can not access drives

Emachines / T6212
January 17, 2009 at 16:47:17
Specs: Microsoft Windows XP Home Edition, 1.989 GHz / 2046 MB
I keep getting this error message when I try to open Local Disk C: "C:\resycled\ntldr.com is not a valid Win32 application."
The only way to get in is to right-click and then click Explore, but the main thing is I cannot scan with my Norton to check for any virus and I can't defrag it.


#1
January 17, 2009 at 16:57:02
First try this:

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and click the + sign to the left, you should see something like TDSSserv.sys in that list.
Highlight that driver and right click on it and select DISABLE - NOT uninstall.
Now RESTART your computer.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
January 17, 2009 at 18:48:44
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:43 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\Owner\Desktop\tools.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: mail.com - {CD292324-974F-4224-CE6F-CC9441768F5D} - C:\PROGRA~1\mail.com\Toolbar\Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: PCTools - {F9C6EC65-2988-4896-976F-6EA66FAD9844} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: mail.com - {CD292324-974F-4224-CE6F-CC9441768F5D} - C:\PROGRA~1\mail.com\Toolbar\Toolbar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] C:\WINDOWS\Files 2\zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Optical Wheel mouse\mouse32a.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMan] C:\Documents and Settings\cabs\D00334-001-002\wdm\soundman.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [System Updater Machine] windows_update.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\RunServices: [System Updater Machine] windows_update.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [kaqgq] "c:\documents and settings\owner\local settings\application data\kaqgq.exe" kaqgq
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [DriverCure] C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/se...
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: run_startmenu.cmd
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11152 bytes
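
The HijackThis log above is raw data; what a helper does with its O4 (autostart) lines is apply a handful of triage rules before deciding what to ask the poster to fix. The script below is an added example written for this thread, not code from HijackThis or from any poster. It parses O4 lines copied from the log above, works out which file each entry actually loads (for a RUNDLL32 command that is the DLL, not rundll32 itself), and marks entries that deserve a closer look: bare filenames resolved through PATH at logon, the Win9x-era RunServices key, an executable dropped straight into a profile directory, a random-looking value name, and a script rather than a shortcut in the startup folder. These are review prompts, not verdicts; a bare name such as nwiz.exe simply has to be checked against the file on disk.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for this thread; it is not HijackThis code. The rules mark
entries an analyst should verify by hand, they do not decide that an entry
is malicious.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of O4 lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [System Updater Machine] windows_update.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [System Updater Machine] windows_update.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [kaqgq] "c:\documents and settings\owner\local settings\application data\kaqgq.exe" kaqgq
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: run_startmenu.cmd
"""

# "O4 - HKLM\..\Run: [name] command" and "O4 - Global Startup: item = target"
REG_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?)(?: = (?P<cmd>.*))?$')

# Directories a legitimate loader does not sit in directly (a vendor subfolder is normal).
DROP_DIRS = ('\\application data', '\\local settings', '\\temp')


@dataclass
class Entry:
    hive: str        # HKLM, HKCU or Startup (the startup folder)
    key: str         # Run, RunOnce, RunServices or Startup
    name: str        # registry value name or startup item name
    target: str      # the file the entry actually loads
    reasons: list = field(default_factory=list)


def first_token(cmd):
    """First argument of a command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ', 1)[0]


def target_of(cmd):
    """What a command really loads: for rundll32 that is the DLL, not the host."""
    exe = first_token(cmd)
    if exe.lower() in ('rundll32.exe', 'rundll32'):
        parts = cmd.strip().split(None, 1)
        dll = first_token(parts[1]) if len(parts) > 1 else ''
        return dll.split(',', 1)[0] or exe
    return exe


def looks_random(name):
    """Short all-lowercase names with few vowels, e.g. "kaqgq": a weak signal on its own."""
    if not re.fullmatch(r'[a-z]{5,12}', name):
        return False
    return sum(c in 'aeiou' for c in name) / len(name) < 0.25


def triage(entry):
    t = entry.target.lower()
    parent = t.rsplit('\\', 1)[0] if '\\' in t else ''
    if entry.key.lower() == 'runservices':
        entry.reasons.append('RunServices is a Win9x-era key; software written for XP does not use it')
    if entry.hive != 'Startup' and '\\' not in t:
        entry.reasons.append('bare filename, resolved through PATH at logon; confirm which file that is')
    if parent.endswith(DROP_DIRS):
        entry.reasons.append('executable dropped directly into a user-writable profile directory')
    if entry.hive == 'Startup' and not entry.name.lower().endswith('.lnk'):
        entry.reasons.append('startup folder holds a script/executable rather than a shortcut')
    if looks_random(entry.name):
        entry.reasons.append('random-looking value name')
    return entry


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = REG_RE.match(line)
        if m:
            entries.append(Entry(m['hive'], m['key'], m['name'], target_of(m['cmd'])))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(Entry('Startup', 'Startup', m['name'], target_of(m['cmd'] or m['name'])))
    return entries


def triage_log(text):
    """Return only the entries that picked up at least one reason to look closer."""
    return [e for e in map(triage, parse_log(text)) if e.reasons]


if __name__ == '__main__':
    for e in triage_log(SAMPLE_LOG):
        print(f'{e.hive}\\{e.key} [{e.name}] -> {e.target}')
        for r in e.reasons:
            print('    -', r)
```

Run against the sample, the script passes NvCplDaemon, ccApp, Google Update and the BigFix shortcut untouched and reports nwiz (bare name), both "System Updater Machine" entries (bare name, and the RunServices copy on top of that), kaqgq (loader directly in Application Data plus a random-looking name) and run_startmenu.cmd (a script in the All Users startup folder). Every hit still needs the file itself examined; the point of the rules is to shorten the list to look at.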



#3
January 17, 2009 at 18:50:33
Malwarebytes' Anti-Malware 1.33
Database version: 1663
Windows 5.1.2600 Service Pack 3

1/17/2009 4:27:16 PM
mbam-log-2009-01-17 (16-27-16).txt

Scan type: Quick Scan
Objects scanned: 65946
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{d263b532-c528-49e5-8bb6-80fa67332c9a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7165223d-d2c9-422b-8126-411b11842b8b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\seekmosa (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\RelevantKnowledge\rlservice.exe (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.



#4
January 17, 2009 at 18:53:25
I couldn't find TDSSserv.sys in the list


#5
January 17, 2009 at 19:27:25
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Norton antivirus, and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



#6
January 17, 2009 at 22:10:32
Thanks dude, that worked.


#7
January 18, 2009 at 07:42:57
Glad we could help.


#8
January 19, 2009 at 08:49:43
Thanks JABUCK!

Here's the log!


ComboFix 09-01-18.06 - user1 2009-01-20 0:31:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.1015.573 [GMT 8:00]
執行位置: c:\documents and settings\user1\桌面\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *enabled*
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\user1\「開始」功能表\程式集\videoplay
c:\program files\Mozilla Firefox\components\iamfamous.dll
C:\resycled
c:\resycled\ntldr.com
c:\windows\system32\drivers\gaopdxhqrewbpf.sys
c:\windows\system32\gaopdxqrmfemli.dll
D:\Autorun.inf
D:\resycled
d:\resycled\ntldr.com
E:\Autorun.inf
E:\resycled
e:\resycled\ntldr.com
K:\Autorun.inf
K:\resycled
k:\resycled\ntldr.com

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( 2008-12-19 至 2009-01-19 的新的檔案 )))))))))))))))))))))))))))))))
.

2009-01-19 23:59 . 2009-01-19 23:59 244 --ah----- C:\sqmnoopt12.sqm
2009-01-19 23:59 . 2009-01-19 23:59 232 --ah----- C:\sqmdata12.sqm
2009-01-19 23:39 . 2009-01-19 23:39 71,168 --a------ c:\windows\system32\drivers\gaopdxcnppjwir.sys
2009-01-19 18:57 . 2009-01-19 18:57 244 --ah----- C:\sqmnoopt11.sqm
2009-01-19 18:57 . 2009-01-19 18:57 232 --ah----- C:\sqmdata11.sqm
2009-01-19 10:34 . 2009-01-19 10:34 244 --ah----- C:\sqmnoopt10.sqm
2009-01-19 10:34 . 2009-01-19 10:34 232 --ah----- C:\sqmdata10.sqm
2009-01-19 00:49 . 2009-01-19 00:49 244 --ah----- C:\sqmnoopt09.sqm
2009-01-19 00:49 . 2009-01-19 00:49 232 --ah----- C:\sqmdata09.sqm
2009-01-18 20:59 . 2009-01-18 20:59 244 --ah----- C:\sqmnoopt08.sqm
2009-01-18 20:59 . 2009-01-18 20:59 232 --ah----- C:\sqmdata08.sqm
2009-01-18 18:12 . 2009-01-18 18:12 244 --ah----- C:\sqmnoopt07.sqm
2009-01-18 18:12 . 2009-01-18 18:12 232 --ah----- C:\sqmdata07.sqm
2009-01-18 10:11 . 2009-01-18 10:11 244 --ah----- C:\sqmnoopt06.sqm
2009-01-18 10:11 . 2009-01-18 10:11 232 --ah----- C:\sqmdata06.sqm
2009-01-17 23:32 . 2009-01-17 23:32 244 --ah----- C:\sqmnoopt05.sqm
2009-01-17 23:32 . 2009-01-17 23:32 232 --ah----- C:\sqmdata05.sqm
2009-01-17 18:12 . 2009-01-17 18:12 244 --ah----- C:\sqmnoopt04.sqm
2009-01-17 18:12 . 2009-01-17 18:12 232 --ah----- C:\sqmdata04.sqm
2009-01-17 14:47 . 2009-01-17 14:47 244 --ah----- C:\sqmnoopt03.sqm
2009-01-17 14:47 . 2009-01-17 14:47 232 --ah----- C:\sqmdata03.sqm
2009-01-15 17:30 . 2009-01-18 18:00 <DIR> d-------- c:\program files\Norton Security Scan
2009-01-15 14:30 . 2009-01-16 15:31 <DIR> d-------- c:\windows\system32\Adobe
2009-01-15 13:52 . 2003-04-06 21:23 3,903,569 --a------ c:\windows\system32\Q9SETUP.EXE
2009-01-15 13:38 . 2009-01-15 13:54 196,608 --a------ c:\windows\system32\q9b5rel.tbl
2009-01-15 13:38 . 2009-01-15 13:54 61,924 --a------ c:\windows\system32\q922pyb.tbl
2009-01-15 13:38 . 2009-01-15 13:54 56,976 --a------ c:\windows\system32\q922stb.tbl
2009-01-15 13:38 . 2009-01-15 13:54 46,760 --a------ c:\windows\system32\q922b.tbl
2009-01-15 13:31 . 2009-01-15 13:31 25,088 --a------ c:\windows\system32\QCKEY32.DLL
2009-01-15 13:10 . 2009-01-15 13:10 1,374 --a------ c:\windows\imsins.BAK
2009-01-12 18:55 . 2009-01-12 18:55 <DIR> d-------- c:\program files\InterVideo
2009-01-12 18:54 . 2009-01-12 18:54 <DIR> d-------- C:\SYSTEM.SAV
2009-01-12 18:44 . 2009-01-13 15:23 1,905 --a------ c:\windows\diagwrn.xml
2009-01-12 18:44 . 2009-01-13 15:23 1,905 --a------ c:\windows\diagerr.xml
2009-01-12 16:36 . 2009-01-12 16:38 <DIR> d-------- c:\program files\Mp3 Knife
2009-01-12 16:36 . 1998-06-24 00:00 609,584 --a------ c:\windows\system32\comctl32.ocx
2009-01-12 13:03 . 2009-01-12 13:04 <DIR> d-------- c:\program files\mp3DirectCut
2009-01-12 09:30 . 2009-01-12 09:30 <DIR> d-------- c:\program files\Poladroid
2009-01-10 15:44 . 2009-01-10 20:22 <DIR> d-------- c:\program files\WinKey
2009-01-10 15:43 . 2009-01-10 15:43 <DIR> d-------- c:\documents and settings\user1\WINDOWS
2009-01-10 15:43 . 1998-10-01 15:22 299,520 --a------ c:\windows\uninst.exe
2009-01-06 19:09 . 2009-01-06 19:09 <DIR> d-------- c:\program files\Common Files\Ulead Systems
2009-01-06 19:09 . 1998-12-08 18:53 212,480 --------- c:\windows\system32\PCDLIB32.DLL
2009-01-06 19:07 . 2009-01-06 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-01-02 23:03 . 2009-01-02 23:03 244 --ah----- C:\sqmnoopt02.sqm
2009-01-02 23:03 . 2009-01-02 23:03 232 --ah----- C:\sqmdata02.sqm
2009-01-02 13:58 . 2009-01-02 13:58 244 --ah----- C:\sqmnoopt01.sqm
2009-01-02 13:58 . 2009-01-02 13:58 232 --ah----- C:\sqmdata01.sqm
2009-01-02 08:08 . 2009-01-02 08:08 244 --ah----- C:\sqmnoopt00.sqm
2009-01-02 08:08 . 2009-01-02 08:08 232 --ah----- C:\sqmdata00.sqm
2008-12-30 21:31 . 2008-12-30 21:31 7,680 --ahs---- c:\windows\Thumbs.db
2008-12-26 00:52 . 2008-12-26 00:52 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-12-24 16:02 . 2008-12-24 16:02 2,464 --a------ c:\windows\$_hpcst$.hpc
2008-12-24 16:01 . 2003-03-27 07:28 73,805 --a------ c:\windows\system32\RAPI.DLL
2008-12-24 16:01 . 2003-04-23 07:29 65,617 --a------ c:\windows\system32\PMAILEXT.DLL
2008-12-24 16:01 . 2003-04-23 07:29 57,425 --a------ c:\windows\system32\MSGSTRPC.DLL
2008-12-24 16:01 . 2003-04-23 07:29 57,424 --a------ c:\windows\system32\MOBILEV.ACM
2008-12-24 16:01 . 2003-04-23 07:29 53,327 --a------ c:\windows\system32\CEUTIL.DLL
2008-12-24 16:01 . 2003-04-23 07:29 36,944 --a------ c:\windows\system32\PPCLOAD.DLL
2008-12-24 16:00 . 1998-10-07 17:23 327,168 --a------ c:\windows\IsUn0404.exe
2008-12-24 16:00 . 2008-12-24 16:02 2,510 --a------ c:\windows\Microsoft.MIF
2008-12-24 15:59 . 2003-02-23 05:09 31,273 --a------ c:\windows\system32\drivers\wceusbsh.sys
2008-12-24 15:59 . 2003-02-23 05:09 31,273 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys
2008-12-24 14:48 . 2008-12-24 14:48 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-24 14:47 . 2009-01-18 20:59 <DIR> d-------- c:\windows\system32\LogFiles
2008-12-24 14:47 . 2008-12-24 14:47 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-12-23 09:16 . 2008-12-23 09:16 <DIR> d-------- c:\program files\3M
2008-12-23 09:16 . 2008-12-23 09:16 <DIR> d-------- c:\documents and settings\user1\Application Data\3M

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 15:59 --------- d-----w c:\documents and settings\user1\Application Data\uTorrent
2009-01-19 15:58 --------- d-----w c:\documents and settings\user1\Application Data\.purple
2009-01-19 06:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-15 09:30 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-12 10:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-10 07:47 --------- d-----w c:\program files\Windows Live
2008-12-31 16:08 --------- d-----w c:\documents and settings\user1\Application Data\gtk-2.0
2008-12-27 07:12 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-27 07:12 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-24 08:08 --------- d-----w c:\documents and settings\user1\Application Data\ImgBurn
2008-12-17 12:58 --------- d-----w c:\program files\Your Uninstaller 2008
2008-12-17 12:28 --------- d-----w c:\program files\iSilo
2008-12-14 16:34 --------- d-----w c:\documents and settings\user1\Application Data\Thinstall
2008-12-11 19:37 --------- d-----w c:\program files\VideoLAN
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 17:11 --------- d-----w c:\program files\DivX
2008-12-09 15:20 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-09 15:18 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-09 15:18 60,800 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-12-09 15:18 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-09 15:18 10,563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-09 15:18 --------- d-----w c:\program files\Symantec
2008-12-09 15:08 --------- d-----w c:\documents and settings\user1\Application Data\URSoft
2008-12-05 19:00 --------- d-----w c:\program files\MSXML 4.0
2008-12-05 05:05 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-12-05 04:41 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-05 04:40 --------- d-----w c:\program files\WinAVI MP4 Converter
2008-12-05 02:38 --------- d-----w c:\program files\Foxy
2008-12-04 16:59 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-02 18:38 --------- d-----w c:\program files\KMPlayer
2008-12-02 16:14 --------- d-----w c:\program files\uTorrent
2008-11-28 16:54 --------- d-----w c:\program files\Foxit Software
2008-11-28 15:35 --------- d-----w c:\program files\Pidgin
2008-11-28 13:48 --------- d-----w c:\program files\Common Files\GTK
2008-11-28 04:39 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-23 413777]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"CJIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE" [2007-03-22 66400]
"PHIMETIPSYNC"="c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE" [2007-03-22 98656]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-01 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\All Users\「開始」功能表\程式集\啟動\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2009-01-12 192512]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\「開始」功能表\程式集\啟動\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CJIMETIPSYNC]
--a------ 2007-03-22 19:17 66400 c:\program files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-15 18:54 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 c:\program files\HP\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-12 20:00 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:35 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIMETIPSYNC]
--a------ 2007-03-22 19:17 98656 c:\program files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPHIDPAD]
--a------ 2001-10-02 11:23 45056 c:\winpenjr\win32\PPHIDPAD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
--a------ 2001-01-12 14:20 57344 c:\winpenjr\win32\CUSTOM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 18:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R1 ppmoucls;ppmoucls;c:\windows\system32\drivers\PPMOUCLS.SYS [2008-11-28 20704]
R1 pptchpad;PenPower Touchpad;c:\windows\system32\drivers\PPTCHPD5.SYS [2008-11-28 17216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-09 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89aab7f8-696e-11dd-be73-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com c:
\Shell\Open\command - c:\resycled\ntldr.com c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ea1b77c-cb86-11dd-be5d-0018f3c17778}]
\Shell\AutoRun\command - f:\.\Start.exe
.
‘計劃任務’ 文件夾 裡的內容

2009-01-18 c:\windows\Tasks\Norton Security Scan for user1.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PWRISOVM.EXE - c:\program files\PowerISO\PWRISOVM.EXE
SafeBoot-Symantec Antvirus
MSConfigStartUp-foxy - k:\software\_FOXY\綠化FOXY\Foxy.exe
MSConfigStartUp-DXDllRegExe - dxdllreg.exe


.
------- 而外的掃描 -------
.
uStart Page = hxxp://www.netvigator.com/
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {BE34BAB0-0580-45BC-AEC8-E0EF00C11F57} - hxxp://hkma.towergame.com/common/GTWebCom.cab
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\fbvk8mrx.default\
FF - prefs.js: browser.startup.homepage - chrome://ietab/content/reloaded.html?url=hxxp://www.netvigator.com/

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.external.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.warn-external.foxy", false);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("network.protocol-handler.expose.foxy", true);
c:\program files\Mozilla Firefox\defaults\profile\foxy.js - user_pref("general.useragent.extra.foxy1", "Foxy/1");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 00:34:08
Windows 5.1.2600 Service Pack 3 NTFS

掃描被隱藏的進程 。。。

掃描被隱藏的啟動組 。。。

掃描被隱藏的文件 。。。

掃描完成
被隱藏的檔案: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\ODBC\ODBC.INI\V*i*s*i*o* *?兗糰\Engines\Jet]
"Threads"=dword:00000003
"UserCommitSync"="Yes"
"ImplicitCommitSync"=""

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CLSID]
@="{809B6661-94C4-49E6-B6EC-3F0F862215AA}"

[HKEY_LOCAL_MACHINE\software\Classes\B*D*A*T*u*n*e*r*.*CQ譸\CurVer]
@="BDATuner.元件.1"
.
完成時間: 2009-01-20 0:35:49
ComboFix-quarantined-files.txt 2009-01-19 16:35:46

Pre-Run: 21,596,205,056 位元組可用
Post-Run: 21,833,093,120 位元組可用

267 --- E O F --- 2009-01-15 05:11:02



#9
January 19, 2009 at 15:40:31
Just wanted to say THANK YOU SO MUCH for this page!! You've saved me ?70 which Symantec wanted to charge me to remove this virus and I said no thanks, I'd try and remove it myself (after they declared their experts were the best in the business and any other tech support would just format my hard drive!!). Anyway, couldn't get internet on my desktop or Norton after it (or something appearing to be Norton) flashed a warning that a trojan had been detected and to restart the PC, after which Norton wouldn't work and couldn't get the internet. Anyway, after getting the suspicious error when trying to open my C drive in My Comp I realised I prob had a virus and used the laptop to contact Symantec who couldn't help (despite paying them vast sums in subscription fees). Will NOT EVER renew with them again!
To cut a very long story short, I followed your instructions, ran the brilliant Malwarebytes followed by ComboFix and it's all, including Norton, miraculously working normally again!
Thank you so much once again and a virtual case (or several) of beer to you (as well as a virtual ?70!).
Kind regards,


#10
January 19, 2009 at 18:41:43
amazingkitkat, if you are not Zunos you need to start your own thread; if you are, you need to post as Zunos in this thread.


#11
January 20, 2009 at 23:33:33
Hello, I have the problem; the only difference is that I get the message when I try to open my external hard drive. Can you help me please?


#12
January 27, 2009 at 12:07:41
I have deleted something, and now when I try to open C or D I get this message:

"Windows cannot find 'resycled\ntldr.com'. Make sure you typed the name correctly, and try again.
To search for a file, click the Start button, and then click Search."



#13
January 27, 2009 at 16:22:54
Thank you so much!

I had tried the first two things mentioned and had no luck, then I ran ComboFix and everything was back to normal.

Thank you!



#14
January 27, 2009 at 16:33:12
If you need help it would be best to start your own thread and let a helper work with you to remove the malware, as many times these tools only remove part of the baddies and they will regenerate.

If you do decide to start a new thread just state your problem, do not post any logs until requested to by a helper.

