
I have virus called "cindy.exe" I can't access my external drive


Post by fendy3 on Sun Jun 21, 2009 6:32 am

Every time I tried to access my external drive, I get a message that says, "windows can not find cindy.exe."

The drive has a folder in "My Computer" and not the regular drive icon like it usually does.

I have already saved the hijack log file when someone is ready to help.

Please contact me soon, Thanks.



Re: I have virus called "cindy.exe" I can't access my external drive

Post by Belahzur on Sun Jun 21, 2009 1:49 pm

Please post your Hijack This log here.



Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 4:02 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:25 AM, on 6/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\MediaCodec\MediaCodec.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AM Browser\AM Browser.exe
C:\Documents and Settings\DeWayne\Desktop\Hijack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.2\toolbars\ZENDIE~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [MediaCodec] C:\Program Files\MediaCodec\MediaCodec.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Zend Studio - Debug current page - [You must be registered and logged in to see this link.] Files\Zend\Zend Studio for Eclipse - 6.1.2\toolbars\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - [You must be registered and logged in to see this link.] Files\Zend\Zend Studio for Eclipse - 6.1.2\toolbars\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.2\toolbars\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.2\toolbars\ZENDIE~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7878 bytes


Re: I have virus called "cindy.exe" I can't access my external drive

Post by Belahzur on Sun Jun 21, 2009 4:07 pm

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar

Please download [You must be registered and logged in to see this link.] to your Desktop and run it by double clicking the program's icon.

  1. Wait a couple of seconds for initial scan to finish.
  2. Connect all of your USB storage devices to the PC, one at a time, and keep each one connected for at least 10 seconds.
  3. If there are more USB storage devices to scan, please make a note of the order in which these were connected.
  4. After all the devices are scanned, right click in the Monitor tab, and choose "Save log". That will open the log in Notepad. Please copy and paste the log into this thread.

Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.



Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 4:23 pm

Hi,

There's no Ask Toolbar showing up in Add or Remove Programs, and so I did a manual search for it. The computer found nothing, but I found a folder in Program Files that says AskBarDis.

I've never seen that one before. Should I delete it from there, or what would you have me do?


Re: I have virus called "cindy.exe" I can't access my external drive

Post by Belahzur on Sun Jun 21, 2009 4:26 pm

See if the AskBarDis folder will delete, but I suspect it might not since the Ask service is active. If not, we'll deal with it later.

Run USBNoRisk while the infected drive is plugged in.



Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 4:31 pm

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/21/2009 11:29:48 AM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
F: {7182f0f3-37d9-11de-a3d1-806d6172696f}
C: {7182f0f7-37d9-11de-a3d1-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 7182f0f7-37d9-11de-a3d1-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on F:
autorun.inf found on F:
----------------------------------------
File F:\autorun.inf renamed successfully

Content of F:\autorun.inf.blocked
----------------------------------------
[autorUN]
action=Open folder to view files
ShELLExEcUtE=cINdy.Exe
iCOn=syStEMRoOT%\SYsTeM32\sHElL32.dll,4
USEaUToplAy=1
----------------------------------------

No mountpoint found for F:
Sanitized mountpoint for 7182f0f3-37d9-11de-a3d1-806d6172696f
----------------------------------------
Desktop.ini found at F:\$RECYCLE.BIN\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at F:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

========================================
Initial scan finished!
========================================


Re: I have virus called "cindy.exe" I can't access my external drive

Post by Belahzur on Sun Jun 21, 2009 4:34 pm

That has disabled the autorun file, now we can remove it and protect the drives at the same time.

Please open USBNoRisk again, we need to use a custom script to delete the malicious autorun.inf files.

  1. When USBNoRisk opens, go into the Script tab, and insert the bolded script below.


    {7182f0f3-37d9-11de-a3d1-806d6172696f}
    delete: F:\autorun.inf.blocked
    delete: F:\cINdy.Exe
    protect:
    {7182f0f7-37d9-11de-a3d1-806d6172696f}
    protect:



  2. Then press the Run Script button.
  3. Copy and paste the report back here.


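The autorun.inf quoted in the USBNoRisk log above, triaged as an added example (not part of the original thread and not USBNoRisk's code): it reads the file case-insensitively, as Windows does, and lists the programs the file would start, which is how `cINdy.Exe` ends up in the delete script. The function names, the casing heuristic and the default drive letter are assumptions of this sketch; the sample is the file content from the log.

```python
"""Triage an autorun.inf recovered from removable media (added example)."""
import ntpath
import re

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command entries attach a command to a drive context-menu verb.
SHELL_COMMAND = re.compile(r"shell\\[^\\]+\\command", re.IGNORECASE)
# Conventional spellings, used only by the casing heuristic (assumption).
CANONICAL = ("AutoRun", "ShellExecute", "UseAutoPlay")
# Action text used by this thread's sample; "action" sets the AutoPlay entry text.
LURE_ACTION = "open folder to view files"

# Content of F:\autorun.inf.blocked as quoted in the USBNoRisk log.
SAMPLE = r"""[autorUN]
action=Open folder to view files
ShELLExEcUtE=cINdy.Exe
iCOn=syStEMRoOT%\SYsTeM32\sHElL32.dll,4
USEaUToplAy=1
"""


def parse_autorun(text):
    """Return (section_name, [(key, value), ...]) for the [autorun] section.

    Names are matched case-insensitively but returned in their original spelling.
    """
    section, entries, in_autorun = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            in_autorun = name.lower() == "autorun"
            if in_autorun:
                section = name
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return section, entries


def command_target(command):
    """Program part of a command line: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def resolve(target, drive):
    """Path of the target on the scanned drive (environment paths are kept)."""
    if target.startswith("%"):
        return target
    return ntpath.normpath(ntpath.join(drive + "\\", target))


def irregular_case(name):
    """True when a name uses none of the usual casings (weak heuristic)."""
    usual = {name.lower(), name.upper(), name.capitalize()}
    usual.update(c for c in CANONICAL if c.lower() == name.lower())
    return name not in usual


def triage(text, drive="F:"):
    """Summarise what the file would launch and how it disguises itself."""
    section, entries = parse_autorun(text)
    report = {"launch": [], "lure_action": False, "irregular_case": []}
    if section is None:
        return report
    if irregular_case(section):
        report["irregular_case"].append(section)
    for key, value in entries:
        low = key.lower()
        is_shell = SHELL_COMMAND.fullmatch(key) is not None
        if not is_shell and irregular_case(key):
            report["irregular_case"].append(key)
        if low in LAUNCH_KEYS or is_shell:
            target = command_target(value)
            report["launch"].append((key, value, resolve(target, drive)))
        if low == "action" and value.lower() == LURE_ACTION:
            report["lure_action"] = True
    return report


if __name__ == "__main__":
    for key, command, path in triage(SAMPLE)["launch"]:
        print(f"{key} would start {path}")
```

A scanner that matched `ShellExecute` or `[autorun]` case-sensitively would report nothing for this file, which is why the parser lowercases names before comparing them.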

Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 4:40 pm

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/21/2009 11:38:16 AM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
F: {7182f0f3-37d9-11de-a3d1-806d6172696f}
C: {7182f0f7-37d9-11de-a3d1-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 7182f0f7-37d9-11de-a3d1-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

Blocked file found: F:\autorun.inf.blocked
----------------------------------------
Content of F:\autorun.inf.blocked
----------------------------------------
[autorUN]
action=Open folder to view files
ShELLExEcUtE=cINdy.Exe
iCOn=syStEMRoOT%\SYsTeM32\sHElL32.dll,4
USEaUToplAy=1
----------------------------------------

No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 7182f0f3-37d9-11de-a3d1-806d6172696f
----------------------------------------
Desktop.ini found at F:\$RECYCLE.BIN\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at F:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
7182f0f3-37d9-11de-a3d1-806d6172696f
Drive letter for GUID: F:
SectionStart = 0
SectionEnd = 3
Delete: F:\autorun.inf.blocked > Done!
Delete: F:\cINdy.Exe > File does not exist!
----------------------------------------
Protect F:
----------------------------------------
FAT32 root: autorun.inf found. Doing magic...
Magic is done
----------------------------------------

7182f0f7-37d9-11de-a3d1-806d6172696f
Drive letter for GUID: C:
SectionStart = 4
SectionEnd = 5
----------------------------------------
Protect C:
----------------------------------------
Unsupported file system: NTFS
----------------------------------------


Re: I have virus called "cindy.exe" I can't access my external drive

Post by Belahzur on Sun Jun 21, 2009 4:44 pm

Okay, the autorun infection is gone. Your drive icon should be back to normal and you now have access to it again. I want to run one more scan to make sure there's no more malware left sitting on your machine.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 4:49 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/3/2009 12:30:30 PM
System Uptime: 6/21/2009 5:11:46 AM (6 hours ago)

Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | Microprocessor | 1595/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 73 GiB total, 47.979 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (FAT32) - 149 GiB total, 68.894 GiB free.
G: is CDROM ()
H: is CDROM ()
I: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 5/3/2009 1:01:20 PM - Installed Digital Media Feature Pack for Windows Media Center 2005
RP2: 5/3/2009 1:03:52 PM - Installed Sonic Encoders
RP3: 5/3/2009 1:06:35 PM - Installed Windows Media Player 10 KB903157.
RP4: 5/3/2009 1:06:55 PM - Installed Windows XP KB891593.
RP5: 5/3/2009 1:07:05 PM - Installed Windows XP KB895961.
RP6: 5/3/2009 1:07:16 PM - Installed Windows XP KB899337.
RP7: 5/3/2009 1:07:27 PM - Installed Windows XP KB912812.
RP8: 5/3/2009 1:07:42 PM - Installed Windows XP KB899510.
RP9: 5/3/2009 1:07:54 PM - Installed Windows XP KB888795.
RP10: 5/3/2009 1:08:07 PM - Installed Windows XP KB902841.
RP11: 5/3/2009 1:09:30 PM - Installed Windows XP Media Center Edition 2005 Update Rollup 2.
RP12: 5/3/2009 1:17:51 PM - Installed Dell Resource CD
RP13: 5/3/2009 1:19:17 PM - Installed Windows XP KB835221WXP.
RP14: 5/3/2009 1:19:48 PM - Installed SigmaTel Audio
RP15: 5/3/2009 1:23:50 PM - Installed Broadcom 440x 10/100 Integrated Controller
RP16: 5/3/2009 1:27:14 PM - Installed J2SE Runtime Environment 5.0 Update 6
RP17: 5/3/2009 1:28:47 PM - Installed Dell System Software
RP18: 5/3/2009 1:28:50 PM - Installed Notebook System Software
RP19: 5/3/2009 1:29:00 PM - Installed Windows XP KB908673.
RP20: 5/3/2009 1:29:08 PM - Installed Windows XP KB914642.
RP21: 5/3/2009 1:29:16 PM - Installed Windows XP KB885855.
RP22: 5/3/2009 1:29:26 PM - Installed Windows XP KB896256.
RP23: 5/3/2009 1:30:37 PM - Installed QuickSet
RP24: 5/3/2009 1:31:15 PM - Installed Modem Helper
RP25: 5/3/2009 1:52:11 PM - Installed Windows Media Player 11
RP26: 5/3/2009 1:52:31 PM - Installed Windows XP Media Center Edition 2005 KB925766.
RP27: 5/3/2009 1:52:52 PM - Installed Windows XP Wudf01000.
RP28: 5/3/2009 1:54:18 PM - Installed Windows XP MSCompPackV1.
RP29: 5/3/2009 1:54:28 PM - Installed Windows XP KB926239.
RP30: 5/3/2009 2:01:06 PM - Software Distribution Service 3.0
RP31: 5/3/2009 3:58:07 PM - Installed Java(TM) 6 Update 13
RP32: 5/3/2009 4:08:07 PM - Software Distribution Service 3.0
RP33: 5/3/2009 4:15:35 PM - Software Distribution Service 3.0
RP34: 5/3/2009 5:17:55 PM - Installed Digital Line Detect
RP35: 5/3/2009 5:46:06 PM - Installed Adobe Reader 9.1.
RP36: 5/3/2009 6:11:44 PM - Software Distribution Service 3.0
RP37: 5/3/2009 8:32:33 PM - Installed QuickTime
RP38: 5/3/2009 9:23:16 PM - Avira AntiVir Personal - 5/3/2009 21:23
RP39: 5/5/2009 3:00:17 AM - Software Distribution Service 3.0
RP40: 5/5/2009 6:13:44 PM - SPTD setup V1.56
RP41: 5/5/2009 8:14:05 PM - Installed Zero G InstallAnywhere.NET
RP42: 5/5/2009 8:20:38 PM - Removed Zero G InstallAnywhere.NET
RP43: 5/6/2009 9:11:51 PM - System Checkpoint
RP44: 5/7/2009 10:07:20 PM - System Checkpoint
RP45: 5/8/2009 9:51:57 PM - Installed Microsoft Office Basic Edition 2003
RP46: 5/8/2009 10:58:59 PM - Installed Global Trading System Pro
RP47: 5/8/2009 11:06:31 PM - Software Distribution Service 3.0
RP48: 5/10/2009 12:03:36 AM - System Checkpoint
RP49: 5/10/2009 3:00:32 AM - Software Distribution Service 3.0
RP50: 5/11/2009 5:45:50 PM - System Checkpoint
RP51: 5/12/2009 7:51:15 PM - System Checkpoint
RP52: 5/13/2009 3:00:16 AM - Software Distribution Service 3.0
RP53: 5/14/2009 3:05:21 AM - System Checkpoint
RP54: 5/15/2009 4:58:36 AM - System Checkpoint
RP55: 5/15/2009 12:26:51 PM - Installed Keyword Elite
RP56: 5/15/2009 12:34:51 PM - Removed Keyword Elite
RP57: 5/15/2009 12:35:31 PM - Installed Keyword Elite
RP58: 5/16/2009 12:57:30 PM - System Checkpoint
RP59: 5/18/2009 6:06:56 AM - System Checkpoint
RP60: 5/19/2009 6:57:57 AM - System Checkpoint
RP61: 5/20/2009 5:10:35 PM - System Checkpoint
RP62: 5/21/2009 5:38:33 PM - System Checkpoint
RP63: 5/22/2009 6:44:04 PM - System Checkpoint
RP64: 5/23/2009 7:38:37 PM - System Checkpoint
RP65: 5/24/2009 10:40:04 PM - System Checkpoint
RP66: 5/25/2009 11:19:14 PM - System Checkpoint
RP67: 5/27/2009 12:14:18 AM - System Checkpoint
RP68: 5/28/2009 12:38:18 AM - System Checkpoint
RP69: 5/29/2009 1:38:15 AM - System Checkpoint
RP70: 5/30/2009 1:59:39 AM - System Checkpoint
RP71: 5/31/2009 3:11:37 AM - System Checkpoint
RP72: 5/31/2009 10:45:41 PM - Software Distribution Service 3.0
RP73: 6/1/2009 12:24:41 AM - Restore Operation
RP74: 6/2/2009 2:10:44 AM - System Checkpoint
RP75: 6/3/2009 2:53:41 AM - System Checkpoint
RP76: 6/4/2009 3:53:42 AM - System Checkpoint
RP77: 6/5/2009 4:56:46 AM - System Checkpoint
RP78: 6/6/2009 4:58:51 AM - System Checkpoint
RP79: 6/7/2009 10:17:13 AM - System Checkpoint
RP80: 6/8/2009 2:29:31 PM - System Checkpoint
RP81: 6/9/2009 6:32:03 PM - System Checkpoint
RP82: 6/10/2009 6:40:12 PM - System Checkpoint
RP83: 6/11/2009 3:00:30 AM - Software Distribution Service 3.0
RP84: 6/12/2009 3:56:06 AM - System Checkpoint
RP85: 6/12/2009 3:43:59 PM - Removed Global Trading System Pro
RP86: 6/12/2009 3:44:18 PM - Removed Keyword Elite
RP87: 6/13/2009 3:48:27 PM - System Checkpoint
RP88: 6/14/2009 3:53:24 PM - System Checkpoint
RP89: 6/15/2009 4:31:21 PM - System Checkpoint
RP90: 6/16/2009 5:03:34 PM - System Checkpoint
RP91: 6/17/2009 5:30:31 PM - System Checkpoint
RP92: 6/18/2009 5:30:54 PM - System Checkpoint
RP93: 6/19/2009 6:10:59 PM - System Checkpoint
RP94: 6/20/2009 10:26:40 PM - System Checkpoint
RP95: 6/21/2009 2:37:04 AM - Restore Operation

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Media Player
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.1.1
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AM Browser version 2.0.1
Apple Software Update
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Broadcom 440x 10/100 Integrated Controller
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
DAEMON Tools Toolbar
Dell Resource CD
Dell Wireless WLAN Card
Digital Line Detect
DivX Codec
DivX Player
DivX Version Checker
DivX Web Player
gBurner
GOGInstaller
Google Toolbar for Internet Explorer
Hermes
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Interbank FX Trader 4 4.00
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Magic ISO Maker v5.5 (build 0273)
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
MediaCodec 1.70
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Basic Edition 2003
Microsoft Report Viewer Redistributable 2005
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
Mozilla Firefox (3.0.11)
Notepad++
Otto
PDF Settings
PowerISO
QuickSet
QuickTime
Safari
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SigmaTel Audio
Sonic Encoders
UltraISO Premium V9.33
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.762
Vuze
Vuze Toolbar
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
XAMPP 1.7.1
Zend Studio for Eclipse - 6.1.2
ZendGuard-4.0.1

==== Event Viewer Messages From Past Week ========

6/21/2009 11:29:04 AM, error: Service Control Manager [7000] - The ASKUpgrade service failed to start due to the following error: The system cannot find the file specified.
6/21/2009 11:28:58 AM, error: Service Control Manager [7000] - The ASKService service failed to start due to the following error: The system cannot find the file specified.
6/21/2009 11:28:04 AM, error: Service Control Manager [7031] - The ASKUpgrade service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/21/2009 11:27:58 AM, error: Service Control Manager [7031] - The ASKService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/20/2009 6:58:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
6/14/2009 11:04:35 AM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library Kingston DataTraveler 2.0 USB Device.

==== End Of File ===========================


Re: I have virus called "cindy.exe" I can't access my external drive

Post by Belahzur on Sun Jun 21, 2009 4:50 pm

Hello.
Wrong log, I need to see DDS.txt too.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 13
    Vuze
    Vuze Toolbar

Please post DDS.txt.



Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 5:32 pm

OK, I uninstalled the programs above, but Vuze will not uninstall because of Java. I did it in the order you posted.

Below is the dds.txt:


DDS (Ver_09-05-14.01) - NTFSx86
Run by DeWayne at 11:47:37.26 on Sun 06/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.633 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\MediaCodec\MediaCodec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\AM Browser\AM Browser.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\DeWayne\Desktop\usbnorisk.exe
C:\Documents and Settings\DeWayne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - c:\progra~1\zend\zendst~1.2\toolbars\ZENDIE~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [MediaCodec] c:\program files\mediacodec\MediaCodec.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\dewayne\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Zend Studio - Debug current page - c:\program files\zend\zend studio for eclipse - 6.1.2\toolbars\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\program files\zend\zend studio for eclipse - 6.1.2\toolbars\ZendIEToolbar.dll/DebugNext.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {95188727-288F-4581-A48D-EAB3BD027314} - c:\progra~1\zend\zendst~1.2\toolbars\ZENDIE~1.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dewayne\applic~1\mozilla\firefox\profiles\ujm190ih.default\
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-5-3 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-5-3 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-5-3 151297]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-5-3 52056]
S2 ASKService;ASKService;c:\program files\askbardis\bar\bin\askservice.exe --> c:\program files\askbardis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\askupgrade.exe --> c:\program files\askbardis\bar\bin\ASKUpgrade.exe [?]

=============== Created Last 30 ================

2009-06-21 11:30 --d----- C:\USBNoRisk
2009-06-21 00:25 --d----- c:\program files\gBurner
2009-06-20 21:13 --d----- c:\docume~1\dewayne\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-20 18:38 --d----- c:\docume~1\dewayne\applic~1\Malwarebytes
2009-06-20 18:38 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-20 18:38 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-20 18:38 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 18:38 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-14 02:15 --d----- c:\windows\pss
2009-06-12 18:50 --d----- C:\Files
2009-06-12 18:10 --d----- C:\xampp
2009-06-12 17:29 --d----- C:\foo
2009-06-10 16:42 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 16:42 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-10 16:42 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-06-10 16:42 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-06-05 12:14 --d----- c:\windows\system32\NtmsData
2009-06-01 02:07 --d----- c:\program files\common files\EZB Systems
2009-06-01 02:07 --d----- c:\program files\UltraISO
2009-06-01 00:25 --d----- c:\windows\system32\wbem\Repository
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 18:13 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-05-03 16:31 87,747 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-03 15:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-03 13:29 5 a------- c:\windows\system32\drivers\DELL_XPS_MM061 .MRK
2009-05-03 13:29 5 a------- c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK
2009-05-03 12:21 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:25 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-15 15:25 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-04-15 15:25 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-04-15 15:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-15 15:24 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-04-15 15:24 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-04-15 15:24 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-04-15 15:24 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-04-15 15:24 684,032 a------- c:\windows\system32\DivX.dll
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 11:47:54.75 ===============


Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 6:09 pm

I was wondering if we were done? The drive is accessible once again just from double-clicking on it; now that is normal.

But don't I need Java to run certain apps and webpages? Can I re-install them?

Also, this problem must exist on my external drive, right? I say this because I tried to access it on another computer with a brand new XP installation, and the same thing happened.

Well, I will wait for your reply.


Re: I have virus called "cindy.exe" I can't access my external drive

Post by Belahzur on Sun Jun 21, 2009 6:29 pm

Hello.
Java is used to run stuff on webpages, but the Java you have is old now, and that's why I want to uninstall it. We'll install the newest version soon though.

Please download Revo Uninstaller from here: [You must be registered and logged in to see this link.]

  1. Download and run the setup file for Revo Uninstaller.
  2. Once set up, run Revo Uninstaller.

    Look through the list of programs and see if any programs I listed can be removed.
    To uninstall something, highlight it by clicking on it only ONCE!!.

  3. Then hit the "Uninstall" button at the top.
  4. Close Revo Uninstaller.

Let me know if Vuze/Java have been removed via Revo.



Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 6:32 pm

One more thing: I tried to put a file that is 5 GB on the external, but it says that there is not enough space on it.

I have 48 GB that I know is freed up; I wonder what this could be?


Re: I have virus called "cindy.exe" I can't access my external drive

Post by Belahzur on Sun Jun 21, 2009 6:38 pm

Hello.
That's because your external is formatted as FAT32, and USBNoRisk showed me that too.

FAT32 has size limitations; you can't transfer anything over 4GB to FAT32. If you want to do that, the drive has to be formatted to NTFS.



Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 6:42 pm

No, the program did not install; it still needs Java to uninstall.

Here's the message below.

No JVM.
Please define EXE4J_JAVA_HOME
to point to an install 32-bit JDK or JRE or download a JRE from [You must be registered and logged in to see this link.]


Would formatting the drive erase everything on it?


Re: I have virus called "cindy.exe" I can't access my external drive

Post by fendy3 on Sun Jun 21, 2009 6:47 pm

I ran the program again, and this time around it deleted it.

