced
                                        • OS: Windows 7
                                        Re: C drive display
                                        « Reply #34 on: November 03, 2008, 02:56:20 AM »
                                        Awesome!  I'm a bit surprised that this ended up being the solution, but it's certainly good to know (we will now know what to do if this happens to someone else).  I figured if anyone was going to have an idea of how to fix this, it would be the program's creator.  Heh.  In any case, I'm very glad that everything is working as it should.  Take care and keep safe.
                                        Quote
                                        An undefined problem has an infinite number of solutions.
                                        -Robert A. Humphrey

                                        Re: C drive display
                                        « Reply #35 on: November 19, 2008, 03:31:24 AM »
                                        When I went to my computer last evening. It showed and still showing  my C drive as %$thb$%(C). and a picture with thb creation. Is this a virus or what is it. Kindly help

                                        CBMatt

                                        • Mod & Malware Specialist


                                        • Prodigy

                                        • Sad and lonely...and loving every minute of it.
                                        • Thanked: 167
                                        • Experience: Experienced
                                        • OS: Windows 7
                                        Re: C drive display
                                        « Reply #36 on: November 19, 2008, 06:55:22 AM »
                                        Are you experiencing the same problem, chakra?  If so, you need to start your own thread and follow the instructions here:
                                        http://www.computerhope.com/forum/index.php/topic,46313.0.html
                                        Quote
                                        An undefined problem has an infinite number of solutions.
                                        -Robert A. Humphrey

                                        patti



                                          Newbie

                                          Re: C drive display
                                          « Reply #37 on: December 02, 2008, 10:32:48 AM »
                                          Congrats!  You are now clean!  That last log indicates that ComboFix has managed to delete those files, along with a few others. 

                                          I think that system is still infected. The next HJT log that was posted doesn't show it because HJT is pretty limited, but if you look at the Combofix log it indicates:

                                          [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\
                                          {1EC04D97-5F10-DD1B-0306-020403060503}]
                                          C:\WINDOWS\system32\SecSystem.exe

                                          This is a common load point for trojans. That particular entry is related to a member of Win32.Poison, a family of backdoor trojans. See: http://www.threatexpert.com/report.aspx?uid=1fbb1810-63d1-40f1-82da-c4b065bace0f for details. You can also grab a copy of secsystem.exe and upload it to VirusTotal for a scan.

                                          NNEagle, in addition to Win32.Poison, there's indication of a possible autorun worm impacting the system:
                                          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\
                                          {93b6f101-cc8c-11dc-acfc-aa8fad93d89f}]
                                          \Shell\AutoRun\command - setup.exe

                                          I don't recognize that CLSID; it may or may not be legit. Definitely worth checking into since autorun is frequently abused by malware distributors (and autorun worms frequently come hand in hand with backdoors). There are really only two good ways of disabling autorun: either via TweakUI or via a registry hack that sends calls to autorun.inf into never-never-land:

                                          REGEDIT4
                                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
                                          @="@SYS:DoesNotExist"

                                          For details on the challenges of disabling autorun (and why only the above 2 methods will work), see:
                                          http://nick.brown.free.fr/blog/2007/10/memory-stick-worms

                                          In any event, if the system was infected by a backdoor, trying to remove the malware is fruitless. You should consider the system completely compromised and do a wipe and reload. Make sure you change all your passwords afterward since those were likely compromised during the infection.

                                          evilfantasy

                                          • Malware Removal Specialist
                                          • Moderator


                                          • Genius
                                          • Calm like a bomb
                                          • Thanked: 493
                                          • Experience: Experienced
                                          • OS: Windows 11
                                          Re: C drive display
                                          « Reply #38 on: December 02, 2008, 04:20:27 PM »
                                          Welcome to CH patti.

                                          Do you have any experience in online malware removal?

                                          Quote
                                          trying to remove the malware is fruitless

                                          This isn't entirely true. Many of the malware we deal with are very curable; just because it's labeled a backdoor trojan doesn't mean they are incurable. And many users don't really just have the option to reinstall since PC manufacturers have fallen into the trend of not shipping the install CD with a new computer. That's where we come in.

                                          You might want to look here http://www.computerhope.com/forum/index.php/topic,57605.0.html

                                          We would love to have you on our team if you are willing to work with us and provide a little more information.

                                          Thanks. Kevin.

                                          CBMatt

                                          • Mod & Malware Specialist


                                          • Prodigy

                                          • Sad and lonely...and loving every minute of it.
                                          • Thanked: 167
                                          • Experience: Experienced
                                          • OS: Windows 7
                                          Re: C drive display
                                          « Reply #39 on: December 02, 2008, 04:32:31 PM »
                                          I'm with evilfantasy; this infection should be curable.  I would also like to know if you have experience in this (and how much if you do) because we are quite shorthanded and could use some help.  This is probably part of the reason why I missed this file...I stare at tons of these logs each day and I have to admit that something slips by me from time to time.  So, any help we can get would be great.

                                          With that said...NNEagle, if you're still around, I'd like to request a new ComboFix and HijackThis log to get an update on your system. [PM sent as well]
                                          Quote
                                          An undefined problem has an infinite number of solutions.
                                          -Robert A. Humphrey

                                          patti



                                            Newbie

                                            Re: C drive display
                                            « Reply #40 on: December 02, 2008, 06:47:09 PM »
                                            The problem with malware today is that even a simple adware infestation can quickly evolve into rootkit-enabled threats that aren't easily discoverable. Combofix does better than HJT, but even it ignores some things (NTFS data streams are one example). And since you're forced to interpret based on filename / location alone, neither is much help when it comes to malware that is named after a legitimate system file and has modified or replaced the original. It's not whether something *can* be removed, but whether you're able to find all the things that *must* be removed. I realize it's not easy to wipe and reload, but it's a necessary evil these days. :-(

                                            I'm a professional in the antivirus/security industry. I'd love to help more but I seriously lack the time. I came across the forum while searching for something else and just didn't want NNEagle going on his merry way with a likely backdoor still intact on his system.

                                            BC_Programmer


                                              Mastermind
                                            • Typing is no substitute for thinking.
                                            • Thanked: 1140
                                              • BC-Programming.com
                                            • Experience: Beginner
                                            • OS: Windows 11
                                            Re: C drive display
                                            « Reply #41 on: December 02, 2008, 07:08:26 PM »
                                            People make it more difficult than it seems. I've easily accosted many infections on my machine- maybe 10 in the last year. I have no anti-virus software.

                                            One or two got my normally 28 Process task manager into the 200+ process count.


                                            Recovery console. Deleted the files. Ran a Windows Repair install.


                                            Boom- reboot. 28 processes.

                                            re-installation is only a "necessary evil", and it's only hard to identify what to delete when you don't know everywhere you have to look.

                                            specific registry keys, such as the run, winlogon and browser helper keys, can be used to find dlls and CLSIDs. CLSIDs, of course, can be looked up under the HKEY_CLASSES_ROOT\CLSID and the inprocserver dll identified, and subsequently added to the list of items one needs to delete in recovery console.

                                            Rootkits are a breeze as well. Once again, Rootkitrevealer paired with recovery console, or in the worst case the usage of a separate OS install.

                                            ALL infections are curable. It's a matter of weighing in the time/skill required to vanquish them with the time that would be used backing up important data, wiping the drive, reinstalling the OS and applications, and restoring the data.

                                            The only variable here is skill.
                                            I was trying to dereference Null Pointers before it was cool.
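patti's Reply #37 and BC_Programmer's Reply #41 both describe reading persistence points out of the registry: Active Setup Installed Components stubs, the AutoRun commands Explorer caches under MountPoints2, BHO CLSIDs resolved through HKCR\CLSID\{...}\InprocServer32, and the IniFileMapping entry that sends autorun.inf lookups nowhere. The script below is an added example, not code from this thread or from HijackThis, ComboFix or any other tool named here. It parses a constructed .reg-style export; the only values taken from the thread are the two keys patti quoted, while the BHO CLSID {00000000-0000-0000-0000-000000000001} and example_bho.dll are placeholders. It reports the entries a reviewer would want to look at and whether the autorun.inf mapping is in place.

```python
"""Audit a Windows registry export (REGEDIT4 / .reg text) for the load points
discussed in this thread.  Added example; the export at the bottom is
constructed and the BHO CLSID / DLL name are placeholders."""
import re
from typing import Dict, List, Optional

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name: string data}

ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components"
MOUNTPOINTS2 = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2"
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
INI_MAP = r"hkey_local_machine\software\microsoft\windows nt\currentversion\inifilemapping\autorun.inf"

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> RegTree:
    """Minimal .reg parser: [Key] headers followed by "Name"="data" lines.
    Only string (REG_SZ) values are kept; that is all these checks need."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            tree[current][name] = data
    return tree


def _subkey(key: str, prefix: str) -> Optional[str]:
    """Path component directly under `prefix` (case-insensitive), else None."""
    if key.lower().startswith(prefix + "\\"):
        return key[len(prefix) + 1:].split("\\")[0]
    return None


def _value(vals: Dict[str, str], name: str) -> Optional[str]:
    """Registry value names are case-insensitive, so look them up that way."""
    for k, v in vals.items():
        if k.lower() == name.lower():
            return v
    return None


def active_setup_stubs(tree: RegTree) -> Dict[str, str]:
    """Active Setup runs each component's StubPath once per user at logon,
    which is what makes it a popular load point: CLSID -> StubPath."""
    out = {}
    for key, vals in tree.items():
        clsid, stub = _subkey(key, ACTIVE_SETUP), _value(vals, "StubPath")
        if clsid and stub:
            out[clsid] = stub
    return out


def mountpoints_autorun(tree: RegTree) -> Dict[str, str]:
    """MountPoints2 caches the AutoRun command Explorer saw on each volume:
    volume GUID -> command line."""
    out = {}
    for key, vals in tree.items():
        guid = _subkey(key, MOUNTPOINTS2)
        if guid and key.lower().endswith(r"\shell\autorun\command"):
            out[guid] = vals.get("@", "")
    return out


def resolve_bhos(tree: RegTree) -> Dict[str, str]:
    r"""Map each Browser Helper Object CLSID to the DLL registered under
    HKCR\CLSID\{clsid}\InprocServer32 (the lookup described in Reply #41)."""
    by_lower = {k.lower(): v for k, v in tree.items()}
    out = {}
    for key in tree:
        clsid = _subkey(key, BHO_KEY)
        if clsid:
            inproc_key = r"hkey_classes_root\clsid" + "\\" + clsid.lower() + r"\inprocserver32"
            out[clsid] = by_lower.get(inproc_key, {}).get("@", "<unresolved: no InprocServer32>")
    return out


def autorun_inf_neutralized(tree: RegTree) -> bool:
    """True when autorun.inf lookups are mapped to a non-existent location."""
    vals = {k.lower(): v for k, v in tree.items()}.get(INI_MAP, {})
    return vals.get("@", "").lower() == "@sys:doesnotexist"


def audit(export_text: str) -> List[str]:
    """One human-readable finding per item worth a second look."""
    tree = parse_reg_export(export_text)
    findings = [f"Active Setup stub {c} -> {p}" for c, p in active_setup_stubs(tree).items()]
    findings += [f"Cached AutoRun command for volume {g}: {c}" for g, c in mountpoints_autorun(tree).items()]
    findings += [f"BHO {c} -> {d}" for c, d in resolve_bhos(tree).items()]
    if not autorun_inf_neutralized(tree):
        findings.append("autorun.inf is NOT mapped to @SYS:DoesNotExist")
    return findings


# Constructed export: only the two keys quoted in Reply #37 come from the thread.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1EC04D97-5F10-DD1B-0306-020403060503}]
"StubPath"="C:\\WINDOWS\\system32\\SecSystem.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93b6f101-cc8c-11dc-acfc-aa8fad93d89f}\Shell\AutoRun\command]
@="setup.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\example_bho.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On a live machine the input would come from `reg export` of the keys in question; the parser deliberately ignores binary and DWORD values because none of these checks need them. An unresolved BHO (no InprocServer32 under HKCR) is itself worth noting, since a CLSID with no registered server is either stale or pointing at something the export did not cover.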

                                            evilfantasy

                                            • Malware Removal Specialist
                                            • Moderator


                                            • Genius
                                            • Calm like a bomb
                                            • Thanked: 493
                                            • Experience: Experienced
                                            • OS: Windows 11
                                            Re: C drive display
                                            « Reply #42 on: December 02, 2008, 07:59:38 PM »
                                            There is a big difference in doing malware removal as a profession and as a volunteer. We have no time constraints. Reinstalling an OS is a relatively quick process and, more bluntly, cheaper than spending hours and hours looking over logs from the wide variety of tools at our disposal.

                                            There is one particular rootkit that has been introduced recently that was taking hours just to get started in removing. The more we learn about it the better we are prepared to deal with it and less time is spent.

                                            Many of the volunteers who do malware removal are also in the antivirus/security industry. The result is a better product for the end user. So you can say that what we do is also a necessary evil these days. :-(

                                            BC_Programmer


                                              Mastermind
                                            • Typing is no substitute for thinking.
                                            • Thanked: 1140
                                              • BC-Programming.com
                                            • Experience: Beginner
                                            • OS: Windows 11
                                            Re: C drive display
                                            « Reply #43 on: December 02, 2008, 09:15:00 PM »
                                            indeed- but it was implied that reinstallation was necessary in severe cases. Sure, it may be warranted in some cases, but necessary? No.

                                            I was trying to dereference Null Pointers before it was cool.

                                            evilfantasy

                                            • Malware Removal Specialist
                                            • Moderator


                                            • Genius
                                            • Calm like a bomb
                                            • Thanked: 493
                                            • Experience: Experienced
                                            • OS: Windows 11
                                            Re: C drive display
                                            « Reply #44 on: December 02, 2008, 10:27:54 PM »
                                            Agreed. Although a reinstall is the only sure way to know, it is seldom a must.

                                            Geek-9pm


                                              Mastermind
                                            • Geek After Dark
                                            • Thanked: 1026
                                              • Gekk9pm bnlog
                                            • Experience: Expert
                                            • OS: Windows 10
                                            Re: C drive display
                                            « Reply #45 on: December 02, 2008, 11:00:10 PM »
                                            Hey, wait a sec.  8)
                                            Just WHAT do you see that bothers you?  ???
                                            Is the system slow? Are programs not working? Does anything hang? Does task manager show heavy activity for no reason? If not, and given the AV programs say nothing, what is the issue?
                                            Can you try this? Restart in Safe mode. At the command prompt invoke the CHKDSK program without any options. Let's see if there is anything odd about the hard drive file system. ;)
                                            There are 1600 people looking at this thread. Curious minds want to know. :-[
                                             What is wrong with your system? Why do you think it is Malware? How do you know it is not the common COLD? :P

                                            BC_Programmer


                                              Mastermind
                                            • Typing is no substitute for thinking.
                                            • Thanked: 1140
                                              • BC-Programming.com
                                            • Experience: Beginner
                                            • OS: Windows 11
                                            Re: C drive display
                                            « Reply #46 on: December 02, 2008, 11:18:04 PM »
                                            Hey, wait a sec.  8)
                                            Just WHAT do you see that bothers you?  ???
                                            Is the system slow? Are programs not working? Does anything hang? Does task manager show heavy activity for no reason? If not, and given the AV programs say nothing, what is the issue?
                                            Can you try this? Restart in Safe mode. At the command prompt invoke the CHKDSK program without any options. Let's see if there is anything odd about the hard drive file system. ;)
                                            There are 1600 people looking at this thread. Curious minds want to know. :-[
                                             What is wrong with your system? Why do you think it is Malware? How do you know it is not the common COLD? :P
                                            I believe the original issue was solved. Now it is after topic banter!
                                            I was trying to dereference Null Pointers before it was cool.

                                            Computer Hope Admin

                                            • Administrator


                                            • Prodigy

                                              Thanked: 248
                                              • Computer Hope
                                            • Experience: Guru
                                            • OS: Windows 10
                                            Re: C drive display
                                            « Reply #47 on: December 03, 2008, 05:29:57 AM »
                                            Believe this topic is getting hit a lot because it's on the top results for related winthb.exe searches. If you've stumbled upon this thread and are encountering an issue with this file I suggest creating a new topic.

                                            Since the original poster's issue appears to be resolved I'm locking this thread.
                                            Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
                                            -Albert Einstein