My CD keeps ejecting itself!!

March 11, 2009 at 17:29:47
Specs: Microsoft Windows XP Professional, 3.194 GHz / 503 MB
My computer has a virus - it keeps ejecting the CD!

About 2 weeks ago, I discovered that my computer had a vicious virus on it, and there was this banner flying around the screen every few seconds saying 'this computer is being attacked'. I googled the virus and apparently it had something to do with the name global.exe.

Anyway, the other problem I had is that the CD keeps ejecting itself whenever I put something in.

Also, administrator controls were disabled.

I tried for almost a week to find out how to get rid of this virus with antivirus (AVG), but it couldn't find the virus and delete it.


I formatted the computer.

It's been about a week now. I transferred some of the files I had on the computer before I formatted.

Whenever I shut down, 'global.exe cannot be initiated due to shutdown' kept coming up. But banners weren't flying around, CDs weren't ejecting and administration rights were fine.

But today when I switched on my computer, the CD ejected itself again.
Then I checked to see if I could use anything in Control Panel, and it didn't work.

I don't see any banners flying around again, but I'm guessing it may somehow appear again soon.

I read somewhere that I could post a 'HijackThis' log file on this forum?

Can someone tell me how to delete this virus, please?

I need to do my homework...

March 13, 2009 at 08:52:51
Your best bet is to post a HijackThis log to this thread. This way we can better help you see if something re-infected your machine from some of the files that were copied back on.

To post a HijackThis log, simply download HijackThis from here. Accept the defaults during installation and it should install into the "C:\Program Files\Trend Micro\HijackThis" folder. Once it is installed, browse to that folder and change the name of the program to Scanit.exe. Now run it and select "Do a system scan and save a log file". Once the scan is complete, copy and paste the output of the log into this thread.

MOS Master Certified
MCP Certified
CCNA Certificate Pending
A+ Certificate Pending

"I have gone to find myself. If I get back before I return, please tell myself to wait." :

March 16, 2009 at 22:24:18
Hey Songcloud!
Thanks for coming back to my thread; I didn't think I'd get a response for ages!

Anyway, sorry for being a little inconvenient, but I downloaded the HijackThis program into my other folder. I didn't rename it Scanit.exe, but I didn't do a system scan, following the steps I found on another website.

Here is my log.

Also, just letting you know, now I'm getting these frequent 'DING!' sounds whenever I turn my speakers on. I remember this happening the last time I had the virus too... it didn't happen yesterday...

It's as if the virus is actually growing inside my computer :S

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:36 PM, on 17/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\new downloaded programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\system\KEYBOARD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - HKLM\..\Policies\Explorer\Run: [sys] C:\WINDOWS\Fonts\Fonts.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Canon LBP3200 ª¬ºAµøµ¡.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) -
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

End of file - 6034 bytes

Thanks again for getting back to me.

Let me know, what can I do? I'm so frustrated.. I need help.

March 20, 2009 at 11:02:58
OK, from what I can see, you are definitely infected.

Please read through these instructions and print them out if needed. If you have any questions, please ask them before starting this procedure. Please do the steps in the order that they are listed for the best results. Also, although it may seem like the infection is cleaned after performing these steps, please stay with me until I let you know that your machine is "all-clear" for best results.

Here is what I need you to do. First of all, download DDS from here and save it to your desktop.

Next, download Malwarebytes' Anti-Malware from here and save the installer to your desktop.

Once you have both of those downloaded, please disable any script blocking program you might have and run DDS.scr. When it is done, DDS will open two (2) logs. They are named DDS.txt and Attach.txt. Please save both reports to your desktop.

Then install and run Malwarebytes. Select Quick Scan and let it scan. Let it clean what it finds and save the log file from there to your desktop as well.

Please copy and paste the contents of the Malwarebytes log and the dds.txt log to this thread. As for the attach.txt log, please send it as an attachment to the email address I have provided for you in the private message that I just sent you.

Once I have a chance to check these logs and see what Malwarebytes cleaned, I will be able to better determine what our next steps will be.

If you have any questions, please let me know.

March 30, 2009 at 03:06:53
Hey Songcloud!!

Thank you so much for replying. Sorry that I have kept you waiting; I haven't had the chance to use my computer because I've been using my mum's laptop instead.

Everything that is important to me, though, is on this computer. It's good people like you, who help for the sake of helping rather than for money, that inspire the rest of us to do the same for others when they need us =D

Here is my DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 20:50:13.90 on Mon 30/03/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.230 [GMT 11:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://
uSearch Page = hxxp://
uSearch Bar = hxxp://
mDefault_Search_URL = hxxp://
uSearchAssistant = hxxp://
uSearchURL,(Default) = hxxp://
mSearchAssistant = hxxp://
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [<NO NAME>] c:\windows\system32\dllcache\Default.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [<NO NAME>] c:\windows\system\KEYBOARD.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRunOnce: [<NO NAME>] c:\windows\system32\dllcache\Default.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [sys] c:\windows\fonts\Fonts.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\canonl~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: RestrictCpl = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: <NO NAME> = 0
uPolicies-disallowrun: 25 = MPBrowser.exe
uPolicies-disallowrun: 12 = forge60.exe
uPolicies-disallowrun: 24 = Forge70.exe
uPolicies-disallowrun: 13 = keygen.exe
uPolicies-disallowrun: 15 = Forge80.exe
uPolicies-disallowrun: 16 = nero.exe
uPolicies-disallowrun: 17 = smartmovie.exe
uPolicies-disallowrun: 18 = wmplayer.exe
uPolicies-disallowrun: 19 = mPhonetools.exe
uPolicies-disallowrun: 20 = videoenc.exe
uPolicies-disallowrun: 21 = smartmovie_sp.exe
uPolicies-disallowrun: 22 = Dr.DivX.exe
uPolicies-disallowrun: 7 = vegas50.exe
uPolicies-disallowrun: 28 = vegas40.exe
uPolicies-disallowrun: 29 = vegas30.exe
uPolicies-disallowrun: 8 = vegas60.exe
uPolicies-disallowrun: 9 = Audition.exe
uPolicies-disallowrun: 23 = WinRAR.exe
uPolicies-disallowrun: 26 = BlueSoleil.exe
uPolicies-disallowrun: 27 = ENCARTA.exe
uPolicies-disallowrun: 30 = Photoshop.exe
uPolicies-disallowrun: 31 = Dreamweaver.exe
uPolicies-disallowrun: 32 = NeatImage.exe
uPolicies-disallowrun: 33 = AudioCommander.exe
uPolicies-disallowrun: 34 = NeroStartSmart.exe
uPolicies-disallowrun: 35 = msiexec.exe
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} - hxxps://
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\fgrchnjh.default\
FF - prefs.js: browser.startup.homepage -

pref(dom.disable_open_during_load, false);
============= SERVICES / DRIVERS ===============

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2007-11-3 41456]
S3 autorun;autorun;C:\huadio.tmp [2009-3-2 5311]

============== File Associations ===============


=============== Created Last 30 ================

2009-03-30 20:45 <DIR> -cdsh--- c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
2009-03-30 20:40 <DIR> --d----- c:\program files\common files\DivX Shared
2009-03-26 14:45 <DIR> --d----- c:\program files\Azureus(4)
2009-03-24 20:31 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-03-24 20:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 20:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 20:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 20:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-17 16:41 <DIR> --d----- C:\downloads
2009-03-17 16:41 <DIR> --d----- c:\docume~1\admini~1\applic~1\GrabPro
2009-03-17 16:40 <DIR> --d----- c:\program files\Orbitdownloader
2009-03-17 01:23 <DIR> --d----- c:\program files\AskBarDis
2009-03-17 01:23 <DIR> --d----- c:\program files\DVDVideoSoft
2009-03-17 01:23 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-03-14 01:57 505,392 a------- c:\windows\system32\msvcp71.dll
2009-03-14 01:57 353,840 a------- c:\windows\system32\msvcr71.dll
2009-03-14 01:40 <DIR> --d----- c:\program files\GRETECH
2009-03-13 23:12 <DIR> --d----- c:\program files\Azureus
2009-03-12 13:39 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-12 13:39 <DIR> --d----- c:\program files\Lavasoft
2009-03-11 20:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-03-11 20:26 <DIR> --d----- c:\docume~1\admini~1\applic~1\Azureus
2009-03-11 19:56 <DIR> --d----- c:\program files\Azureus(2)
2009-03-09 15:17 5,632 a------- c:\windows\system32\ptpusb.dll
2009-03-09 15:17 159,232 a------- c:\windows\system32\ptpusd.dll
2009-03-09 15:17 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-03-09 15:17 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-03-04 19:19 17,728 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2009-03-04 17:05 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-03-04 17:05 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-03-04 16:51 <DIR> --d----- c:\program files\DivX
2009-03-04 14:22 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-03 21:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-03 21:42 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-03 21:41 1,172 a------- c:\windows\mozver.dat
2009-03-03 20:50 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-03 20:50 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-03-03 20:43 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 20:43 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 20:43 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 20:43 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 20:38 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 19:43 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-03-03 19:43 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-03 19:43 <DIR> --d-h--- c:\windows\$hf_mig$
2009-03-03 15:48 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-03 15:48 208,744 a------- c:\windows\system32\muweb.dll
2009-03-03 15:48 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-03 11:03 462,848 a------- c:\windows\system32\ltkrn13n.dll
2009-03-03 11:03 450,560 a------- c:\windows\system32\ltimg13n.dll
2009-03-03 11:03 401,408 a------- c:\windows\system32\lfcmp13n.dll
2009-03-03 11:03 299,008 a------- c:\windows\system32\ltdis13n.dll
2009-03-03 11:03 206,336 a------- c:\windows\system32\ltefx13n.dll
2009-03-03 11:03 163,840 a------- c:\windows\system32\ltfil13n.dll
2009-03-03 11:03 69,632 a------- c:\windows\system32\lfgif13n.dll
2009-03-03 11:03 57,344 a------- c:\windows\system32\lfbmp13n.dll
2009-03-03 10:11 <DIR> --ds---- c:\documents and settings\administrator\UserData
2009-03-03 10:07 14,848 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-03-03 10:07 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-03-03 07:44 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-03-03 07:43 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-03-03 07:43 74,240 a------- c:\windows\system32\usbui.dll
2009-03-03 07:43 5,504 a------- c:\windows\system32\drivers\intelide.sys
2009-03-03 07:43 8,832 a------- c:\windows\system32\drivers\wmiacpi.sys
2009-03-03 07:42 <DIR> --d----- c:\program files\common files\ODBC
2009-03-03 07:42 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-03-03 07:41 66,594 ac------ c:\windows\system32\dllcache\c_857.nls
2009-03-03 07:41 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-03-03 07:40 <DIR> --d----- C:\Documents and Settings
2009-03-03 07:40 261 a------- c:\windows\system32\$winnt$.inf
2009-03-02 22:30 <DIR> --d----- c:\documents and settings\administrator\Tracing
2009-03-02 22:17 <DIR> --d----- c:\program files\Microsoft
2009-03-02 22:16 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-02 22:04 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-02 21:52 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-03-02 20:56 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-03-02 20:56 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-03-02 20:55 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-02 20:54 <DIR> --d----- c:\program files\Online Services
2009-03-02 20:53 <DIR> --d----- c:\program files\Messenger
2009-03-02 20:53 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-03-02 20:53 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-03-05 21:07 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-02 22:06 4,356 ---shr-- c:\windows\cursors\Boom.vbs
2009-03-02 20:54 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-09 21:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 21:19 1,846,272 a------- c:\windows\system32\win32k(2)(3).sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-27 12:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-01-27 12:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-01-27 12:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-01-27 12:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-01-27 12:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-01-27 12:34 684,032 a------- c:\windows\system32\DivX.dll
2008-04-10 09:15 225,280 a--shr-- c:\windows\fonts\Fonts.exe
2008-04-10 09:15 225,280 a--shr-- c:\windows\fonts\tskmgr.exe
2008-04-10 09:15 225,280 a--shr-- c:\windows\media\rndll32.pif
2008-04-10 09:15 225,280 a--shr-- c:\windows\pchealth\Global.exe
2008-04-10 09:15 225,280 a--shr-- c:\windows\pchealth\helpctr\binaries\
2008-04-10 09:15 225,280 a--shr-- c:\windows\system\KEYBOARD.exe
2008-04-10 09:15 225,280 a--shr-- c:\windows\system32\regedit.exe
2008-04-10 09:15 225,280 ac-shr-- c:\windows\system32\dllcache\Default.exe
2008-04-10 09:15 225,280 ac-shr-- c:\windows\system32\dllcache\Global.exe
2008-04-10 09:15 225,280 ac-shr-- c:\windows\system32\dllcache\svchost.exe
2008-04-10 09:15 225,280 -c-shr-- c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\Global.exe
2008-04-10 09:15 225,280 ac-shr-- c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe
2008-04-10 09:15 225,280 a--shr-- c:\windows\system32\drivers\

============= FINISH: 20:50:26.23 ===============

Here is my Malwarebytes log:
Some items could not be removed. The first few are listed below.


Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

30/03/2009 9:02:35 PM
mbam-log-2009-03-30 (21-02-35).txt

Scan type: Quick Scan
Objects scanned: 72511
Time elapsed: 10 minute(s), 5 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
F954E}\svchost.exe (Trojan.Agent) -> Unloaded process successfully.
F954E}\system.exe (Trojan.Agent) -> Unloaded process successfully.
F954E}\Global.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (C:\WINDOWS\pchealth\Global.exe) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
F954E} (Trojan.Agent) -> Delete on reboot.

Files Infected:
F954E}\Global.exe (Trojan.Agent) -> Quarantined and deleted
F954E}\svchost.exe (Trojan.Agent) -> Delete on reboot.
F954E}\system.exe (Trojan.Agent) -> Quarantined and deleted

I will be sending you my attach.txt right now.

Please get back to me when you can.

Also, thanks so much! =)
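
The logs in the post above show the three things a responder reads for: unnamed Run/RunOnce values and auto-started executables sitting in directories like Fonts, cursors, media and the dllcache; the Explorer RestrictCpl and DisallowRun policies, which account for the dead Control Panel and the list of blocked programs; and a cluster of hidden+system files that are all 225,280 bytes with the same timestamp, i.e. one dropper copied under many names (regedit.exe among them, which is why the regfile open command was pointed at Global.exe). The Image File Execution Options entries in the Malwarebytes log are also why the earlier advice was to rename HijackThis to Scanit.exe: a process is blocked by its file name. The Python script below is an added example, not part of this thread, of DDS, HijackThis or Malwarebytes; it parses DDS-style lines and flags those three indicators. The sample log is constructed from lines of the DDS report above, and the "odd directory" list is a heuristic assumption of the example, not something DDS reports.

```python
"""Triage helper for DDS-style log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the DDS log in the thread.
SAMPLE_LOG = r"""
uRunOnce: [<NO NAME>] c:\windows\system32\dllcache\Default.exe
mRun: [<NO NAME>] c:\windows\system\KEYBOARD.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mExplorerRun: [sys] c:\windows\fonts\Fonts.exe
uPolicies-explorer: RestrictCpl = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 13 = keygen.exe
uPolicies-disallowrun: 35 = msiexec.exe
2009-02-09 21:19 1,846,272 a------- c:\windows\system32\win32k.sys
2008-04-10 09:15 225,280 a--shr-- c:\windows\fonts\Fonts.exe
2008-04-10 09:15 225,280 a--shr-- c:\windows\pchealth\Global.exe
2008-04-10 09:15 225,280 a--shr-- c:\windows\system\KEYBOARD.exe
2008-04-10 09:15 225,280 a--shr-- c:\windows\system32\regedit.exe
2008-04-10 09:15 225,280 ac-shr-- c:\windows\system32\dllcache\svchost.exe
"""

# DDS "pseudo HJT" autorun lines: u=HKCU, m=HKLM, d=default user.
AUTORUN_RE = re.compile(r'^([umd])(Run|RunOnce|ExplorerRun): \[(.*?)\] (.*)$')
POLICY_RE = re.compile(r'^uPolicies-explorer: (\w+) = (\d+)')
DISALLOW_RE = re.compile(r'^uPolicies-disallowrun: \d+ = (\S+)')
# "Created Last 30" / "Find3M" file lines: date time size attrs path
FILE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d) ([\d,]+) (\S{8}) (.+)$')

# Heuristic (an assumption of this example): these directories hold fonts,
# cursors, media or the XP file-protection cache, not auto-started programs.
ODD_EXE_DIRS = (
    r'c:\windows\fonts', r'c:\windows\cursors', r'c:\windows\media',
    r'c:\windows\system', r'c:\windows\pchealth',
    r'c:\windows\system32\dllcache',
)


def _parent(path):
    """Lower-cased directory part of a (possibly quoted) Windows path."""
    return path.strip('"').rsplit('\\', 1)[0].lower()


def suspicious_autoruns(log):
    """Autorun entries with a blank value name, an odd home directory,
    or the Policies\\Explorer\\Run key, which legitimate software rarely uses."""
    hits = []
    for line in log.splitlines():
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        hive, key, name, path = m.groups()
        reasons = []
        if name in ('<NO NAME>', ''):
            reasons.append('unnamed value')
        if _parent(path) in ODD_EXE_DIRS:
            reasons.append('executable in ' + _parent(path))
        if key == 'ExplorerRun':
            reasons.append('Policies\\Explorer\\Run key')
        if reasons:
            hits.append({'hive': hive, 'key': key, 'name': name,
                         'path': path.strip('"'), 'reasons': reasons})
    return hits


def explorer_policies(log):
    """Explorer lock-out policies: RestrictCpl hides Control Panel, DisallowRun
    blocks the listed executables by file name."""
    out = {'RestrictCpl': False, 'DisallowRun': False, 'blocked': []}
    for line in log.splitlines():
        m = POLICY_RE.match(line)
        if m and m.group(1) in out:
            out[m.group(1)] = m.group(2) != '0'
        m = DISALLOW_RE.match(line)
        if m:
            out['blocked'].append(m.group(1))
    return out


def file_clusters(log, min_files=3):
    """Hidden+system files grouped by (size, timestamp); a group of several
    identical files under different names is one dropper copied around."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        if 's' in attrs and 'h' in attrs:
            groups[(int(size.replace(',', '')), stamp)].append(path)
    return {k: v for k, v in groups.items() if len(v) >= min_files}


if __name__ == '__main__':
    for hit in suspicious_autoruns(SAMPLE_LOG):
        print('AUTORUN', hit['path'], '-', '; '.join(hit['reasons']))
    print('POLICIES', explorer_policies(SAMPLE_LOG))
    for (size, stamp), paths in file_clusters(SAMPLE_LOG).items():
        print('CLUSTER', size, 'bytes @', stamp, '->', len(paths), 'files')
```

Run against a full DDS report the same three functions pick out the same indicators; anything that lands in a cluster or in the unnamed-autorun list is what the cleanup tools then need to remove, and the DisallowRun list tells you which of your own tools will refuse to start under their normal names.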

March 30, 2009 at 10:01:16
Did you reboot after the Malwarebytes scan was done?

It looks like this one is deeply entrenched in your system. We will have to do some further cleaning to get rid of this one.

April 4, 2009 at 02:30:40
Yeah, I did reboot after the Malwarebytes scan was done.

Is there anything else I can do to clean this up?

Would it help if I used System Restore? Would that make it easier to clean?

I used System Restore once after I sent you the details of my virus because my dad urgently needed to download a Word document (which was disabled as well).

Did that change some of the details of where the virus is?

If it did, would I have to send another list?

April 12, 2009 at 03:07:53
Can anyone help?
I'm still waiting for a response, please..

