Computing.Net > Forums > Security and Virus > Red cross C Drive icon

Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free!

Red cross C Drive icon

Reply to Message Icon
Original Message
Name: nilabh
Date: February 20, 2008 at 22:33:31 Pacific
Subject: Red cross C Drive icon
OS: Windows XP Professional
CPU/Ram: 256MB
Comment:

I have a red cross in front of my C drive and my machine has become really slow.Sometimes icons come on desktop when it starts sometimes it doesnt come.In that case I have to restart the system


Report Offensive Message For Removal


Response Number 1
Name: jabuck
Date: February 21, 2008 at 06:26:45 Pacific
Reply:

Please run the following scans and post the results.

Go to the this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.


Report Offensive Follow Up For Removal

Response Number 2
Name: nilabh
Date: February 21, 2008 at 06:40:38 Pacific
Reply:

Hi jabuck,
Im having red cross infront of my C drive.I went through the procedures which you said.I ran Vundo.Removed all teh files.
Then ran HijackThis.Please see the log file of teh same
**********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:22 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\nilabh\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12e8c553-ea9a-4455-8a68-81aded89160a} - C:\WINDOWS\system32\tvsvevs.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: {e9806956-02e2-4e88-a5f4-641093924e92} - {29e42939-0146-4f5a-88e4-2e206596089e} - C:\WINDOWS\system32\oigwrupf.dll (file missing)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {6FB539C7-D6A0-4DB3-9A5F-31164B482A73} - C:\Program Files\NetMeeting\komexo89104.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E0EA1F31-B58F-47E8-A185-20C52DF9F168} - C:\WINDOWS\system32\ljjjjjk.dll
O2 - BHO: (no name) - {EA51BCB9-9DEF-4AEF-B8A5-4CA52897BFA2} - C:\WINDOWS\system32\geedd.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E471CFB5-48C7-4719-8178-9EB238CC8132}: NameServer = 202.144.13.50,202.144.66.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7327 bytes
***********************************
Then I ran combofix.Please see teh logfile for the same
************************
ComboFix 08-02-20.2 - nilabh 2008-02-20 14:47:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.198 [GMT 5.5:30]
Running from: C:\Documents and Settings\nilabh\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\NetMeeting\komexo89104.dll
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.8\wbuninst.exe
C:\Program Files\web buying\v1.8.8\webbuying.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\ac1
C:\WINDOWS\system32\ac1\liamdll2.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ljjjjjk.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\nGpxx18\nGpxx182328.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tvsvevs.dll
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-20 14:15 . 2008-02-20 14:37 <DIR> d-------- C:\VundoFix Backups
2008-02-15 06:39 . 2008-02-16 16:13 1,235,581 ---hs---- C:\WINDOWS\system32\uqbiexbx.ini
2008-02-13 00:33 . 2008-02-15 06:37 1,235,401 ---hs---- C:\WINDOWS\system32\htwtbfpy.ini
2008-02-12 08:30 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-12 08:30 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-12 08:30 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-10 13:19 . 2008-02-10 13:20 <DIR> d-------- C:\Program Files\MB Free Janam Kundali
2008-02-10 13:19 . 2000-07-17 09:20 185,856 --a------ C:\WINDOWS\system32\Bmp2Jpeg.dll
2008-02-10 13:19 . 1999-05-07 00:00 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-02-09 21:30 . 2008-02-12 00:24 1,221,730 ---hs---- C:\WINDOWS\system32\drebldkw.ini
2008-02-09 02:39 . 2008-02-09 02:39 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-02-09 02:39 . 2008-02-09 02:39 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-02-09 02:15 . 2008-02-09 02:16 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-09 01:51 . 2008-02-09 01:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-09 01:51 . 2008-02-09 02:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-09 01:49 . 2008-02-09 01:58 <DIR> d-------- C:\bb4b4773182ee03a3ba88dae
2008-02-08 21:21 . 2008-02-09 21:22 1,220,890 ---hs---- C:\WINDOWS\system32\xdbmwkwo.ini
2008-02-08 21:16 . 2008-02-09 23:47 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-08 21:16 . 2008-02-08 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-08 21:16 . 2008-02-08 21:16 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-08 21:15 . 2008-02-08 21:17 <DIR> d-------- C:\Program Files\RABCO
2008-02-08 21:13 . 2008-02-08 21:13 <DIR> d-------- C:\WINDOWS\system32\za7
2008-02-08 21:13 . 2008-02-08 21:13 <DIR> d-------- C:\WINDOWS\system32\wd11
2008-02-08 21:13 . 2008-02-09 03:06 <DIR> d-------- C:\WINDOWS\system32\mv3
2008-02-08 21:13 . 2008-02-08 21:13 <DIR> d-------- C:\WINDOWS\system32\kp9
2008-02-08 21:06 . 2008-02-08 21:06 <DIR> d-------- C:\Program Files\LimeWire
2008-02-08 20:51 . 2008-02-13 05:40 <DIR> d-------- C:\Documents and Settings\nilabh\.limewire
2008-02-07 22:33 . 2008-02-08 20:27 <DIR> d-------- C:\Program Files\Sify Broadband
2008-02-07 22:21 . 2008-02-18 23:59 <DIR> d-------- C:\Documents and Settings\nilabh\Application Data\Broadband
2008-02-07 22:21 . 2008-02-10 12:19 300 --a------ C:\deb.sbl
2008-02-07 22:19 . 2008-02-07 22:33 108 --a------ C:\bberror1.sbl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 10:20 --------- d-----w C:\Documents and Settings\nilabh\Application Data\Skype
2008-02-18 09:04 3,137,024 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-16 10:59 1,491,968 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-15 02:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-15 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-13 13:12 2,886,656 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-12 17:52 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-12 02:57 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-12 02:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-12 02:57 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-12 02:57 --------- d-----w C:\Program Files\Symantec
2008-02-09 21:03 --------- d-----w C:\Program Files\DivX
2008-02-08 15:46 278,554 ----a-w C:\WINDOWS\Fonts\Setup.exe
2008-01-25 11:15 --------- d-----w C:\Documents and Settings\nilabh\Application Data\webex
2008-01-13 13:30 --------- d-----w C:\Program Files\3GP Player
2008-01-08 07:17 --------- d-----w C:\Program Files\Shutterfly
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-17 16:43 121,344 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-11-17 16:43 1,412,096 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-11-06 11:54 1,001,984 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-10-27 10:47 20,293,623 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_27_13_48_12_full.dmp.zip
2007-10-01 08:28 20,266,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_09_41_27_full.dmp.zip
2007-08-10 04:11 17,590,002 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_10_09_38_44_full.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
2008-01-30 14:02 414992 --a------ C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29e42939-0146-4f5a-88e4-2e206596089e}]
C:\WINDOWS\system32\oigwrupf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA51BCB9-9DEF-4AEF-B8A5-4CA52897BFA2}]
C:\WINDOWS\system32\geedd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04 127085]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-12 14:17 185896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NetScreen-Remote.lnk - C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe [2007-11-21 22:45:37 73780]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKLM\~\startupfolder\C:^Documents and Settings^nilabh^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\nilabh\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\90edf268]
C:\WINDOWS\system32\dwdcbjfu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 14:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 15:30 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-11-01 12:48 1392640 C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 22:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 15:30 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2006-10-18 17:58 696320 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2006-10-18 18:04 802816 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2006-09-06 07:52 26248 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 C:\Program Files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-07-12 14:17 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
--a------ 2006-10-06 10:14 53248 C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-01 18:11 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2007-03-09 01:02 919280 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"odserv"=3 (0x3)
"MSCSPTISRV"=3 (0x3)

