
Can't Access My External Hdd, Trj/agent.fdu


58 replies to this topic

#1 cmon1011

cmon1011

  • Members
  • 61 posts

Posted 23 July 2007 - 09:52 AM

Everything was fine, but suddenly:
When I plug in my external HDD, it's OK; a pop-up appears and I can access it from that.

But if I try to open it from My Computer, it gives me this:
Posted Image
But if I try to open it by typing the drive name (M:), I can access it.

Sometimes I get this message:
Posted Image
or
Posted Image

Any idea why?
I already installed the USB driver, and in Device Manager there's no "!".
I tried to change the owner, but it doesn't work; the previous owner is Administrator, and I changed it to my username, but I still can't access it the normal way.
I also added my username under Security and allowed full control.
And by the way, if I right-click > Open, it's OK, but if I double-click, it gives me those errors -_-"

I post it here because AVG sometimes gives me those error messages if I try to open it from My Computer.
I also checked this: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ and Panda tells me that I'm infected with Trj/Agent.FDU, which I can't remove because I need to buy Panda Pro or something.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:27 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\utorrent.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtremewrestlingtorrents.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185171995906
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

--
End of file - 5015 bytes



#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 25 July 2007 - 03:27 AM

Hi and welcome.

I see you have 2 firewalls installed.
Comodo and AVG
Likely Windows Firewall is turned on as well.
Doing this will cause big conflicts.
So I suggest uninstalling one of the firewalls and turning off the XP one.

----------------------

Sounds like there is a command in the registry to have your external run another program that AVG has denied access to.
So Windows does not know how to access your M drive.

Download this program and save it to your desktop:

http://www.techsupportforum.com/sectools/s...Disinfector.exe

Don't run it yet.

Download this file and save it to your desktop.

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Don't run it yet.

Make sure your External is plugged in but don't "open" it yet.

Once saved, temporarily disable your AVG Resident Shield and run Flash_Disinfector.
Follow the prompts & let it do its job.

Double click ComboFix.exe and let it run.
Follow the prompts.
You will temporarily lose your desktop while the scan is running. Once the scan is done, the desktop will return to normal.
- When finished, it shall produce a log for you. Post that log in your next reply along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note2:
Don't forget to turn AVG back on!

Let me know how things are running.

You may not be able to access M drive on double click but *should* be able to right click> explore.
There will be more work to do.

Thanks!

********************



ps. If I don't get back to you within 24 hours please shoot me a PM. Mailer does not always work its best and I miss replies sometimes.

:thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#3 cmon1011

cmon1011
  • Topic Starter

  • Members
  • 61 posts

Posted 25 July 2007 - 03:54 AM

I see you have 2 firewalls installed.
Comodo and AVG
Likely Windows Firewall is turned on as well.
Doing this will cause big conflicts.
So I suggest uninstalling one of the firewalls and turning off the XP one.

I already turned off my Windows Firewall before, and AVG's firewall doesn't work because I need to register a pro version or something (it was a trial).

For some reason, it's suddenly working, but I didn't edit my post here (I'm sorry about that :thumbsup:).
Should I keep doing what you're telling me to?

Or I think I'm still infected with Trj/Agent.FDU, because I can't find it with AVG, and the free scans on HouseCall Antivirus and BitDefender didn't find it.
Any suggestion about that?

I'm sorry again that I didn't edit my external HDD problem.

This is my current log (I haven't followed your instructions except downloading what you wanted):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:12 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\utorrent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtremewrestlingtorrents.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185171995906
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

--
End of file - 5304 bytes

Thanks again

#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:02:40 PM

Posted 25 July 2007 - 09:02 PM

Hi,

Yes. Go ahead and carry out previous instructions please.
Combofix log is what I really need to see.

If AVG Firewall is expired then best to uninstall it.
You have Comodo which never expires.

Did the AVG Firewall come bundled with AVG Antivirus or are these separate apps?

Thanks :thumbsup:

#5 cmon1011

cmon1011
  • Topic Starter

  • Members
  • 61 posts

Posted 25 July 2007 - 11:17 PM

If AVG Firewall is expired then best to uninstall it.
You have Comodo which never expires.

Did the AVG Firewall come bundled with AVG Antivirus or are these separate apps?

Thanks :thumbsup:

Yes, AVG Firewall came with AVG Antivirus, but it doesn't work since it was a trial, and I don't display it in the AVG components (it's not active either).


This is from ComboFix:
"Cmon" - 2007-07-26 6:09:37 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 06:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 06:03 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-07-26 06:03 <DIR> drahs---- C:\autorun.inf
2007-07-25 22:00 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-24 15:06 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-24 15:06 <DIR> d-------- C:\DOCUME~1\Cmon\APPLIC~1\vlc
2007-07-24 13:06 <DIR> d-------- C:\WWE.Raw.07.23.07.DSR.XViD-KYR
2007-07-23 23:41 <DIR> d-------- C:\Program Files\Grandia2
2007-07-23 18:44 <DIR> d-------- C:\Program Files\Bullfrog
2007-07-23 18:43 299,008 --a------ C:\WINDOWS\uninst.exe
2007-07-23 18:31 36,864 --a------ C:\WINDOWS\system32\EGameEncrypt.dll
2007-07-23 18:31 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-07-23 17:04 <DIR> d-------- C:\DOCUME~1\Cmon\APPLIC~1\ATI
2007-07-23 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI
2007-07-23 17:01 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-07-23 17:01 <DIR> d-------- C:\Program Files\ATI Technologies
2007-07-23 17:00 <DIR> d-------- C:\ATI
2007-07-23 13:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-23 13:12 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-23 13:05 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-23 12:02 20,016 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-07-23 12:02 <DIR> d-------- C:\Program Files\Winamp
2007-07-23 11:55 <DIR> d-------- C:\DOCUME~1\Cmon\.housecall6.6
2007-07-23 09:56 <DIR> d-------- C:\Stuff
2007-07-23 09:44 174,163 --a------ C:\Program Files\utorrent.exe
2007-07-23 09:22 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-07-23 08:52 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-23 08:40 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-23 08:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-23 08:37 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-23 08:36 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-23 08:36 <DIR> d-------- C:\DOCUME~1\Cmon\Contacts
2007-07-23 08:34 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-23 08:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-23 08:23 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-23 08:23 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-23 08:21 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-23 08:21 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-23 08:20 <DIR> d---s---- C:\DOCUME~1\Cmon\UserData
2007-07-23 08:13 66,424 --a------ C:\WINDOWS\system32\NicEtCoE.dll
2007-07-23 08:13 62,840 --a------ C:\WINDOWS\system32\NicInstE.dll
2007-07-23 08:13 28,536 --a------ C:\WINDOWS\system32\NicCo.dll
2007-07-23 08:13 254,872 --a------ C:\WINDOWS\system32\drivers\e1e5132.sys
2007-07-23 08:13 179,048 --a------ C:\WINDOWS\system32\e1000msg.dll
2007-07-23 08:13 154,496 --a------ C:\WINDOWS\system32\Prounstl.exe
2007-07-23 02:50 <DIR> d-------- C:\Cinema
2007-07-23 00:35 <DIR> d-------- C:\DOCUME~1\Cmon\APPLIC~1\AdobeUM
2007-07-22 12:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-22 12:33 <DIR> d-------- C:\DOCUME~1\Cmon\APPLIC~1\uTorrent
2007-07-22 02:32 <DIR> d-------- C:\Program Files\CDisplay
2007-07-22 01:46 0 --a------ C:\WINDOWS\PowerReg.dat
2007-07-21 22:48 304,128 --a------ C:\WINDOWS\IsUninst.exe
2007-07-21 22:48 <DIR> d-------- C:\DOCUME~1\Cmon\WINDOWS
2007-07-21 22:47 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-21 22:47 <DIR> d-------- C:\DOCUME~1\Cmon\APPLIC~1\Atari
2007-07-21 22:41 <DIR> d-------- C:\Entertainments
2007-07-21 22:39 <DIR> d-------- C:\WINDOWS\ShellNew
2007-07-21 22:39 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-07-21 22:36 <DIR> d-------- C:\Program Files\mIRC
2007-07-21 22:31 <DIR> d-------- C:\WINDOWS\Cache
2007-07-21 22:00 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-07-21 22:00 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-07-21 22:00 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-07-21 22:00 <DIR> d-------- C:\Program Files\D-Tools
2007-07-21 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-21 21:02 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-21 21:02 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-07-21 20:35 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-07-21 20:34 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-21 20:34 <DIR> d-------- C:\Program Files\Intel
2007-07-21 20:33 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-07-21 20:32 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-07-21 20:32 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-07-21 20:32 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-07-21 20:32 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-07-21 20:32 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-07-21 20:32 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-07-21 20:32 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-07-21 20:32 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-07-21 20:32 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2007-07-21 20:32 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-07-21 20:32 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-07-21 20:32 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-21 20:32 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-07-21 20:32 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-07-21 20:32 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-07-21 20:32 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-07-21 20:31 9,715,200 --a------ C:\WINDOWS\RTLCPL.exe
2007-07-21 20:31 86,016 --a------ C:\WINDOWS\SoundMan.exe
2007-07-21 20:31 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2007-07-21 20:31 520,192 --a------ C:\WINDOWS\RtlExUpd.dll
2007-07-21 20:31 4,403,712 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-07-21 20:31 315,392 --a------ C:\WINDOWS\HideWin.exe
2007-07-21 20:31 2,808,832 --a------ C:\WINDOWS\alcwzrd.exe
2007-07-21 20:31 2,162,688 --a------ C:\WINDOWS\MicCal.exe
2007-07-21 20:31 16,132,608 --a------ C:\WINDOWS\RTHDCPL.exe
2007-07-21 20:31 1,822,720 --a------ C:\WINDOWS\SkyTel.exe
2007-07-21 20:31 1,191,936 --a------ C:\WINDOWS\RtlUpd.exe
2007-07-21 20:31 <DIR> d-------- C:\Program Files\Realtek
2007-07-21 19:15 4 --a------ C:\WINDOWS\wmsetup.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 02:27:54 44,240 ----a-w C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-05 17:40:44 149,278 ----a-w C:\WINDOWS\system32\atiicdxx.dat
2007-05-16 07:18:44 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-04-26 17:45:42 172,032 ----a-w C:\WINDOWS\system32\Ncs2Setp.dll
2007-04-26 17:25:28 564,096 ----a-w C:\WINDOWS\system32\ncs2dmix.dll
2007-04-26 17:25:14 449,408 ----a-w C:\WINDOWS\system32\accesor.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-21 00:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 14:27 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\Alcmtr.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-23 08:21]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ATIModeChange"="Ati2mdxx.exe" [2007-06-27 03:51 C:\WINDOWS\system32\Ati2mdxx.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-07-16 15:17]

C:\Documents and Settings\Cmon\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-07-23 23:45:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)

R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys
R1 CmdMon;Comodo Application Engine;C:\WINDOWS\system32\DRIVERS\cmdmon.sys
R2 windrvNT;windrvNT;\??\C:\WINDOWS\system32\windrvNT.sys
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
Auto\command- N:\RECYCLER\usbdriver.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\usbdriver.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63092b8c-37ad-11dc-a43c-bf70731e2dc9}]
Auto\command- K:\RECYCLER\usbdriver.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\usbdriver.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da26d988-3714-11dc-a438-bea8baa15c47}]
Auto\command- G:\RECYCLER\usbdriver.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\usbdriver.exe

*Newly Created Service* - APPMGMT
*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 06:10:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software
disk error: C:\Documents and Settings\Cmon\ntuser.dat
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan
**************************************************************************

Completion time: 2007-07-26 6:10:57
C:\ComboFix-quarantined-files.txt ... 2007-07-26 06:10
C:\ComboFix2.txt ... 2007-07-26 06:06

--- E O F ---

This is HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:33 AM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\utorrent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtremewrestlingtorrents.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185171995906
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

--
End of file - 5311 bytes

#6 Blender (Malware Response Team)

Posted 26 July 2007 - 09:02 PM

Hi,

Is your user account one with admin privs?
You can check this in Control Panel. Open User Accounts (you may need to enable "classic view").
Under your name it should say "limited user" or "computer administrator".

Let me know please.
Also let me know if the administrator account is password protected. I might need to use it to fix the rest of your issues, but it will need to be a password-protected account to use the "run as" feature (it won't let you unless you have a password on it).

------------------------

AVG being expired and the AV not working either...
It is useless to you if you can't update. It is nearly as bad as having no antivirus.
Uninstall AVG totally.

You can get the free AVG here:

http://free.grisoft.com/doc/1

Alternative AV:

AntiVir:
http://www.free-av.com/antivirus/allinonen.html

Active Virus Shield:
http://www.activevirusshield.com/antivirus/freeav/index.adp
(uncheck the security toolbar during install)

Only install ONE > update it > run a scan & let it fix/quarantine what it wants.

AntiVir has very good detections and is light on resources.

Active Virus Shield is built on the Kaspersky engine. (Awesome AV)

What is this?

C:\WINDOWS\HideWin.exe

Did you install that program? Free version of this?:

http://www.hide-window.com/

and you installed "Folderlock"?

I'm asking these questions because the "catchme" scan in your ComboFix log is giving me really funky results that I am having trouble figuring out.

---------------------------------------

Download Bobbi Flekman's RegSearch from
http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

usbdriver.exe

then hit Ok

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Post contents of RegSearch.txt
Let me know if you installed the programs I asked about and what HideWindow is if you know.
Let me know if your user account is/is not admin.
Let me know if you got AVG uninstalled OK and the other AV installed.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#7 cmon1011 (Topic Starter)

Posted 26 July 2007 - 09:28 PM

Is your user account one with admin privs?

Also let me know if the administrator account is password protected. Might need to use it to fix the rest of your issues but it will need to be password protected account to use the "run as" feature. (it won't let you unless you have a password on it)

Yes, it's computer administrator, I just made it password protected

AVG being expired and the AV not working either...

I already registered my AVG, but AVG's firewall is not allowed by my current license. I can update it as well, but I don't mind changing AV; which one would you suggest, AntiVir or Active Virus Shield? (I don't mind about resources, since I think I can handle it.) I'll uninstall my AVG after your next reply & download your suggestion (maybe your personal choice between them :thumbsup: )

What is this?

C:\WINDOWS\HideWin.exe

Did you install that program? Free version of this?:

http://www.hide-window.com/

I have no idea; I never knew that program existed.

and you installed "Folderlock"?

Yes, just to lock some folder

Download Bobbi Flekman's RegSearch from
http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

usbdriver.exe

then hit Ok

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Post contents of RegSearch.txt

Done, here's the content:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 7/27/2007 4:18:42 AM for strings:
; 'usbdriver.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\N\Shell\Auto\command]
@="N:\\RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\N\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63092b8c-37ad-11dc-a43c-bf70731e2dc9}\Shell\Auto\command]
@="K:\\RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63092b8c-37ad-11dc-a43c-bf70731e2dc9}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da26d988-3714-11dc-a438-bea8baa15c47}\Shell\Auto\command]
@="G:\\RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da26d988-3714-11dc-a438-bea8baa15c47}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\\usbdriver.exe"

; End Of The Log...

Thanks :flowers:

#8 Blender (Malware Response Team)

Posted 27 July 2007 - 01:58 PM

Hi,

Copy the following text to a new notepad file.
Save as file name Fix.reg
As file types: All Files (*)
Save it to your desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\N]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63092b8c-37ad-11dc-a43c-bf70731e2dc9}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da26d988-3714-11dc-a438-bea8baa15c47}]

Once saved, double click it and allow the merge.
You should get a success message.

After a reboot you should be able to access all your drives normally.
You can delete Fix.reg

--------------------------------------
Upload this file:

C:\WINDOWS\HideWin.exe

Here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

Put link to this thread in the space provided so I know who's file it is.

Thanks :thumbsup:

---------------------------------

Click start> run> type: msconfig and hit enter.
Click the boot.ini tab.
Checkmark ONLY /Bootlog
Apply & "close"

Go ahead and reboot.
When you get the MSConfig nag at boot-up...
Just check the box that says "don't tell me this again" and hit OK.

Upload this file:

c:\Windows\ntbtlog.txt to this site:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Put link to this thread in space provided so I know who the log belongs to.

-----------------------------

Antivirus....

Your choice. I like either.
If you choose Active Virus Shield make sure to uncheck the "security toolbar" during the install.

-----------------------------

That catchme reading is kinda odd.
Have you been getting any "Disk" messages in Event Viewer?
Start> run> type eventvwr and hit enter.
Click "system" at left.
Anything in RED at right?
Anything there with title "Disk" ?


Hmmm..

Click start> run> type cmd and hit enter.
A "DOS" window pops up.
Type the following command exactly as you see it and hit enter:

fsutil dirty query c:

Let me know if you get a NOT DIRTY message or a DIRTY message.
It will be displayed in the open cmd window.

Type "exit" then hit "enter" to close it.

Let me know how things are running.

Thanks :flowers:
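The RegSearch output posted earlier in the thread shows exactly what was changed: for each volume Explorer had seen (drive letter N and two volume GUIDs), the per-volume Shell\Auto\command and Shell\AutoRun\command handlers under HKCU\...\MountPoints2 point at RECYCLER\usbdriver.exe on that drive. These are the cached autorun handlers Explorer consults when a drive is opened through its default action, which is consistent with the original symptom (double-click fails, right-click > Open works). Blender's Fix.reg deletes the three affected volume subkeys. The script below is an added example, not part of the thread or of RegSearch: it parses a RegSearch/.reg export, flags MountPoints2 command handlers that launch an executable out of a RECYCLER directory (a heuristic taken from this one log, not a general signature for the trojan), and generates the same kind of REGEDIT4 deletion script. The sample input is the export posted above, embedded as a constant; the function and constant names are mine.

```python
"""Find hijacked per-volume handlers in a RegSearch (.reg) export and build the
removal script.

Added example for this thread; it is not part of the original posts, of RegSearch,
or of any product.  SAMPLE_REG is the RegSearch output posted in the thread, embedded
as a constant.  The RECYCLER heuristic in hijacked_mountpoints() is drawn from that
one log and is an assumption, not a general signature for this trojan.
"""
import re

# Constructed sample input: the RegSearch export from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\N\Shell\Auto\command]
@="N:\\RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\N\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63092b8c-37ad-11dc-a43c-bf70731e2dc9}\Shell\Auto\command]
@="K:\\RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63092b8c-37ad-11dc-a43c-bf70731e2dc9}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da26d988-3714-11dc-a438-bea8baa15c47}\Shell\Auto\command]
@="G:\\RECYCLER\\usbdriver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da26d988-3714-11dc-a438-bea8baa15c47}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\\usbdriver.exe"
"""

MOUNTPOINTS2 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<data>.*)"\s*$')
# An executable launched out of a RECYCLER directory, with or without a drive letter in front.
RECYCLER_EXE_RE = re.compile(r"recycler\\[^\\\s]+\.exe", re.IGNORECASE)


def parse_reg(text):
    """Map each key in a .reg export to its default (@) string value, unescaped."""
    values = {}
    current = None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m["key"]
        elif current and (m := DEFAULT_VALUE_RE.match(line)):
            # .reg string data escapes backslash as \\ and double quote as \"
            values[current] = m["data"].replace('\\\\', '\\').replace('\\"', '"')
    return values


def hijacked_mountpoints(values):
    """Return {volume_subkey: [(verb, command), ...]} for every
    MountPoints2\\<volume>\\Shell\\<verb>\\command whose data runs a RECYCLER executable."""
    prefix = MOUNTPOINTS2.lower() + "\\"
    hits = {}
    for key, data in values.items():
        if not key.lower().startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")   # <volume>, Shell, <verb>, command
        if len(parts) != 4 or parts[1].lower() != "shell" or parts[3].lower() != "command":
            continue
        if RECYCLER_EXE_RE.search(data):
            hits.setdefault(parts[0], []).append((parts[2], data))
    return hits


def build_fix_reg(hits):
    """Emit a REGEDIT4 script deleting each affected volume subkey, as the thread's Fix.reg does."""
    lines = ["REGEDIT4", ""]
    for volume in sorted(hits):
        lines += [f"[-{MOUNTPOINTS2}\\{volume}]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = hijacked_mountpoints(parse_reg(SAMPLE_REG))
    for volume, handlers in found.items():
        for verb, command in handlers:
            print(f"{volume}\t{verb}\t{command}")
    print(build_fix_reg(found))
```

Deleting the MountPoints2 subkeys only stops Explorer from running the cached handler. The RECYCLER\usbdriver.exe file and any autorun.inf on the external drives are still there until the antivirus removes them (the three AntiVir detections later in the thread), and Explorer rebuilds these subkeys from the drive's autorun.inf the next time an uncleaned drive is plugged in, so the registry fix and the file clean-up have to go together.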

#9 cmon1011 (Topic Starter)

Posted 27 July 2007 - 06:52 PM

...
You can delete Fix.reg

...
Upload this file:
C:\WINDOWS\HideWin.exe

...
Upload this file:
c:\Windows\ntbtlog.txt

Done

That catchme reading is kinda odd.
Have you been getting any "Disk" messeges in event viewer?
Start> run> type eventvwr and hit enter.
Click "system" at left.
Anything in RED at right?
Anything there with title "Disk" ?

Yes, some are red, for example because I disabled AVG Firewall, about safe mode, and about a wrong driver that I tried to install (I was confused when I tried to install some driver, but it should be alright right now).
This is the one with the title "disk":
[screenshot of the Disk event]

...
fsutil dirty query c:

It's dirty. Is it because I haven't run checkdisk? If it is because of checkdisk: I cancelled the checkdisk (I forgot how to cancel checkdisk whenever I reset my computer). It happened because I had a problem while trying to play a game, so I needed to reset my computer.

I already uninstalled AVG & installed AntiVir (updated it; currently scanning with it, so far it found 3 detections & I already deleted those).

Thanks :thumbsup:

Edited by cmon1011, 27 July 2007 - 06:52 PM.


#10 Blender (Malware Response Team)

Posted 28 July 2007 - 03:25 AM

Hi,

OK. Let me go look at that log you uploaded and the file.

I'll get back to you shortly.

Can you check something for me?

Right click "my computer" then "properties"
Click Hardware tab
Click "device manager"

Anything in the list with ! or ?

Thanks :thumbsup:

#11 Blender (Malware Response Team)

Posted 28 July 2007 - 03:50 AM

Hi,

<<post edited>> If you already read this please look again.
Thanks :thumbsup:

Log you uploaded is OK.
HideWin is OK. It is part of the RealTek software.
It seems to give you the ability to use "hotkeys" to minimise programs to your systray rather than to the task bar.

You will need to run chkdsk to reset the "dirty bit".

This is going to take a while, so maybe set it up for when you head off to sleep.

Click start> run> type: cmd and hit enter

Type chkdsk /r and hit enter (there is a space between the k and the /).
You *should* be told that the disk is in use and that it will be run at next boot.
When done with the computer go ahead and reboot.

Let the chkdsk do its thing. This might take several hours!

Once back into windows run this command again:

fsutil dirty query c:

Let me know if still dirty or not.

Let me know if AntiVir cleaned up those trojans OK.

Let me know how system is running and if you can access your external OK.

Thanks :flowers:

Edited by Blender, 28 July 2007 - 04:21 AM.


#12 cmon1011 (Topic Starter)

Posted 28 July 2007 - 08:57 AM

fsutil dirty query c:

Let me know if still dirty or not.

Let me know if AntiVir cleaned up those trojans OK.

Let me know how system is running and if you can access your external OK.

Thanks :thumbsup:


c: is NOT dirty

AntiVir looks fine & I already deleted the problem files

Looks like everything works perfectly

Thanks for everything ;)

#13 Blender (Malware Response Team)

Posted 29 July 2007 - 07:10 AM

Awesome. Good to hear. :thumbsup:

Can you do me one more test please?
I want to confirm my suspicion that the "dirty bit" being set was what was screwing up "catchme".

Please do this:

Click start> run> type catchme and hit enter.
A "DOS" box will pop up and scan....
Once it is done it should tell you if anything hidden was found or not.
You can close this "dos" box.

Locate this file and post its contents here:

C:\Windows\system32\catchme.log

Also one more Hijackthis log please.

Thanks :flowers:

Don't run away yet. We need to clean up the tools we used and a few other things to finish up.

#14 cmon1011 (Topic Starter)

Posted 29 July 2007 - 08:23 AM

Can you do me one more test please?
I want to confirm my suspicions about the "dirty bit" being set that was screwing up "catchme"

Please do this:

Click start> run> type catchme and hit enter.
A "dos" box will pop up and scan....
Once it is done it should tell you if anything hidden was found or not.
You can close this "dos" box.

Locate this file and post its contents here:

C:\Windows\system32\catchme.log

It gives me this:
[screenshot]

It doesn't do anything, so I click Scan & it gives me this:
[screenshot]

My account is:
[screenshot]

Any idea?

Don't worry, I have no intention to run; my folder looks messed up because of some additional programs you told me to download & I might need your help to clean it up :thumbsup:

My current HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:18 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\utorrent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtremewrestlingtorrents.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185171995906
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

--
End of file - 5042 bytes

Thanks :flowers:

Edited by cmon1011, 29 July 2007 - 08:25 AM.


#15 Blender (Malware Response Team)

Posted 29 July 2007 - 04:38 PM

Hi,

Thanks for the screenshots.
I was wrong about the location of catchme.log. It would have been in the \Windows folder.

That is kinda odd -- those errors.
I did post a message for the ComboFix creator and the Catchme creator because I am not sure what is wrong.
I should expect a reply from either or both of them shortly.

Are you still getting "disk" errors showing up in Eventvwr?
Same sort of thing as you posted the screenshot about earlier?
Hard drive making any funny noises?
Can you access your folders/files OK?
Are you getting other error messages when running programs?

What brand is your hard drive?
Right click "my computer" then properties.
Click "hardware" tab
Click "device manager"
Expand "disk drives"

What is listed there other than the external? Post the model number(s) you see please.

Sorry about all the questions but I'm asking them since I ran into a similar issue on one of my machines. (disk errors)

Not sure if we are looking at a dying hard drive or not but it is a possibility.
You do have your important stuff backed up to the external?
If not I suggest you do. Just in case.
I had those disk errors on one of my PCs and after a while I eventually lost the hdd.
I saw my operating system along with everything else get more or less deleted right before my eyes.

--------------------------

Start Hijackthis
Run system scan and check:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Click "fix checked", Ok it and exit Hijackthis.

It is part of RealTek software but you don't need it running.
RealTek doesn't need to gather data about you.

http://www.bleepingcomputer.com/startups/ALCMTR.EXE-240.html

--------------------------

Don't worry, I have no intention to run; my folder looks messed up because of some additional programs you told me to download & I might need your help to clean it up


What do you mean by this? Can you explain some? What program do you figure did this?

Thanks :thumbsup:
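Comparing the HijackThis log in the previous post with the one the thread opened with (its O4/O23 tail is reproduced near the top of this page) is how a helper sees what changed between posts: the AVG entries and PowerReg Scheduler are gone, AntiVir and LogMeIn entries are new. The script below is an added example, not part of the thread or of HijackThis: it parses the O4 (Run keys and Startup folders) and O23 (services) lines of two logs, reports entries added and removed, and lists Run entries whose command is a bare file name rather than a full path, which is the shape of the [Alcmtr] ALCMTR.EXE entry Blender asks to have fixed. The two excerpts are hand-copied fragments of the logs posted in the thread, embedded as constants; the line patterns match the lines visible on this page and are an assumption for any other HijackThis output.

```python
"""Diff the autostart entries (O4 Run keys and Startup folders, O23 services) of two
HijackThis logs and flag Run entries that name a bare file instead of a full path.

Added example for this thread; not part of the original posts or of HijackThis.
BEFORE_LOG and AFTER_LOG are hand-copied fragments of the two logs posted in the
thread.  The line patterns match the lines visible on the page and are an
assumption for any other HijackThis output.
"""
import re

# Constructed sample input: fragments of the first log (before the fix) ...
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# ... and of the second log, posted after AVG was replaced by AntiVir.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

O4_RUN_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]+)\] (?P<command>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<location>(?:Global )?Startup): (?P<command>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# A command that starts with a drive letter, a UNC prefix or an environment variable,
# optionally quoted; anything else is resolved through the search path at logon.
QUALIFIED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')


def parse_autostarts(log_text):
    """Return {(kind, location, name, command_or_path): raw_line} for O4 and O23 lines."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RUN_RE.match(line):
            key = ("run", m["location"], m["name"], m["command"])
        elif m := O4_STARTUP_RE.match(line):
            key = ("startup", m["location"], "", m["command"])
        elif m := O23_RE.match(line):
            key = ("service", m["vendor"], m["name"], m["path"])
        else:
            continue
        entries[key] = line
    return entries


def diff_autostarts(before_text, after_text):
    """Return (added, removed): raw lines present in only one of the two logs."""
    before = parse_autostarts(before_text)
    after = parse_autostarts(after_text)
    added = sorted(after[k] for k in after.keys() - before.keys())
    removed = sorted(before[k] for k in before.keys() - after.keys())
    return added, removed


def unqualified_run_entries(log_text):
    """Raw O4 Run lines whose command is a bare file name (e.g. ALCMTR.EXE) rather than
    a full path, so the loader's search order decides which file actually starts."""
    return sorted(
        line
        for (kind, _loc, _name, command), line in parse_autostarts(log_text).items()
        if kind == "run" and not QUALIFIED_RE.match(command)
    )


if __name__ == "__main__":
    added, removed = diff_autostarts(BEFORE_LOG, AFTER_LOG)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("bare file names:", *unqualified_run_entries(AFTER_LOG), sep="\n  ")
```

Entries are keyed on location, name and command, so a Run value whose name stays the same but whose command changes shows up as one removal plus one addition, which is the case that matters when a legitimate entry has been repointed at another file.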



