
Author Topic: C drive display  (Read 27680 times)


CBMatt

  • Mod & Malware Specialist


  • Prodigy

  • Sad and lonely...and loving every minute of it.
  • Thanked: 167
    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: C drive display
« Reply #15 on: October 26, 2008, 03:17:23 AM »
A couple of things...
1.  You can try changing the C drive icon with TweakUI.  Simply download it and install it.  When you run the program, click on Repair and then Rebuild Icons.  Click on Repair Now and wait patiently while it goes to work.  NOTE: this may change any custom icon settings you have (i.e. if you've changed the system icons to another theme).

2.  Out of curiosity, I would like for you to try the Kaspersky scan again, if you don't mind.  I'm fairly certain that file is what changed your icon, so I want to make sure it is gone.
An undefined problem has an infinite number of solutions.
- Robert A. Humphrey

NNEagle

    Topic Starter


    Beginner

    Thanked: 1
    Re: C drive display
    « Reply #16 on: October 26, 2008, 08:10:18 PM »
    No change in the C drive icon after running TweakUI. Performed a Kaspersky scan and here is the report. Appreciate the time taken to sort this out.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
     Monday, October 27, 2008
     Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner 7 version: 7.0.25.0
     Program database last update: Sunday, October 26, 2008 20:40:15
     Records in database: 1349057
    --------------------------------------------------------------------------------

    Scan settings:
       Scan using the following database: extended
       Scan archives: yes
       Scan mail databases: yes

    Scan area - My Computer:
       A:\
       C:\
       D:\
       E:\

    Scan statistics:
       Files scanned: 59553
       Threat name: 1
       Infected objects: 1
       Suspicious objects: 0
       Duration of the scan: 01:40:10


    File name / Threat name / Threats count
    C:\WINDOWS\system32\win.dll\reg.bkp\autorun.inf   Infected: Backdoor.Win32.Hupigon.cfeh   1

    The selected area was scanned.
    Eagle

    CBMatt

    Re: C drive display
    « Reply #17 on: October 26, 2008, 08:53:55 PM »
    Okay, Kaspersky is showing that the file is still there.  I'll have you try deleting the file manually.  First, download Pocket KillBox and save it to your desktop.  Although it's not necessary, I would suggest booting into Safe Mode (typically done by restarting your computer and repeatedly hitting the F8 key before it loads).  Either way, run KillBox.  You should get this screen:

    [screenshot of the KillBox window; image credited to MalwareRemoval.com]

    In the Full Path of File to Delete box, enter C:\WINDOWS\system32\win.dll and click on the red X button.  When prompted for backup, click on Yes.  If that doesn't work (you'll receive an error message), try repeating the process, but select Delete on Reboot.

    Give these steps a try and then post back here with your results and another Kaspersky scan.

    NNEagle

      Re: C drive display
      « Reply #18 on: October 27, 2008, 04:55:47 AM »
      Used the kill box to kill that file twice, just to make sure. Then I performed a Kaspersky scan. Finding that file still there, I repeated kill box and performed another scan and have submitted both reports. The virus is still there.
      Eagle

      CBMatt

      Re: C drive display
      « Reply #19 on: October 27, 2008, 05:38:57 PM »
      Okay, this one's a bit tricky.  I believe this particular infection may have keylogger capabilities, so I strongly advise against using your computer for online banking or anything of that nature.  You actually may even want to consider backing up your personal files and reformatting the computer.

      However, if you'd like to continue with this, we can try a couple more things...  Download and save Blacklight to your desktop.  Then download a free trial of Kaspersky.  Install Kaspersky and update it completely.  Reboot into Safe Mode.

      Run Kaspersky and run a full scan and allow it to remove any threats it finds.  If it produces a log, post that here.  Afterwards, double-click fsbl.exe on the desktop, then accept the agreement and click on Scan.  Once it's complete, click on Next.

      You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

      Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

      NNEagle

        Re: C drive display
        « Reply #20 on: October 28, 2008, 05:41:13 PM »
        While trying to install Kaspersky, I come up against a wall. I am prompted to remove AVG 8 and then try to install. I have removed AVG through Add and Remove Programs, through search, KillBox and also through Revo Uninstaller. I cannot find the AVG antivirus anymore, but Kaspersky still stops at the prompt to remove AVG 8 while installing.

        I am sorry, this is taking up so much of your time.
        Eagle

        NNEagle

          Re: C drive display
          « Reply #21 on: October 28, 2008, 09:27:45 PM »

          I subscribe to the WXPnews newsletter and today I found this in my inbox. I had purchased earlier their Sunbelt product but never updated my subscription. Anyway they offered a free 15 day trial and so I downloaded the same and ran a scan. Below is the link to the download:

          http://www.wxpnews.com/8JJRE7/081028-Get-VIPRE

          Here is the scan report:

          Risk name:   INF.Autorun (v)
          Source:      Scanner
          Risk level:   High
          Risk category:   Trojan

          Advice:      This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.

          File C:\Windows\system32\win.dll

          I removed it and performed another scan. This file did not show up again. My C drive icon, however, remains the same.
          Eagle

          CBMatt

          Re: C drive display
          « Reply #22 on: October 29, 2008, 01:18:09 AM »
          Quote from NNEagle: "I am sorry, this is taking up so much of your time."
          No need to apologize to me.  I'm the one who's sorry that this thing is being so stubborn.  In any case, I'm glad the file has finally stopped showing up.  I'm not entirely sure what to make of the AVG/Kaspersky situation.  You may want to head over to AVG's site and re-download the newest AVG.  See if it will let you install properly.

          As for the icon...now that the file isn't coming back, you can give TweakUI another try to see if it helps.  If not, you can also try opening My Computer and right-clicking on the C drive.  Click on Properties.  There is a white text box near the top of the window.  Is there any writing in it?  If so, erase it all (leave it blank) and click on OK.  It's a longshot, but worth a try.



          Also...I was refraining from having you try this because the program was taken offline recently, but it appears to be up and running again.  Although not always advised, it's a powerful malware tool that I am quite partial to.  Go ahead and download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.

          This will help us figure out if anything else might be lurking about.

          NNEagle

            Topic Starter


            Beginner

            Thanked: 1
            Re: C drive display
            « Reply #23 on: October 29, 2008, 07:56:36 PM »
            Posted with regard to the ComboFix log, but it went into cyberspace. Guess it is because I am so excited to see my C drive icon back to normal. Here is the log:

            ComboFix 08-10-30.04 - Administrator 2008-10-30  7:09:15.2 - NTFSx86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1192 [GMT 5.5:30]
            Running from: C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Desktop\ComboFix.exe
            .

            (((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-30  )))))))))))))))))))))))))))))))
            .

            2008-10-29 06:03 . 2008-10-29 06:03   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Sunbelt
            2008-10-27 23:19 . 2008-10-27 23:19   <DIR>   d--------   C:\Program Files\VS Revo Group
            2008-10-27 23:12 . 2008-10-28 09:13   23,392   --a------   C:\WINDOWS\system32\nscompat.tlb
            2008-10-27 23:12 . 2008-10-28 09:13   16,832   --a------   C:\WINDOWS\system32\amcompat.tlb
            2008-10-27 10:02 . 2008-10-29 05:59   <DIR>   d--------   C:\!KillBox
            2008-10-27 05:22 . 2003-06-25 16:05   266,360   --a------   C:\WINDOWS\system32\TweakUI.exe
            2008-10-27 05:22 . 2002-06-21 15:09   160,217   --a------   C:\WINDOWS\system32\PowerToysLicense.rtf
            2008-10-26 14:53 . 2008-10-26 14:53   <DIR>   d--------   C:\Program Files\Common Files\Adobe Systems Shared
            2008-10-26 14:06 . 2008-10-26 14:06   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\TERMINAL Studio
            2008-10-26 14:05 . 2008-10-26 14:05   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Astro Gemini Software
            2008-10-26 06:49 . 2008-10-28 09:18   <DIR>   d--------   C:\Program Files\Avira
            2008-10-26 04:36 . 2008-10-26 04:36   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
            2008-10-26 03:44 . 2008-10-26 03:46   10,752   --ahs----   C:\WINDOWS\system32\Thumbs.db
            2008-10-26 03:43 . 2008-10-26 03:43   7,680   --ahs----   C:\WINDOWS\Thumbs.db
            2008-10-26 03:43 . 2008-10-26 03:43   5,632   --ahs----   C:\Thumbs.db
            2008-10-24 10:06 . 2008-10-15 22:04   337,408   -----c---   C:\WINDOWS\system32\dllcache\netapi32.dll
            2008-10-24 06:52 . 2008-10-24 06:54   <DIR>   d--------   C:\Program Files\Trend Micro
            2008-10-24 06:45 . 2008-10-24 06:45   410,976   --a------   C:\WINDOWS\system32\deploytk.dll
            2008-10-24 05:15 . 2008-10-24 05:16   <DIR>   d--------   C:\Program Files\CCleaner
            2008-10-24 04:50 . 2008-10-24 04:50   <DIR>   d--------   C:\Program Files\BinaryMark
            2008-10-24 04:41 . 2008-10-26 14:54   <DIR>   d--------   C:\Program Files\Common Files\Adobe
            2008-10-20 12:19 . 2008-09-08 16:11   333,824   -----c---   C:\WINDOWS\system32\dllcache\srv.sys
            2008-10-20 12:17 . 2008-08-14 15:41   2,189,184   -----c---   C:\WINDOWS\system32\dllcache\ntoskrnl.exe
            2008-10-20 12:17 . 2008-08-14 15:39   2,145,280   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
            2008-10-20 12:17 . 2008-08-14 15:03   2,066,048   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
            2008-10-20 12:17 . 2008-08-14 15:03   2,023,936   -----c---   C:\WINDOWS\system32\dllcache\ntkrpamp.exe
            2008-10-20 12:17 . 2008-09-15 17:42   1,846,400   -----c---   C:\WINDOWS\system32\dllcache\win32k.sys
            2008-10-15 08:49 . 2008-10-15 08:49   <DIR>   d--------   C:\Program Files\123 Free Solitaire
            2008-10-15 00:02 . 2008-10-15 00:02   <DIR>   d--------   C:\swsetup
            2008-10-14 23:26 . 2008-10-14 23:26   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Drivers Headquarters
            2008-10-14 00:46 . 2008-10-14 00:46   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Auslogics
            2008-10-10 23:56 . 2008-10-10 23:56   <DIR>   d--------   C:\Program Files\Sun
            2008-10-02 12:57 . 2008-10-02 12:59   <DIR>   d--------   C:\WINDOWS\system32\Adobe
            2008-09-30 13:16 . 2008-10-14 23:11   <DIR>   d--------   C:\WINDOWS\system32\win.dll
            2008-09-05 16:53 . 2008-09-05 16:53   <DIR>   d--------   C:\Program Files\Litsoft
            2008-09-05 16:53 . 1997-07-03 09:35   109,056   --a------   C:\WINDOWS\UNWISE.EXE
            2008-09-05 01:00 . 2008-09-05 01:00   432   --a------   C:\WINDOWS\system32\iolo.ini
            2008-09-05 01:00 . 2008-09-05 01:00   406   --a------   C:\WINDOWS\system32\ioloBootDefrag.cfg
            2008-09-05 00:57 . 2008-09-14 15:01   <DIR>   d--------   C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\iolo
            2008-09-05 00:57 . 2008-08-26 15:23   118,784   --a------   C:\WINDOWS\system32\iavlsp.dll
            2008-09-05 00:44 . 2008-09-05 00:44   74,703   --a------   C:\WINDOWS\system32\mfc45.dll
            2008-09-05 00:43 . 2008-10-10 04:37   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
            2008-09-05 00:43 . 2008-09-05 09:50   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\iolo
            2008-09-01 01:50 . 2008-09-01 01:50   2,812   --a------   C:\Settings.ini
            2008-09-01 01:50 . 2008-09-01 01:50   2,617   --a------   C:\Commands.cfg

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2008-10-27 17:40   ---------   d-----w   C:\Program Files\Windows Media Connect 2
            2008-10-25 23:14   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\SUPERAntiSpyware.com
            2008-10-24 01:15   ---------   d-----w   C:\Program Files\Java
            2008-10-22 07:06   ---------   d-----w   C:\Program Files\Microsoft Silverlight
            2008-10-15 01:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
            2008-10-10 11:14   ---------   d-----w   C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
            2008-10-09 07:38   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\LimeWire
            2008-10-02 07:28   ---------   d-----w   C:\Program Files\Google
            2008-09-15 12:12   1,846,400   ----a-w   C:\WINDOWS\system32\win32k.sys
            2008-09-08 10:41   333,824   ----a-w   C:\WINDOWS\system32\drivers\srv.sys
            2008-08-31 10:26   ---------   d---a-w   C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
            2008-08-31 10:26   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\EAST Technologies
            2008-08-29 10:50   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Windows Search
            2008-08-29 04:02   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Windows Desktop Search
            2008-08-29 04:01   ---------   d-----w   C:\Program Files\Windows Desktop Search
            2008-08-28 08:44   98,304   ----a-w   C:\WINDOWS\system32\JkDefragScreenSaver.scr
            2008-08-28 08:44   237,056   ----a-w   C:\WINDOWS\system32\JkDefragScreenSaver.exe
            2008-08-26 07:24   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
            2008-08-14 10:11   2,189,184   ----a-w   C:\WINDOWS\system32\ntoskrnl.exe
            2008-08-14 09:33   2,066,048   ----a-w   C:\WINDOWS\system32\ntkrnlpa.exe
            2008-07-18 16:40   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
            2008-07-18 16:40   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
            2008-07-18 16:40   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
            2008-07-18 16:40   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
            2008-07-18 16:39   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
            2008-07-18 16:39   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
            2008-07-18 16:39   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
            2008-07-18 16:39   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
            2008-07-18 16:37   270,880   ----a-w   C:\WINDOWS\system32\mucltui.dll
            2008-07-18 16:37   210,976   ----a-w   C:\WINDOWS\system32\muweb.dll
            2008-07-07 20:26   253,952   ----a-w   C:\WINDOWS\system32\es.dll
            2008-03-27 05:09   14,523,983   ----a-w   C:\Program Files\klcodec385f.exe
            2008-03-26 08:09   2,400,784   ----a-w   C:\Program Files\WLinstaller.exe
            2003-03-21 08:07   16,056   ----a-w   C:\Program Files\owcstp16.dll
            2008-05-15 15:26   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
            2008-03-08 09:47   681,474   --sha-w   C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe
            .

            (((((((((((((((((((((((((((((   snapshot@2008-10-30_ 6.30.55.75   )))))))))))))))))))))))))))))))))))))))))
            .
            + 2008-10-30 01:36:56   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_c0.dat
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 155648]
            "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-15 114688]
            "CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
            "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
            "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
            "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
            "CTHelper"="CTHELPER.EXE" [2007-04-09 C:\WINDOWS\system32\CtHelper.exe]
            "EssSpkPhone"="essspk.exe" [2002-05-30 C:\WINDOWS\essspk.exe]

            C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Start Menu\Programs\Startup\
            Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

            C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
            Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

            C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\AutorunsDisabled
            Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 39792]
            Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 738968]
            Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
            WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-06-23 118784]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=
            "C:\\Program Files\\Messenger\\msmsgs.exe"=
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
            "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
            "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
            "C:\\WINDOWS\\system32\\mmc.exe"=

            R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-24 152984]
            R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
            S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
            \Shell\AutoRun\command - setup.exe

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8882d75a-7cf3-11dd-a5ca-0008a174a0ac}]
            \Shell\AutoRun\command - F:\System\DriveGuard\DriveProtect.exe -run 
            \Shell\Explore\Command - F:\System\DriveGuard\DriveProtect.exe -run  
            \Shell\Open\Command - F:\System\DriveGuard\DriveProtect.exe -run 

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93b6f101-cc8c-11dc-acfc-aa8fad93d89f}]
            \Shell\AutoRun\command - setup.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1EC04D97-5F10-DD1B-0306-020403060503}]
            C:\WINDOWS\system32\SecSystem.exe
            .
            Contents of the 'Scheduled Tasks' folder

            2008-10-30 C:\WINDOWS\Tasks\1-Click Maintenance.job
            - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []

            2008-10-29 C:\WINDOWS\Tasks\At1.job
            - C:\WINDOWS\system32\svchost []

            2008-10-27 C:\WINDOWS\Tasks\EasyShare Registration Task.job
            - C:\WINDOWS\system32\rundll32.exe [2008-04-14 05:42]
            .
            .
            ------- Supplementary Scan -------
            .
            FireFox -: Profile - C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Mozilla\Firefox\Profiles\vjez9wmu.default\
            .
            .
            ------- File Associations -------
            .
            JSEFile=NOTEPAD.EXE %1
            VBEFile=NOTEPAD.EXE %1
            VBSFile=NOTEPAD.EXE %1
            .

            **************************************************************************

            catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2008-10-30 07:11:07
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ...

            scanning hidden autostart entries ...

            scanning hidden files ...

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            Completion time: 2008-10-30  7:14:22
            ComboFix-quarantined-files.txt  2008-10-30 01:43:58
            ComboFix2.txt  2008-10-30 01:01:50

            Pre-Run: 4,599,820,288 bytes free
            Post-Run: 4,577,411,072 bytes free

            180   --- E O F ---   2008-10-29 18:45:52
            Eagle
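The ComboFix listing above shows the pattern behind this thread's icon problem: C:\WINDOWS\system32\win.dll is not a library at all but a directory (note the <DIR> marker and the d-------- attribute column), and a hidden+system executable, winthb.exe, sits beneath it. Reading these listings by eye is error-prone, so here is a small triage script, added as an example for readers and not part of the thread or of ComboFix itself. The two line formats it recognises (the "Files Created" and "Find3M" sections) are reconstructed from the log as posted and are an assumption; the sample lines are copied from that log. It flags directories named like executables, anything nested under them, and hidden+system executables, while leaving ordinary entries such as Thumbs.db alone.

```python
"""Triage helper for ComboFix-style file listings (added example, not ComboFix code).

Assumed line formats, reconstructed from the log posted in this thread:
  Files Created:  <created> . <modified>   <size|<DIR>>     <9-char attrs>   <path>
  Find3M:         <modified>   <size|--------->   <7-char attrs>   <path>
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"

# "Files Created" section: created . modified   size   attrs   path
CREATED_RE = re.compile(
    rf"^(?P<created>{TS}) \. (?P<modified>{TS})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)
# "Find3M" section: modified   size (--------- for a directory)   attrs   path
FIND3M_RE = re.compile(
    rf"^(?P<modified>{TS})\s+"
    r"(?P<size>-{9}|[\d,]+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+?)\s*$"
)

# Extensions that should never name a directory
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


@dataclass
class Entry:
    modified: str
    is_dir: bool
    size: int
    attrs: str
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; banners, headings and blank lines return None."""
    for rx in (CREATED_RE, FIND3M_RE):
        m = rx.match(line.strip())
        if m:
            size = m.group("size")
            is_dir = size in ("<DIR>", "-" * 9) or m.group("attrs").startswith("d")
            return Entry(
                modified=m.group("modified"),
                is_dir=is_dir,
                size=0 if is_dir else int(size.replace(",", "")),
                attrs=m.group("attrs"),
                path=m.group("path"),
            )
    return None


def triage(lines) -> List[Tuple[str, str]]:
    """Return (path, reason) findings in log order."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    # Directories whose name ends in an executable extension (the win.dll trick)
    disguised = [e.path.lower() for e in entries
                 if e.is_dir and e.path.lower().endswith(EXEC_EXTS)]
    findings: List[Tuple[str, str]] = []
    for e in entries:
        low = e.path.lower()
        if e.is_dir and low.endswith(EXEC_EXTS):
            findings.append((e.path, "directory named like an executable"))
        if any(low.startswith(d + "\\") for d in disguised):
            findings.append((e.path, "file nested under a directory named like an executable"))
        # 'h' and 's' in the attribute column mean hidden + system: normal for
        # Thumbs.db, suspicious for an executable
        if not e.is_dir and "h" in e.attrs and "s" in e.attrs and low.endswith(EXEC_EXTS):
            findings.append((e.path, "hidden+system executable"))
    return findings


# Sample lines copied from the ComboFix log posted in this thread
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-30  )))))))))))))))))))))))))))))))
2008-10-27 05:22 . 2003-06-25 16:05   266,360   --a------   C:\WINDOWS\system32\TweakUI.exe
2008-10-26 03:44 . 2008-10-26 03:46   10,752   --ahs----   C:\WINDOWS\system32\Thumbs.db
2008-10-02 12:57 . 2008-10-02 12:59   <DIR>   d--------   C:\WINDOWS\system32\Adobe
2008-09-30 13:16 . 2008-10-14 23:11   <DIR>   d--------   C:\WINDOWS\system32\win.dll
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-10-24 01:15   ---------   d-----w   C:\Program Files\Java
2008-09-15 12:12   1,846,400   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-08 09:47   681,474   --sha-w   C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe
""".strip().splitlines()


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:55s} {path}")
```

Run against the sample, the script reports exactly the three lines a malware helper would want to look at first: the win.dll directory, and winthb.exe twice (once for sitting under that directory, once for being a hidden+system executable). To use it on a real log, read the ComboFix.txt file with `open(...).read().splitlines()` and pass the lines to `triage`; the "Other Deletions" section in the follow-up log uses bare paths, so it would need a third pattern.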

            CBMatt

            Re: C drive display
            « Reply #24 on: October 29, 2008, 08:27:28 PM »
            I'm glad to hear that the icon has finally gone back to normal.  And your ComboFix looks good...but that win.dll file is still showing up.  Let's try one more thing, which should [hopefully] get rid of the infection...



            Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

            Delete these files/folders, as follows:

            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            Folder::
            C:\WINDOWS\system32\win.dll

            File::
            C:\WINDOWS\system32\win.dll
            C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe

            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply.

            Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

            NNEagle

              Topic Starter


              Beginner

              Thanked: 1
              Re: C drive display
              « Reply #25 on: October 30, 2008, 02:19:46 AM »
              Here is the ComboFix text log. Did notice that the files in question were being deleted during the process. Anyway you will know better when you see the log.

              ComboFix 08-10-30.04 - Administrator 2008-10-30 13:18:49.3 - NTFSx86
              Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1103 [GMT 5.5:30]
              Running from: C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Desktop\ComboFix.exe
              Command switches used :: C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Desktop\CFScript.txt
               * Created a new restore point

              FILE ::
              C:\WINDOWS\system32\win.dll
              C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              C:\WINDOWS\system32\win.dll
              C:\WINDOWS\system32\win.dll\Desktop.ini
              C:\WINDOWS\system32\win.dll\DLL.ico
              C:\WINDOWS\system32\win.dll\drivelist.txt
              C:\WINDOWS\system32\win.dll\Icon.ico
              C:\WINDOWS\system32\win.dll\reg.bkp\winthb.exe
              C:\WINDOWS\system32\win.dll\reproduce.txt
              C:\WINDOWS\system32\win.dll\script1.txt
              C:\WINDOWS\system32\win.dll\std.txt
              C:\WINDOWS\system32\win.dll\thb.ico
              C:\WINDOWS\system32\win.dll\win.mp3

              .
              (((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-30  )))))))))))))))))))))))))))))))
              .

              2008-10-30 07:38 . 2008-10-30 07:38   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
              2008-10-29 06:03 . 2008-10-29 06:03   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Sunbelt
              2008-10-27 23:19 . 2008-10-27 23:19   <DIR>   d--------   C:\Program Files\VS Revo Group
              2008-10-27 23:12 . 2008-10-28 09:13   23,392   --a------   C:\WINDOWS\system32\nscompat.tlb
              2008-10-27 23:12 . 2008-10-28 09:13   16,832   --a------   C:\WINDOWS\system32\amcompat.tlb
              2008-10-27 10:02 . 2008-10-30 13:11   <DIR>   d--------   C:\!KillBox
              2008-10-27 05:22 . 2003-06-25 16:05   266,360   --a------   C:\WINDOWS\system32\TweakUI.exe
              2008-10-27 05:22 . 2002-06-21 15:09   160,217   --a------   C:\WINDOWS\system32\PowerToysLicense.rtf
              2008-10-26 14:53 . 2008-10-26 14:53   <DIR>   d--------   C:\Program Files\Common Files\Adobe Systems Shared
              2008-10-26 14:06 . 2008-10-26 14:06   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\TERMINAL Studio
              2008-10-26 14:05 . 2008-10-26 14:05   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Astro Gemini Software
              2008-10-26 06:49 . 2008-10-30 07:38   <DIR>   d--------   C:\Program Files\Avira
              2008-10-26 04:36 . 2008-10-26 04:36   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
              2008-10-26 03:44 . 2008-10-26 03:46   10,752   --ahs----   C:\WINDOWS\system32\Thumbs.db
              2008-10-26 03:43 . 2008-10-26 03:43   7,680   --ahs----   C:\WINDOWS\Thumbs.db
              2008-10-26 03:43 . 2008-10-26 03:43   5,632   --ahs----   C:\Thumbs.db
              2008-10-24 10:06 . 2008-10-15 22:04   337,408   -----c---   C:\WINDOWS\system32\dllcache\netapi32.dll
              2008-10-24 06:52 . 2008-10-24 06:54   <DIR>   d--------   C:\Program Files\Trend Micro
              2008-10-24 06:45 . 2008-10-24 06:45   410,976   --a------   C:\WINDOWS\system32\deploytk.dll
              2008-10-24 05:15 . 2008-10-24 05:16   <DIR>   d--------   C:\Program Files\CCleaner
              2008-10-24 04:50 . 2008-10-24 04:50   <DIR>   d--------   C:\Program Files\BinaryMark
              2008-10-24 04:41 . 2008-10-26 14:54   <DIR>   d--------   C:\Program Files\Common Files\Adobe
              2008-10-20 12:19 . 2008-09-08 16:11   333,824   -----c---   C:\WINDOWS\system32\dllcache\srv.sys
              2008-10-20 12:17 . 2008-08-14 15:41   2,189,184   -----c---   C:\WINDOWS\system32\dllcache\ntoskrnl.exe
              2008-10-20 12:17 . 2008-08-14 15:39   2,145,280   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
              2008-10-20 12:17 . 2008-08-14 15:03   2,066,048   -----c---   C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
              2008-10-20 12:17 . 2008-08-14 15:03   2,023,936   -----c---   C:\WINDOWS\system32\dllcache\ntkrpamp.exe
              2008-10-20 12:17 . 2008-09-15 17:42   1,846,400   -----c---   C:\WINDOWS\system32\dllcache\win32k.sys
              2008-10-15 08:49 . 2008-10-15 08:49   <DIR>   d--------   C:\Program Files\123 Free Solitaire
              2008-10-15 00:02 . 2008-10-15 00:02   <DIR>   d--------   C:\swsetup
              2008-10-14 23:26 . 2008-10-14 23:26   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Drivers Headquarters
              2008-10-14 00:46 . 2008-10-14 00:46   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Auslogics
              2008-10-10 23:56 . 2008-10-10 23:56   <DIR>   d--------   C:\Program Files\Sun
              2008-10-02 12:57 . 2008-10-02 12:59   <DIR>   d--------   C:\WINDOWS\system32\Adobe
              2008-09-05 16:53 . 2008-09-05 16:53   <DIR>   d--------   C:\Program Files\Litsoft
              2008-09-05 16:53 . 1997-07-03 09:35   109,056   --a------   C:\WINDOWS\UNWISE.EXE
              2008-09-05 01:00 . 2008-09-05 01:00   432   --a------   C:\WINDOWS\system32\iolo.ini
              2008-09-05 01:00 . 2008-09-05 01:00   406   --a------   C:\WINDOWS\system32\ioloBootDefrag.cfg
              2008-09-05 00:57 . 2008-09-14 15:01   <DIR>   d--------   C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\iolo
              2008-09-05 00:57 . 2008-08-26 15:23   118,784   --a------   C:\WINDOWS\system32\iavlsp.dll
              2008-09-05 00:44 . 2008-09-05 00:44   74,703   --a------   C:\WINDOWS\system32\mfc45.dll
              2008-09-05 00:43 . 2008-10-10 04:37   <DIR>   d--------   C:\Documents and Settings\All Users.WINDOWS\Application Data\iolo
              2008-09-05 00:43 . 2008-09-05 09:50   <DIR>   d--------   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\iolo
              2008-09-01 01:50 . 2008-09-01 01:50   2,812   --a------   C:\Settings.ini
              2008-09-01 01:50 . 2008-09-01 01:50   2,617   --a------   C:\Commands.cfg

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2008-10-27 17:40   ---------   d-----w   C:\Program Files\Windows Media Connect 2
              2008-10-25 23:14   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\SUPERAntiSpyware.com
              2008-10-24 01:15   ---------   d-----w   C:\Program Files\Java
              2008-10-22 07:06   ---------   d-----w   C:\Program Files\Microsoft Silverlight
              2008-10-15 01:21   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
              2008-10-10 11:14   ---------   d-----w   C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
              2008-10-09 07:38   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\LimeWire
              2008-10-02 07:28   ---------   d-----w   C:\Program Files\Google
              2008-09-15 12:12   1,846,400   ----a-w   C:\WINDOWS\system32\win32k.sys
              2008-09-08 10:41   333,824   ----a-w   C:\WINDOWS\system32\drivers\srv.sys
              2008-08-31 10:26   ---------   d---a-w   C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
              2008-08-31 10:26   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\EAST Technologies
              2008-08-29 10:50   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Windows Search
              2008-08-29 04:02   ---------   d-----w   C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Application Data\Windows Desktop Search
              2008-08-29 04:01   ---------   d-----w   C:\Program Files\Windows Desktop Search
              2008-08-28 08:44   98,304   ----a-w   C:\WINDOWS\system32\JkDefragScreenSaver.scr
              2008-08-28 08:44   237,056   ----a-w   C:\WINDOWS\system32\JkDefragScreenSaver.exe
              2008-08-26 07:24   826,368   ----a-w   C:\WINDOWS\system32\wininet.dll
              2008-08-14 10:11   2,189,184   ----a-w   C:\WINDOWS\system32\ntoskrnl.exe
              2008-08-14 09:33   2,066,048   ----a-w   C:\WINDOWS\system32\ntkrnlpa.exe
              2008-07-18 16:40   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
              2008-07-18 16:40   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
              2008-07-18 16:40   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
              2008-07-18 16:40   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
              2008-07-18 16:39   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
              2008-07-18 16:39   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
              2008-07-18 16:39   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
              2008-07-18 16:39   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
              2008-07-18 16:37   270,880   ----a-w   C:\WINDOWS\system32\mucltui.dll
              2008-07-18 16:37   210,976   ----a-w   C:\WINDOWS\system32\muweb.dll
              2008-07-07 20:26   253,952   ----a-w   C:\WINDOWS\system32\es.dll
              2008-03-27 05:09   14,523,983   ----a-w   C:\Program Files\klcodec385f.exe
              2008-03-26 08:09   2,400,784   ----a-w   C:\Program Files\WLinstaller.exe
              2003-03-21 08:07   16,056   ----a-w   C:\Program Files\owcstp16.dll
              2008-05-15 15:26   32,768   --sha-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051520080516\index.dat
              .

              (((((((((((((((((((((((((((((   snapshot@2008-10-30_ 6.30.55.75   )))))))))))))))))))))))))))))))))))))))))
              .
              + 2008-05-09 07:45:51   45,376   ----a-w   C:\WINDOWS\system32\drivers\avgntdd.sys
              + 2008-01-21 12:41:28   22,336   ----a-w   C:\WINDOWS\system32\drivers\avgntmgr.sys
              + 2008-06-27 09:33:55   75,072   ----a-w   C:\WINDOWS\system32\drivers\avipbb.sys
              + 2007-03-01 05:04:22   28,352   ----a-w   C:\WINDOWS\system32\drivers\ssmdrv.sys
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 155648]
              "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-15 114688]
              "CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
              "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
              "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
              "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]
              "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
              "CTHelper"="CTHELPER.EXE" [2007-04-09 C:\WINDOWS\system32\CtHelper.exe]
              "EssSpkPhone"="essspk.exe" [2002-05-30 C:\WINDOWS\essspk.exe]

              C:\Documents and Settings\Administrator.HOME-5E315BF5A7\Start Menu\Programs\Startup\
              Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

              C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
              Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

              C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\AutorunsDisabled
              Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 39792]
              Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 738968]
              Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]
              WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-06-23 118784]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "C:\\Program Files\\Messenger\\msmsgs.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
              "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
              "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
              "C:\\WINDOWS\\system32\\mmc.exe"=

              R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-24 152984]
              R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
              S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [ ]

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
              \Shell\AutoRun\command - setup.exe

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8882d75a-7cf3-11dd-a5ca-0008a174a0ac}]
              \Shell\AutoRun\command - F:\System\DriveGuard\DriveProtect.exe -run 
              \Shell\Explore\Command - F:\System\DriveGuard\DriveProtect.exe -run  
              \Shell\Open\Command - F:\System\DriveGuard\DriveProtect.exe -run 

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93b6f101-cc8c-11dc-acfc-aa8fad93d89f}]
              \Shell\AutoRun\command - setup.exe

              *Newly Created Service* - SSMDRV

              [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1EC04D97-5F10-DD1B-0306-020403060503}]
              C:\WINDOWS\system32\SecSystem.exe
              .
              Contents of the 'Scheduled Tasks' folder

              2008-10-30 C:\WINDOWS\Tasks\1-Click Maintenance.job
              - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe []

              2008-10-30 C:\WINDOWS\Tasks\At1.job
              - C:\WINDOWS\system32\svchost []

              2008-10-27 C:\WINDOWS\Tasks\EasyShare Registration Task.job
              - C:\WINDOWS\system32\rundll32.exe [2008-04-14 05:42]
              .

              **************************************************************************

              catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2008-10-30 13:22:39
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ...

              scanning hidden autostart entries ...

              scanning hidden files ...

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              ------------------------ Other Running Processes ------------------------
              .
              C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
              C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
              C:\WINDOWS\system32\CTSVCCDA.EXE
              C:\WINDOWS\system32\MsPMSPSv.exe
              C:\WINDOWS\system32\searchindexer.exe
              C:\WINDOWS\system32\searchprotocolhost.exe
              C:\WINDOWS\system32\searchfilterhost.exe
              C:\WINDOWS\system32\searchprotocolhost.exe
              .
              **************************************************************************
              .
              Completion time: 2008-10-30 13:29:33 - machine was rebooted
              ComboFix-quarantined-files.txt  2008-10-30 07:59:27
              ComboFix2.txt  2008-10-30 01:44:23
              ComboFix3.txt  2008-10-30 01:01:50

              Pre-Run: 4,444,672,000 bytes free
              Post-Run: 4,471,721,984 bytes free

              205   --- E O F ---   2008-10-29 18:45:52
              Eagle

              CBMatt (Mod & Malware Specialist)
              Re: C drive display
              « Reply #26 on: October 30, 2008, 02:51:46 AM »
              Congrats!  You are now clean!  That last log indicates that ComboFix has managed to delete those files, along with a few others.  It was a stubborn little bugger, but persistence paid off.  Now that you're clean, there are a few things you should attend to...

              First, you'll want to clean out your System Restore.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

              1.  Go to Start > Programs > Accessories > System Tools > System Restore
              2.  Click on System Restore Settings.
              3.  Check Turn off System Restore and click OK.
              4.  Restart your computer.
              5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
              6.  Create a new restore point and close the program.

              System Restore will now be active again.  If you would like to learn more about System Restore, go here.

              Uninstall ComboFix by going to Start > Run and typing in combofix /u (note the space) and clicking OK.

              You should update your Java by following the steps in this link...
              http://www.computerhope.com/forum/index.php/topic,61006.msg389477.html#msg389477

              You also need a firewall.  You're vulnerable without a firewall, so you should look into getting either ZoneAlarm, Kerio Personal Firewall, or Comodo.  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

              And now I must go to bed because my wife is cranky and doesn't want me staying up any longer.  Heh.  Good luck with everything.  If you have any questions, feel free to ask.

                NNEagle (Topic Starter)
                Re: C drive display
                « Reply #27 on: October 30, 2008, 10:13:08 AM »
                Thank you very much. Yet another successful story at ComputerHope. You guys are genuine.

                Just one thing that is bothering me. Each time I get onto the internet, Tubesucker tries to load itself. I click on the cancel option but it persists for some time. I uninstalled it from Add or Remove Programs; after doing so, it disables my internet. Strange as it may seem.

                Thank you for your guidance on the system restore settings. I was able to go over there and restore from that point, minus the virus and the stubborn file. I have my internet connection now. The Tubesucker is back. If you have the time, do let me know, or do not worry, as I could cancel the installation each time it comes up.

                Thanks once again for all the patience and dedication to the lesser informed.

                Glad to be among the helpful. Thank you very much once again.
                Eagle

                CBMatt (Mod & Malware Specialist)
                Re: C drive display
                « Reply #28 on: October 30, 2008, 06:11:35 PM »
                I'm not familiar with this program, so I ran a few searches on it and I found a few people complaining about having trouble uninstalling it, but I didn't find any solutions.  This may be a long shot, but we can give this a try...

                Download LSPFix from here.
                Run the LSPFix.exe that you have just finished downloading.
                Check the I know what I'm doing box.
                In the Keep box you should see a bunch of .dll files.  Write them down and list them here.  Close the program.

                Then try uninstalling Tubesucker.  Does it kill your internet connection again?  If so, follow the above steps again.  So, you should have two lists of .dll files (they may be the exact same lists).  And just for the heck of it, go ahead and run another HJT log.  I don't see any instances of this program in your previous logs, so I want to see if it'll show up in a new one.

                  NNEagle (Topic Starter)
                  Re: C drive display
                  « Reply #29 on: October 30, 2008, 07:13:42 PM »
                  LSPFix:
                  mswsock.dll
                  winmr.dll
                  rsvpsp.dll

                  On both occasions.

                  After uninstalling Tubesucker, I lost my internet connection and restored it by doing a system restore as I did yesterday. System checkpoint: Removed Tubesucker.

                  Now do not stay up late just for this. We cannot win over them wives LOL

                  And here is my HJT log file.
                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 6:32:40 AM, on 10/31/2008
                  Platform: Windows XP SP3 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v7.00 (7.00.6000.16735)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
                  C:\WINDOWS\system32\CTsvcCDA.exe
                  C:\Program Files\Java\jre6\bin\jqs.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\system32\MsPMSPSv.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\WINDOWS\system32\igfxtray.exe
                  C:\WINDOWS\system32\hkcmd.exe
                  C:\WINDOWS\system32\CTHELPER.EXE
                  C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
                  C:\Program Files\Java\jre6\bin\jusched.exe
                  C:\Program Files\COMODO\SafeSurf\cssurf.exe
                  C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
                  C:\Program Files\Windows Desktop Search\WindowsSearch.exe
                  C:\WINDOWS\system32\msiexec.exe
                  C:\Program Files\Internet Explorer\iexplore.exe
                  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
                  C:\Program Files\Windows Live\Messenger\msnmsgr.exe
                  C:\Program Files\Trend Micro\sniper.exe\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
                  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                  O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
                  O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
                  O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
                  O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                  O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
                  O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                  O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
                  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
                  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
                  O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
                  O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
                  O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
                  O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
                  O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
                  O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
                  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                  O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                  O4 - Global Startup: AutorunsDisabled
                  O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                  O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
                  O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{030FF9B5-6998-4858-AB77-D6D93A684113}: NameServer = 202.54.6.60,202.54.29.5
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{462E450B-8421-4C8A-9DC1-E6D78C347DB3}: NameServer = 202.54.6.60,202.54.29.5
                  O17 - HKLM\System\CS2\Services\Tcpip\..\{030FF9B5-6998-4858-AB77-D6D93A684113}: NameServer = 202.54.6.60,202.54.29.5
                  O17 - HKLM\System\CS3\Services\Tcpip\..\{030FF9B5-6998-4858-AB77-D6D93A684113}: NameServer = 202.54.6.60,202.54.29.5
                  O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
                  O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                  O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
                  O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                  O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

                  --
                  End of file - 6323 bytes
                  Eagle
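As an added example, not part of this thread and not code from ComputerHope, Trend Micro or HijackThis: a small Python triage script over the HijackThis log format posted above. It parses the `Rn`/`Fn`/`On` entry lines, skips the process listing and headers, and surfaces the entry types a helper usually reads first. The sample lines are copied from the log in Reply #29; the rule set (which sections to flag and why) is an assumption about a reviewer's first pass, and every hit is a "look at this", not a verdict. For instance, `CTHELPER.EXE` is flagged only because the Run value carries no full path; the ComboFix log earlier in the thread resolves it to `C:\WINDOWS\system32\CtHelper.exe`.

```python
"""Triage helper for HijackThis-style log lines.

Added as an illustration for this thread; it is not code from ComputerHope,
Trend Micro or HijackThis. The sample lines are copied from the log posted
in Reply #29. Which entry types get surfaced is an assumption about what a
helper reads first; every hit is a "look at this", not a verdict.
"""
import re
from dataclasses import dataclass

# Every HijackThis entry starts with a section code (R0, F1, O2 ... O23),
# a " - " separator, and the entry body. Process listings and headers do not.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<rest>.*)$")

# Sample input: lines copied from the HijackThis log posted above, plus the
# "Running processes" header and one process path to show what gets skipped.
SAMPLE_LOG = "\n".join([
    "Running processes:",
    r"C:\WINDOWS\system32\ctfmon.exe",
    "",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/",
    r"O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll",
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{030FF9B5-6998-4858-AB77-D6D93A684113}: NameServer = 202.54.6.60,202.54.29.5",
    r"O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll",
    r"O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe",
])


@dataclass
class Finding:
    kind: str      # section code, e.g. "O17"
    reason: str    # why a reviewer should look at it
    line: str      # the original log line


def parse_entries(text):
    """Return (kind, rest, raw_line) for each HJT entry line; skip everything else."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("rest"), raw.strip()))
    return entries


def triage(text):
    """Apply the review rules (an assumed first-pass set) and return findings in log order."""
    findings = []
    for kind, rest, raw in parse_entries(text):
        if "(file missing)" in rest:
            # A BHO/toolbar entry pointing at a deleted file: leftover from an
            # uninstall or an earlier clean-up; harmless on its own, worth removing.
            findings.append(Finding(kind, "orphaned entry, target file is missing", raw))
        elif kind == "O4" and "\\Run:" in rest and not re.search(r"[A-Za-z]:\\", rest):
            # Run value with a bare file name: Windows resolves it through the
            # search path, so confirm which binary actually runs.
            findings.append(Finding(kind, "Run entry has no full path", raw))
        elif kind == "O17":
            # Per-interface DNS servers: confirm they belong to the user's ISP.
            findings.append(Finding(kind, "custom NameServer entry", raw))
        elif kind == "O20":
            # AppInit_DLLs are loaded into every process that maps user32.dll.
            findings.append(Finding(kind, "AppInit_DLLs present, verify each DLL", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:>4}  {f.reason}\n      {f.line}")
```

Run against the sample, it reports four entries: the orphaned AVG BHO, the path-less `CTHelper` Run value, the `O17` NameServer line and the `O20` AppInit_DLLs line. The Ask toolbar, the Java updater and the Google service pass through untouched, which is the point of a first-pass filter: it narrows what a human reads, it does not decide for them.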