Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 06-03-2007, 08:31 PM
Registered User (Join Date: Jun 2007; Posts: 6; OS: xp)

Re: Drive access error! [moved from XP support]

I got the same problem too!

Symantec classified it as the W32.Salga.A@mm virus.

I had deleted (a few times) the references to copy.exe in the registry, mainly here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

but the same problem recurs upon reboot.

I ran Ad-Aware, Spybot, AVG 7.5, Stinger and the Microsoft Windows Malicious Software Removal Tool - May 2007 with no result.

Here is my HJT log for your info:


Logfile of HijackThis v1.99.1
Scan saved at 10:28:14 AM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Jurong\Files\1\KB890830\Windows-KB890830-V1.29.exe
e:\3d7f8145271d7ae557e92c76a023\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
D:\NewCD\2 Checkers\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.poems.com.sg
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.0.100:9000/plugin/h263ctrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Help appreciated.
figon
#2 - 06-03-2007, 10:04 PM
chauffeur2, Manager Emeritus (Join Date: Feb 2006; Location: Adelaide, South Australia; Posts: 10,180; OS: Xp Sp3 with all updates + Vista™ Ultimate SP1.)

Re: Drive access error!

Moved from being attached to another member's thread to here for analysing.
Dave T. (chauffeur2)
#3 - 06-06-2007, 10:59 PM
Registered User (Join Date: Jun 2007; Posts: 6; OS: xp)

Re: Drive access error! [moved from XP support]

Phew... got it solved!
And opening of drives has become faster!


Please note:
I did a number of things.
Not 100% sure which is/are the actual ones that removed copy.exe and family.
:D
My system is running XP Pro with SP2.
I ran CleanUp, CCleaner, Spybot, Ad-Aware, AVG 7.5, Stinger and the Microsoft Windows Malicious Software Removal Tool - May 2007 before I did the following:

1. Expand files (please read this first: http://support.microsoft.com/kb/888017 )
a. Put the Windows CD in the CD-ROM drive.
b. Run msconfig (Start - Run - msconfig).
c. Expand file (Expand File - explorer.exe - from drive:\SUPPORT\TOOLS\SUPPORT.CAB - to C:\WINDOWS - Expand).

2. Registry (please read this first: http://support.microsoft.com/kb/256986 )
a. Run Registry Editor (Start - Run - regedit).
b. Back up the registry (File - Export).
c. Find all references to copy.exe (Ctrl+F - type copy.exe).
d. Replace copy.exe with explorer.exe.

3. File association
a. Start - My Computer
b. Tools - Folder Options - File Types
c. Select the [NONE] Drive type - select Advanced - select New - type explore (or something) - select Browse - select C:\windows\explorer.exe - select Open - select OK - select Set Default - tick Confirm open after download - select OK.

4. Turn services off and on using StartDreck.exe
a. Download here: Startdreck.exe
b. Extract the files into a new folder - double-click startdreck.exe.
c. Scroll down to NT services.
d. Scroll down further to Logical Disk Manager Administrative Service and Logical Disk Manager - turn off both services for a while - turn them back on - close StartDreck.exe.

5. Restart the computer.


** The above worked on my system. Hope some of the steps could help you too.
figon
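The registry side of this infection, as the thread describes it (copy.exe referenced under MountPoints2 in the first post, recurring after every reboot; the manual "find every copy.exe reference and point the Drive action back at explorer.exe" clean-up in the post above), can be triaged against a regedit export instead of by hand in regedit. The following is an added example and is not code from the thread or from any of the tools it mentions. It parses a .reg export, flags every shell command whose target is not explorer.exe, writes a remediation .reg, and reads the launch directives out of an autorun.inf of the kind the later reply says was deleted from every drive. The sample export and autorun.inf are constructed (the MountPoints2 GUID is the one that appears in the DSS log further down; the values under it are invented), the file names copy.exe, host.exe and launch.exe are the ones the thread names, and the restore value for the Drive action (C:\WINDOWS\explorer.exe "%1") is an assumption modelled on step 3 above.

```python
# Added example for this thread, not code from the original posts: offline triage of
# the copy.exe drive hijack. It reads a regedit export (.reg) and an autorun.inf as
# text, so it runs anywhere. Registry paths are the ones the thread names; the command
# data, the autorun.inf and the Drive restore value (step 3) are constructed/assumed.
import re
from typing import Dict, List, Tuple

TRUSTED_SHELL_EXES = {"explorer.exe"}                    # the only expected target
KNOWN_BAD_EXES = {"copy.exe", "host.exe", "launch.exe"}  # file names from the thread
RESTORE_DRIVE_OPEN = '@="C:\\\\WINDOWS\\\\explorer.exe \\"%1\\""'  # assumed restore value

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6c44c58-79cf-11db-8a4a-001485ea1313}\Shell\AutoRun\command]
@="E:\\copy.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6c44c58-79cf-11db-8a4a-001485ea1313}\Shell\open\command]
@="E:\\copy.exe"
[HKEY_CLASSES_ROOT\Drive\shell\open\command]
@="C:\\WINDOWS\\system32\\copy.exe"
[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@="%SystemRoot%\\Explorer.exe /e,/idlist,%I,%L"
'''  # constructed export, modelled on the hijacked keys described in the thread

SAMPLE_AUTORUN_INF = """[AutoRun]
open=copy.exe
shellexecute=copy.exe
shell\\open=Open
shell\\open\\Command=copy.exe
shell\\explore\\Command=host.exe
"""  # constructed; the kind of file the worm drops on every drive

def _unescape(data: str) -> str:
    return re.sub(r"\\(.)", r"\1", data)  # .reg escapes \ and " with a backslash

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """String (REG_SZ) values of a regedit export as {key: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(".*")$', line)
        if current is not None and m:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3)[1:-1])
    return keys

def executable_of(command: str) -> str:
    """Lower-cased file name of the program a shell command line launches."""
    command = command.strip()
    prog = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ")[0]
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_hijacks(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, exe, verdict) for each shell ...\\command default value not launching a
    trusted program; file names known from the thread are marked known-bad."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if not (k.endswith("\\command") and "\\shell\\" in k and values.get("")):
            continue
        exe = executable_of(values[""])
        if exe not in TRUSTED_SHELL_EXES:
            findings.append((key, exe, "known-bad" if exe in KNOWN_BAD_EXES else "review"))
    return findings

def build_remediation_reg(findings: List[Tuple[str, str, str]]) -> str:
    """A .reg that undoes the findings: the per-device MountPoints2 Shell key is
    deleted outright (Explorer rebuilds it from the device, so the drive must no
    longer carry autorun.inf); a hijacked Drive action is pointed at explorer.exe."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _exe, _verdict in findings:
        k = key.lower()
        if "\\mountpoints2\\" in k:
            entry = "[-" + key[: k.index("\\shell\\") + len("\\shell")] + "]"
        else:
            entry = f"[{key}]\n{RESTORE_DRIVE_OPEN}"
        if entry not in lines:  # two hits under one Shell key give a single delete
            lines.extend([entry, ""])
    return "\n".join(lines)

def autorun_targets(inf_text: str) -> Dict[str, str]:
    """Executable named by each launch directive (open, shellexecute,
    shell\\<verb>\\command) in the [autorun] section of an autorun.inf."""
    targets: Dict[str, str] = {}
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            name, value = (part.strip().lower() for part in line.split("=", 1))
            if name in ("open", "shellexecute") or (name.startswith("shell\\") and name.endswith("\\command")):
                targets[name] = executable_of(value)
    return targets

if __name__ == "__main__":
    hits = find_hijacks(parse_reg(SAMPLE_REG))
    for key, exe, verdict in hits:
        print(f"{verdict:<10} {exe:<10} {key}")
    print(build_remediation_reg(hits))
    print("autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN_INF))
```

Run as-is it reports three known-bad commands (two per-device MountPoints2 entries and the Drive type) and skips the legitimate Folder action. On a real machine, export HKEY_CURRENT_USER\...\MountPoints2 and HKEY_CLASSES_ROOT\Drive with regedit and feed the files in. The remediation deletes the per-device Shell keys rather than editing them because Explorer regenerates them from the drive's autorun.inf, which is consistent with the first post seeing the entries return after every reboot until copy.exe and the .inf were removed from the drives themselves; importing the .reg without also cleaning the drives only buys one reboot.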
#4 - 06-06-2007, 11:10 PM
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team (Join Date: Jan 2005; Location: Ohio; Posts: 26,908; OS: WinXP and Vista)

Re: Drive access error! [moved from XP support]

Hello figon,

Due to the nature of the infection you had, it would be a good idea to let me take another look just to be sure there aren't any remnants.

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis 1.99.1 for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.

Please include the following in your next reply:

main.txt
Ried (Member of ASAP since 2005; Member of UNITE since 2006)
#5 - 06-07-2007, 02:50 PM
Registered User (Join Date: Jun 2007; Posts: 6; OS: xp)

Re: Drive access error! [moved from XP support]

Hi Ried,

Thank you for your time.

Just wanna add that in my earlier post, I forgot to list the following step:

Before expanding explorer.exe, I deleted copy.exe, launch.exe, host.exe and an associated ****.inf file (sorry, forgot the name) from every drive.

OK, downloaded DSS. Here is my log:

Deckard's System Scanner v20070603.47
Run by Pnew on 2007-06-08 at 04:32:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
30: 2007-06-07 20:33:03 UTC - RP366 - Deckard's System Scanner Restore Point
29: 2007-06-07 19:14:34 UTC - RP365 - System Checkpoint
28: 2007-06-06 18:21:44 UTC - RP364 - System Checkpoint
27: 2007-06-05 18:01:37 UTC - RP363 - System Checkpoint
26: 2007-06-04 17:18:32 UTC - RP362 - System Checkpoint


-- First Restore Point --
1: 2007-05-08 07:04:24 UTC - RP337 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Pnew.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:34:09 AM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Pnew.P428\Desktop\dss.exe
D:\NewCD\2CHECK~1\HIJACK~1\Pnew.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://192.168.0.100:9000/plugin/h263ctrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


-- HijackThis Fixed Entries (D:\NewCD\2CHECK~1\HIJACK~1\backups\) --------------

backup-20050511-141448-907 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20050511-141448-932 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20060914-222530-279 O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
backup-20060914-222530-196 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
backup-20060914-222530-976 O15 - Trusted Zone: http://www.silkroadonline.net
backup-20060914-222530-902 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
backup-20061011-062311-647 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20061208-053406-269 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20061208-053406-186 O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
backup-20061208-053406-714 O4 - HKLM\..\RunOnce: [megauploadtoolbar] C:\DOCUME~1\9135\LOCALS~1\Temp\tbuninstall.exe -df "C:\Program Files\MegauploadToolbar\"
backup-20061227-082107-524 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://info.pristontale.com/nP_Msg/a...g=150&lang=100
backup-20061227-082107-317 O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
backup-20070101-071025-621 O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
backup-20070101-071725-966 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
backup-20070101-073155-481 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070604-091916-959 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070604-091916-624 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070604-091916-404 O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
backup-20070604-091916-861 O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
backup-20070604-091916-237 O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
backup-20070604-091916-326 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070604-091916-525 O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
backup-20070604-091916-194 O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
backup-20070604-091916-187 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20070604-091918-158 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20070604-091918-540 O11 - Options group: [INTERNATIONAL] International*
backup-20070604-091918-281 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
backup-20070604-091918-835 O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20070604-102712-100 O8 - Extra context menu item: &Download All by Gigaget - d:\Giganology\Gigaget\getallurl.htm
backup-20070604-102712-797 O8 - Extra context menu item: &Download by Gigaget - d:\Giganology\Gigaget\geturl.htm
backup-20070604-102712-192 O15 - Trusted Zone: http://www.frogg.fr
backup-20070604-102712-829 O15 - Trusted Zone: http://www.keppelcareers.com
backup-20070604-102712-964 O15 - Trusted IP range: http://203.127.20.195
backup-20070604-102712-957 O15 - Trusted IP range: http://192.168.0.100

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 npkcrypt - d:\triglowpictures\pristontale\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R2 XPROTECTOR - c:\windows\system32\drivers\oreans.sys
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 AEXPAM (Philips SmartManage Service) - c:\windows\system32\drivers\aexpamdrv.sys <Not Verified; Philips Consumer Electronics Co.; Philips SmartManage>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
S3 hamachi (Hamachi Network Interface) - c:\windows\system32\drivers\hamachi.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver>
S3 u2kg54 (BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service) - c:\windows\system32\drivers\rt2500usb.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R0 Nla (Network Location Awareness (NLA)) - \systemroot\c:\windows\system32\svchost.exe -k netsvcs (file missing)

S4 BlueSoleil Hid Service - d:\bluetooth\btntservice.exe
S4 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Files created between 2007-05-08 and 2007-06-08 -----------------------------

2007-06-07 01:36:06 0 dr-h----- C:\Documents and Settings\9135\Recent
2007-06-04 12:17:51 0 dr-h----- C:\Documents and Settings\Pnew.P428\Recent
2007-06-04 11:48:56 0 --a------ C:\AUTOEXEC.BAT
2007-06-04 11:01:40 0 d-------- C:\Documents and Settings\Pnew.P428\Contacts
2007-06-04 08:51:22 0 d-------- C:\GiriGiri
2007-06-04 08:39:30 0 d-------- C:\Documents and Settings\Pnew.P428\Application Data\AVG7
2007-06-04 01:45:06 0 d-------- C:\WINDOWS\Cassini
2007-06-04 01:43:50 0 d-------- C:\WINDOWS\Profiles
2007-06-04 01:43:48 0 d-------- C:\WINDOWS\Cassini Emulator
2007-06-04 01:43:47 0 d-------- C:\Program Files\Cassini Emulator
2007-06-03 14:00:34 0 d-------- C:\Documents and Settings\9135\Application Data\True Sword
2007-06-03 14:00:30 0 d-------- C:\Program Files\True Sword 4
2007-06-03 13:57:26 0 d-------- C:\Documents and Settings\9135\.housecall6.6
2007-06-03 12:22:36 0 dr-h----- C:\$VAULT$.AVG
2007-06-03 12:21:58 0 d-------- C:\Documents and Settings\9135\Application Data\AVG7
2007-06-03 12:21:40 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-06-03 12:21:13 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-06-03 12:21:13 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-06-03 11:28:20 0 dr------- C:\Documents and Settings\LocalService.NT AUTHORITY\Favorites
2007-06-03 11:28:13 0 d-------- C:\Program Files\Intel
2007-06-02 20:15:49 179669 --a------ C:\WINDOWS\system32\CTSTATIC.DAT
2007-06-02 20:15:49 164044 --a------ C:\WINDOWS\system32\CTDLANG.DAT
2007-06-02 20:15:49 44055 --a------ C:\WINDOWS\system32\CTDAUGHT.DAT
2007-06-02 20:15:49 113373 --a------ C:\WINDOWS\system32\CTBASICW.DAT
2007-06-02 20:15:49 113273 --a------ C:\WINDOWS\system32\CTBAS2W.DAT
2007-06-02 12:32:53 786432 --a------ C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat
2007-06-02 12:32:53 10747904 --a------ C:\Documents and Settings\9135\ntuser.dat
2007-05-29 11:44:04 1048576 -----n--- C:\WINDOWS\system32\SFMAN.DAT
2007-05-29 11:44:04 54784 -----n--- C:\WINDOWS\system32\INETWH32.DLL <Not Verified; Blue Sky Software Corporation.; Blue Sky Software - INETWH32>
2007-05-29 11:44:04 0 d-------- C:\WINDOWS\system32\Defaults
2007-05-29 11:44:04 53552 -----n--- C:\WINDOWS\CTCCW.DLL <Not Verified; Creative® Technology Ltd.; Custom Control for Windows>
2007-05-29 11:43:52 0 d-------- C:\WINDOWS\system32\Data
2007-05-29 11:43:49 270336 --a------ C:\WINDOWS\system32\SFMS32.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 36864 --a------ C:\WINDOWS\system32\REGPLIB.EXE
2007-05-29 11:43:49 110592 --a------ C:\WINDOWS\system32\PIAPROXY.DLL <Not Verified; Creative Technology Ltd; E-mu PIA>
2007-05-29 11:43:49 135168 --a------ C:\WINDOWS\system32\OPENAL32.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 49152 --a------ C:\WINDOWS\system32\KILLAPPS.EXE
2007-05-29 11:43:49 77824 --a------ C:\WINDOWS\system32\EAXAC3.DLL <Not Verified; Creative Labs; EAX-AC3 DLL>
2007-05-29 11:43:49 998004 --a------ C:\WINDOWS\system32\drivers\HA10KX2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 156604 --a------ C:\WINDOWS\system32\drivers\EMUPIA2K.SYS <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
2007-05-29 11:43:49 213860 --a------ C:\WINDOWS\system32\drivers\CTSFM2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 11068 --a------ C:\WINDOWS\system32\drivers\CTPRXY2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 837548 --a------ C:\WINDOWS\system32\drivers\CTAUD2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 127948 --a------ C:\WINDOWS\system32\drivers\CTAC32K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 28672 --a------ C:\WINDOWS\system32\CTSPKHLP.DLL <Not Verified; Creative Technology Ltd; CtSpkHlp Dynamic Link Library>
2007-05-29 11:43:49 643072 --a------ C:\WINDOWS\system32\CTSBLFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 155648 --a------ C:\WINDOWS\system32\CTOSUSER.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 24576 --a------ C:\WINDOWS\system32\CTHELPER.EXE <Not Verified; Creative Technology Ltd; CtHelper Application>
2007-05-29 11:43:49 36864 --a------ C:\WINDOWS\system32\CTEMUPIA.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 106496 --a------ C:\WINDOWS\system32\CTDPROXY.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 319488 --a------ C:\WINDOWS\system32\CTDEVCON.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 184320 --a------ C:\WINDOWS\PSCONV.EXE
2007-05-29 11:43:49 61440 --a------ C:\WINDOWS\MIDIDEF.EXE <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 94208 --a------ C:\WINDOWS\DEVREG.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:49 49152 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Technology Ltd CTDCRES>
2007-05-29 11:43:48 106496 --a------ C:\WINDOWS\system32\CTASIO.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:48 61440 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>
2007-05-29 11:43:48 110592 --a------ C:\WINDOWS\system32\COMMONFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-05-29 11:43:48 53248 --a------ C:\WINDOWS\system32\AC3API.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>


-- Find3M Report ---------------------------------------------------------------

2007-06-04 08:51:03 720896 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-06-03 11:42:01 0 d-------- C:\Program Files\AvRack
2007-06-02 2047 11017 --a------ C:\Documents and Settings\Pnew.P428\Application Data\NMM-MetaData.db
2007-06-01 08:55:13 0 d-------- C:\Program Files\Azureus
2007-05-29 11:44:04 0 d-------- C:\Program Files\Creative
2007-05-29 11:43:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-29 11:12:22 0 d-------- C:\Documents and Settings\Pnew.P428\Application Data\AdobeUM
2007-05-29 10:28:14 0 d-------- C:\Documents and Settings\Pnew.P428\Application Data\Adobe
2007-05-11 09:47:56 0 d-------- C:\Documents and Settings\Pnew.P428\Application Data\Azureus
2007-05-07 21:33:00 179 --a------ C:\WINDOWS\DIIUnin.bat
2007-04-27 19:48:11 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2007-04-27 19:48:11 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2007-04-27 19:48:11 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2007-04-27 19:19:34 2829 --a------ C:\WINDOWS\DIIUnin.pif
2007-04-27 19:19:34 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2007-04-25 05:37:00 0 d-------- C:\Documents and Settings\Pnew.P428\Application Data\MSN6
2007-04-20 13:59:24 0 d-------- C:\Program Files\SystemRequirementsLab
2007-04-20 13:59:24 0 d-------- C:\Documents and Settings\Pnew.P428\Application Data\SystemRequirementsLab
2007-04-16 19:34:39 0 d-------- C:\Program Files\MSN Messenger
2007-04-10 15:40:46 0 d-------- C:\Documents and Settings\Pnew.P428\Application Data\U3
2007-04-10 13:52:33 0 d-------- C:\Documents and Settings\Pnew.P428\Application Data\Printer Info Cache
2007-04-09 09:15:55 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-12 14:52:05 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-03-11 00:48:21 53248 --a------ C:\WINDOWS\system32\apache.dll


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"="SOUNDMAN.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MIDIDef"
"hkey"="HKCU"
"command"="MIDIDef.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"IDriverT"=dword:00000003
"usnjsvc"=dword:00000003
"ServiceLayer"=dword:00000003
"ose"=dword:00000003
"MDM"=dword:00000002
"iPod Service"=dword:00000003
"BlueSoleil Hid Service"=dword:00000002
"Adobe LM Service"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6c44c58-79cf-11db-8a4a-001485ea1313}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorer.exe


-- End of Deckard's System Scanner: finished at 2007-06-08 at 04:34:55 ---------
figon is offline  
Old 06-07-2007, 10:35 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista


Re: Drive access error! [moved from XP support]

Quote:
before expanding explorer.exe, I deleted copy.exe, launch.exe, host.exe and an associated ****.inf (sorry, forgot the name) files from every drive.
Excellent work...that was my concern--the auto.inf files on the drives.

As there are many files that accompany flash drive infections that aren't recognized yet by many standard scanners, let's just run this next tool to be certain. This next tool would remove any of those files that may have been hanging around prior to the 3 month time frame reported in the main.txt.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you which I will need in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
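The two places this kind of removable-drive infection registers what to launch are visible in the thread: the MountPoints2 keys in the Deckard registry dump above (a Shell\AutoRun\command value under the drive's GUID) and the autorun.inf files on the drives that Ried refers to. The following is an added example, not code from the thread or from any of the tools used in it. It parses a constructed registry dump in the same layout and a constructed autorun.inf, and lists every launch target an analyst should review. The all-zero GUID, the E:\copy.exe command and the autorun.inf contents are assumed sample data, not taken from the poster's machine.

```python
"""Added example: list drive-autorun launch points from a Deckard-style
registry dump and from an autorun.inf. All input below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed dump in the layout of the "-- Registry Dump --" section above.
# The all-zero GUID and the E:\copy.exe command are placeholders.
SAMPLE_REGISTRY_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6c44c58-79cf-11db-8a4a-001485ea1313}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explorer.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000000}]
Shell\AutoRun\command E:\copy.exe
"""

# Constructed autorun.inf of the kind found in the root of an infected drive.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=copy.exe
shell\open\command=copy.exe
icon=copy.exe,0
"""

KEY_LINE_RE = re.compile(r"^\[(.+)\]$")


def parse_registry_dump(text: str) -> Dict[str, List[str]]:
    """Map each [key path] block of the dump to its non-empty value lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def find_mountpoint_autoruns(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    r"""Return (drive id, command) for every MountPoints2 entry carrying a
    Shell\AutoRun\command value. Explorer fills this in from the drive's
    autorun.inf and runs it when the drive is opened, so each one is worth
    a look after a removable-media infection."""
    hits: List[Tuple[str, str]] = []
    for key, values in sections.items():
        if "mountpoints2" not in key.lower():
            continue
        drive_id = key.rsplit("\\", 1)[-1]
        for value in values:
            name, _, command = value.partition(" ")
            if name.lower() == r"shell\autorun\command":
                hits.append((drive_id, command.strip()))
    return hits


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Lower-cased directive -> value, for the [autorun] section only."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            k, v = line.split("=", 1)
            directives[k.strip().lower()] = v.strip()
    return directives


def autorun_launch_targets(directives: Dict[str, str]) -> List[str]:
    r"""Every directive that can cause code to run: open=, shellexecute=, and
    any shell\<verb>\command=. icon= and label= are cosmetic and skipped."""
    return [
        v for k, v in directives.items()
        if k in ("open", "shellexecute")
        or (k.startswith("shell\\") and k.endswith("\\command"))
    ]


if __name__ == "__main__":
    dump = parse_registry_dump(SAMPLE_REGISTRY_DUMP)
    for drive_id, command in find_mountpoint_autoruns(dump):
        print(f"MountPoints2 {drive_id}: runs {command}")
    for target in autorun_launch_targets(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print(f"autorun.inf launches: {target}")
```

The MountPoints2 key for a drive letter alone (the `J` key above) has no command and is skipped; only entries that name something to execute are reported. The point of listing rather than judging is that the same value is written for legitimate autorun.inf files (driver CDs, U3 sticks), so the analyst compares the command against what the drive is supposed to do.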
Old 06-07-2007, 11:11 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 6
OS: xp


Re: Drive access error! [moved from XP support]

ok. scanned.
Here is the log:-

"Pnew" - 2007-06-08 12:58:33 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "D:\Jurong\Files\1\ComboFix\"


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-08 11:08 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 04:32 <DIR> d-------- C:\Deckard
2007-06-04 11:01 <DIR> d-------- C:\DOCUME~1\PNEW~1.P42\Contacts
2007-06-04 08:51 <DIR> d-------- C:\GiriGiri
2007-06-04 01:45 <DIR> d-------- C:\WINDOWS\Cassini
2007-06-04 01:43 <DIR> d-------- C:\WINDOWS\Profiles
2007-06-04 01:43 <DIR> d-------- C:\WINDOWS\Cassini Emulator
2007-06-04 01:43 <DIR> d-------- C:\Program Files\Cassini Emulator
2007-06-03 14:02 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-03 14:00 <DIR> d-------- C:\Program Files\True Sword 4
2007-06-03 14:00 <DIR> d-------- C:\DOCUME~1\9135\APPLIC~1\True Sword
2007-06-03 13:57 <DIR> d-------- C:\DOCUME~1\9135\.housecall6.6
2007-06-03 11:45 3,712 --a------ C:\WINDOWS\system32\drivers\ctljystk.sys
2007-06-03 11:45 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2007-06-03 11:28 <DIR> d-------- C:\Program Files\Intel
2007-06-02 20:15 44,055 --a------ C:\WINDOWS\system32\CTDAUGHT.DAT
2007-06-02 20:15 179,669 --a------ C:\WINDOWS\system32\CTSTATIC.DAT
2007-06-02 20:15 164,044 --a------ C:\WINDOWS\system32\CTDLANG.DAT
2007-06-02 20:15 113,373 --a------ C:\WINDOWS\system32\CTBASICW.DAT
2007-06-02 20:15 113,273 --a------ C:\WINDOWS\system32\CTBAS2W.DAT
2007-06-02 12:32 786,432 --a------ C:\DOCUME~1\LOCALS~1.NTA\ntuser.dat
2007-06-02 12:32 10,747,904 --a------ C:\DOCUME~1\9135\ntuser.dat
2007-05-29 11:49 6,912 --a------ C:\WINDOWS\system32\drivers\ctlfacem.sys
2007-05-29 11:49 495,616 --a------ C:\WINDOWS\system32\sblfx.dll
2007-05-29 11:49 4,096 --a------ C:\WINDOWS\system32\ctwdm32.dll
2007-05-29 11:49 36,480 --a------ C:\WINDOWS\system32\drivers\sfmanm.sys
2007-05-29 11:49 283,904 --a------ C:\WINDOWS\system32\drivers\emu10k1m.sys
2007-05-29 11:49 256,512 --a------ C:\WINDOWS\system32\devcon32.dll
2007-05-29 11:49 24,064 --a------ C:\WINDOWS\system32\devldr32.exe
2007-05-29 11:44 90,112 --------- C:\WINDOWS\Updreg.EXE
2007-05-29 11:44 84,992 --------- C:\WINDOWS\system32\SFCVRT32.DLL
2007-05-29 11:44 82,432 --------- C:\WINDOWS\system32\CTWFLT32.DLL
2007-05-29 11:44 54,784 --------- C:\WINDOWS\system32\INETWH32.DLL
2007-05-29 11:44 53,552 --------- C:\WINDOWS\CTCCW.DLL
2007-05-29 11:44 26,768 --------- C:\WINDOWS\system32\CTL3D.DLL
2007-05-29 11:44 24,976 --------- C:\WINDOWS\CTRES.DLL
2007-05-29 11:44 149,504 --------- C:\WINDOWS\system32\MFCANS32.DLL
2007-05-29 11:44 108,032 --------- C:\WINDOWS\system32\MFCUIA32.DLL
2007-05-29 11:44 1,048,576 --------- C:\WINDOWS\system32\SFMAN.DAT
2007-05-29 11:44 <DIR> d-------- C:\WINDOWS\system32\Defaults
2007-05-29 11:43 998,004 --a------ C:\WINDOWS\system32\drivers\HA10KX2K.SYS
2007-05-29 11:43 94,208 --a------ C:\WINDOWS\DEVREG.DLL
2007-05-29 11:43 837,548 --a------ C:\WINDOWS\system32\drivers\CTAUD2K.SYS
2007-05-29 11:43 77,824 --a------ C:\WINDOWS\system32\EAXAC3.DLL
2007-05-29 11:43 643,072 --a------ C:\WINDOWS\system32\CTSBLFX.DLL
2007-05-29 11:43 61,440 --a------ C:\WINDOWS\system32\CTAGENT.DLL
2007-05-29 11:43 61,440 --a------ C:\WINDOWS\MIDIDEF.EXE
2007-05-29 11:43 53,248 --a------ C:\WINDOWS\system32\AC3API.DLL
2007-05-29 11:43 51,200 --a------ C:\WINDOWS\system32\sfman32.dll
2007-05-29 11:43 49,152 --a------ C:\WINDOWS\system32\KILLAPPS.EXE
2007-05-29 11:43 49,152 --a------ C:\WINDOWS\CTDCRES.DLL
2007-05-29 11:43 36,864 --a------ C:\WINDOWS\system32\REGPLIB.EXE
2007-05-29 11:43 36,864 --a------ C:\WINDOWS\system32\CTEMUPIA.DLL
2007-05-29 11:43 319,488 --a------ C:\WINDOWS\system32\CTDEVCON.DLL
2007-05-29 11:43 28,672 --a------ C:\WINDOWS\system32\CTSPKHLP.DLL
2007-05-29 11:43 270,336 --a------ C:\WINDOWS\system32\SFMS32.DLL
2007-05-29 11:43 24,576 --a------ C:\WINDOWS\system32\CTHELPER.EXE
2007-05-29 11:43 213,860 --a------ C:\WINDOWS\system32\drivers\CTSFM2K.SYS
2007-05-29 11:43 20,480 --a------ C:\WINDOWS\INRES.DLL
2007-05-29 11:43 195,432 --a------ C:\WINDOWS\system32\drivers\CTOSS2K.SYS
2007-05-29 11:43 184,320 --a------ C:\WINDOWS\PSCONV.EXE
2007-05-29 11:43 176,128 --a------ C:\WINDOWS\READREG.EXE
2007-05-29 11:43 156,604 --a------ C:\WINDOWS\system32\drivers\EMUPIA2K.SYS
2007-05-29 11:43 155,648 --a------ C:\WINDOWS\system32\CTOSUSER.DLL
2007-05-29 11:43 135,168 --a------ C:\WINDOWS\system32\OPENAL32.DLL
2007-05-29 11:43 127,948 --a------ C:\WINDOWS\system32\drivers\CTAC32K.SYS
2007-05-29 11:43 110,592 --a------ C:\WINDOWS\system32\PIAPROXY.DLL
2007-05-29 11:43 110,592 --a------ C:\WINDOWS\system32\COMMONFX.DLL
2007-05-29 11:43 11,068 --a------ C:\WINDOWS\system32\drivers\CTPRXY2K.SYS
2007-05-29 11:43 106,496 --a------ C:\WINDOWS\system32\CTDPROXY.DLL
2007-05-29 11:43 106,496 --a------ C:\WINDOWS\system32\CTASIO.DLL
2007-05-29 11:43 <DIR> d-------- C:\WINDOWS\system32\Data
2007-05-29 11:42 6,752 --------- C:\WINDOWS\system32\PFMODNT.SYS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 00:51:03 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-06-03 03:42:01 -------- d-----w C:\Program Files\AvRack
2007-06-01 00:55:13 -------- d-----w C:\Program Files\Azureus
2007-05-29 03:44:04 -------- d-----w C:\Program Files\Creative
2007-05-29 03:43:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 03:12:22 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\AdobeUM
2007-05-11 01:47:56 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\Azureus
2007-05-07 13:33:00 179 ----a-w C:\WINDOWS\DIIUnin.bat
2007-04-27 11:48:11 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-04-27 11:48:11 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-04-27 11:48:11 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-04-27 11:19:34 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2007-04-27 11:19:34 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-04-24 21:37:00 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\MSN6
2007-04-20 05:59:24 -------- d-----w C:\Program Files\SystemRequirementsLab
2007-04-20 05:59:24 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\SystemRequirementsLab
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 11:34:39 -------- d-----w C:\Program Files\MSN Messenger
2007-04-10 07:40:46 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\U3
2007-04-10 05:52:33 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\Printer Info Cache
2007-04-04 10:18:57 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-12 06:52:08 249,856 ------w C:\WINDOWS\Setup1.exe
2007-03-12 06:52:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-03-10 16:48:21 53,248 ----a-w C:\WINDOWS\system32\apache.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 12:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
MIDIDef.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6c44c58-79cf-11db-8a4a-001485ea1313}]


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 13:01:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 13:02:49
C:\ComboFix-quarantined-files.txt ... 2007-06-08 13:02
C:\ComboFix2.txt ... 2007-06-08 11:08

--- E O F ---
figon is offline  
Old 06-07-2007, 11:32 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista


Re: Drive access error! [moved from XP support]

All clear.

Did the first run of ComboFix remove anything? Can I see the C:\ComboFix2.txt please?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-08-2007, 04:14 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 6
OS: xp


Re: Drive access error! [moved from XP support]

Cool.
sure.
I read other posts and downloaded and ran Combofix before you asked. :D.
Here is the ComboFix2.txt:-

"Pnew" - 2007-06-08 11:04:00 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "D:\Jurong\Files\1\ComboFix\"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users.WINDOWS.\documents\setup.exe
C:\WINDOWS\autorun.inf


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-08 04:32 <DIR> d-------- C:\Deckard
2007-06-04 11:01 <DIR> d-------- C:\DOCUME~1\PNEW~1.P42\Contacts
2007-06-04 08:51 <DIR> d-------- C:\GiriGiri
2007-06-04 01:45 <DIR> d-------- C:\WINDOWS\Cassini
2007-06-04 01:43 <DIR> d-------- C:\WINDOWS\Profiles
2007-06-04 01:43 <DIR> d-------- C:\WINDOWS\Cassini Emulator
2007-06-04 01:43 <DIR> d-------- C:\Program Files\Cassini Emulator
2007-06-03 14:02 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-03 14:00 <DIR> d-------- C:\Program Files\True Sword 4
2007-06-03 14:00 <DIR> d-------- C:\DOCUME~1\9135\APPLIC~1\True Sword
2007-06-03 13:57 <DIR> d-------- C:\DOCUME~1\9135\.housecall6.6
2007-06-03 11:45 3,712 --a------ C:\WINDOWS\system32\drivers\ctljystk.sys
2007-06-03 11:45 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2007-06-03 11:28 <DIR> d-------- C:\Program Files\Intel
2007-06-02 20:15 44,055 --a------ C:\WINDOWS\system32\CTDAUGHT.DAT
2007-06-02 20:15 179,669 --a------ C:\WINDOWS\system32\CTSTATIC.DAT
2007-06-02 20:15 164,044 --a------ C:\WINDOWS\system32\CTDLANG.DAT
2007-06-02 20:15 113,373 --a------ C:\WINDOWS\system32\CTBASICW.DAT
2007-06-02 20:15 113,273 --a------ C:\WINDOWS\system32\CTBAS2W.DAT
2007-06-02 12:32 786,432 --a------ C:\DOCUME~1\LOCALS~1.NTA\ntuser.dat
2007-06-02 12:32 10,747,904 --a------ C:\DOCUME~1\9135\ntuser.dat
2007-05-29 11:49 6,912 --a------ C:\WINDOWS\system32\drivers\ctlfacem.sys
2007-05-29 11:49 495,616 --a------ C:\WINDOWS\system32\sblfx.dll
2007-05-29 11:49 4,096 --a------ C:\WINDOWS\system32\ctwdm32.dll
2007-05-29 11:49 36,480 --a------ C:\WINDOWS\system32\drivers\sfmanm.sys
2007-05-29 11:49 283,904 --a------ C:\WINDOWS\system32\drivers\emu10k1m.sys
2007-05-29 11:49 256,512 --a------ C:\WINDOWS\system32\devcon32.dll
2007-05-29 11:49 24,064 --a------ C:\WINDOWS\system32\devldr32.exe
2007-05-29 11:44 90,112 --------- C:\WINDOWS\Updreg.EXE
2007-05-29 11:44 84,992 --------- C:\WINDOWS\system32\SFCVRT32.DLL
2007-05-29 11:44 82,432 --------- C:\WINDOWS\system32\CTWFLT32.DLL
2007-05-29 11:44 54,784 --------- C:\WINDOWS\system32\INETWH32.DLL
2007-05-29 11:44 53,552 --------- C:\WINDOWS\CTCCW.DLL
2007-05-29 11:44 26,768 --------- C:\WINDOWS\system32\CTL3D.DLL
2007-05-29 11:44 24,976 --------- C:\WINDOWS\CTRES.DLL
2007-05-29 11:44 149,504 --------- C:\WINDOWS\system32\MFCANS32.DLL
2007-05-29 11:44 108,032 --------- C:\WINDOWS\system32\MFCUIA32.DLL
2007-05-29 11:44 1,048,576 --------- C:\WINDOWS\system32\SFMAN.DAT
2007-05-29 11:44 <DIR> d-------- C:\WINDOWS\system32\Defaults
2007-05-29 11:43 998,004 --a------ C:\WINDOWS\system32\drivers\HA10KX2K.SYS
2007-05-29 11:43 94,208 --a------ C:\WINDOWS\DEVREG.DLL
2007-05-29 11:43 837,548 --a------ C:\WINDOWS\system32\drivers\CTAUD2K.SYS
2007-05-29 11:43 77,824 --a------ C:\WINDOWS\system32\EAXAC3.DLL
2007-05-29 11:43 643,072 --a------ C:\WINDOWS\system32\CTSBLFX.DLL
2007-05-29 11:43 61,440 --a------ C:\WINDOWS\system32\CTAGENT.DLL
2007-05-29 11:43 61,440 --a------ C:\WINDOWS\MIDIDEF.EXE
2007-05-29 11:43 53,248 --a------ C:\WINDOWS\system32\AC3API.DLL
2007-05-29 11:43 51,200 --a------ C:\WINDOWS\system32\sfman32.dll
2007-05-29 11:43 49,152 --a------ C:\WINDOWS\system32\KILLAPPS.EXE
2007-05-29 11:43 49,152 --a------ C:\WINDOWS\CTDCRES.DLL
2007-05-29 11:43 36,864 --a------ C:\WINDOWS\system32\REGPLIB.EXE
2007-05-29 11:43 36,864 --a------ C:\WINDOWS\system32\CTEMUPIA.DLL
2007-05-29 11:43 319,488 --a------ C:\WINDOWS\system32\CTDEVCON.DLL
2007-05-29 11:43 28,672 --a------ C:\WINDOWS\system32\CTSPKHLP.DLL
2007-05-29 11:43 270,336 --a------ C:\WINDOWS\system32\SFMS32.DLL
2007-05-29 11:43 24,576 --a------ C:\WINDOWS\system32\CTHELPER.EXE
2007-05-29 11:43 213,860 --a------ C:\WINDOWS\system32\drivers\CTSFM2K.SYS
2007-05-29 11:43 20,480 --a------ C:\WINDOWS\INRES.DLL
2007-05-29 11:43 195,432 --a------ C:\WINDOWS\system32\drivers\CTOSS2K.SYS
2007-05-29 11:43 184,320 --a------ C:\WINDOWS\PSCONV.EXE
2007-05-29 11:43 176,128 --a------ C:\WINDOWS\READREG.EXE
2007-05-29 11:43 156,604 --a------ C:\WINDOWS\system32\drivers\EMUPIA2K.SYS
2007-05-29 11:43 155,648 --a------ C:\WINDOWS\system32\CTOSUSER.DLL
2007-05-29 11:43 135,168 --a------ C:\WINDOWS\system32\OPENAL32.DLL
2007-05-29 11:43 127,948 --a------ C:\WINDOWS\system32\drivers\CTAC32K.SYS
2007-05-29 11:43 110,592 --a------ C:\WINDOWS\system32\PIAPROXY.DLL
2007-05-29 11:43 110,592 --a------ C:\WINDOWS\system32\COMMONFX.DLL
2007-05-29 11:43 11,068 --a------ C:\WINDOWS\system32\drivers\CTPRXY2K.SYS
2007-05-29 11:43 106,496 --a------ C:\WINDOWS\system32\CTDPROXY.DLL
2007-05-29 11:43 106,496 --a------ C:\WINDOWS\system32\CTASIO.DLL
2007-05-29 11:43 <DIR> d-------- C:\WINDOWS\system32\Data
2007-05-29 11:42 6,752 --------- C:\WINDOWS\system32\PFMODNT.SYS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 00:51:03 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-06-03 03:42:01 -------- d-----w C:\Program Files\AvRack
2007-06-01 00:55:13 -------- d-----w C:\Program Files\Azureus
2007-05-29 03:44:04 -------- d-----w C:\Program Files\Creative
2007-05-29 03:43:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-29 03:12:22 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\AdobeUM
2007-05-11 01:47:56 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\Azureus
2007-05-07 13:33:00 179 ----a-w C:\WINDOWS\DIIUnin.bat
2007-04-27 11:48:11 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-04-27 11:48:11 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-04-27 11:48:11 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-04-27 11:19:34 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2007-04-27 11:19:34 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2007-04-24 21:37:00 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\MSN6
2007-04-20 05:59:24 -------- d-----w C:\Program Files\SystemRequirementsLab
2007-04-20 05:59:24 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\SystemRequirementsLab
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 11:34:39 -------- d-----w C:\Program Files\MSN Messenger
2007-04-10 07:40:46 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\U3
2007-04-10 05:52:33 -------- d-----w C:\DOCUME~1\PNEW~1.P42\APPLIC~1\Printer Info Cache
2007-04-04 10:18:57 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-12 06:52:08 249,856 ------w C:\WINDOWS\Setup1.exe
2007-03-12 06:52:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-03-10 16:48:21 53,248 ----a-w C:\WINDOWS\system32\apache.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-03 12:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
MIDIDef.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6c44c58-79cf-11db-8a4a-001485ea1313}]


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 11:07:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 11:08:28
C:\ComboFix-quarantined-files.txt ... 2007-06-08 11:08

--- E O F ---



And here is the content of the ComboFix-quarantined-files.txt:-

Code:
2006-05-09 20:36      34    --a------    C:\Qoobox\Quarantine\C\WINDOWS\autorun.inf.vir
2007-06-04 01:31      2242477    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Documents\setup.exe.vir


Folder PATH listing
Volume serial number is 6CEA-1F46
C:\QOOBOX
\---Quarantine
    +---C
    |   +---avenger
    |   +---Documents and Settings
    |   |   \---All Users.WINDOWS
    |   |       \---Documents
    |   |               setup.exe.vir
    |   |               
    |   \---WINDOWS
    |           autorun.inf.vir
    |           
    \---Registry_backups
Again, I appreciate your detailed attention.
figon is offline  
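When reading a ComboFix2.txt like the one above, an analyst wants to confirm that every path under "Other Deletions" has a matching .vir copy in ComboFix-quarantined-files.txt, so that a false positive could still be restored. The following is an added example, not ComboFix's own code; its inputs are constructed in the layout of the two listings posted. It handles the two discrepancies visible in the posted logs, namely the case difference and the trailing dot in "All Users.WINDOWS." versus the quarantine path; the D:\copy.exe line is an invented entry with no quarantine copy, included to show what a gap looks like.

```python
"""Added example: reconcile ComboFix's 'Other Deletions' with the
ComboFix-quarantined-files.txt listing. All input below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed log fragment in the layout of ComboFix2.txt above. The
# D:\copy.exe line is an invented entry that has no quarantine copy.
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users.WINDOWS.\documents\setup.exe
C:\WINDOWS\autorun.inf
D:\copy.exe


((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-08 04:32 <DIR> d-------- C:\Deckard
"""

# Constructed quarantine listing in the layout of the posted one.
SAMPLE_QUARANTINE_LIST = r"""
2006-05-09 20:36      34    --a------    C:\Qoobox\Quarantine\C\WINDOWS\autorun.inf.vir
2007-06-04 01:31      2242477    --a------    C:\Qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Documents\setup.exe.vir

Folder PATH listing
C:\QOOBOX
"""

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
QUAR_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?\.vir)$")


def combofix_sections(text: str) -> Dict[str, List[str]]:
    """Map each (((( banner )))) heading to the non-empty lines under it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_quarantine_list(text: str) -> List[Tuple[str, int, str]]:
    """(timestamp, size, quarantine path) per .vir line; lines of the folder
    tree that follows the list do not match and are ignored."""
    entries: List[Tuple[str, int, str]] = []
    for raw in text.splitlines():
        m = QUAR_LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(4)))
    return entries


def quarantine_to_original(qpath: str) -> str:
    r"""C:\Qoobox\Quarantine\C\WINDOWS\x.vir -> C:\WINDOWS\x"""
    if not qpath.lower().startswith(QUARANTINE_ROOT.lower() + "\\"):
        return qpath
    rel = qpath[len(QUARANTINE_ROOT) + 1:]          # "C\WINDOWS\x.vir"
    drive, _, rest = rel.partition("\\")
    if rest.lower().endswith(".vir"):
        rest = rest[:-4]
    return f"{drive}:\\{rest}"


def normalize(path: str) -> str:
    """Case-insensitive form with trailing dots stripped per component:
    Windows ignores such dots, and the log printed 'All Users.WINDOWS.'."""
    return "\\".join(p.rstrip(".") for p in path.split("\\")).casefold()


def reconcile(log_text: str, quarantine_text: str) -> Dict[str, List[str]]:
    """Split the deleted paths into those with a .vir backup and those without."""
    deleted = combofix_sections(log_text).get("Other Deletions", [])
    backups = {normalize(quarantine_to_original(q)): q
               for _, _, q in parse_quarantine_list(quarantine_text)}
    result: Dict[str, List[str]] = {"backed_up": [], "missing": []}
    for path in deleted:
        bucket = "backed_up" if normalize(path) in backups else "missing"
        result[bucket].append(path)
    return result


if __name__ == "__main__":
    for bucket, paths in reconcile(SAMPLE_COMBOFIX_LOG, SAMPLE_QUARANTINE_LIST).items():
        for path in paths:
            print(f"{bucket}: {path}")
```

The timestamp column of the quarantine listing is also worth keeping: in the posted listing autorun.inf.vir carries 2006-05-09, a year before the ComboFix run, which tells the analyst how long that file had been sitting in C:\WINDOWS.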
Old 06-08-2007, 07:30 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,908
OS: WinXP and Vista


Re: Drive access error! [moved from XP support]

I feel better now--thanks for humoring me.

You're good to go, please continue with these final instructions.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:


Ensure Windows Auto Update is Enabled
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Spyware Guard to catch and block spyware before it can execute.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-08-2007, 08:09 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 6
OS: xp


Re: Drive access error! [moved from XP support]

Nice.
You are very kind.
You are a great educator.
The learning experience is both great and precious!

Thank you very much!

figon is offline  
Copyright 2001 - 2009, Tech Support Forum