Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Please Help Diagnose


  • Please log in to reply
12 replies to this topic

#1 harere

harere

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 04 February 2008 - 11:23 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:11 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\WordWeb\wweb32.exe
D:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
D:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\VideoLAN\VLC\vlc.exe
D:\Documents and Settings\himanshu\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = netmon.iitb.ac.in:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iitb.ac.in;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] D:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = D:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z ToolBar.lnk = D:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: WordWeb.lnk = D:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23E65760-916A-4E4F-BC91-5B5EC5586CA8}: NameServer = 10.200.1.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B4B5921-F008-438A-9B75-7EDDAE46764D}: NameServer = 10.200.1.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{23E65760-916A-4E4F-BC91-5B5EC5586CA8}: NameServer = 10.200.1.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{23E65760-916A-4E4F-BC91-5B5EC5586CA8}: NameServer = 10.200.1.11
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 6397 bytes

BC AdBot (Login to Remove)

 


m

#2 harere

harere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 07 February 2008 - 08:06 AM

Urgent help required!!!!!Could anyone please diagnose the log above?

#3 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:10 PM

Posted 14 February 2008 - 02:09 PM

Hi harere, :thumbsup:

If you still need help please post a new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide for use before posting a HijackThis Log , and I'll be happy to look at it for you.

Thanks for your patience. :blink:

#4 harere

harere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 24 February 2008 - 11:34 AM

hello falu,
thanks for showing interest :blink: , I desperately need someone's help. Below is the log, please diagnose :thumbsup: :



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:40 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\WordWeb\wweb32.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\system32\ntvdm.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\DC++\1gre\gre5vx.exe
D:\DC++\1gre\gre5vx.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = netmon.iitb.ac.in:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iitb.ac.in;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] D:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = D:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z ToolBar.lnk = D:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: WordWeb.lnk = D:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23E65760-916A-4E4F-BC91-5B5EC5586CA8}: NameServer = 10.200.1.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B4B5921-F008-438A-9B75-7EDDAE46764D}: NameServer = 10.200.1.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{23E65760-916A-4E4F-BC91-5B5EC5586CA8}: NameServer = 10.200.1.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{23E65760-916A-4E4F-BC91-5B5EC5586CA8}: NameServer = 10.200.1.11
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 6908 bytes

#5 harere

harere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 24 February 2008 - 11:38 AM

the problem is that I am unable to login in my previous windows system, installed in C drive, it boots normally but logs out as soon as it logs in. No window appears just sound comes of login and logout.

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:10 PM

Posted 26 February 2008 - 12:55 PM

Hi harere. Can you give me a little backgound on what is going on with the system:
  • are there two operating systems installed?
  • if so, do you have a boot menu to select which one you want to boot to when the system starts up?
  • also if so, can you boot to Safe Mode on the C: drive?
  • were there any system changes made (new hardware, software, or updates) made to the system just prior to the problem with not being able to log in to the C: drive?
  • are the C: and D: drives two separate physical drives or a single drive with two partitions on it?
  • any other information relating to the issues you are currently encountering.
Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 harere

harere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 28 February 2008 - 09:04 PM

yp, I have two OS installed, one in C: in which I am unable to login and other in D:. Both C: and D: are partitions on single disk. There comes a menu while

booting the laptop for selecting OS. I can boot to the safe mode in C: but there also the same problem of login and immediate logout persists, for both the

accounts-administrator and my name a/c. Actually, this whole drama went into one day step by step when the laptop got infected with virus: win32 virut. Now

also when I scan the C: drive it detects infected .exe files but unable to take any action as none of them are accessible. I am unable to get my important data on

C:, it shows all folders as empty on C: when I work in OS on D: drive. While searching the results show that the documents are there but the particular folders

are shown empty when clicked.

Edited by harere, 28 February 2008 - 09:04 PM.


#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:10 PM

Posted 29 February 2008 - 01:56 AM

Hi harere. In most cases, the virut infection cannot be removed. It has the capability to infected every executable file ont he system and can also jump across drives and shared folders so the boot system that is currently used may also be infected. AVG rarely detects it so we'll need to check. Although virut infects every executable it does not normally infect other data files. The issue with folders being empty might indicate something else on the system as well.

Let's try something and see if it can do anything. Sometimes it works and sometimes not.

Download Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options and Change settings
  • Choose the Scan tab and remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#9 harere

harere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 01 March 2008 - 05:06 AM

gr8 man!! :blink:

would u believe as many as 1838 files were infected, most of them of C:System Value Info.

also the E: drive also found infected. I am attaching the saved report of Dr.Web. After rebooting the system I have checked and found that the problem of login, logout and the empty folders both persists.

I am thankful to u indeed :thumbsup: , tell me wt to do nxt?

Attached Files



#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:10 PM

Posted 01 March 2008 - 11:56 AM

Hi harere. No, you won't be able to log into that drive again. The operating system has been damaged beyond repair. If you still cannot see any files in the folders then the MFT (Master File Table) has also been damaged. This is not something that is usually associted with virtu so there is something else going on with that drive or virtu has changed its tactics.

The only other thing you can try is a file recovery program. There is a pretty good free one that I use from Convar called PC Inspector . You can try that by installing it on your good drive and seeing if it can find any recoverable files on the C: drive. If not, then they are lost. In any case, in the end the C: drive will need to be formatted and the operating system reinstalled if you want it on the C: drive, or, with the operating system working on the D: drive it can be left there and the C: drive could be used for data.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#11 harere

harere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 01 March 2008 - 10:47 PM

OK then I'll try this PC Inspector, and then format it.

thank you once again.

#12 harere

harere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:40 AM

Posted 05 March 2008 - 11:09 PM

hey, I am unable to format the C: drive in which the corrupted OS is there. It prompts that WINDOWS is unable to format this drive.
How could I now format it? :thumbsup:

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:10 PM

Posted 05 March 2008 - 11:36 PM

Hi harere. That I do not know, but the place to ask that quesiton would be the Windows XP Home and Professional forum.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users