Tom's Guide | Tom's Hardware | Tom's Games
I have searched all kinds of solutions for this Vundo thing, including here, but I'm sure this virus is still there because there are tmp files getting created in my Documents folder. Plus there is a red cross that appears on my C drive (which does not in Safe Mode).
Tried the following:
VundoFix - deleted some variants twice
Spy Sweeper
Vundo fix tool from Symantec in Safe Mode - never found anything ever
Windows registry repair
XP Repair - it just won't go. I don't want to try HijackThis.
Can someone please help me? I am dying beyond my means.
xtreme work is rest

Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

COMBOFIX log:::
------------------
ComboFix 07-11-08.1 - Administrator 2007-11-18 21:10:33.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.601 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\x2
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_FMTR
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.
2007-11-18 21:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 13:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-18 13:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Program Files\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-11-18 13:14 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-18 13:14 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-18 13:14 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-18 13:14 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-18 13:14 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-18 13:14 164 --a------ C:\install.dat
2007-11-18 13:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2007-11-18 01:30 <DIR> d-------- C:\Program Files\XP Repair Pro 2007
2007-11-18 01:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 01:22 <DIR> d-------- C:\Program Files\SmartPCTools
2007-11-18 00:09 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2007-11-17 22:56 87,104 --a------ C:\WINDOWS\system32\wyudeebr.dll
2007-11-17 22:56 78,400 --a------ C:\WINDOWS\system32\nxqciqel.dll
2007-11-17 22:53 216,160 --a------ C:\WINDOWS\system32\fgfiyfad.dll
2007-11-17 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 20:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-17 20:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-16 22:53 78,400 --------- C:\WINDOWS\system32\wmydverm.dll
2007-11-15 22:00 78,400 --a------ C:\WINDOWS\system32\ypvexngf.dll
2007-11-14 21:59 78,400 --a------ C:\WINDOWS\system32\ttlqqxps.dll
2007-11-13 21:22 78,400 --a------ C:\WINDOWS\system32\bhngujwn.dll
2007-11-12 21:02 78,400 --a------ C:\WINDOWS\system32\dnrwwflg.dll
2007-11-11 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 17:24 <DIR> d-------- C:\Program Files\CCleaner
2007-11-11 11:41 216,160 --a------ C:\WINDOWS\system32\poratyyb.dll
2007-11-11 11:39 78,400 --a------ C:\WINDOWS\system32\ubfxarwb.dll
2007-11-10 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-10 11:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-10 11:04 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-10 02:16 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-10 02:09 <DIR> d-------- C:\WINDOWS\system32\rev3
2007-11-10 02:09 <DIR> d-------- C:\WINDOWS\system32\dn5
2007-11-10 02:08 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-10 02:08 <DIR> d-------- C:\Temp\abW9
2007-10-27 16:49 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-27 16:36 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Real
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-19 22:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 00:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2007-09-30 19:28 --------- d-----w C:\Program Files\KLC
2007-09-21 22:16 --------- d-----w C:\Program Files\Viewpoint
2007-09-21 22:16 --------- d-----w C:\Program Files\AOD
2007-09-21 22:16 --------- d-----w C:\Program Files\AIM
2007-09-21 22:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2007-09-19 14:11 --------- d-----w C:\Program Files\Beyond Compare 2
2007-09-19 14:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Scooter Software
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17EF9054-7ADA-482F-9F49-6EE94CDA3D58}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9889F34D-BF64-42C0-9E10-3711AE54FF5C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a184534b-b30a-44ea-9ebe-71f4b710b8da}]
2007-11-17 22:56 78400 --a------ C:\WINDOWS\system32\nxqciqel.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F70487A9-0E6E-4409-389A-E26780A41BFD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-11-17 19:49]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22]
"4871f5fd"="C:\WINDOWS\system32\wyudeebr.dll" [2007-11-17 22:56]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 12:57]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [2007-07-04 04:51]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyy.dll
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows
S3 qcusbmdm;Qualcomm Proprietary USB Driver (PID 3197);C:\WINDOWS\system32\DRIVERS\qcusbmdm.sys
S3 qcusbser;Qualcomm Diagnostic Port 3197;C:\WINDOWS\system32\DRIVERS\qcusbser.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ba078b5-426f-11dc-aa5f-00197e952ae2}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 13:15:00 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 21:16:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-18 21:17:08 - machine was rebooted
.
--- E O F ---
------------
HJT LOG::::::
-------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:20 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\TEMP\BV3718.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mybeat.techmahindra.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [4871f5fd] "rundll32.exe" "C:\WINDOWS\system32\wyudeebr.dll",b
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{A589D32F-AF08-419E-8FE8-1714A8697E8A}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [XPRepairPro2007] "C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" /r
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mybeat.techmahindra.com
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://vg.aramco.com/vdesk/cachecleaner.cab#version=6010,2007,0726,1517
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vg.aramco.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://vg.aramco.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0726,1518
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vg.aramco.com/vdesk/terminal/urTermProxy.cab#version=6010,2007,0726,1516
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://vg.aramco.com/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vg.aramco.com/vdesk/terminal/urxhost.cab#version=6010,2007,0726,1519
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://vg.aramco.com/policy/download_binary.php/win32/f5syschk.cab#Version=6010,2007,0223,0322
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\Software\..\Telephony: DomainName = TechMahindra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TechMahindra.com
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe
--
End of file - 7483 bytes
--------
Thanks for the amazingly quick follow-up. I love this site.
xtreme work is rest

Temporarily disable any of the following anti-spyware realtime protection programs that you may have (Disable Realtime Protection) or the fixes will not work. Be sure to turn your anti-spyware programs back on once the computer is clean.
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\x2
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2
C:\WINDOWS\system32\wyudeebr.dll
C:\WINDOWS\system32\nxqciqel.dll
C:\WINDOWS\system32\fgfiyfad.dll
C:\WINDOWS\system32\wmydverm.dll
C:\WINDOWS\system32\ypvexngf.dll
C:\WINDOWS\system32\ttlqqxps.dll
C:\WINDOWS\system32\bhngujwn.dll
C:\WINDOWS\system32\dnrwwflg.dll
C:\WINDOWS\system32\poratyyb.dll
C:\WINDOWS\system32\ubfxarwb.dll
C:\WINDOWS\system32\wyudeebr.dll
C:\WINDOWS\system32\wyudeebr.dll,b
C:\WINDOWS\TEMP\BV3718.exe
Folder::
C:\WINDOWS\system32\rev3
C:\WINDOWS\system32\dn5
C:\WINDOWS\system32\rMa01yy
C:\Temp\abW9
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17EF9054-7ADA-482F-9F49-6EE94CDA3D58}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9889F34D-BF64-42C0-9E10-3711AE54FF5C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a184534b-b30a-44ea-9ebe-71f4b710b8da}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F70487A9-0E6E-4409-389A-E26780A41BFD}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0
Driver::
MSControlService
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start click "run".
Post a new HijackThis log and a new ComboFix log please.
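As an added triage aid (not part of this thread and not a HijackThis or ComboFix feature), the script below parses the O4 and O23 lines of a HijackThis log and flags the two patterns the CFScript above targets: a Run value with a random hex name that makes rundll32 load an 8-letter random-named DLL from system32, and a service whose image path has no file extension. The regexes and heuristics are my own; the sample lines are constructed from the log posted above, with two benign entries added as negative cases.

```python
import re

# Constructed sample: O4 and O23 lines copied from the HijackThis log posted in this thread,
# plus one benign Run entry and one benign "Unknown owner" service as negative cases.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [4871f5fd] "rundll32.exe" "C:\WINDOWS\system32\wyudeebr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe
"""

# HijackThis line shapes handled here (hypothetical parser written for this example)
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
O23_RE = re.compile(r'^O23 - Service: (.*?) \((\w+)\) - (.*?) - (.*)$')
# rundll32 followed by the DLL it loads, quoted or not, with or without ",entrypoint"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.IGNORECASE)
# Artefacts seen in this thread: 8 random lowercase letters for the DLL name,
# 8 hex digits for the Run value name
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')
HEX_VALUE_NAME_RE = re.compile(r'^[0-9a-f]{8}$')


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace('/', '\\').rstrip('\\').rsplit('\\', 1)[-1].lower()


def _check_run_entry(hive: str, value_name: str, command: str):
    reasons = []
    if HEX_VALUE_NAME_RE.match(value_name):
        reasons.append('Run value name is an 8-digit hex string')
    dll = RUNDLL_RE.search(command)
    dll_path = dll.group(1) if dll else None
    if dll_path and 'system32' in dll_path.lower() and RANDOM_DLL_RE.match(_basename(dll_path)):
        reasons.append('rundll32 loads a random-named DLL from system32')
    if not reasons:
        return None
    return {'entry': 'O4', 'hive': hive, 'name': value_name,
            'path': dll_path or command, 'reasons': reasons}


def _check_service_entry(display: str, short_name: str, owner: str, image: str):
    reasons = []
    if '.' not in _basename(image):
        reasons.append('service image path has no file extension')
    # "Unknown owner" alone is common for OEM services (see wltrysvc), so it only adds weight
    if reasons and owner.lower() == 'unknown owner':
        reasons.append('service has no known owner')
    if not reasons:
        return None
    return {'entry': 'O23', 'name': short_name, 'display': display,
            'path': image, 'reasons': reasons}


def triage_hjt_log(text: str) -> list:
    """Return suspicious O4/O23 findings from a HijackThis log, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hit = _check_run_entry(*m.groups())
        else:
            m = O23_RE.match(line)
            hit = _check_service_entry(*m.groups()) if m else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == '__main__':
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f['entry']} [{f['name']}] {f['path']}")
        for r in f['reasons']:
            print(f"    - {r}")
```

Run against the sample it reports only the 4871f5fd Run entry and the MSControlService service; the flagged items are candidates for the File::/Driver:: sections of a CFScript, not automatic deletions.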

This time there was one DLL error and one window popping up saying something could not be run...
Here's the ComboFix log:
--------------------
ComboFix 07-11-08.3 - Administrator 2007-11-19 22:15:09.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.595 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bhngujwn.dll
C:\WINDOWS\system32\dnrwwflg.dll
C:\WINDOWS\system32\fgfiyfad.dll
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\nxqciqel.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\poratyyb.dll
C:\WINDOWS\system32\ttlqqxps.dll
C:\WINDOWS\system32\ubfxarwb.dll
C:\WINDOWS\system32\wmydverm.dll
C:\WINDOWS\system32\wyudeebr.dll
C:\WINDOWS\system32\wyudeebr.dll,b
C:\WINDOWS\system32\x2
C:\WINDOWS\system32\ypvexngf.dll
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2
C:\WINDOWS\TEMP\BV3718.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\abW9
C:\Temp\abW9\tOasF.log
C:\WINDOWS\system32\bhngujwn.dll
C:\WINDOWS\system32\dn5
C:\WINDOWS\system32\dnrwwflg.dll
C:\WINDOWS\system32\fgfiyfad.dll
C:\WINDOWS\system32\nxqciqel.dll
C:\WINDOWS\system32\poratyyb.dll
C:\WINDOWS\system32\rev3
C:\WINDOWS\system32\rev3\revdrive33b.exe
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\ttlqqxps.dll
C:\WINDOWS\system32\ubfxarwb.dll
C:\WINDOWS\system32\wmydverm.dll
C:\WINDOWS\system32\wyudeebr.dll
C:\WINDOWS\system32\ypvexngf.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_MSCONTROLSERVICE
-------\MSControlService
((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.
2007-11-18 21:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 13:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-18 13:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Program Files\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-11-18 13:14 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-18 13:14 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-18 13:14 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-18 13:14 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-18 13:14 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-18 13:14 164 --a------ C:\install.dat
2007-11-18 13:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2007-11-18 01:30 <DIR> d-------- C:\Program Files\XP Repair Pro 2007
2007-11-18 01:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 01:22 <DIR> d-------- C:\Program Files\SmartPCTools
2007-11-18 00:09 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2007-11-17 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 20:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-17 20:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-11 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 17:24 <DIR> d-------- C:\Program Files\CCleaner
2007-11-10 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-10 11:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-10 11:04 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-10 02:16 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-27 16:49 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-27 16:36 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Real
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-19 22:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 00:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2007-09-30 19:28 --------- d-----w C:\Program Files\KLC
2007-09-21 22:16 --------- d-----w C:\Program Files\Viewpoint
2007-09-21 22:16 --------- d-----w C:\Program Files\AOD
2007-09-21 22:16 --------- d-----w C:\Program Files\AIM
2007-09-21 22:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2007-09-19 14:11 --------- d-----w C:\Program Files\Beyond Compare 2
2007-09-19 14:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Scooter Software
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-11-17 19:49]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22]
"4871f5fd"="rundll32.exe" [2004-08-03 19:26 C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 12:57]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [2007-07-04 04:51]
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S3 qcusbmdm;Qualcomm Proprietary USB Driver (PID 3197);C:\WINDOWS\system32\DRIVERS\qcusbmdm.sys
S3 qcusbser;Qualcomm Diagnostic Port 3197;C:\WINDOWS\system32\DRIVERS\qcusbser.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ba078b5-426f-11dc-aa5f-00197e952ae2}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 22:06:56 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 22:18:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-19 22:20:45 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-18 21:17
.
--- E O F ---
--------
Here's the HJT log:::
--------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:31 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\TEMP\EW2847.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mybeat.techmahindra.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [4871f5fd] "rundll32.exe" "C:\WINDOWS\system32\wyudeebr.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mybeat.techmahindra.com
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://vg.aramco.com/vdesk/cachecleaner.cab#version=6010,2007,0726,1517
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vg.aramco.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://vg.aramco.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0726,1518
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vg.aramco.com/vdesk/terminal/urTermProxy.cab#version=6010,2007,0726,1516
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://vg.aramco.com/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vg.aramco.com/vdesk/terminal/urxhost.cab#version=6010,2007,0726,1519
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://vg.aramco.com/policy/download_binary.php/win32/f5syschk.cab#Version=6010,2007,0223,0322
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\Software\..\Telephony: DomainName = TechMahindra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TechMahindra.com
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe
--
End of file - 7611 bytes
-
Thanks for the help. I really appreciate it. There is still this red coloured cross on the My Computer icon.
xtreme work is rest
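The HijackThis log above is read by eye in this thread; the script below is an added example (not part of the thread or of HijackThis) that applies the same triage to log lines programmatically. It flags the two things the helper picks out later: an O4 Run entry with a random hex name that loads a random-looking DLL through rundll32, and an executable running out of a temp directory. The sample lines are constructed from the log above, and the heuristics (8-hex-digit value names, 8-letter DLL names in system32, temp-directory paths) are assumptions of this example, not rules from the page.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines modelled on the HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\ZHEDDC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [4871f5fd] "rundll32.exe" "C:\WINDOWS\system32\wyudeebr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# O4 lines: "O4 - HKLM\..\Run: [value name] command"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# Lines in the "Running processes" section are bare paths ending in .exe
PROC_RE = re.compile(r'^[A-Za-z]:\\.*\.exe$', re.IGNORECASE)
# Heuristic (assumption): Vundo-style Run values are named like "4871f5fd"
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')
# Heuristic (assumption): Vundo drops DLLs with 8 random lowercase letters into system32
RANDOM_DLL_RE = re.compile(r'system32\\[a-z]{8}\.dll', re.IGNORECASE)
# Heuristic (assumption): legitimate startup code rarely runs from a temp directory
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)


def triage_hjt_log(text: str) -> Dict[str, List[str]]:
    """Return {log line: [reasons]} for every line that trips a heuristic."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = O4_RE.match(line)
        if m:
            if HEX_NAME_RE.match(m.group('name')):
                reasons.append('Run value named like an 8-digit hex blob')
            cmd = m.group('cmd')
            if 'rundll32' in cmd.lower() and RANDOM_DLL_RE.search(cmd):
                reasons.append('rundll32 loading a random-looking DLL from system32')
        elif PROC_RE.match(line) and TEMP_DIR_RE.search(line):
            reasons.append('executable running from a temp directory')
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == '__main__':
    for entry, why in triage_hjt_log(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print('    ->', r)
```

Lines the script flags still need a human look (a legitimate installer can run from TEMP); the point is to surface candidates for the "fix checked" step, not to act on them automatically.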

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.
Make sure Spy Sweeper is turned off.
Run Hijack This,close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [4871f5fd] "rundll32.exe" "C:\WINDOWS\system32\wyudeebr.dll",b
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\TEMP\EW2847.exe
C:\WINDOWS\system32\wyudeebr.dll
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Post a new HijackThis log please.

hi, i did the hjt thing and then proceeded to do the combofix thing, but combofix keeps saying your copy has expired and then uninstalls itself. i had this problem once earlier but downloading from the other site had helped.
Now it doesn't help where i download combofix from. it just pops out that error message. :(
xtreme work is rest

oooo....here it is
HJT log::::
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:01 AM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINDOWS\TEMP\ZHEDDC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mybeat.techmahindra.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mybeat.techmahindra.com
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://vg.aramco.com/vdesk/cachecleaner.cab#version=6010,2007,0726,1517
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vg.aramco.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://vg.aramco.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0726,1518
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vg.aramco.com/vdesk/terminal/urTermProxy.cab#version=6010,2007,0726,1516
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://vg.aramco.com/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vg.aramco.com/vdesk/terminal/urxhost.cab#version=6010,2007,0726,1519
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://vg.aramco.com/policy/download_binary.php/win32/f5syschk.cab#Version=6010,2007,0223,0322
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\Software\..\Telephony: DomainName = TechMahindra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TechMahindra.com
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe
--
End of file - 6889 bytes
xtreme work is rest

hi please help, it's that red cross in place of the c drive icon that gets me really worried... plus there are no more errors at the start, and no more temp files being created as far as i know....
is it because of bad sectors?
xtreme work is rest

Sorry for the delay, sick family member.
Does the red x look like an artist paint brush may have made it?
Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files. Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended Scan Options:
Scan Archives
Scan Mail Base
When the scan is done, in the Scan is completed window , any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use Kaspersky, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

yes it looks like an artist's paintbrush might have made it.... i'll respond back real quick once i get the online virus scan done.
xtreme work is rest

this is the Kaspersky report:
---------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 23, 2007 12:00:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/11/2007
Kaspersky Anti-Virus database records: 464251
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 52481
Number of viruses found: 1
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:37:25
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{84DC6BBC-6C43-4241-9DAA-DA45FA404724}.bin Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007112320071124\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RAdmin\R_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\RAdmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\RAdmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\RAdmin\Radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20071123.log Object is locked skipped
C:\System Volume Information\_restore{C068BF58-E786-4A60-A869-014FF40E884D}\RP2\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
............
Some remote admin virus thing it says... :( sadly the name seems to be not-a-virus
xtreme work is rest

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.
Navigate to C:\Autorun.inf open it, copy/paste its contents (if anything) into the comment box and post it please.

thanks for the reply.
there's no autorun.inf in the c drive. i searched c drive and found two autoruns at two different places in c:/dell/drivers/<folder>
they had the following entry:
[autorun]
open=setup.exe
There is an autoexec.bat file in c drive but it is empty.
xtreme work is rest

Go to start> run> type in regedit> ok. Click edit> find> type in shell32.dll,123 > find next.
This should take you to the current drive default icon. Try this and let me know if this is correct but do not make any changes yet. The path would be:
HKEY_CLASS_ROOT\Drive\DefaultIcon
To exit the registry click file> exit or you can click the - signs to the right of the open keys until you are back to "My computer" then click the X at the top right of the screen.

hi shell32.dll,123 doesn't take me to the default drive icon, it says no entry found.
i did check the folder hierarchy you mentioned, and sure enough there's a key for the default icon which is
%SystemRoot%\System32\shell32.dll,8
does that help?
xtreme work is rest

That is the correct data value for the standard C: drive icon. I'll continue to look for a solution.

I'm still working on it, keep me reminded. Alert me if I don't get back to you in a day or two.

Thanks, jabuck. You got me on the right track for finding the stupid icon. I had manually removed the rest of the Vundo/Virtumonde crap, but was still stuck with the red X for my C: icon.
I found that the X was icon #131 in shell32.dll, so I was able to search for that and find the location that Vundo uses.
poggendroff, you want to look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\ (or search for "shell32.dll,131"). You can delete the whole "c" key under DriveIcons to get rid of the annoying icon.
