windows explorer error (virus unknown)


Post by TobolaRJ on 11th July 2009, 9:39 pm

Every time I start Windows I get a Windows Explorer error asking if I want to send the error to Microsoft. My wireless internet won't work on the computer; I can't even search for the signal. I have Malwarebytes' Anti-Malware, but it won't let me start it. Symantec AntiVirus does not come up with anything, and it keeps disabling the auto-protect. The computer runs extremely slowly; if you need any more info, please let me know.

TobolaRJ, Novice
Posts: 20
Joined: 2009-06-05
OS: xp
Points: 27444
Likes: 0


Re: windows explorer error (virus unknown)

Post by Belahzur on 11th July 2009, 11:04 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1


Re: windows explorer error (virus unknown)

Post by TobolaRJ on 12th July 2009, 1:50 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:13 PM, on 7/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\br_funcs.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR .exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray .exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ThinkVantage\AMSG\Amsg .exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG .exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\ThinkVantage Fingerprint Software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg .exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ihaupd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 12898 bytes


Re: windows explorer error (virus unknown)

Post by Belahzur on 12th July 2009, 4:21 pm

Hello.

These services need resetting back to their default value.

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

Please download this fix tool from [You must be registered and logged in to see this link.].

Double-click it to run it.
Allow it to run if protection programs stop it; it will open, then vanish quickly.
The services should now be back to their default value and no longer appear in HijackThis.

Next,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - Startup: ihaupd32.exe


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.




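A defender-side triage pass over the HijackThis log format used in this thread, written as an added example (not code from the thread or from HijackThis): it flags the items the replies above act on, namely O23 services with "Unknown owner" and no image file (the BITS and wuauserv entries reset to defaults), the bare O4 Startup entry ihaupd32.exe (the line fixed above), and executables whose name differs from a legitimate one only by a space before the extension, as in the SynTPLpr.exe / "SynTPLpr .exe" pair in the posted process list. The sample lines are constructed from the posted log and the rule names are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the HijackThis v2 log posted above:
# a few of its lines, not the whole log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray .exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg .exe
O4 - Startup: ihaupd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
"""

# "O4 - ...", "O23 - ...", "R1 - ..." lines carry a section tag; the bare
# paths under "Running processes:" do not.
SECTION_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# Whitespace between a file's stem and its extension ("SynTPLpr .exe").
SPACED_EXT_RE = re.compile(r"\S[ \t]+\.(exe|dll|sys)\b", re.IGNORECASE)
# A Startup-folder entry that is a bare executable name: no folder, no .lnk.
BARE_STARTUP_RE = re.compile(r"^(?:Global )?Startup: [^\\/]+\.exe$", re.IGNORECASE)


def normalise(path):
    """Drop the whitespace before the extension and lower-case the path, so a
    lookalike such as 'SynTPLpr .exe' compares equal to 'syntplpr.exe'."""
    return re.sub(r"[ \t]+(\.\w+)$", r"\1", path.strip()).lower()


def triage(log_text):
    """Return a list of (rule, line) findings over one HijackThis log."""
    findings = []
    processes = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        match = SECTION_RE.match(line)
        if match is None:
            if in_processes:
                processes.append(line)
            continue
        section, body = match.groups()
        if section == "O23":
            # Body is "Service: <name> - <owner> - <image path>". The reply
            # above resets BITS and wuauserv because their image path has
            # collapsed to a bare C:\WINDOWS\ (on XP both normally run inside
            # svchost.exe), so flag unknown-owner services with no image file.
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner" and parts[2].endswith("\\"):
                findings.append(("service-image-missing", line))
        elif section == "O4":
            # ihaupd32.exe in the user's Startup folder is the entry fixed above.
            if BARE_STARTUP_RE.match(body):
                findings.append(("bare-startup-exe", line))
            if SPACED_EXT_RE.search(body):
                findings.append(("space-before-extension", line))
    # A process name with a space before ".exe" is worth a look on its own;
    # when the same path without the space is also running (SynTPLpr.exe next
    # to "SynTPLpr .exe" in the posted list) it is a lookalike twin.
    normal = {p.lower() for p in processes if not SPACED_EXT_RE.search(p)}
    for proc in processes:
        if SPACED_EXT_RE.search(proc):
            rule = "lookalike-process-twin" if normalise(proc) in normal else "space-before-extension"
            findings.append((rule, proc))
    return findings


def summarise(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rule, line in hits:
        print(f"{rule:24} {line}")
    print(dict(summarise(hits)))
```

Run it directly to print the findings; any HijackThis log text can be passed to triage() in place of the sample.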

Re: windows explorer error (virus unknown)

Post by TobolaRJ on 12th July 2009, 9:15 pm

I ran the WUS Fix as you said, but the two O23 errors are still showing up in HijackThis. I went ahead and got rid of the O4 error and ran MBAM; this is the log that I received from that.

Malwarebytes' Anti-Malware 1.37
Database version: 2232
Windows 5.1.2600 Service Pack 3

7/12/2009 5:07:17 PM
mbam-log-2009-07-12 (17-07-17).txt

Scan type: Quick Scan
Objects scanned: 97349
Time elapsed: 25 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: windows explorer error (virus unknown)

Post by Belahzur on 12th July 2009, 11:08 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Symantec)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: windows explorer error (virus unknown)

Post by TobolaRJ on 13th July 2009, 3:35 am

When I try to run ComboFix, an error pops up and says "You cannon rename ComboFix as Combo-Fix Please use another name, preferbaly made up of alphanumeric characters"; the misspelling of preferably is also in the error.


Re: windows explorer error (virus unknown)

Post by Belahzur on 13th July 2009, 3:35 pm

Okay, download it as normal, don't rename it.
See if it will run without renaming.





Re: windows explorer error (virus unknown)

Post by TobolaRJ on 13th July 2009, 6:34 pm

Here is the combofix log:

ComboFix 09-07-12.03 - Bert 07/13/2009 13:58.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1496 [GMT -4:00]
Running from: c:\documents and settings\Bert\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1271802787
C:\ckxd.exe
c:\documents and settings\Bert\Application Data\bcrypt.html
c:\documents and settings\Bert\Application Data\inst.exe
c:\documents and settings\Bert\Application Data\wiaservg.log
C:\furvsh.exe
C:\illhtee.exe
c:\program files\sFX
c:\program files\sFX\SfX.DlL
c:\program files\sFX\sfX.sYs
c:\recycler\S-1-5-21-1887189875-1930722247-846540127-0823
c:\recycler\S-1-5-21-2440502639-6991348421-395431157-7447
c:\recycler\S-1-5-21-2657316957-2347121408-283879683-8354
c:\recycler\S-1-5-21-2768927337-0106278838-176513052-7975
c:\recycler\S-1-5-21-3509647087-8148213732-197159457-5068
c:\recycler\S-1-5-21-3678172678-4599374395-509857132-6852
c:\recycler\S-1-5-21-4003669074-0319550211-807465122-4285
c:\recycler\S-1-5-21-4671869118-6660810675-655296484-8889
c:\recycler\S-1-5-21-7751016635-5121308491-994758174-9718
c:\recycler\S-1-5-21-7751016635-5121308491-994758174-9718\Desktop.ini
c:\recycler\S-1-5-21-7751016635-5121308491-994758174-9718\wnzip32.exe
c:\recycler\S-1-5-21-8186717818-7312877287-686574310-6030
c:\recycler\S-1-5-21-8432899113-2300129329-500851121-8501
C:\stfqqym.exe
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465752.dat
c:\windows\system32\ctfmon.exe.tmp
c:\windows\system32\drivers\87b5fceb.sys
c:\windows\system32\wbem\proquota.exe
F:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sfx
-------\Legacy_sfxdrv
-------\Service_87b5fceb
-------\Service_sfx
-------\Service_sfxdrv


((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-13 18:13 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-13 18:13 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-12 01:42 . 2009-07-12 01:42 -------- d-----w- c:\program files\Trend Micro
2009-07-10 13:33 . 2009-07-10 13:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Lenovo
2009-07-10 04:26 . 2009-07-10 04:26 15360 ---ha-w- c:\windows\pp10 .exe
2009-07-10 04:26 . 2009-07-10 04:26 25600 ----a-w- C:\ciuge.exe
2009-07-10 04:26 . 2009-07-10 04:26 33280 ----a-w- c:\documents and settings\Bert\reader_s .exe
2009-07-10 04:26 . 2009-07-10 04:26 33280 ----a-w- c:\windows\system32\reader_s .exe
2009-07-10 04:26 . 2009-07-10 04:26 201016 ----a-w- C:\lkrpk.exe
2009-07-10 04:25 . 2009-07-10 04:25 26112 ----a-w- c:\windows\ld12 .exe
2009-07-09 02:19 . 2009-07-09 05:35 -------- d-----w- c:\documents and settings\Bert\Application Data\Apple Computer
2009-07-09 02:19 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-09 02:19 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-09 02:19 . 2009-07-09 02:19 -------- d-----w- c:\program files\iPod
2009-07-09 02:04 . 2009-07-09 02:06 -------- d-----w- c:\documents and settings\Bert\Local Settings\Application Data\Adobe
2009-07-09 01:58 . 2009-07-09 01:58 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-06 12:41 . 2009-07-06 12:41 -------- d-----w- c:\documents and settings\Tobola\Local Settings\Application Data\Ahead
2009-07-04 20:40 . 2009-07-04 20:40 -------- d--h--w- c:\windows\PIF
2009-07-04 19:32 . 2009-07-12 01:39 -------- d-----w- c:\documents and settings\Bert\Application Data\uTorrent
2009-07-03 22:55 . 2009-07-13 17:53 -------- d-----w- c:\program files\PeerGuardian2
2009-06-17 13:20 . 2009-06-17 13:20 -------- d-----w- c:\documents and settings\Bert\Local Settings\Application Data\Help
2009-06-16 14:33 . 2009-06-16 14:33 -------- d-----w- c:\documents and settings\Bert\Application Data\Sonic
2009-06-16 14:32 . 2009-06-16 14:32 -------- d-----w- c:\documents and settings\Bert\Application Data\Leadertech
2009-06-16 00:55 . 2009-06-17 13:20 -------- d-----w- c:\program files\CDisplay
2009-06-15 00:28 . 2009-06-15 00:28 -------- d-----w- c:\documents and settings\Bert\Local Settings\Application Data\Identities
2009-06-15 00:20 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-15 00:20 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-15 00:20 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-06-15 00:20 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-06-14 22:08 . 2009-07-10 01:48 -------- d-s---w- C:\Combo-Fix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 03:19 . 2009-05-17 15:37 -------- d-----w- c:\program files\Symantec Client Security
2009-07-13 03:13 . 2009-05-17 15:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-13 03:13 . 2009-05-17 15:38 -------- d-----w- c:\program files\Symantec
2009-07-13 03:13 . 2009-05-17 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-13 03:07 . 2009-05-17 15:43 40 ----a-w- c:\windows\system32\profile.dat
2009-07-12 04:03 . 2009-05-17 15:44 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-07-09 19:50 . 2009-06-04 03:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-09 05:31 . 2009-07-09 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-09 02:19 . 2009-07-09 02:19 -------- d-----w- c:\program files\iTunes
2009-07-09 02:19 . 2009-07-09 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-09 02:18 . 2009-07-09 02:18 -------- d-----w- c:\program files\Bonjour
2009-07-09 02:18 . 2009-07-09 02:18 -------- d-----w- c:\program files\QuickTime
2009-07-09 02:18 . 2009-07-09 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-09 02:17 . 2009-07-09 02:17 -------- d-----w- c:\program files\Apple Software Update
2009-07-09 02:17 . 2009-07-09 02:17 -------- d-----w- c:\program files\Common Files\Apple
2009-06-07 22:55 . 2009-06-07 22:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 15:42 . 2009-07-09 02:17 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 15:42 . 2009-07-09 02:17 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 02:02 . 2009-06-05 02:02 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-04 03:07 . 2009-06-04 03:06 -------- d-----w- c:\documents and settings\Bert\Application Data\Vso
2009-06-04 03:06 . 2009-06-04 03:06 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-04 03:06 . 2009-06-04 03:06 47360 ----a-w- c:\documents and settings\Bert\Application Data\pcouffin.sys
2009-06-04 03:06 . 2009-06-04 03:06 47360 ----a-w- c:\documents and settings\Bert\Application Data\pcouffin.sys
2009-06-04 03:06 . 2009-06-04 03:06 -------- d-----w- c:\program files\VSO
2009-06-04 03:06 . 2009-06-04 03:06 -------- d-----w- c:\program files\Burning Software
2009-05-28 22:58 . 2009-05-17 22:00 35104 ----a-w- c:\documents and settings\Bert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 22:56 . 2009-05-28 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-05-28 22:43 . 2009-05-28 22:43 -------- d-----w- c:\program files\Common Files\LightScribe
2009-05-28 22:42 . 2009-05-28 22:42 -------- d-----w- c:\documents and settings\Bert\Application Data\Ahead
2009-05-28 22:41 . 2009-05-28 22:37 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-28 22:37 . 2009-05-28 22:37 -------- d-----w- c:\program files\Nero
2009-05-28 22:37 . 2009-05-28 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-05-28 02:20 . 2009-05-28 02:20 -------- d-----w- c:\program files\Games
2009-05-26 17:20 . 2009-05-17 16:07 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-05-17 16:07 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 06:01 . 2009-05-22 06:01 -------- d-----w- c:\documents and settings\Bert\Application Data\Media Player Classic
2009-05-22 06:00 . 2009-05-18 00:04 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-21 10:00 . 2009-05-21 10:00 -------- d-----w- c:\documents and settings\Bert\Application Data\InterVideo
2009-05-21 02:01 . 2009-05-21 02:01 127877 ----a-w- c:\documents and settings\Bert\Application Data\Move Networks\uninstall.exe
2009-05-21 02:01 . 2009-05-21 02:01 -------- d-----w- c:\documents and settings\Bert\Application Data\Move Networks
2009-05-21 02:01 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Bert\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-18 02:38 . 2009-05-18 02:38 -------- d-----w- c:\program files\7-Zip
2009-05-18 00:02 . 2009-05-17 15:31 -------- d-----w- c:\program files\Windows Media Connect
2009-05-17 22:00 . 2009-05-17 22:00 137 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\fusioncache.dat
2009-05-17 22:00 . 2009-05-17 16:00 127 ----a-w- c:\documents and settings\Bert\Local Settings\Application Data\fusioncache.dat
2009-05-17 21:38 . 2009-05-17 21:38 -------- d-----w- c:\program files\MSXML 4.0
2009-05-17 20:49 . 2004-08-09 17:54 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-17 16:07 . 2009-05-17 16:07 -------- d-----w- c:\documents and settings\Bert\Application Data\Malwarebytes
2009-05-17 16:07 . 2009-05-17 16:07 -------- d-----w- c:\program files\Anti-Virus
2009-05-17 16:07 . 2009-05-17 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 16:03 . 2009-05-17 16:03 -------- d-----w- c:\documents and settings\Bert\Application Data\Intel
2009-05-17 16:00 . 2009-05-17 16:00 47 ----a-w- c:\windows\system32\drivers\IBM_2529_RCU.MRK
2009-05-17 15:55 . 2009-05-24 05:20 -------- d-----w- c:\documents and settings\Tobola\Application Data\ThinkVantage
2009-05-17 15:55 . 2009-05-17 16:00 -------- d-----w- c:\documents and settings\Bert\Application Data\ThinkVantage
2009-05-17 15:55 . 2009-05-17 15:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\ThinkVantage
2009-05-17 15:45 . 2009-05-17 15:45 -------- d-----w- c:\program files\Diskeeper Corporation
2009-05-17 15:44 . 2009-05-17 15:44 -------- d-----w- c:\program files\SMI2
2009-05-17 15:44 . 2009-05-17 15:44 -------- d-----w- c:\program files\TVT SMBus
2009-05-17 15:44 . 2009-05-17 15:44 32256 ----a-w- c:\windows\system32\drivers\psasrv.exe
2009-05-17 15:44 . 2009-05-17 15:44 16256 ----a-w- c:\windows\system32\drivers\psadd.sys
2009-05-17 15:44 . 2009-05-17 15:44 109056 ----a-w- c:\windows\system32\pxinsi64.exe
2009-05-17 15:44 . 2009-05-17 15:44 108544 ----a-w- c:\windows\system32\pxcpyi64.exe
2009-05-17 15:43 . 2009-05-17 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\IBM
2009-05-17 15:43 . 2009-05-17 15:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\Lenovo
2009-05-17 15:41 . 2009-05-17 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-05-17 15:41 . 2009-05-17 15:41 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-05-17 15:41 . 2009-05-17 15:41 -------- d-----w- c:\program files\Sonic
2009-05-17 15:41 . 2009-05-17 15:41 -------- d-----w- c:\program files\Multimedia Center for Think Offerings
2009-05-17 15:40 . 2009-05-17 15:40 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-05-17 15:38 . 2009-05-24 05:20 -------- d-----w- c:\documents and settings\Tobola\Application Data\Symantec
2009-05-17 15:38 . 2009-05-17 16:00 -------- d-----w- c:\documents and settings\Bert\Application Data\Symantec
2009-05-17 15:38 . 2009-05-17 15:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec

Re: windows explorer error (virus unknown)

Post by TobolaRJ on 13th July 2009, 6:34 pm

2009-05-17 15:36 . 2009-05-17 15:36 -------- d-----w- c:\program files\IBM ThinkVantage
2009-05-17 15:35 . 2009-05-17 15:35 -------- d-----w- c:\program files\Common Files\InterVideo
2009-05-17 15:35 . 2009-05-17 15:35 -------- d-----w- c:\program files\InterVideo
2009-05-17 15:34 . 2009-05-17 15:34 -------- d-----w- c:\program files\PC-Doctor for Windows
2009-05-17 15:34 . 2009-05-17 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lenovo
2009-05-17 15:33 . 2009-05-24 05:20 -------- d-----w- c:\documents and settings\Tobola\Application Data\IBM
2009-05-17 15:33 . 2009-05-17 16:00 -------- d-----w- c:\documents and settings\Bert\Application Data\IBM
2009-05-17 15:33 . 2009-05-17 15:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\IBM
2009-05-17 15:33 . 2009-05-17 15:33 -------- d-----w- c:\program files\IBM
2009-05-17 15:32 . 2009-05-17 15:32 -------- d-----w- c:\program files\ThinkVantage
2009-05-17 15:31 . 2009-05-24 05:20 136 ----a-w- c:\documents and settings\Tobola\Local Settings\Application Data\fusioncache.dat
2009-05-17 15:31 . 2009-05-17 15:31 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-05-17 15:27 . 2009-05-17 15:27 -------- d-----w- c:\program files\ATI Technologies
2009-05-17 15:26 . 2009-05-17 15:26 -------- d-----w- c:\program files\Digital Line Detect
2009-05-17 15:26 . 2009-05-17 15:26 -------- d-----w- c:\program files\NetWaiting
2009-05-17 15:26 . 2009-05-17 15:26 -------- d-----w- c:\program files\CONEXANT
2009-05-17 15:26 . 2009-05-17 15:26 -------- d-----w- c:\program files\Analog Devices
2009-05-17 15:26 . 2009-05-17 15:26 0 ---ha-r- c:\windows\system32\drivers\IBM_2529_RCU_TP.MRK
2009-05-17 15:26 . 2009-05-17 15:26 -------- d-----w- c:\program files\Fingerprint Tutorial
2009-05-17 15:22 . 2009-05-17 15:22 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
2009-05-17 15:22 . 2009-05-17 15:22 -------- d-----w- c:\program files\Common Files\Virtual Token
2009-05-17 15:22 . 2009-05-17 15:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-17 15:05 . 2009-05-17 15:05 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-05-17 15:05 . 2009-05-17 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-05-17 15:04 . 2009-05-17 15:04 -------- d-----w- c:\program files\Intel
2009-05-17 15:02 . 2009-05-17 15:02 -------- d-----w- c:\program files\Lenovo
2009-05-17 15:01 . 2009-05-17 15:01 -------- d--h--w- c:\program files\InstallShield Installation Information
.

------- Sigcheck -------

[7] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2009-07-13 25600]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-07-13 25600]
"amsg"="c:\program files\ThinkVantage\AMSG\Amsg .exe" [2005-08-02 475136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2009-07-13 25600]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-13 25600]
"ControlCenter"="c:\program files\ThinkVantage Fingerprint Software\ctlcntr.exe" [2005-07-12 125026]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-07-13 25600]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2009-07-13 25600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-29 344064]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2009-07-13 25600]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2009-07-13 25600]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2009-07-13 25600]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-08-03 1988144]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-07-07 49152]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-09-26 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-07-13 25600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2009-07-13 25600]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-08-10 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-08-10 208896]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-08-12 864256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2009-07-13 25600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-06-23 86016]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-08-02 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-07-12 16:45 109664 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2005-12-16 00:14 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 05:23 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfy

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11108:TCP"= 11108:TCP:BitComet 11108 TCP
"11108:UDP"= 11108:UDP:BitComet 11108 UDP
"8085:TCP"= 8085:TCP:sfx

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [5/17/2009 11:02 AM 59904]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [5/17/2009 11:02 AM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [5/17/2009 11:46 AM 4442]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/2/2005 9:15 PM 13184]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [6/28/2005 11:26 AM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/2/2005 8:47 PM 3968]
R2 SmiHlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [7/12/2005 12:37 PM 3328]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-05-17 08:10]

2009-05-17 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-05-17 00:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-13 14:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\ctfmon.exe182 15360 bytes executable


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(292)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(348)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfy.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
c:\program files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
c:\program files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\IBM ThinkVantage\Common\Logger\logmon.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\ThinkPad\ConnectUtilities\AcMurocHlpr.exe
c:\windows\system32\rundll32.exe
c:\progra~1\ThinkPad\UTILIT~1\ezejmnap .exe
c:\windows\system32\ctfmon.exe182Classes\exefile\shell\open
c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\ThinkPad\Bluetooth Software\BTTray.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\progra~1\THINKV~2\PrdCtr\lpmgr .exe
c:\progra~1\Lenovo\PkgMgr\HOTKEY\tphkmgr .exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Windows Media Player\wmpnscfg .exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-07-13 14:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 18:27

Pre-Run: 10,259,243,008 bytes free
Post-Run: 10,784,980,992 bytes free

358 --- E O F --- 2009-06-15 02:06

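A triage pass over the autostart section of the log above, as an added example that is not part of the original post and not a ComboFix feature. It parses the `"Name"="path" [date size]` lines and reports three things an analyst looks for before reading the rest of the log: entries that share one modification date and byte size (unrelated vendor binaries rarely do), a file name with a space before its extension, and one value name (compared case-insensitively) pointing at two different files. The sample lines are a subset copied from the posted HKCU and HKLM Run keys; the cluster threshold of four members is an arbitrary choice of this example.

```python
import re
from collections import defaultdict

# Autostart lines copied from the ComboFix log posted above (a subset of the
# HKCU and HKLM ...\CurrentVersion\Run keys), used here as sample input.
SAMPLE_LOG = r'''
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2009-07-13 25600]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-07-13 25600]
"amsg"="c:\program files\ThinkVantage\AMSG\Amsg .exe" [2005-08-02 475136]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2009-07-13 25600]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-13 25600]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-07-13 25600]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-29 344064]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2009-07-13 25600]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2009-07-13 25600]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-06-23 86016]
'''

# "Name"="value" [YYYY-MM-DD size]   or   "Name"="file" - full\path [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r'(?:\s+-\s+(?P<alt>.+?))?'
    r'\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$'
)
# A whitespace run immediately before the extension, e.g. "Amsg .exe".
SPACE_BEFORE_EXT = re.compile(r'\S\s+\.[A-Za-z0-9]+$')


def parse_entries(text):
    """Turn the Run-key lines of a ComboFix log into dicts; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({
                'name': m.group('name'),
                'path': m.group('alt') or m.group('value'),
                'date': m.group('date'),
                'size': int(m.group('size')),
            })
    return entries


def find_clusters(entries, min_members=4):
    """Groups of entries sharing one (date, size) pair with at least min_members."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e['date'], e['size'])].append(e)
    return {k: v for k, v in groups.items() if len(v) >= min_members}


def find_spaced_names(entries):
    """Entries whose file name carries a space before the extension."""
    return [e for e in entries if SPACE_BEFORE_EXT.search(e['path'].rsplit('\\', 1)[-1])]


def find_name_collisions(entries):
    """The same value name (case-insensitive) pointing at different files."""
    by_name = defaultdict(set)
    for e in entries:
        by_name[e['name'].lower()].add(e['path'].lower())
    return {n: sorted(p) for n, p in by_name.items() if len(p) > 1}


def triage(text, min_members=4):
    """Run all three heuristics over the log text and return a report dict."""
    entries = parse_entries(text)
    return {
        'clusters': {f'{d} {s} bytes': sorted(e['path'] for e in v)
                     for (d, s), v in find_clusters(entries, min_members).items()},
        'spaced_names': sorted(e['path'] for e in find_spaced_names(entries)),
        'name_collisions': find_name_collisions(entries),
    }


if __name__ == '__main__':
    for heading, items in triage(SAMPLE_LOG).items():
        print(heading)
        rows = items.items() if isinstance(items, dict) else enumerate(items)
        for key, value in rows:
            print('   ', key, value)
```

On these lines the script singles out the seven 25600-byte entries dated 2009-07-13, the `Amsg .exe` name, and the amsg/AMSG pair. They are indicators worth a second look, not proof of a particular malware family; the diagnosis in the reply that follows rests on the full log.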

Re: windows explorer error (virus unknown)

Post by Belahzur on 13th July 2009, 6:40 pm

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, so those files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or a destructive recovery if you have an OEM recovery partition, is the best way to clean the infection, and the safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr file by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see [You must be registered and logged in to see this link.]

Instructions on how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]

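The backup rules in the reply above (copy documents and media, leave out .exe and .scr files, archives that contain them, and the htm/html/asp/php files recent variants modify) turned into a pre-copy check, as an added example that is not part of the original thread. It walks a drive, flags files by extension, opens zip archives to look for executables inside, and excludes cab/rar archives outright because the standard library cannot inspect them (a conservative assumption of this example, not advice from the thread). The sample tree is constructed in a temporary directory; on a real drive, call `classify_tree` with its mount point.

```python
import os
import tempfile
import zipfile

# File types the reply above names as targets of the infector.
INFECTABLE = {'.exe', '.scr', '.htm', '.html', '.asp', '.php'}
# Archive types the reply names; only zip can be opened with the standard library.
INSPECTABLE_ARCHIVES = {'.zip'}
# cab/rar cannot be inspected here, so they are excluded outright (an assumption
# of this example, not a rule from the thread).
OPAQUE_ARCHIVES = {'.cab', '.rar'}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def risky_zip_members(path):
    """Members inside a zip that are infectable, or nested archives we cannot vouch for."""
    risky = []
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                e = _ext(member)
                if e in INFECTABLE or e in INSPECTABLE_ARCHIVES or e in OPAQUE_ARCHIVES:
                    risky.append(member)
    except zipfile.BadZipFile:
        risky.append('<unreadable archive>')
    return risky


def classify_file(path):
    """Return ('COPY' | 'EXCLUDE', reason) for one file on the drive being backed up."""
    e = _ext(path)
    if e in INFECTABLE:
        return 'EXCLUDE', 'infectable extension'
    if e in OPAQUE_ARCHIVES:
        return 'EXCLUDE', 'archive that cannot be inspected'
    if e in INSPECTABLE_ARCHIVES:
        risky = risky_zip_members(path)
        if risky:
            return 'EXCLUDE', 'archive contains ' + ', '.join(risky)
        return 'COPY', 'archive with no executable members'
    return 'COPY', 'data file'


def classify_tree(root):
    """Walk a directory and classify every file; keys are paths relative to root."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            verdicts[rel] = classify_file(full)
    return verdicts


def build_demo_tree(root):
    """Constructed sample tree: documents, media, executables, a web page and archives."""
    plain = {
        'docs/report.txt': b'quarterly numbers',
        'music/song.mp3': b'ID3',
        'video/clip.avi': b'RIFF',
        'setup.exe': b'MZ',
        'saver.scr': b'MZ',
        'site/index.html': b'<html>',
    }
    for rel, data in plain.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, 'tools.zip'), 'w') as zf:
        zf.writestr('readme.txt', 'notes')
        zf.writestr('bin/tool.exe', 'MZ')      # executable hidden inside an archive
    with zipfile.ZipFile(os.path.join(root, 'photos.zip'), 'w') as zf:
        zf.writestr('holiday/1.jpg', 'JFIF')
    open(os.path.join(root, 'old.rar'), 'wb').close()   # empty stand-in for a rar


def run_demo():
    """Build the sample tree in a temporary directory and classify it."""
    root = tempfile.mkdtemp(prefix='backup-check-')
    build_demo_tree(root)
    return classify_tree(root)


if __name__ == '__main__':
    for rel, (verdict, reason) in sorted(run_demo().items()):
        print(f'{verdict:7} {rel:20} {reason}')
```

The list decides what to copy; it does not certify the copies as clean, since the reply notes the infector goes after any .exe or .scr that is accessed, and a backup program reading the drive counts as access. The mp3 and avi files asked about later in the thread fall on the COPY side of this split.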

Re: windows explorer error (virus unknown)

Post by TobolaRJ on 13th July 2009, 7:39 pm

I have been using an external hard drive, switching back and forth. Should I now worry about the other computer? Does it affect avi or mp3 files? Is it OK if I just delete any .exe files that are on my external hard drive, or will I have to clean the whole drive?


Re: windows explorer error (virus unknown)

Post by Origin on 13th July 2009, 9:05 pm

If you backed up some .exe files on your external drive, then yes, you will have to clean the whole drive.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31493
# Likes # Likes : 0


Re: windows explorer error (virus unknown)

Post by TobolaRJ on 13th July 2009, 9:18 pm

Sorry, even the avi files and mp3 files? I never ran any of the exe files on the drive during this time of infection; would it be enough just to delete the exe files themselves? Sorry about the extra questions before I reformat the computer, just trying to be safe.


Re: windows explorer error (virus unknown)

Post by Belahzur on 13th July 2009, 9:21 pm

MP3/avi files are fine.

EVERY exe file, including system files, is infected, which is why deleting won't work and we recommend a format.


Re: windows explorer error (virus unknown)

Post by TobolaRJ on 13th July 2009, 9:26 pm

What about the other computer that I was using when I was switching the hard drive back and forth? Is there a possibility that that computer is clean, or should I go ahead and format that computer also?


Re: windows explorer error (virus unknown)

Post by Belahzur on 13th July 2009, 9:28 pm

The drive should be clean; Virut doesn't have autorun worm-like features. Virut has to be installed by something that someone has run on your machine.

Re: windows explorer error (virus unknown)

Post by TobolaRJ on 13th July 2009, 9:30 pm

Ok thanks a lot guys for all your help, I really appreciate it. Your site is fantastic.
