Author Topic: Help needed  (Read 3893 times)

Offline Arpan

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
    • View Profile
Help needed
« Reply #20 on: December 22, 2008, 02:27:28 PM »
Luckily the system has started a second time now, and I am able to write a post here.
I don't know what went wrong with the system. It has just started getting frozen every time I started my system. Even in safe mode it was getting hung. In fact I never succeeded in my attempt to start the system in safe mode. What should I do?
Please help me!

Offline Arpan

« Reply #21 on: December 22, 2008, 02:30:34 PM »
HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:44 AM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
D:\Softwares\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 5023 bytes

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Help needed
« Reply #22 on: December 22, 2008, 03:09:22 PM »
I posted additional instructions earlier

I'm going to change them a bit, with the new information you added

In addition>>
Download and save to your desktop
OTScanIt2
by OldTimer

Double click on it to Run it and then Extract it to a folder on desktop
Open that newly created folder and double click on OTScanIt2.exe
Leave all defaults selected
Except, change Rootkit Search to YES
Also, under Additional Scans, put a tick next to
Reg - SafeBoot Minimal
Reg - SafeBoot Network
Evnt - EventViewer Logs (Last 10 Errors)

Then click on Run Scan

When done, it will produce a log
Can you post the contents of that log back here please
A copy of it can also be found in the OTScanIt2 folder on desktop
It may be best to attach that log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Arpan

« Reply #23 on: December 22, 2008, 03:21:44 PM »
I was trying hard but I was unable to post anything here.

error: 505

method not implemented

What's wrong?

Offline guestolo

« Reply #24 on: December 22, 2008, 03:45:41 PM »
Nothing suspicious

Can you update Avira, run a new scan and post the new report from it



Offline Arpan

« Reply #25 on: December 22, 2008, 03:51:19 PM »
Then what could be the reason for repeated system hanging around 50 times?
Can you understand anything?

Offline Arpan

« Reply #26 on: December 22, 2008, 03:55:22 PM »
As far as Avira's report is concerned, I had started scanning when the system started the first time. At that time it had found a few viruses whose details are as under. Later the scanning got stopped because the system hung.




Avira AntiVir Personal
Report file date: Tuesday, December 23, 2008  02:31

Scanning for 1107347 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Normally booted
Username:         Owner
Computer name:    COMPUTER2007

Version information:
BUILD.DAT     : 8.2.0.337      16934 Bytes  11/18/2008 13:05:00
AVSCAN.EXE    : 8.1.4.10      315649 Bytes  11/18/2008 15:21:26
AVSCAN.DLL    : 8.1.4.0        40705 Bytes   5/26/2008 14:56:40
LUKE.DLL      : 8.1.4.5       164097 Bytes   6/12/2008 19:44:19
LUKERES.DLL   : 8.1.4.0        12033 Bytes   5/26/2008 14:58:52
ANTIVIR0.VDF  : 7.1.0.0     15603712 Bytes  10/27/2008 18:30:36
ANTIVIR1.VDF  : 7.1.0.197    1170432 Bytes   12/7/2008 06:55:46
ANTIVIR2.VDF  : 7.1.0.250     342528 Bytes  12/18/2008 06:57:32
ANTIVIR3.VDF  : 7.1.1.15      107520 Bytes  12/21/2008 06:41:50
Engineversion : 8.2.0.45  
AEVDF.DLL     : 8.1.0.6       102772 Bytes  10/14/2008 17:05:56
AESCRIPT.DLL  : 8.1.1.19      336252 Bytes  12/21/2008 07:02:19
AESCN.DLL     : 8.1.1.5       123251 Bytes   11/7/2008 22:06:41
AERDL.DLL     : 8.1.1.3       438645 Bytes   11/4/2008 20:58:38
AEPACK.DLL    : 8.1.3.4       393591 Bytes  11/11/2008 16:41:39
AEOFFICE.DLL  : 8.1.0.33      196987 Bytes  12/21/2008 07:01:58
AEHEUR.DLL    : 8.1.0.75     1524087 Bytes  12/21/2008 07:00:55
AEHELP.DLL    : 8.1.2.0       119159 Bytes  12/21/2008 06:58:40
AEGEN.DLL     : 8.1.1.8       323956 Bytes  12/21/2008 06:58:34
AEEMU.DLL     : 8.1.0.9       393588 Bytes  10/14/2008 17:05:56
AECORE.DLL    : 8.1.5.2       172405 Bytes  12/21/2008 06:58:12
AEBB.DLL      : 8.1.0.3        53618 Bytes  10/14/2008 17:05:56
AVWINLL.DLL   : 1.0.0.12       15105 Bytes    7/9/2008 15:40:05
AVPREF.DLL    : 8.0.2.0        38657 Bytes   5/16/2008 16:28:01
AVREP.DLL     : 8.0.0.2        98344 Bytes   7/31/2008 19:02:15
AVREG.DLL     : 8.0.0.1        33537 Bytes    5/9/2008 18:26:40
AVARKT.DLL    : 1.0.0.23      307457 Bytes   2/12/2008 15:29:23
AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes   6/12/2008 19:27:49
SQLITE3.DLL   : 3.3.17.1      339968 Bytes   1/23/2008 00:28:02
SMTPLIB.DLL   : 1.2.0.23       28929 Bytes   6/12/2008 19:49:40
NETNT.DLL     : 8.0.0.1         7937 Bytes   1/25/2008 19:05:10
RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes   6/12/2008 20:48:07
RCTEXT.DLL    : 8.0.52.0       86273 Bytes   6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\Owner\LOCALS~1\Temp\d307754e.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: G:,
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, December 23, 2008  02:31

Starting the file scan:

Begin scan in 'G:\' <MANISHA>
G:\New Folder .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was deleted!
G:\regsvr.exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was moved to '49b7a274.qua'!
G:\lky.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '49c9a27d.qua'!
G:\RESTORE\RESTORE .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was moved to '49a3a25a.qua'!
G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\S-1-5-21-1482476501-1644491937-682003330-1013 .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was moved to '4981a248.qua'!
G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
    [DETECTION] Contains recognition pattern of the WORM/SdBot.117248 worm
    [NOTE]      The file was moved to '49c1a282.qua'!
G:\OM\OM .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was moved to '4970a287.qua'!
G:\Shaadi\Shaadi .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was moved to '49b1a2a5.qua'!
G:\Shaadi\card-4\card-4 .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was moved to '49c2a2a3.qua'!
G:\Shaadi\CARD-3\CARD-3 .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was moved to '49a2a297.qua'!


End of the scan: Tuesday, December 23, 2008  02:33
Used time: 01:53 Minute(s)

The scan has been canceled!

      7 Scanning directories
    367 Files were scanned
     10 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      1 files were deleted
      0 files were repaired
      9 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
    357 Files not concerned
      0 Archives were scanned
      0 Warnings
     10 Notes
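
A small triage pass over a report in this layout, added here as an illustration (it is not part of the thread and not an Avira tool): it pairs each detected path with the action taken, counts detections per drive, and flags two naming traits visible in the log above, a space before .exe and a file named after its parent folder. The sample report and its quarantine file names are constructed; the function names are hypothetical.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the same layout as the report above.
SAMPLE_REPORT = r"""Begin scan in 'G:\' <USBSTICK>
G:\New Folder .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was deleted!
G:\Photos\Photos .exe
    [DETECTION] Is the TR/Autoit.CI.14 Trojan
    [NOTE]      The file was moved to '00000001.qua'!
G:\tool.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was moved to '00000002.qua'!
Begin scan in 'C:\'
C:\pagefile.sys
    [WARNING]   The file could not be opened!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")               # unindented line that starts a file entry
TAG_RE = re.compile(r"^\s+\[(\w+)\]\s+(.*\S)\s*$")  # indented "[TAG] text" line


def parse_detections(report):
    """Return one dict per file that has a [DETECTION] line, with its [NOTE] if any."""
    findings, current = [], None
    for line in report.splitlines():
        if PATH_RE.match(line):
            current = {"path": line.rstrip(), "detection": None, "note": None}
            continue
        match = TAG_RE.match(line)
        if match and current is not None:
            tag, text = match.groups()
            if tag == "DETECTION":
                current["detection"] = text
                findings.append(current)
            elif tag == "NOTE" and current["detection"]:
                current["note"] = text
            continue
        if line.strip():
            current = None  # any other content ends the current file entry
    return findings


def name_flags(path):
    """Heuristic flags (an assumption of this example) for folder look-alike names."""
    p = PureWindowsPath(path)
    flags = []
    if p.suffix.lower() == ".exe" and p.stem != p.stem.rstrip():
        flags.append("space-before-extension")
    if p.parent.name and p.stem.strip().lower() == p.parent.name.lower():
        flags.append("named-after-parent-folder")
    return flags


def per_drive(findings):
    """Count detections per drive letter, to separate removable media from fixed disks."""
    return dict(Counter(PureWindowsPath(f["path"]).drive.upper() for f in findings))


if __name__ == "__main__":
    results = parse_detections(SAMPLE_REPORT)
    print(per_drive(results))
    for item in results:
        print(item["path"], "|", item["detection"], "|", item["note"], "|", name_flags(item["path"]))
```
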

Offline Arpan

« Reply #27 on: December 22, 2008, 03:57:23 PM »
After that, when the system started working, I did another scan. This time the process was completed without any interruption.






Avira AntiVir Personal
Report file date: Wednesday, December 24, 2008  00:52

Scanning for 1110459 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    COMPUTER2007

Version information:
BUILD.DAT     : 8.2.0.337      16934 Bytes  11/18/2008 13:05:00
AVSCAN.EXE    : 8.1.4.10      315649 Bytes  11/18/2008 15:21:26
AVSCAN.DLL    : 8.1.4.0        40705 Bytes   5/26/2008 14:56:40
LUKE.DLL      : 8.1.4.5       164097 Bytes   6/12/2008 19:44:19
LUKERES.DLL   : 8.1.4.0        12033 Bytes   5/26/2008 14:58:52
ANTIVIR0.VDF  : 7.1.0.0     15603712 Bytes  10/27/2008 18:30:36
ANTIVIR1.VDF  : 7.1.0.197    1170432 Bytes   12/7/2008 06:55:46
ANTIVIR2.VDF  : 7.1.0.250     342528 Bytes  12/18/2008 06:57:32
ANTIVIR3.VDF  : 7.1.1.21      151040 Bytes  12/22/2008 06:51:36
Engineversion : 8.2.0.45  
AEVDF.DLL     : 8.1.0.6       102772 Bytes  10/14/2008 17:05:56
AESCRIPT.DLL  : 8.1.1.19      336252 Bytes  12/21/2008 07:02:19
AESCN.DLL     : 8.1.1.5       123251 Bytes   11/7/2008 22:06:41
AERDL.DLL     : 8.1.1.3       438645 Bytes   11/4/2008 20:58:38
AEPACK.DLL    : 8.1.3.4       393591 Bytes  11/11/2008 16:41:39
AEOFFICE.DLL  : 8.1.0.33      196987 Bytes  12/21/2008 07:01:58
AEHEUR.DLL    : 8.1.0.75     1524087 Bytes  12/21/2008 07:00:55
AEHELP.DLL    : 8.1.2.0       119159 Bytes  12/21/2008 06:58:40
AEGEN.DLL     : 8.1.1.8       323956 Bytes  12/21/2008 06:58:34
AEEMU.DLL     : 8.1.0.9       393588 Bytes  10/14/2008 17:05:56
AECORE.DLL    : 8.1.5.2       172405 Bytes  12/21/2008 06:58:12
AEBB.DLL      : 8.1.0.3        53618 Bytes  10/14/2008 17:05:56
AVWINLL.DLL   : 1.0.0.12       15105 Bytes    7/9/2008 15:40:05
AVPREF.DLL    : 8.0.2.0        38657 Bytes   5/16/2008 16:28:01
AVREP.DLL     : 8.0.0.2        98344 Bytes   7/31/2008 19:02:15
AVREG.DLL     : 8.0.0.1        33537 Bytes    5/9/2008 18:26:40
AVARKT.DLL    : 1.0.0.23      307457 Bytes   2/12/2008 15:29:23
AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes   6/12/2008 19:27:49
SQLITE3.DLL   : 3.3.17.1      339968 Bytes   1/23/2008 00:28:02
SMTPLIB.DLL   : 1.2.0.23       28929 Bytes   6/12/2008 19:49:40
NETNT.DLL     : 8.0.0.1         7937 Bytes   1/25/2008 19:05:10
RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes   6/12/2008 20:48:07
RCTEXT.DLL    : 8.0.52.0       86273 Bytes   6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, December 24, 2008  00:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avnotify.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'DAP.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'LAUNCH~1.EXE' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!
Boot sector 'D:\'
    [INFO]      No virus was found!
Boot sector 'E:\'
    [INFO]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '48' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
    [WARNING]   The file could not be opened!
C:\New Folder\McAfee Total Protection 2008 (Retail)-HeartBug\en-AU\Acroread\AcroRead.exe
   
  • Archive type: CAB SFX (self extracting)

      --> \Data1.cab
        [1] Archive type: CAB (Microsoft)
        --> VDK10.RSD
          [WARNING]   No further files can be extracted from this archive. The archive will be closed
    --> \instmsiw.exe
      [WARNING]   No further files can be extracted from this archive. The archive will be closed
Begin scan in 'D:\'
Begin scan in 'E:\'


End of the scan: Wednesday, December 24, 2008  01:20
Used time: 28:25 Minute(s)

The scan has been done completely.

   4404 Scanning directories
 174422 Files were scanned
      0 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      1 Files cannot be scanned
 174421 Files not concerned
   1660 Archives were scanned
      3 Warnings
      0 Notes

Offline guestolo

« Reply #28 on: December 22, 2008, 03:58:38 PM »
Which drive is your G: drive?



Offline Arpan

« Reply #29 on: December 22, 2008, 04:03:25 PM »
That was for a pen drive. When I found the virus in my pen drive, I formatted that drive because that data was not important for me.

Offline guestolo

« Reply #30 on: December 22, 2008, 04:14:40 PM »
You mean for the pen drive you didn't have before?

Remember what I said earlier
Quote
But if it is infected, any computer it's been inserted too
Could also be infected
What probably happened, you inserted the Pendrive, it didn't autostart, so you accessed it thru MyComputer without scanning it first
You can right click a pendrive in MyComputer and choose to Scan with Avira in the future

We have to ensure that pendrive will not reinfect you again
even if it's already formatted, do the following

download Flash_Disinfector and save it to your desktop
  • Double click on Flash_Disinfector.exe and select Run As Administrator to run it. If you receive a prompt, please allow it.
  • You will be prompted to plug in your flash drive. Plug it in. If you have more than one, plug them in
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Leave your Pendrive connected

Can you temporarily disable Avira protection, right click its icon by the clock
and uncheck "AntiVir Guard Enable"
Then, REDownload ComboFix from
Link 1
Link 2
Link 3
Save it ONLY to your Desktop

Double click on it to run it, let it run its course, then post back the log from it later
C:\ComboFix.txt



Offline guestolo

« Reply #31 on: December 22, 2008, 04:17:05 PM »
Forgot to add:

Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


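A read-only check related to the autorun.inf placeholder folder described in the post above, added here as an illustration (it is not part of the thread and not Flash_Disinfector's code): it reports whether a volume root has autorun.inf as a directory, as a file, or not at all, and lists the launch commands found in a file. The sample volume roots and their contents are constructed; the function names are hypothetical.

```python
import tempfile
from pathlib import Path


def launch_commands(text):
    """Return (key, value) pairs in the [autorun] section that start a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            found.append((key, value))
    return found


def read_inf(path, limit=64 * 1024):
    """Read at most `limit` bytes; honour a UTF-16 byte-order mark if present."""
    with open(path, "rb") as handle:
        data = handle.read(limit)
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")


def inspect_root(root):
    """Classify the autorun.inf entry at the root of one volume (nothing is modified)."""
    root = Path(root)
    # Windows treats the name case-insensitively; the host running this check may not.
    entry = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if entry is None:
        return {"state": "absent", "commands": []}
    if entry.is_dir():
        # A directory holds the name, so no file called autorun.inf can be
        # created beside it until the directory is removed.
        return {"state": "placeholder-directory", "commands": []}
    commands = launch_commands(read_inf(entry))
    state = "file-with-launch-commands" if commands else "file-without-launch-commands"
    return {"state": state, "commands": commands}


def demo():
    """Build four constructed volume roots in a temp directory and inspect each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name in ("infected", "immunized", "clean", "label_only"):
            (base / name).mkdir()
        # Constructed autorun.inf that launches a program on open/explore.
        (base / "infected" / "AUTORUN.INF").write_bytes(
            b"[autorun]\r\n; constructed sample\r\nopen=sample.exe\r\n"
            b"shell\\explore\\command=sample.exe\r\nicon=folder.ico\r\n"
        )
        # Placeholder directory of the kind the post describes.
        (base / "immunized" / "autorun.inf").mkdir()
        # A file that only sets a label and launches nothing.
        (base / "label_only" / "autorun.inf").write_bytes(b"[autorun]\r\nlabel=Backup\r\n")
        for name in ("infected", "immunized", "clean", "label_only"):
            results[name] = inspect_root(base / name)
    return results


if __name__ == "__main__":
    for volume, report in demo().items():
        print(volume, report)
```
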

Offline Arpan

« Reply #32 on: December 23, 2008, 01:45:03 AM »
Quote
What probably happened, you inserted the Pendrive, it didn't autostart, so you accessed it thru MyComputer without scanning it first
You can right click a pendrive in MyComputer and choose to Scan with Avira in the future

We have to ensure that pendrive will not reinfect you again
even if it's already formatted, do the following


No. It wasn't the way I did things. I was aware there could be a virus in a pendrive, so I opened My Computer and scanned it the way you said before. There I found these viruses. And I don't have that pen drive with me right now. It was my friend's one. I can't get it back. I'm sorry.
How does the system look to you now, keeping aside that pen drive?

Offline guestolo

« Reply #33 on: December 23, 2008, 05:34:24 AM »
Well, I guess it looks OK
How is the system running?
You didn't post the new log from ComboFix so it's hard for me to tell, I would still run it just to double check that there are no leftovers behind. Post the new log afterwards
« Last Edit: December 23, 2008, 05:36:57 AM by guestolo »



Offline Arpan

« Reply #34 on: December 24, 2008, 02:42:04 PM »
Well, the system still hangs up abruptly, and I did run Flash Disinfector. Here is the ComboFix log:



ComboFix 08-12-21.04 - Owner 2008-12-25  1:05:02.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.612 [GMT 5.5:30]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds

.
(((((((((((((((((((((((((   Files Created from 2008-11-24 to 2008-12-24  )))))))))))))))))))))))))))))))
.

2008-12-24 12:51 . 2008-12-24 12:58   <DIR>   d--------   c:\program files\SpywareBlaster
2008-12-24 12:12 . 2008-12-24 12:12   <DIR>   d--------   c:\program files\CCleaner
2008-12-24 11:39 . 2008-12-24 11:39   <DIR>   d--------   c:\documents and settings\Administrator
2008-12-21 12:18 . 2008-12-21 12:18   <DIR>   d--------   c:\program files\Avira
2008-12-21 12:18 . 2008-12-21 12:18   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2008-12-21 00:14 . 2008-12-21 00:14   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Adobe Systems
2008-12-21 00:13 . 2008-12-21 00:13   <DIR>   d--------   c:\program files\Common Files\Adobe Systems Shared
2008-12-20 11:57 . 2008-12-20 11:57   <DIR>   d--------   c:\program files\Yahoo!
2008-12-20 11:57 . 2008-12-20 11:57   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Yahoo!
2008-12-20 11:42 . 2008-12-20 11:43   <DIR>   d--------   c:\documents and settings\Owner\Phone Browser
2008-12-20 11:42 . 2008-12-20 11:42   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Datalayer
2008-12-20 11:40 . 2008-12-20 11:40   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Nokia
2008-12-20 11:39 . 2008-12-20 11:39   <DIR>   d--------   c:\program files\DIFX
2008-12-20 11:38 . 2008-12-20 11:39   <DIR>   d----c---   c:\windows\system32\DRVSTORE
2008-12-20 11:38 . 2008-12-20 11:38   <DIR>   d--------   c:\program files\Nokia
2008-12-20 11:38 . 2008-12-20 11:38   <DIR>   d--------   c:\program files\Common Files\PCSuite
2008-12-20 11:38 . 2008-12-20 11:38   <DIR>   d--------   c:\program files\Common Files\Nokia
2008-12-20 11:38 . 2008-12-20 11:39   <DIR>   d--------   c:\documents and settings\Owner\Application Data\PC Suite
2008-12-20 11:38 . 2008-12-20 11:39   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PC Suite
2008-12-20 11:38 . 2006-05-29 19:56   127,488   --a------   c:\windows\system32\drivers\nmwcd.sys
2008-12-20 11:38 . 2006-05-29 19:56   50,688   --a------   c:\windows\system32\nmwcdcls.dll
2008-12-20 11:38 . 2006-05-29 19:56   30,720   --a------   c:\windows\system32\nmwcdcocls.dll
2008-12-20 11:38 . 2006-05-29 19:56   13,312   --a------   c:\windows\system32\drivers\nmwcdcm.sys
2008-12-20 11:38 . 2006-05-29 19:56   8,704   --a------   c:\windows\system32\drivers\nmwcdc.sys
2008-12-20 11:38 . 2006-05-29 19:56   4,608   --a------   c:\windows\system32\nmwcdlog.dll
2008-12-19 04:11 . 2008-12-19 07:45   <DIR>   d--------   c:\documents and settings\Owner\Application Data\gtk-2.0
2008-12-19 00:53 . 2008-12-19 10:25   1,589,280   --ahs----   c:\windows\system32\drivers\fidbox.dat
2008-12-19 00:53 . 2008-12-19 10:25   21,788   --ahs----   c:\windows\system32\drivers\fidbox.idx
2008-12-19 00:33 . 2008-12-19 00:34   <DIR>   d--------   c:\program files\Any Video Converter
2008-12-19 00:11 . 2008-12-19 00:11   <DIR>   d--------   c:\program files\GIMP-2.0
2008-12-19 00:09 . 2008-12-19 00:09   <DIR>   d--------   C:\New Folder
2008-12-18 22:36 . 2008-12-18 22:36   <DIR>   d--------   c:\windows\system32\xircom
2008-12-18 22:36 . 2008-12-18 22:36   <DIR>   d--------   c:\windows\system32\npp
2008-12-18 22:36 . 2008-12-18 22:36   <DIR>   d--------   c:\windows\srchasst
2008-12-18 22:36 . 2008-12-18 22:36   <DIR>   d--------   c:\program files\microsoft frontpage
2008-12-18 11:43 . 2008-12-18 11:43   <DIR>   d--------   c:\program files\Alwil Software
2008-12-18 11:35 . 2008-12-18 11:35   <DIR>   d--------   C:\KitTorrent
2008-12-18 11:32 . 2008-12-18 11:48   <DIR>   d--------   C:\(Any Video Convertor) (Many Formats..)
2008-12-18 10:43 . 2008-12-18 10:43   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avg7
2008-12-17 11:24 . 2008-12-17 11:24   <DIR>   d--------   c:\documents and settings\Owner\.thumbnails
2008-12-17 10:31 . 2008-12-23 22:13   <DIR>   d--------   c:\documents and settings\Owner\.gimp-2.2
2008-12-17 10:29 . 2008-12-17 10:29   <DIR>   d--------   c:\program files\Common Files\GTK
2008-12-17 06:01 . 2008-12-17 06:01   260   --a------   c:\windows\_delis32.ini
2008-12-16 12:22 . 2008-12-16 12:22   <DIR>   d--------   c:\program files\Microsoft Works
2008-12-16 12:21 . 2008-12-16 12:21   <DIR>   d--------   c:\program files\MSBuild
2008-12-16 12:20 . 2008-12-16 12:20   <DIR>   d--------   c:\program files\Microsoft.NET
2008-12-16 12:14 . 2008-12-16 12:15   <DIR>   d--------   c:\program files\Microsoft Visual Studio 8
2008-12-16 12:13 . 2008-12-18 16:57   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 12:12 . 2008-12-16 12:12   <DIR>   dr-h-----   C:\MSOCache
2008-12-16 11:54 . 2008-12-16 12:08   <DIR>   d--------   c:\program files\MsOffice2007
2008-12-16 11:13 . 2008-12-16 11:13   <DIR>   d--------   c:\documents and settings\Owner\Application Data\AdobeUM
2008-12-16 10:49 . 2008-12-16 10:49   26,944   --a------   c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-12-14 12:47 . 2008-12-18 10:42   <DIR>   d--------   c:\program files\Winamp
2008-12-14 12:47 . 2008-12-21 06:02   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Winamp
2008-12-14 12:43 . 2008-12-14 12:43   <DIR>   d--------   c:\program files\Combined Community Codec Pack
2008-12-14 03:10 . 2008-12-14 03:10   <DIR>   d--------   c:\program files\Gabest
2008-12-13 23:37 . 2008-12-18 11:44   478   --a------   c:\windows\ODBC.INI
2008-12-13 23:31 . 2008-12-18 16:56   <DIR>   d--------   c:\windows\ShellNew
2008-12-13 23:22 . 2008-12-13 23:22   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-13 23:22 . 2005-12-09 01:26   65,536   --a------   c:\windows\system32\QuickTimeVR.qtx
2008-12-13 23:22 . 2005-12-09 01:26   49,152   --a------   c:\windows\system32\QuickTime.qts
2008-12-13 23:20 . 2008-12-13 23:20   <DIR>   d--------   c:\windows\Downloaded Installations
2008-12-13 23:18 . 1998-10-30 04:15   306,688   --a------   c:\windows\IsUninst.exe
2008-12-13 23:11 . 2008-12-13 23:11   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Media Player Classic
2008-12-13 23:10 . 2008-12-13 23:11   <DIR>   d--------   c:\documents and settings\Owner\Application Data\bsplayer
2008-12-13 23:09 . 2008-12-13 23:23   <DIR>   d--------   c:\program files\K-Lite Codec Pack
2008-12-13 23:06 . 2008-12-13 23:06   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Ahead
2008-12-13 22:56 . 2008-12-13 22:56   <DIR>   d--------   c:\program files\Power Video Converter
2008-12-13 22:55 . 2008-12-21 00:16   <DIR>   d--------   c:\program files\Common Files\Adobe
2008-12-13 22:48 . 2008-12-13 22:48   <DIR>   d--------   c:\windows\Cache
2008-12-13 22:41 . 2008-12-13 23:21   <DIR>   d--------   c:\program files\QuickTime
2008-12-13 22:41 . 1999-11-10 22:35   86,016   --a------   c:\windows\unvise32qt.exe
2008-12-12 15:33 . 2008-12-12 15:33   <DIR>   d--------   c:\program files\SmartSound Software Inc

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 08:44   ---------   d-----w   c:\documents and settings\Owner\Application Data\uTorrent
2008-12-12 05:46   ---------   d-----w   c:\program files\Windows Media Connect 2
2008-12-12 05:46   ---------   d-----w   c:\program files\NotePad++
2008-12-12 05:46   ---------   d-----w   c:\program files\Foxit
2008-12-11 21:46   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-12-11 21:45   ---------   d-----w   c:\program files\Common Files\InstallShield
2008-12-11 21:42   ---------   d-----w   c:\program files\Pinnacle Systems
2008-12-11 21:34   ---------   d-----w   c:\program files\DAP
2008-12-11 21:33   ---------   d-----w   c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-11 20:01   ---------   d-----w   c:\program files\Pinnacle
2008-12-11 19:39   ---------   d-----w   c:\documents and settings\All Users\Application Data\Pinnacle
2008-12-11 19:29   ---------   d-----w   c:\program files\TC
2008-12-11 19:19   ---------   d-----w   c:\program files\uTorrent
2008-12-11 19:19   ---------   d-----w   c:\program files\Google
2008-12-11 19:17   50,688   ----a-w   c:\windows\system32\wbhelp2.dll
2008-12-11 19:10   ---------   d-----w   c:\program files\MiraScan
2008-12-11 19:00   ---------   d-----w   c:\program files\Ahead
2008-12-11 19:00   ---------   d-----w   c:\documents and settings\All Users\Application Data\Ahead
2008-12-11 18:59   ---------   d-----w   c:\program files\Common Files\Nero
2008-12-11 18:57   ---------   d-----w   c:\program files\Common Files\Ahead
2008-12-21 08:45   67,688   ----a-w   c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 08:45   54,368   ----a-w   c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 08:45   34,944   ----a-w   c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 08:45   46,712   ----a-w   c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 08:45   172,136   ----a-w   c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-18 68856]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-12-12 3114496]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-06-21 4538368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-03-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-03-11 106496]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-16 229376]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-13 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-01-09 c:\windows\system32\advpack.dll]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-17 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP31"= vp31vfw.dll
"VIDC.FFDS"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [2008-12-12 180480]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\d9j6y90l.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com/
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 01:07:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-25  1:08:18
ComboFix-quarantined-files.txt  2008-12-24 19:38:14

Pre-Run: 7,496,040,448 bytes free
Post-Run: 7,487,504,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

201

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Help needed
« Reply #35 on: December 25, 2008, 01:20:51 PM »
Quote
well system still hangs up abruptly

Can you explain exactly what it's doing, is it only on startup?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Arpan

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
Help needed
« Reply #36 on: December 27, 2008, 04:12:51 PM »
As I have observed in the past 2-3 days, the system is not hanging anymore, and I am really happy about it and also appreciate your help throughout these days. But I don't understand one thing here. I have a folder called "films" on my E drive, one of the partitions of the hard drive. Whenever I keep this folder open for a minute or so, it shows me an error message that "windows explorer has encountered an error, so it will close down." Then obviously win explorer gets closed down. This does not happen if I open any other folder on E or any other drive. I understand neither the logic behind this problem nor the reason.
Can you help me with this issue?
« Last Edit: December 27, 2008, 04:14:58 PM by Arpan »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Help needed
« Reply #37 on: December 27, 2008, 06:01:02 PM »
Since it's only one folder, and probably video files, it could be just one corrupt file in the folder causing the problem.

Go to START>>RUN>>Copy and paste the following into the open field

regsvr32 /u shmedia.dll

Then click OK

See if you can open the Films folder without the error
What view are you using in that folder?
E.g. Thumbnails, Icons, Tiles?



Offline Arpan

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
Help needed
« Reply #38 on: December 28, 2008, 03:47:20 PM »
The given task completed successfully. There is a thumbnail view. It seems the error is gone.
It was not showing the error at the time of opening the folder. In fact, the error used to come after 1-2 minutes of opening it, which I am noticing right now. So it seems it has been repaired now.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Help needed
« Reply #39 on: December 29, 2008, 02:07:21 PM »
Do the following again
Start>>Run>>copy and paste the following

combofix /u

Hit OK
Again, this will uninstall ComboFix

Everything else ok?
I'll lock this topic if you find no other problems
