
C Disc Showed As Red X


1 reply to this topic

#1 adi-beg

adi-beg

  • Members
  • 1 posts

Posted 30 January 2008 - 09:05 AM

Hi.

On my computer the C disc is shown as a red X. I had a lot of files named posxxx in the C:\ directory, and eTrust antivirus repeatedly reported a found virus. I downloaded ComboFix from your website and followed the instructions. Here is the output of the log file:

ComboFix 08-01-30.6 - havard.berntzen 2008-01-30 14:29:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.470 [GMT 1:00]
Running from: C:\Documents and Settings\havard.berntzen\Skrivebord\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkhhh.dll
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Programfiler\CA\eTrustITM\realmon.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dinvsgfm.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\gnncfybb.ini
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkhhh.exe
C:\WINDOWS\system32\jonzngug.dllbox
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfgsvnid.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\udqoajtr.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 14:12 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-30 14:12 . 2007-09-18 18:56 211 --a------ C:\Boot.bak
2008-01-30 12:23 . 2008-01-30 12:36 4,976 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-30 12:22 . 2008-01-30 12:36 <DIR> d-------- C:\SmitfraudFix
2008-01-30 12:22 . 2007-11-26 11:08 1,045,572 --a------ C:\SmitfraudFix.exe
2008-01-30 10:13 . 2008-01-30 10:13 <DIR> d-------- C:\POWER POINT FOREDRAG 2007-2008
2008-01-29 14:56 . 2008-01-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avg7
2008-01-29 14:44 . 2008-01-29 14:44 728 --a------ C:\WINDOWS\system32\DWRCCMDError.ini
2008-01-21 19:13 . 2008-01-21 19:13 12,413,440 --a------ C:\AVG-Anti-Spyware-7.5.1.43.exe
2008-01-21 18:34 . 2008-01-29 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Grisoft
2008-01-21 17:03 . 2008-01-21 18:33 31,768,752 --a------ C:\avg75free_516a1225.exe
2008-01-20 15:16 . 2008-01-20 15:16 2,402,832 --a------ C:\WLinstaller.exe
2008-01-18 23:43 . 2008-01-18 23:43 <DIR> d-------- C:\Programfiler\Windows Media Connect 2
2008-01-18 23:42 . 2008-01-18 23:42 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-18 23:42 . 2008-01-18 23:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-15 18:24 . 2008-01-28 12:37 <DIR> d-------- C:\Rekrutteringsdagene
2008-01-15 14:16 . 2008-01-29 15:45 <DIR> d-------- C:\Kompetansedagene
2008-01-08 12:18 . 2008-01-08 12:18 <DIR> d-------- C:\Programfiler\MSECache
2007-12-31 18:57 . 2007-12-31 18:57 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\Intel
2007-12-31 01:26 . 2007-12-31 01:26 <DIR> d-------- C:\Documents and Settings\havard.berntzen\NTI-Shadow
2007-12-29 02:30 . 2007-12-29 02:30 <DIR> d-------- C:\Programfiler\Microsoft CAPICOM 2.1.0.2
2007-12-28 20:30 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-28 20:30 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-28 20:30 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-28 16:18 . 2007-12-28 16:18 <DIR> d-------- C:\Documents and Settings\havard.berntzen\Contacts
2007-12-28 16:17 . 2008-01-30 13:11 <DIR> d-------- C:\Programfiler\Windows Live Toolbar
2007-12-28 16:14 . 2007-12-28 16:16 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller
2007-12-28 16:13 . 2007-12-28 16:16 <DIR> d-------- C:\Programfiler\Windows Live
2007-12-28 16:13 . 2008-01-20 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WLInstaller
2007-12-14 11:22 . 2007-12-28 16:25 <DIR> d-------- C:\Kunstverket
2007-12-12 18:00 . 2008-01-29 16:07 <DIR> d-------- C:\Konferansetemaer 2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 12:11 --------- d-----w C:\Programfiler\Yahoo!
2008-01-20 13:40 --------- d-----w C:\Programfiler\Launch Manager
.
----a-w		   342,528 2008-01-30 12:15:06  C:\Acer\Empowering Technology\eDataSecurity\eDSloader .exe
----a-w		   407,632 2008-01-30 12:15:05  C:\Programfiler\CA\eTrustITM\realmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59773eb7-aa43-4cc8-98e5-ca6fbf1b466d}]
C:\WINDOWS\system32\srdusopk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-30 12:26 15360]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [ ]
"IAAnotif"="C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [ ]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [ ]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 15:32 16132608 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"RemoteControl"="C:\Programfiler\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"LanguageShortcut"="C:\Programfiler\CyberLink\PowerDVD\Language\Language.exe" [ ]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2008-01-30 12:26 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2008-01-30 12:26 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-30 12:26 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-30 12:26 455168]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 12:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [ ]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [ ]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [ ]
"eLockMonitor"="C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [ ]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [ ]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [ ]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [ ]
"PLFSet"="C:\WINDOWS\PLFSet.dll" [2007-04-24 10:49 45056]
"Realtime Monitor"="C:\Programfiler\CA\eTrustITM\realmon.exe" [ ]
"Windows Taskmanager"="svchost.exe" [2004-08-04 12:00 14336 C:\WINDOWS\system32\svchost.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-01-30 12:26 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2007-09-18 19:03:07 45056]
BTTray.lnk - C:\Programfiler\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 08:02:38 568176]
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [2004-08-30 15:31:05 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jonzngug]
jonzngug.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurrp]
wvuurrp.dll

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2006-08-28 18:30]
R0 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 22:07]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 19:00]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 12:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 17:08]
R2 int15;int15;C:\WINDOWS\system32\drivers\int15.sys [2007-07-31 09:43]
R2 tvicport;tvicport;C:\WINDOWS\system32\drivers\tvicport.sys [2007-07-31 09:43]
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 19:00]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2007-02-07 17:35]
S3 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 13:46]
S3 psdfilter;psdfilter;C:\WINDOWS\system32\Drivers\psdfilter.sys [2007-05-28 15:54]
S3 psdvdisk;psdvdisk;C:\WINDOWS\system32\Drivers\psdvdisk.sys [2007-05-28 15:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 14:32:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"IAAnotif"="\"C:\\Programfiler\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe\""
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Programfiler\CA\SharedComponents\iTechnology\igateway.exe
C:\Programfiler\CA\eTrustITM\InoRpc.exe
C:\Programfiler\CA\eTrustITM\InoRT.exe
C:\Programfiler\CA\eTrustITM\InoTask.exe
C:\Programfiler\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\WINDOWS\system32\DWRCST.exe
C:\Programfiler\CA\eTrustITM\ppcl.exe
C:\Programfiler\CA\eTrustITM\ppcl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Programfiler\WIDCOMM\Bluetooth Software\BTTray.exe
C:\DOCUME~1\HAVARD~1.BER\LOKALE~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2008-01-30 14:34:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 13:33:57
.
2008-01-19 12:22:28 --- E O F ---

After this run, all of the posxxx files are deleted, but the C disc is still shown as a red X, and I can't start eTrust antivirus. I've cleaned temp files with ATF-Cleaner, and run SmitfraudFix and HijackThis (without fixing). Can anybody help me with this? Thanks.

{Mod Edit:Moved to more appropriate forum~~boopme}

Edited by boopme, 30 January 2008 - 10:35 AM.
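As an added, defender-side illustration (not part of the original post, and not code from ComboFix or BleepingComputer), the script below parses the "Reg Loading Points" section of a ComboFix log and flags the kind of autostart entries a malware-removal helper would look at first: a core OS binary such as svchost.exe registered as a Run-key autostart, Winlogon notification packages that are not part of the default Windows XP set, and Browser Helper Objects, which load into every Internet Explorer process. The sample input is an excerpt of the log posted above; the list of default Winlogon Notify packages and the list of core OS binaries are this example's own assumptions, and OEM or security products can legitimately add Notify packages, so a "high" finding is a triage hint, not a verdict.

```python
import re
from typing import List, Tuple

# Excerpt of the "Reg Loading Points" section of the log posted above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59773eb7-aa43-4cc8-98e5-ca6fbf1b466d}]
C:\WINDOWS\system32\srdusopk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-30 12:26 15360]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 15:32 16132608 C:\WINDOWS\RTHDCPL.exe]
"Windows Taskmanager"="svchost.exe" [2004-08-04 12:00 14336 C:\WINDOWS\system32\svchost.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jonzngug]
jonzngug.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuurrp]
wvuurrp.dll
"""

# Processes that Windows starts itself (via the session manager or the
# service control manager); none of them is ever a legitimate Run-key entry.
CORE_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "services.exe", "winlogon.exe",
}

# Assumption of this example: the Winlogon\Notify packages present on a
# default Windows XP SP2 install. Anything else deserves a look.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# (severity, registry key, offending item, reason)
Finding = Tuple[str, str, str, str]

# Matches the '"name"="image"' prefix of a Run-key value as ComboFix prints it;
# the trailing "[date size path]" annotation is ignored.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"')


def _basename(path: str) -> str:
    """Lower-cased file name part of a Windows path (or bare file name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def triage_loading_points(log_text: str) -> List[Finding]:
    """Walk the REGEDIT4-style section and return entries worth a human's attention."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key; following lines belong to it
            continue
        lkey = key.lower()
        if lkey.endswith("\\currentversion\\run"):
            m = RUN_VALUE_RE.match(line)
            if not m:
                continue
            name, image = m.group("name"), m.group("image")
            if _basename(image) in CORE_SYSTEM_BINARIES:
                findings.append(("high", key, f'"{name}"={image}',
                                 "core OS process registered as a Run autostart; "
                                 "Windows never does this itself"))
        elif "\\winlogon\\notify\\" in lkey:
            package = key.rsplit("\\", 1)[-1]
            if package.lower() not in KNOWN_NOTIFY:
                findings.append(("high", key, line,
                                 "non-default Winlogon notification package; "
                                 "its DLL is loaded into winlogon.exe at logon"))
        elif "browser helper objects" in lkey:
            findings.append(("review", key, line,
                             "BHO loads into every Internet Explorer process; "
                             "verify the DLL's publisher before trusting it"))
    return findings


if __name__ == "__main__":
    for severity, regkey, item, reason in triage_loading_points(SAMPLE_LOG):
        print(f"[{severity}] {regkey}\n    {item}\n    {reason}")
```

Run against the excerpt, the script reports the "Windows Taskmanager" svchost.exe entry, both Winlogon Notify packages, and the BHO for review, while leaving the ctfmon.exe and RTHDCPL entries alone; pointing it at a full log only requires replacing SAMPLE_LOG with the file's contents.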



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 January 2008 - 01:47 PM

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

This issue will require further investigation and further use of ComboFix. Before that can be done you will need to create and post a HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




