PC hangs when I search

Posted 12/16/2008 2:56 PM
#70000

krayon Member

Date Joined Nov 2016
Total Posts: 5
Hi,

When I press Search on Windows to search for a file or a folder, my PC stops responding.

It doesn't even open the search window but freezes my taskbar. I can't even press Start after this and have to restart.

My PC was infected by newfolder.exe earlier, for which I used an antivirus system that showed all the exe files were infected;

then I got rid of the virus with a newfolder.exe remover.

But I'm still facing this problem (I might have deleted some exe and dll files when the antivirus showed me those files as infected).

Please help me...

Many thanks in advance,

Krayon
Posted 12/16/2008 4:01 PM
#70003

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Hello :smile:





Download: CCleaner
http://www.ccleaner.com/ (or http://www.majorgeeks.com/download4191.html)

Once installed, run CCleaner and click the Windows tab.

Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files

System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data


Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok


Then click Run Cleaner (bottom right) then Exit

Reboot



Please download Malwarebytes' Anti-Malware:

http://www.spywarefri.dk/downloads1/mbam-setup.exe

Or here:

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968



to your desktop.



Double-click mbam-setup.exe and follow the prompts to install the program.



At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.



If an update is found, it will download and install the latest version.



Please connect all your external hard drives/flash drives before running Malwarebytes.



Once the program has loaded, select Perform full scan, then click Scan.



When the scan is complete, click OK, then Show Results to view the results.



Be sure that everything is checked, and click Remove Selected.



When completed, a log will open in Notepad. Please save it to a convenient location.







NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Click here to download HJTinstall.exe

Save HJTinstall.exe to your desktop.
Double click on the HJTinstall.exe icon on your desktop.

By default it will install to C:\Program Files\Trend Micro\Hijack This.

Click I accept

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.

Click Save to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and Paste the log in your next reply.

DO NOT have Hijack This fix anything yet.

Most of what it finds will be harmless or even required.



Post the HijackThis log along with the Malwarebytes' Anti-Malware log.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 12/17/2008 9:13 AM
#70035

krayon Member

Date Joined Nov 2016
Total Posts: 5
Thank you so much for your help, Touch.

Will try doing it the way you mentioned.

Thanks again.
Posted 12/17/2008 9:24 PM
#70051

krayon Member

Date Joined Nov 2016
Total Posts: 5
Hi,
I did it the way you mentioned.

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:00 AM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
C:\Program Files\Topro\tppoll.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TVR\TVR\RecSche.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url=http://in.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://in.search.yahoo.com]http://in.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://in.search.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url=http://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com]http://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url=http://in.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://in.search.yahoo.com]http://in.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://in.search.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url=http://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com]http://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [tppoll] C:\Program Files\Topro\tppoll.exe
O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: TVR Schedule.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{645E7729-C10C-4216-B058-8938EB93DC1A}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF954329-909A-4D7E-AAC3-3A0BD1906306}: NameServer = 202.144.115.4,202.144.66.6
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7926 bytes











Malwarebytes' Anti-Malware 1.31


Database version: 1456
Windows 5.1.2600 Service Pack 2

12/18/2008 2:31:16 AM
mbam-log-2008-12-18 (02-31-16).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 209710
Time elapsed: 2 hour(s), 27 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost agent (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{72B56CBE-BA97-4CE8-8DBF-B25ABD782F79}\RP148\A0089579.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{72B56CBE-BA97-4CE8-8DBF-B25ABD782F79}\RP147\A0088219.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\28463\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.




Thanks for your help.

Waiting for your reply for the next step.

Thanks again,

Krayon
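The HijackThis log above is mostly legitimate entries, and Touch's note that "most of what it finds will be harmless or even required" is the reason a log like this gets read by hand. The script below is an added example, not code from the thread or from HijackThis: it applies a few triage rules to HijackThis-style lines (autostarts whose file is gone, a well-known system binary name running from the wrong directory, autostarts pointing into RECYCLER/temp folders, and O17 DNS entries to confirm). The sample lines are copied from the posted log, except the "[svchost agent]" O4 line, which is constructed by combining two of the MBAM findings (the Run value named "svchost agent" and the svchost.exe under system32\28463). The list of expected directories is an assumption kept short for illustration.

```python
"""Triage heuristics for a HijackThis-style log.

Added example for this thread, not the forum's or HijackThis's own code.
The sample lines are copied from the posted log, except the
"[svchost agent]" O4 line, which is CONSTRUCTED by combining two of the
MBAM findings (a Run value named "svchost agent" and a svchost.exe under
system32\\28463) so that the path rule has something to catch.
"""
import re
from typing import List, Optional, Tuple

# Where these Windows binaries normally live on XP. Assumption: a short list
# is enough for illustration; a real tool would carry the full set.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Directories a legitimate autostart has no business pointing into.
SUSPICIOUS_DIRS = ("\\recycler\\", "\\temp\\", "\\system volume information\\")

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [svchost agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{645E7729-C10C-4216-B058-8938EB93DC1A}: NameServer = 202.144.115.4,202.144.66.6
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""

MISSING_RE = re.compile(r"\((no file|file missing)\)$", re.IGNORECASE)
O4_PATH_RE = re.compile(r'\]\s+"?([^"]*?\.exe)', re.IGNORECASE)


def check_path(path: str) -> Optional[str]:
    """Reason a process or autostart path looks wrong, or None."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    expected = EXPECTED_DIR.get(name)
    if expected and parent != expected:
        return f"{name} running from {parent or '(no path)'} instead of {expected}"
    if any(d in low for d in SUSPICIOUS_DIRS):
        return "autostart points into a throwaway directory"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
                continue
            reason = check_path(line)
            if reason:
                findings.append((reason, line))
            continue
        if MISSING_RE.search(line):
            findings.append(("autostart/BHO/service whose file is gone", line))
        elif line.startswith("O4 - "):
            m = O4_PATH_RE.search(line)
            reason = check_path(m.group(1)) if m else None
            if reason:
                findings.append((reason, line))
        elif line.startswith("O17 - ") and "NameServer" in line:
            findings.append(("DNS servers set on this adapter; confirm they belong to the ISP", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample, the O2/O9/O23 "(no file)"/"(file missing)" entries come out as leftovers rather than infections (exactly the kind Touch warns not to "fix" blindly), while the constructed svchost line is flagged because a svchost.exe that is not directly under system32 is the classic impersonation pattern. The O17 rule deliberately does not decide; the 202.144.x.x servers in the log are for the user to confirm against their provider.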
Posted 12/18/2008 3:24 AM
#70059

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Next step will be a combo log :smile:





Please download Combofix:

http://download.bleepingcomputer.com/subs/combofix.exe



And save to the desktop.


Close all other browser windows.



Please connect all your external hard drives/flash drives before running Combofix, if you have any.







Important: temporarily disable your anti-virus real-time protection before performing a scan. It can interfere with Combofix or remove some of its embedded files, which may cause "unpredictable results".



Double-click on the combofix icon found on your desktop.



Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.


When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply.



Posted 12/18/2008 4:29 AM
#70070

krayon Member

Date Joined Nov 2016
Total Posts: 5
I did it the way you said again.

Before that, my Internet Client loader is not coming up now; before these tests it was opening properly.

Here is the log:

ComboFix 08-12-17.01 - Gaurang 2008-12-18 9:34:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2030.1523 [GMT 5.5:30]
Running from: c:\documents and settings\Gaurang\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll
c:\windows\system32\28463
c:\windows\system32\28463\svchost.001
c:\windows\system32\28463\svchost.002
c:\windows\system32\setting.ini
c:\windows\system32\setup.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.

2008-12-18 02:34 . 2008-12-18 02:34 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 00:01 . 2008-12-18 00:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 00:01 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-18 00:01 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-17 22:59 . 2008-12-17 22:59 <DIR> d-------- c:\documents and settings\Gaurang\Application Data\Malwarebytes
2008-12-17 22:58 . 2008-12-17 22:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 22:48 . 2008-12-17 22:48 <DIR> d-------- c:\program files\CCleaner
2008-12-17 22:40 . 2008-12-17 22:44 <DIR> d-------- C:\SDFix
2008-12-17 20:23 . 2008-12-17 20:25 <DIR> d-------- c:\program files\Error Repair Professional
2008-12-17 15:39 . 2008-12-17 15:39 <DIR> d-------- c:\program files\TeraCopy
2008-12-17 15:39 . 2008-12-18 09:20 <DIR> d-------- c:\documents and settings\Gaurang\Application Data\TeraCopy
2008-12-16 11:37 . 2008-12-16 11:37 <DIR> d-------- c:\program files\AccuTrans 3D
2008-12-16 10:48 . 2008-12-16 10:56 40 --a------ c:\windows\devcap.ini
2008-12-14 17:29 . 2008-12-14 17:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\GRETECH
2008-12-14 17:28 . 2008-12-14 17:28 <DIR> d-------- c:\documents and settings\Gaurang\Application Data\GRETECH
2008-12-14 17:15 . 2008-12-14 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\SRSLabs
2008-12-14 17:13 . 2008-12-14 17:13 <DIR> d-------- c:\program files\SRSLabs
2008-12-14 17:13 . 2008-12-14 17:13 <DIR> d-------- c:\program files\Common Files\SRS
2008-12-10 18:19 . 2008-12-10 18:19 <DIR> d-------- c:\program files\Common Files\SWF Studio
2008-12-08 16:50 . 2008-12-08 16:50 <DIR> d-------- c:\program files\Alcohol Soft
2008-12-06 12:07 . 2008-12-06 20:49 <DIR> d-------- c:\program files\Internet Download Manager
2008-12-06 12:07 . 2008-12-18 02:45 <DIR> d-------- c:\documents and settings\Gaurang\Application Data\IDM
2008-12-04 23:39 . 2008-12-04 23:39 <DIR> d-------- c:\program files\Topro
2008-12-04 23:39 . 2003-09-08 14:01 1,523,712 --a------ c:\windows\system32\ToproVC.dll
2008-12-04 23:39 . 2005-03-04 10:27 221,184 --a------ c:\windows\ToproUI.exe
2008-12-04 23:39 . 2006-05-08 15:55 198,316 --a------ c:\windows\system32\drivers\TP6800.sys
2008-12-04 23:39 . 2003-09-01 14:16 65,536 --a------ c:\windows\system32\camlib.dll
2008-12-04 23:39 . 2006-02-21 10:35 49,152 --a------ c:\windows\system32\drivers\CustPage.ax
2008-12-04 23:39 . 2005-02-25 10:24 28,672 --a------ c:\windows\tpsti.exe
2008-12-03 16:28 . 2008-12-03 16:28 <DIR> d-------- c:\documents and settings\Gaurang\Application Data\Alien Skin
2008-12-02 21:57 . 2008-12-02 21:57 <DIR> d-------- c:\program files\Good Shot
2008-12-02 00:09 . 2008-12-02 00:09 <DIR> d-------- c:\program files\Smart Virus Remover
2008-12-01 23:55 . 2008-12-01 23:55 <DIR> d-------- c:\windows\system32\Flashy.exe
2008-12-01 15:00 . 2008-12-01 15:00 <DIR> d-------- c:\program files\Web Page Maker
2008-12-01 15:00 . 2008-12-01 15:10 <DIR> d-------- c:\documents and settings\Gaurang\Application Data\Web Page Maker
2008-12-01 13:25 . 2008-12-01 13:39 <DIR> d-------- c:\program files\Avanquest update
2008-12-01 13:25 . 2008-12-01 13:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2008-12-01 11:17 . 2008-12-01 11:17 <DIR> d-------- c:\program files\GlobalSCAPE
2008-12-01 11:17 . 2008-12-01 11:17 <DIR> d-------- c:\documents and settings\Gaurang\Application Data\GlobalSCAPE
2008-11-29 16:14 . 2008-11-29 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\MumboJumbo
2008-11-29 16:13 . 2008-11-29 16:13 <DIR> d-------- c:\windows\Elf Bowling - Hawaiian Vacation
2008-11-29 16:13 . 2008-11-29 16:13 <DIR> d-------- c:\program files\Elf Bowling - Hawaiian Vacation
2008-11-28 11:56 . 2008-11-28 11:56 <DIR> d-------- c:\program files\uTorrent
2008-11-28 11:56 . 2008-12-16 01:04 <DIR> d-------- c:\documents and settings\Gaurang\Application Data\uTorrent
2008-11-19 10:38 . 2004-09-17 15:07 61,440 -ra------ c:\windows\system32\vuins32.dll
2008-11-19 10:38 . 2005-01-19 12:15 43,008 -ra------ c:\windows\system32\drivers\dlkfet5b.sys
2008-11-19 10:10 . 2004-08-03 22:31 20,992 --a------ c:\windows\system32\drivers\RTL8139.sys
2008-11-19 10:10 . 2004-08-03 22:31 20,992 --a--c--- c:\windows\system32\dllcache\rtl8139.sys
2008-11-19 00:15 . 1997-07-19 21:30 155,920 --------- c:\windows\system32\comct232.ocx
2008-11-19 00:15 . 1997-07-19 21:30 129,808 --------- c:\windows\system32\comdlg32.ocx
2008-11-19 00:15 . 1997-06-13 15:26 56,832 --------- c:\windows\system32\iyvu9_32.dll
2008-11-19 00:06 . 2008-11-19 00:06 <DIR> d-------- c:\windows\BBSTORE
2008-11-19 00:06 . 2008-11-19 00:06 <DIR> d-------- c:\program files\The Learning Company
2008-11-19 00:06 . 2008-11-21 00:01 382 --a------ c:\windows\ereg077.dat
2008-11-19 00:05 . 2008-11-19 00:05 0 --a------ c:\windows\SETUP32.INI
2008-11-18 20:46 . 2007-03-02 14:07 1,904 --------- c:\windows\system32\SetupBD.din
2008-11-18 20:42 . 2008-11-18 20:46 <DIR> d-------- c:\program files\Intel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 04:07 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-18 04:07 --------- d-----w c:\program files\DNA
2008-12-18 04:07 --------- d-----w c:\documents and settings\Gaurang\Application Data\DNA
2008-12-18 04:04 --------- d-----w c:\documents and settings\Gaurang\Application Data\DMCache
2008-12-18 03:53 --------- d-----w c:\documents and settings\Gaurang\Application Data\Broadband
2008-12-17 14:51 --------- d-----w c:\program files\Common Files\Adobe
2008-12-17 11:04 --------- d-----w c:\program files\Winamp
2008-12-17 09:56 --------- d-----w c:\program files\Folder Lock
2008-12-17 09:55 --------- d-----w c:\program files\Any FLV Player
2008-12-17 09:53 --------- d-----w c:\program files\DivX
2008-12-17 09:50 --------- d-----w c:\program files\VideoLAN
2008-12-17 09:49 --------- d-----w c:\program files\Common Files\Real
2008-12-17 09:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 09:48 --------- d-----w c:\program files\CyberLink
2008-12-17 09:46 --------- d-----w c:\program files\Google
2008-12-16 17:32 --------- d-----w c:\program files\Yahoo!
2008-12-16 05:42 --------- d-----w c:\program files\QuickTime
2008-12-15 20:26 --------- d-----w c:\program files\VideoMach-4.0.3
2008-12-15 20:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-15 20:26 --------- d-----w c:\program files\Apple Software Update
2008-12-15 09:36 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-14 11:58 --------- d-----w c:\program files\GRETECH
2008-11-19 05:18 --------- d-----w c:\program files\Internet Cyclone
2008-11-15 16:49 --------- d-----w c:\program files\Sify Broadband
2008-11-10 05:32 --------- d-----w c:\documents and settings\Gaurang\Application Data\Uniblue
2008-11-10 05:30 --------- d-----w c:\program files\PopCap Games
2008-11-10 05:30 --------- d-----w c:\program files\GameHouse
2008-11-09 09:51 --------- d-----w c:\program files\Zeallsoft
2008-11-07 14:23 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2008-11-07 13:54 --------- d-----w c:\documents and settings\Gaurang\Application Data\MSNInstaller
2008-11-07 04:57 --------- d-----w c:\program files\Reflexive Arcade Games - Action
2008-11-06 15:08 --------- d-----w c:\documents and settings\Gaurang\Application Data\Yahoo!
2008-11-05 11:50 --------- d-----w c:\program files\UnHackMe
2008-11-05 10:52 522,240 ----a-w c:\windows\system32\libcurl.dll
2008-11-05 10:52 41,472 ----a-w c:\windows\system32\hengine.dll
2008-11-05 10:52 22,016 ----a-w c:\windows\system32\ndisprot.sys
2008-11-05 10:52 16,000 ----a-w c:\windows\system32\passthru.sys
2008-11-05 05:46 --------- d-----w c:\program files\Total Video Converter
2008-10-26 18:17 193 ----a-w C:\aw.dat
2008-10-26 17:38 --------- d-----w c:\program files\Autodesk
2008-10-14 10:30 16,896 ----a-w c:\windows\system32\RASPPPOE.EXE
2008-10-04 19:28 166,989 ----a-w c:\windows\Cam 3D Webmaster Edition Uninstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-12 342336]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-12-06 931248]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-13 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-03-13 86016]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 9138176]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-12-01 193760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"DSS"="c:\windows\BBSTORE\DSS\DSSAGENT.EXE" [1999-10-12 590336]
"tppoll"="c:\program files\Topro\tppoll.exe" [2005-03-02 24576]
"nwiz"="nwiz.exe" [2007-03-13 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LvHidSvc"="c:\windows\system32\lvhidsvc.exe" [2004-10-10 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TVR Schedule.lnk - c:\windows\Installer\{E4C3B10E-E277-4458-8440-DAE332D50BF3}\_4ae13d6c.exe [2008-12-16 1078]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2008-09-23 33792]
S2 MCIDRV_2600_6_0;MCIDRV_2600_6_0;\??\c:\windows\system32\drivers\hsrnqs.sys []
S3 DCamUSBIntel;Webcam;c:\windows\system32\Drivers\TP6800.sys [2008-12-04 198316]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2004-03-12 169192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{324fb291-b07c-11dd-8c3b-0019d1fd5b3b}]
\Shell\Auto\command - asp.net
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{324fb292-b07c-11dd-8c3b-0019d1fd5b3b}]
\Shell\Auto\command - asp.net
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74120564-a4be-11dd-8c02-0019d1fd5b3b}]
\Shell\AutoRun\command - I:\Secret.exe
\Shell\explore\Command - I:\Secret.exe
\Shell\open\Command - I:\Secret.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d555c774-2f16-11dd-8a4d-0019d1fd5b3b}]
\Shell\AutoRun\command - I:\i.bat
\Shell\explore\Command - I:\i.bat
\Shell\open\Command - I:\i.bat
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-11-10 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearch Page = hxxp://in.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://in.search.yahoo.com
mDefault_Page_URL = hxxp://in.yahoo.com
mDefault_Search_URL = hxxp://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com
mSearch Page = hxxp://in.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://in.search.yahoo.com
mStart Page = hxxp://in.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\idmmbc.dll
TCP: {645E7729-C10C-4216-B058-8938EB93DC1A} = 202.144.115.4,202.144.66.6
TCP: {AF954329-909A-4D7E-AAC3-3A0BD1906306} = 202.144.115.4,202.144.66.6
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 09:37:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1380)
c:\windows\system32\idmmbc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-12-18 9:43:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-18 04:13:33

Pre-Run: 9,769,009,152 bytes free
Post-Run: 9,605,132,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

253 --- E O F --- 2008-11-04 18:11:04
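The most telling part of the ComboFix log above is the MountPoints2 section: Explorer caches each removable volume's autorun.inf verbs there, and a cached `open`/`explore` command pointing at `I:\Secret.exe` or `I:\i.bat` means double-clicking that drive in My Computer launched the file instead of opening the folder, which is how USB worms of the newfolder.exe family spread from one machine to the next. The same dump also shows Security Center's antivirus monitoring overridden and the standard-profile firewall set to 0. The script below is an added example, not ComboFix's own code: it parses a `Reg Loading Points`-style dump and reports those three things. The sample is copied from the posted log; which findings are "high" versus "medium" is the author's assumption, not a ComboFix rule.

```python
"""Flag removable-drive autorun hijacks and disabled defences in a ComboFix
'Reg Loading Points' dump.

Added example for this thread, not ComboFix's own code. The sample below is
copied from the posted log (Security Center value, firewall profile value and
three MountPoints2 keys); which entries count as high or medium severity is
the author's assumption, not a ComboFix rule.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{324fb291-b07c-11dd-8c3b-0019d1fd5b3b}]
\Shell\Auto\command - asp.net
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL asp.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74120564-a4be-11dd-8c02-0019d1fd5b3b}]
\Shell\AutoRun\command - I:\Secret.exe
\Shell\explore\Command - I:\Secret.exe
\Shell\open\Command - I:\Secret.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d555c774-2f16-11dd-8a4d-0019d1fd5b3b}]
\Shell\AutoRun\command - I:\i.bat
\Shell\explore\Command - I:\i.bat
\Shell\open\Command - I:\i.bat
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')


def parse_keys(dump: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of each [key] block under its key path."""
    keys: Dict[str, List[str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
        elif current is not None and line:
            keys[current].append(line)
    return keys


def _values(lines: List[str]) -> Dict[str, str]:
    """Turn '"Name"=data' lines into a name -> data mapping."""
    return {m.group(1): m.group(2) for m in map(VALUE_RE.match, lines) if m}


def review(dump: str) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for key, lines in parse_keys(dump).items():
        k = key.lower()
        if "\\mountpoints2\\" in k:
            # Explorer caches each volume's autorun.inf verbs under MountPoints2.
            # An 'open' or 'explore' command here means double-clicking the
            # drive in My Computer runs that file instead of opening the folder.
            volume = key.rsplit("\\", 1)[-1]
            handlers = {}
            for line in lines:
                vm = VERB_RE.match(line)
                if vm:
                    handlers[vm.group(1).lower()] = vm.group(2)
            if not handlers:
                continue
            hijacked = sorted(v for v in handlers if v in ("open", "explore"))
            if hijacked:
                target = handlers[hijacked[0]]
                findings.append(("high", f"volume {volume}: {'/'.join(hijacked)} verbs redirected to {target}"))
            else:
                target = handlers.get("autorun") or next(iter(handlers.values()))
                findings.append(("medium", f"volume {volume}: autorun handler cached: {target}"))
        elif k.endswith("\\security center"):
            raw = _values(lines).get("AntiVirusOverride", "")
            if raw and int(raw.split(":")[-1], 16) == 1:
                findings.append(("high", "Security Center told to stop monitoring antivirus state (AntiVirusOverride=1)"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            raw = _values(lines).get("EnableFirewall", "")
            if raw.startswith("0"):
                findings.append(("high", "Windows Firewall disabled for the standard profile (EnableFirewall=0)"))
    return findings


if __name__ == "__main__":
    for severity, message in review(SAMPLE):
        print(f"{severity:6} {message}")
```

A cached handler that only sets `AutoRun` (the first key, whose command is the bare name `asp.net`) is reported as medium: it still records that a volume with an autorun.inf was plugged in, but it does not replace the normal double-click action. The two keys that redirect `open` and `explore` to a file on the volume itself are the worm pattern and are reported as high. On a live machine the same check would be done against HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 rather than a log, and any USB stick that was plugged into this PC while it was infected should be treated as carrying the same autorun.inf.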
Posted 12/18/2008 5:06 AM
#70072

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Reboot, and tell me how things are running now?



Posted 12/18/2008 5:42 AM
#70075

krayon Member

Date Joined Nov 2016
Total Posts: 5
No, it still hangs when I press Start. :(
Posted 12/18/2008 6:27 AM
#70078

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
There are no more infections. I'll therefore suggest you try these tips/tweaks and see if they help:
http://home.comcast.net/~SupportCD/OptimizeXP.html