R1 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\system32\Drivers\IPSECDRV.sys [2006-02-01 11:38]
R2 Crypto;Crypto;C:\WINDOWS\system32\Drivers\Crypto.sys [2005-08-15 08:27]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 15:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d401b0c-8936-11dc-b067-0019b97196a8}]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ee44f4e-4836-11dc-afd8-0019b97196a8}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 14:30:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - nilabh.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 14:53:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
r Running Proce
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-20 14:55:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 09:25:22
.
2008-02-16 10:46:50 --- E O F ---
***************************

Please help me what should I do now.


Report Offensive Follow Up For Removal

Response Number 3
Name: jabuck
Date: February 21, 2008 at 10:40:30 Pacific
Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\uqbiexbx.ini
C:\WINDOWS\system32\htwtbfpy.ini
C:\WINDOWS\system32\drebldkw.ini
C:\WINDOWS\system32\nscompat.tlb
C:\WINDOWS\system32\amcompat.tlb
C:\WINDOWS\system32\xdbmwkwo.ini
C:\WINDOWS\system32\vbzip10.dll
C:\deb.sbl
C:\bberror1.sbl
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\oigwrupf.dll
C:\Program Files\RABCO\RABCO.dll
C:\WINDOWS\system32\dwdcbjfu.dll
C:\Program Files\Web Buying\v1.8.8\webbuying.exe

Driver::
90edf268

Folder::
C:\VundoFix Backups
C:\bb4b4773182ee03a3ba88dae
C:\Program Files\RABCO
C:\WINDOWS\system32\za7
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\mv3
C:\WINDOWS\system32\kp9
C:\Program Files\Web Buying\v1.8.8
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29e42939-0146-4f5a-88e4-2e206596089e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA51BCB9-9DEF-4AEF-B8A5-4CA52897BFA2}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\90edf268]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Post a new Combofix log.


