Computing.Net > Forums > Security and Virus > The Red x on the C drive--part 3

Specialty Forums
Security and Virus
General Hardware
CPUs/Overclocking
Networking
Digital Photo/Video
Office Software
PC Gaming
Console Gaming
Programming
Database
Web Development
Digital Home

General Forums
Windows XP
Windows Vista
Windows 95/98
Windows Me
Windows NT
Windows 2000
Win Server 2008
Win Server 2003
Windows 3.1
Linux
PDAs
BeOS
Novell Netware
OpenVMS
Solaris
Disk Op. System
Unix
Mac
OS/2

The Lounge

Drivers
Driver Scan
Driver Forum

Software
Automatic Updates

BIOS Updates

My Computing.Net

Howtos

Site Search

Message Find

Data Recovery

About

The Red x on the C drive--part 3

Reply to Message Icon
Original Message
Name: dmoose
Date: February 15, 2008 at 21:43:36 Pacific
Subject: The Red x on the C drive--part 3
OS: XP SP2
CPU/Ram: Intel Celeron 2.4 GHz/ 76
Comment:

Well after you guys did a great job on my computer my son decided to log into his profile....after that I received the X back on the C drive. I found that he had locked out some of his files (made private) so when I scanning it probably didn't find these issues. I have now made his files shared so I can start this puppy over again...just let me know what you want.

Thanks again.


Report Offensive Message For Removal


Response Number 1
Name: jabuck
Date: February 16, 2008 at 04:45:22 Pacific
Subject: The Red x on the C drive--part 3
Reply: (edit)

Please run through the scans as you did before then post their logs.


Report Offensive Follow Up For Removal

Response Number 2
Name: dmoose
Date: February 16, 2008 at 10:32:58 Pacific
Subject: The Red x on the C drive--part 3
Reply: (edit)