Report Offensive Follow Up For Removal

Response Number 4
Name: nilabh
Date: February 21, 2008 at 13:56:34 Pacific
Reply:

KScan log file:
---------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 22, 2008 3:21:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/02/2008
Kaspersky Anti-Virus database records: 574690
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 40174
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:01:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-21_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\39189355.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nilabh\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\cert8.db Object is locked skipped
C:\Documents and Settings\nilabh\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\nilabh\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\history.dat Object is locked skipped
C:\Documents and Settings\nilabh\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\key3.db Object is locked skipped
C:\Documents and Settings\nilabh\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\parent.lock Object is locked skipped
C:\Documents and Settings\nilabh\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\search.sqlite Object is locked skipped
C:\Documents and Settings\nilabh\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\nilabh\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Application Data\Mozilla\Firefox\Profiles\tkhvva31.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\History\History.IE5\MSHist012008022220080223\index.dat Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Temp\googlewebaccclient.exe.log Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Temp\GoogleWebAccelerator.pac Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Temp\GoogleWebAcceleratorCache Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Temp\GoogleWebAccWarden.exe.log Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Temp\~DF71AE.tmp Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Temp\~DFDBA9.tmp Object is locked skipped
C:\Documents and Settings\nilabh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nilabh\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\nilabh\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\QooBox\Quarantine\C\Program Files\NetMeeting\komexo89104.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\VundoFix Backups\geedd.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ljjjjjk.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kp9\liopud89104.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kp9\liopud89104.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljjjjjk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tvsvevs.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.acn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D599408F-8290-4D67-AE9F-7F45DC171083}\RP164\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\APACHE-DA.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{56902CD8-5A73-4641-A642-830D4A75D598}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT01308.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0130b.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\setups\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\setups\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\setups\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\setups\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\setups\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{D599408F-8290-4D67-AE9F-7F45DC171083}\RP164\change.log Object is locked skipped

Scan process completed.
************************************
comboix log file:
ComboFix 08-02-20.2 - nilabh 2008-02-22 0:34:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.128 [GMT 5.5:30]
Running from: C:\Documents and Settings\nilabh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nilabh\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\bberror1.sbl
C:\deb.sbl
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\Web Buying\v1.8.8\webbuying.exe
C:\WINDOWS\system32\amcompat.tlb
C:\WINDOWS\system32\drebldkw.ini
C:\WINDOWS\system32\dwdcbjfu.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\htwtbfpy.ini
C:\WINDOWS\system32\nscompat.tlb
C:\WINDOWS\system32\oigwrupf.dll
C:\WINDOWS\system32\uqbiexbx.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\xdbmwkwo.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bb4b4773182ee03a3ba88dae
C:\bb4b4773182ee03a3ba88dae\update\update.log
C:\bberror1.sbl
C:\deb.sbl
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\VundoFix Backups
C:\VundoFix Backups\ddeeg.ini.bad
C:\VundoFix Backups\ddeeg.ini2.bad
C:\VundoFix Backups\geedd.dll.bad
C:\VundoFix Backups\ljjjjjk.dll.bad
C:\VundoFix Backups\mceehnll.dllbox.bad
C:\VundoFix Backups\ngwmebnz.dllbox.bad
C:\VundoFix Backups\ufjbcdwd.ini.bad
C:\VundoFix Backups\xtxjwryj.dllbox.bad
C:\WINDOWS\system32\amcompat.tlb
C:\WINDOWS\system32\drebldkw.ini
C:\WINDOWS\system32\htwtbfpy.ini
C:\WINDOWS\system32\kp9
C:\WINDOWS\system32\kp9\liopud89104.exe
C:\WINDOWS\system32\mv3
C:\WINDOWS\system32\nscompat.tlb
C:\WINDOWS\system32\uqbiexbx.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\wd11\hiba3133.exe
C:\WINDOWS\system32\xdbmwkwo.ini
C:\WINDOWS\system32\za7
C:\WINDOWS\system32\za7\vltcin2.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 22:57 . 2008-02-20 23:20 <DIR> d-------- C:\Documents and Settings\nilabh\Application Data\Folder Guard
2008-02-20 22:51 . 2008-02-20 23:20 <DIR> d-------- C:\Program Files\Folder Guard 32-bit
2008-02-20 22:35 . 2008-02-20 22:35 <DIR> d-------- C:\Program Files\Axon Data
2008-02-12 08:30 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-12 08:30 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-12 08:30 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-10 13:19 . 2000-07-17 09:20 185,856 --a------ C:\WINDOWS\system32\Bmp2Jpeg.dll
2008-02-09 02:15 . 2008-02-09 02:16 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-09 01:51 . 2008-02-09 01:51 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-09 01:51 . 2008-02-09 02:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-08 21:16 . 2008-02-09 23:47 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-08 21:16 . 2008-02-08 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-08 21:06 . 2008-02-08 21:06 <DIR> d-------- C:\Program Files\LimeWire
2008-02-08 20:51 . 2008-02-13 05:40 <DIR> d-------- C:\Documents and Settings\nilabh\.limewire
2008-02-07 22:33 . 2008-02-08 20:27 <DIR> d-------- C:\Program Files\Sify Broadband
2008-02-07 22:21 . 2008-02-22 00:32 <DIR> d-------- C:\Documents and Settings\nilabh\Application Data\Broadband

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 16:24 --------- d-----w C:\Documents and Settings\nilabh\Application Data\Skype
2008-02-18 09:04 3,137,024 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-02-16 10:59 1,491,968 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-15 02:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-15 02:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-13 13:12 2,886,656 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-12 17:52 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-12 02:57 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-12 02:57 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-12 02:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-12 02:57 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-12 02:57 --------- d-----w C:\Program Files\Symantec
2008-02-09 21:03 --------- d-----w C:\Program Files\DivX
2008-01-25 11:15 --------- d-----w C:\Documents and Settings\nilabh\Application Data\webex
2008-01-13 13:30 --------- d-----w C:\Program Files\3GP Player
2008-01-08 07:17 --------- d-----w C:\Program Files\Shutterfly
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-01-04 21:58 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-04 21:58 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-17 16:43 121,344 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-11-17 16:43 1,412,096 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-11-06 11:54 1,001,984 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-10-27 10:47 20,293,623 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_27_13_48_12_full.dmp.zip
2007-10-01 08:28 20,266,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_09_41_27_full.dmp.zip
2007-08-10 04:11 17,590,002 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_10_09_38_44_full.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04 127085]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-12 14:17 185896]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"FG_Monitor"="C:\Program Files\Folder Guard 32-bit\FGKey.exe" [2008-01-05 00:00 118600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NetScreen-Remote.lnk - C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe [2007-11-21 22:45:37 73780]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKLM\~\startupfolder\C:^Documents and Settings^nilabh^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\nilabh\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 14:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 15:30 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-11-01 12:48 1392640 C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 22:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 15:30 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2006-10-18 17:58 696320 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a------ 2006-10-18 18:04 802816 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2006-09-06 07:52 26248 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 C:\Program Files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-07-12 14:17 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
--a------ 2006-10-06 10:14 53248 C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-01 18:11 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2007-03-09 01:02 919280 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"odserv"=3 (0x3)
"MSCSPTISRV"=3 (0x3)

R1 IPSECDRV;SafeNet IPSec Plugin;C:\WINDOWS\system32\Drivers\IPSECDRV.sys [2006-02-01 11:38]
R2 Crypto;Crypto;C:\WINDOWS\system32\Drivers\Crypto.sys [2005-08-15 08:27]
R2 FGUARD32;FGUARD32;C:\Program Files\Folder Guard 32-bit\FGUARD32.SYS [2008-01-05 00:00]
R3 DniVap;SafeNet WAN Miniport (VA);C:\WINDOWS\system32\DRIVERS\vap.sys [2001-12-14 15:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d401b0c-8936-11dc-b067-0019b97196a8}]
\Shell\Open(&O)\command - RECYCLED\appmgmt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ee44f4e-4836-11dc-afd8-0019b97196a8}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 14:30:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - nilabh.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 00:35:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-22 0:36:36
ComboFix-quarantined-files.txt 2008-02-21 19:06:33
ComboFix2.txt 2008-02-20 09:25:27
.
2008-02-16 10:46:50 --- E O F ---
***********************



Report Offensive Follow Up For Removal

Response Number 5
Name: jabuck
Date: February 21, 2008 at 14:45:00 Pacific
Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure "Folder::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\QooBox
C:\Documents and Settings\nilabh\Start Menu\Programs\Startup\RABCO
C:\WINDOWS\pss\RABCO


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Your computer should now be clean.