ComboFix 08-02.05.3 - The Parents 2008-02-05 21:46:30.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.429 [GMT -5:00]
Running from: C:\Documents and Settings\The Parents\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-13 18:36 . 2008-02-13 18:36 <DIR> d-------- C:\Program Files\America's Army Server Manager
2008-02-13 18:29 . 2008-02-13 18:42 <DIR> d-------- C:\Program Files\America's Army
2008-02-12 17:31 . 2008-02-12 17:31 <DIR> d-------- C:\Program Files\MSBuild
2008-02-12 17:30 . 2008-02-12 17:30 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-12 17:30 . 2008-02-12 17:30 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-12 17:30 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-12 17:26 . 2008-02-12 17:26 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-10 12:22 . 2008-02-10 12:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 12:22 . 2008-02-10 12:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-09 18:03 . 2008-02-09 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-02-09 17:30 . 2008-02-09 17:30 <DIR> d-------- C:\Program Files\iTunes
2008-02-09 14:24 . 2008-02-09 14:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 19:26 . 2008-02-08 19:26 <DIR> d-------- C:\Documents and Settings\Brae\Application Data\Sony
2008-02-08 19:26 . 2008-02-08 19:26 <DIR> d-------- C:\Documents and Settings\Brae\Application Data\Publish Providers
2008-02-08 18:53 . 2008-02-08 18:53 <DIR> d---s---- C:\Documents and Settings\Aszure\UserData
2008-02-08 16:19 . 2008-02-08 16:19 <DIR> d-------- C:\Documents and Settings\The Parents\Server Setups
2008-02-06 21:20 . 2008-02-08 22:50 575 --a------ C:\WINDOWS\wininit.ini
2008-02-06 19:27 . 2008-02-06 19:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-06 19:27 . 2008-02-06 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 16:11 . 2008-02-05 16:11 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-05 08:35 . 2004-08-03 19:56 388,608 --a------ C:\kmd.exe
2008-01-29 22:15 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-01-29 22:15 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-01-27 17:35 . 2008-01-27 17:35 <DIR> d-------- C:\Documents and Settings\Mars\Application Data\DivX
2008-01-26 18:14 . 2008-01-26 18:14 <DIR> d-------- C:\Documents and Settings\Brae\Application Data\DivX
2008-01-26 18:05 . 2008-01-26 18:05 <DIR> d-------- C:\Program Files\DivX
2008-01-24 10:28 . 2008-01-24 10:28 <DIR> d-------- C:\Documents and Settings\Brae\Application Data\MySpace
2008-01-22 01:00 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-22 01:00 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-13 15:50 . 2008-01-13 15:50 <DIR> d-------- C:\Documents and Settings\Brae\Application Data\Ahead
2008-01-07 20:16 . 2008-01-07 20:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 01:30 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-09 23:02 --------- d-----w C:\Program Files\Yahoo! Games
2008-02-09 22:30 --------- d-----w C:\Program Files\iPod
2008-02-08 23:52 --------- d-----w C:\Documents and Settings\Brae\Application Data\Yahoo!
2008-02-08 23:49 --------- d-----w C:\Documents and Settings\Brae\Application Data\Apple Computer
2008-02-08 00:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-08 00:16 --------- d--h--r C:\Documents and Settings\The Parents\Application Data\yahoo!
2008-02-08 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-06 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-05 21:11 --------- d-----w C:\Program Files\McAfee
2008-02-05 12:25 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-05 12:25 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-21 15:04 --------- d-----w C:\Documents and Settings\Aszure\Application Data\Yahoo!
2008-01-13 19:08 --------- d-----w C:\Documents and Settings\The Parents\Application Data\McAfee
2008-01-13 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-01-04 21:58 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-04 21:58 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-01-01 16:54 --------- d-----w C:\Documents and Settings\The Parents\Application Data\SiteAdvisor
2008-01-01 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-01 15:09 --------- d-----w C:\Program Files\Apple Software Update
2008-01-01 15:08 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-01 15:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-31 13:46 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-31 11:28 --------- d-----w C:\Program Files\RainbowSoft
2007-12-29 00:43 --------- d-----w C:\Program Files\XBC
2007-12-28 00:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 00:14 --------- d-----w C:\Program Files\ATI Technologies
2007-12-28 00:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-27 23:17 --------- d-----w C:\Program Files\LucasArts
2007-12-27 23:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-26 02:43 --------- d-----w C:\Program Files\XLink Kai Evolution VII
2007-12-24 02:00 --------- d-----w C:\Program Files\WinPcap
2007-12-21 21:28 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-20 23:43 --------- d-----w C:\Documents and Settings\Mars\Application Data\SiteAdvisor
2007-12-20 01:28 --------- d-----w C:\Documents and Settings\Aszure\Application Data\SiteAdvisor
2007-12-20 01:28 --------- d-----w C:\Documents and Settings\Aszure\Application Data\McAfee
2007-12-18 00:03 737,581,072 ----a-w C:\MSSetup.exe
2007-12-17 23:23 --------- d-----w C:\Documents and Settings\Brae\Application Data\McAfee
2007-12-15 15:46 --------- d-----w C:\Documents and Settings\Mars\Application Data\IGN_DLM
2007-12-15 03:09 --------- d-----w C:\Program Files\Microsoft Games
2007-12-05 22:52 24,368 ----a-w C:\Documents and Settings\Mars\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-05-10 03:37 614489]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 17:53 153136]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGuiSt.exe" [2007-07-28 09:32 206184]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 16:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 12:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 10:22 20480]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [2003-10-31 06:22]
S2 0296321202245893mcinstcleanup;McAfee Application Installer Cleanup (0296321202245893);C:\WINDOWS\TEMP\[u]0[/u]29632~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 13:02]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 19:07:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-15 06:15:11 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-10-06 16:24:04 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 21:50:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 21:51:29
ComboFix-quarantined-files.txt 2008-02-06 02:51:25
ComboFix2.txt 2008-02-05 13:40:25
ComboFix3.txt 2008-02-13 21:51:54
ComboFix4.txt 2008-02-11 19:05:43


Report Offensive Follow Up For Removal

Response Number 3
Name: dmoose
Date: February 16, 2008 at 10:38:46 Pacific
Subject: The Red x on the C drive--part 3
Reply: (edit)

hijack file in case needed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:47 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O23 - Service: McAfee Application Installer Cleanup (0296321202245893) (0296321202245893mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\029632~1.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7218 bytes


Report Offensive Follow Up For Removal

Response Number 4
Name: jabuck
Date: February 16, 2008 at 15:12:49 Pacific
Subject: The Red x on the C drive--part 3
Reply: (edit)

I don't see anything so far.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


Report Offensive Follow Up For Removal

Response Number 5
Name: dmoose
Date: February 17, 2008 at 07:17:26 Pacific
Subject: The Red x on the C drive--part 3
Reply: (edit)

I accidently did the scan first....I ran the scan then did the system restore dump, then ran the ATF cleaner. log is below:

---------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 6:33:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 569883
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 107678
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 02:58:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{79B268B3-FF3D-46C6-AA32-2230BDD447D8}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFRB.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2f03071b602b5910c7371ef948683b8c_651b155e-ce1c-4e1b-8341-512f86af2cb5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fd80cc79af95b492964132f2b0a638e9_651b155e-ce1c-4e1b-8341-512f86af2cb5 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\The Parents\Application Data\McAfee\MBK\ARBUSFILE.GDB Object is locked skipped
C:\Documents and Settings\The Parents\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\The Parents\Desktop\Saved\Nero-7.8.5.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\The Parents\Desktop\Saved\Nero-7.8.5.0_eng_trial.exe RAR: infected - 1 skipped
C:\Documents and Settings\The Parents\Local Settings\Application Data\ApplicationHistory\McAfeeDataBackup.exe.e548c4c.ini.inuse Object is locked skipped
C:\Documents and Settings\The Parents\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\The Parents\Local Settings\History\History.IE5\MSHist012008020620080207\index.dat Object is locked skipped
C:\Documents and Settings\The Parents\Local Settings\Temp\fb_2716.lck Object is locked skipped
C:\Documents and Settings\The Parents\Local Settings\Temp\sqlite_RpCURnP7liBWkUs Object is locked skipped
C:\Documents and Settings\The Parents\Local Settings\Temp\~DF325F.tmp Object is locked skipped
C:\Documents and Settings\The Parents\Local Settings\Temp\~DFEF2F.tmp Object is locked skipped
C:\Documents and Settings\The Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\The Parents\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\The Parents\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\The Parents\UserData\index.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5428ABFE-1CD4-429C-A12D-B8BF3371567A}\RP165\A0108654.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{5428ABFE-1CD4-429C-A12D-B8BF3371567A}\RP173\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\fb_124.lck Object is locked skipped
C:\WINDOWS\Temp\mcafee_kpIXUdG8OFggcV3 Object is locked skipped
C:\WINDOWS\Temp\mcafee_nTEhoA1wTQPxVK7 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_0oE9yvD06def7kP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_7HaA7dDXkFnNG7Y Object is locked skipped
C:\WINDOWS\Temp\mcmsc_UXbF7DugJO3Y1xq Object is locked skipped
C:\WINDOWS\Temp\sqlite_h0lpTeV8MwbFBuP Object is locked skipped
C:\WINDOWS\Temp\sqlite_wbeg3vXeHCONbPl Object is locked skipped
C:\WINDOWS\Temp\sqlite_YnF4n6v7BZPCXch Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Report Offensive Follow Up For Removal


Response Number 6
Name: jabuck
Date: February 17, 2008 at 08:21:48 Pacific
Subject: The Red x on the C drive--part 3
Reply: (edit)

One file in the restore folder.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

You should be clean now. How is the computer operating?


Report Offensive Follow Up For Removal

Response Number 7
Name: dmoose
Date: February 17, 2008 at 10:08:11 Pacific
Subject: The Red x on the C drive--part 3
Reply: (edit)

well it still had the stupid red x, but I went to my past post where you put this fix on it and it corrected my problem...thanks!!

This should fix the red X.

Go to start> run> type in notepad > ok. Copy paste the following into notepad making [autorun] the very top line:

[autorun]

ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8

Click "save as"> then using the drop down arrow on the far right of the "save in" window select Local Disk C: to be displayed in the "save in" window.

Next type "C:\autorun.inf" (you must use the quotes) in the file name window> click save.

Restart the computer.


Report Offensive Follow Up For Removal

Response Number 8
Name: jabuck
Date: February 17, 2008 at 17:06:48 Pacific
Subject: The Red x on the C drive--part 3
Reply: (edit)

Gald we could help.


Report Offensive Follow Up For Removal






Use following form to reply to current message: 

   Name: From My Computing.Net Settings
 E-Mail: From My Computing.Net Settings

Subject: The Red x on the C drive--part 3

Comments:
            
         

 


  Homepage URL (*): 
Homepage Title (*): 
         Image URL:
 
Data Recovery Software



How often do you use Computing.Net?

Every Day
Once a Week
Once a Month
This Is My First Time!


View Results

Poll Finishes In 3 Days.
Discuss in The Lounge


Another Clueless In Need of Help

VM Win Server 2003 Admin password

Connecting Vista to an XP network

XP won't let me log in

Internet Cuts Out Every Few Minutes

All Posts Awaiting Replies