This should fix the red X.

Go to start> run> type in notepad > ok. Copy paste the following into notepad making [autorun] the very top line:

[autorun]

ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8

Click "save as"> then using the drop down arrow on the far right of the "save in" window select Local Disk C: to be displayed in the "save in" window.

Next type "C:\autorun.inf" (you must use the quotes) in the file name window> click save.

Restart the computer, let us know how it is operating.


Report Offensive Follow Up For Removal


Response Number 6
Name: nilabh
Date: February 21, 2008 at 21:36:13 Pacific
Reply:

Hi Jabuck,
I do not see a red cross in front of my c drive.Thanks you so much.For all the help.
Regrds,
Nilabh


Report Offensive Follow Up For Removal

Response Number 7
Name: nilabh
Date: February 21, 2008 at 21:38:21 Pacific
Reply:

HI JABUCK,
I still see RABCO in my add remove program window.Shall I go ahead and remove it manually


Report Offensive Follow Up For Removal

Response Number 8
Name: jabuck
Date: February 22, 2008 at 09:39:26 Pacific
Reply:

Yes remove it manually.


Report Offensive Follow Up For Removal

Response Number 9
Name: nilabh
Date: February 22, 2008 at 18:06:23 Pacific
Reply:

Hi,
I removed Rabco manually.I have few issues with my PC now.It freezes off and on.When I try to open control panel by settings>control panel.It hangs on me for about 2-3 minutes before opening it.When the system is hung then teh taskbar dissapears and the icons on desktop disappear.
Sometimes when I switch on my desktop the icons on desktop do not come.

Regrds,
Nilabh


Report Offensive Follow Up For Removal

Response Number 10
Name: jabuck
Date: February 22, 2008 at 19:51:44 Pacific
Reply:

Please post a new Hijack This log.


Report Offensive Follow Up For Removal






Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home



Results for: Red cross C Drive icon
Red cross C Drive icon & tmp files
    Summary: Hi jabuck, Im having red cross infront of my C drive.I went through the procedures which you said.I ran Vundo.Removed all teh files. Then ran HijackThis.Please see the log file of teh same ***********...
www.computing.net/answers/security/red-cross-c-drive-icon-amp-tmp-files/22333.html

Red Cross C Drive & loads of .tmp
    Summary: My computer has a red cross for the C Drive icon in my computer and loads of .tmp files. I'm guessing at some point I've picked up a virus or something. The computer is very slow and doesn't like ru...
www.computing.net/answers/security/red-cross-c-drive-loads-of-tmp-/23634.html

pos###.tmp and red on c drive
    Summary: I had the same problem as some other people, withthe pos###.tmp files, i ran vundofix and hijack this, things seems to be fine so far, but I still have the red X on my C drive, can someone please help...
www.computing.net/answers/security/postmp-and-red-on-c-drive/22284.html



Specialty Forums
Security and Virus
General Hardware
CPUs/Overclocking
Networking
Digital Photo/Video
Office Software
PC Gaming
Console Gaming
Programming
Database
Web Development
Digital Home

The Lounge

Drivers
Driver Scan
Driver Forum

Software
Automatic Updates

BIOS Updates

My Computing.Net

Howtos
General Forums
Windows XP
Windows Vista
Windows 95/98
Windows Me
Windows NT
Windows 2000
Win Server 2008
Win Server 2003
Windows 3.1
Linux
PDAs
BeOS
Novell Netware
OpenVMS
Solaris
Disk Op. System
Unix
Mac
OS/2

Site Search

Message Find

Data Recovery

About


Which MP3 player do you have?

iPod/iPhone
Zune
Something Else
None


View Results

Poll Finishes Today.
Discuss in The Lounge
Poll History


Reinstalling Win 2003

viewing HD space in Vista

Where to buy a touch screen?

Gbyte 45-DQ6 Mobo 1 long, 2 short?

graphic media acc. problem

All Awaiting Reply



CES 2009: PC Building Competition

Sony's Recession Friendly Walkman and Cybershot Phones

Palm Wants to Take Out the iPhone

Tom Hanks, Howard Stringer Show Prototype Movie Glasses

CES '09: Toshiba SCiB Battery Charges 4X Faster

More Tom's Guide News

Data Recovery Software