View Full Version : Problems with file and folders options
killer942
2008-02-15, 11:13
i have this problem..when i try to click on show all files and folders ,its juz not happening and will keep goes back to do not show all files and folders option
i tried to change the registry but also no use
scan my com for virus den cleared but still cnt access my hidden files n folders
this is my hjt log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:11 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jia Yi\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185681386977
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
--
End of file - 3053 bytes
please help..thanx
steamwiz
2008-02-23, 15:36
HI
Follow the directions here :-
http://forums.spybot.info/showthread.php?t=288
Post the KAV scan results ...
THEN ...
Please follow these instructions for running Combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
1. When finished, it will produce a logfile located at C:\ComboFix.txt.
2. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported
to detect combofix as Worm.Qiv.100.
Please remember to post :-
1. KAV results
2. C:\ComboFix.txt
3. a new hijackthis log.( run after everything else)
steam
killer942
2008-02-25, 08:23
hi thx for your kind help..there are the followings logs:
Kaspersky Scanner:
KASPERSKY ONLINE SCANNER REPORT
Monday, February 25, 2008 2:10:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 579066
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 23260
Number of viruses found 2
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:36:45
Infected Object Name Virus Name Last Action
C:\autorun.inf Infected: Worm.Win32.AutoRun.cpr skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\history.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\key3.db Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jia Yi\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Application Data\Microsoft\Windows Live Contacts\killer942@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Application Data\Microsoft\Windows Live Contacts\killer942@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\History\History.IE5\MSHist012008022520080226\index.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temp\~DF1D04.tmp Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temp\~DF1D70.tmp Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temp\~DF632F.tmp Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temp\~DF635C.tmp Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\gqsk.bat Infected: Worm.Win32.AutoRun.cpr skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP47\A0018119.dll Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP47\A0018121.exe Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP47\A0018122.dll Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019059.exe Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019060.dll Infected: Trojan-PSW.Win32.OnLineGames.rdu skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019061.bat Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019062.exe Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019063.dll Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP60\A0019218.bat Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP60\A0019219.dll Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP60\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6D08C122-DA39-498B-AB0C-9584ADF68DD8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kavo.exe Infected: Worm.Win32.AutoRun.cpr skipped
C:\WINDOWS\system32\kavo1.dll Infected: Worm.Win32.AutoRun.cpr skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Combofix:
ComboFix 08-02-25.2 - Jia Yi 2008-02-25 14:13:46.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.100 [GMT 8:00]
Running from: C:\Documents and Settings\Jia Yi\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo1.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.
2008-02-25 01:47 . 2008-02-25 01:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-25 01:47 . 2008-02-25 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-23 08:00 . 2008-02-25 08:25 <DIR> d-------- C:\Documents and Settings\All Use\Application Data\AVG7
2008-02-22 23:24 . 2008-02-22 23:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-20 23:01 . 2008-02-20 23:01 115,221 -r-hs---- C:\gqsk.bat
2008-02-18 16:16 . 2008-02-18 16:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-18 16:15 . 2008-02-18 16:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-18 16:15 . 2008-02-18 16:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-18 15:55 . 2008-02-18 15:55 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\Apple Computer
2008-02-18 15:53 . 2008-02-18 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-15 16:54 . 2008-02-15 16:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-15 15:53 . 2008-02-15 15:53 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\Uniblue
2008-02-15 15:36 . 2008-02-25 01:41 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\AVG7
2008-02-15 15:36 . 2008-02-22 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-02-15 14:56 . 2008-02-15 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-14 21:47 . 2008-02-20 23:00 112,194 -r-hs---- C:\WINDOWS\system32\tavo.exe
2008-02-14 21:47 . 2008-02-20 23:00 81,408 -r-hs---- C:\WINDOWS\system32\tavo0.dll
2008-02-12 23:30 . 2008-02-12 23:30 <DIR> d-------- C:\Program Files\DIFX
2008-02-10 10:36 . 2006-01-09 15:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2008-02-07 02:19 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-02-07 02:18 . 2008-02-07 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-01-31 18:24 . 2008-02-10 11:42 <DIR> d-------- C:\Documents and Settings\All Use\Application Data\IDM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 05:28 --------- d-----w C:\Program Files\Warcraft III
2008-02-23 16:13 39,824 -c--a-w C:\Documents and Settings\Jia Yi\Application Data\GDIPFONTCACHEV1.DAT
2008-02-14 03:40 --------- d-----w C:\Documents and Settings\All Use\Application Data\DMCache
2008-01-06 04:29 --------- d-----w C:\Documents and Settings\All Use\Application Data\DNA
2008-01-01 06:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 06:53 --------- d-----w C:\Program Files\Ocean Technology
2008-01-01 06:53 --------- d-----w C:\Documents and Settings\Jia Yi\Application Data\InstallShield
2007-12-11 15:01 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:32 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2007-07-29 13:15 577536 C:\WINDOWS\soundman.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 23:26 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-22 23:24 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a945841a-d48c-11dc-8dc0-000d614b0e23}]
\Shell\AutoRun\command - G:\ntdelect.com
\Shell\explore\Command - G:\ntdelect.com
\Shell\open\Command - G:\ntdelect.com
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 14:15:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-25 14:16:47
ComboFix-quarantined-files.txt 2008-02-25 06:16:25
.
2008-02-19 04:21:46 --- E O F ---
Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:41 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jia Yi\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185681386977
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
--
End of file - 4016 bytes
steamwiz
2008-02-26, 01:37
HI
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\gqsk.bat
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a945841a-d48c-11dc-8dc0-000d614b0e23}]
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Is your problem resolved ?
steam
killer942
2008-02-26, 06:20
hi..this are the logs:
Combofix:
ComboFix 08-02-25.2 - Jia Yi 2008-02-26 12:08:45.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.78 [GMT 8:00]
Running from: C:\Documents and Settings\Jia Yi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jia Yi\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\gqsk.bat
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\gqsk.bat
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
2008-02-25 17:56 . 2008-02-25 17:56 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-02-23 08:00 . 2008-02-26 08:46 <DIR> d-------- C:\Documents and Settings\All Use\Application Data\AVG7
2008-02-22 23:24 . 2008-02-22 23:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-18 16:16 . 2008-02-18 16:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-18 16:15 . 2008-02-18 16:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-18 16:15 . 2008-02-18 16:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-18 15:55 . 2008-02-18 15:55 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\Apple Computer
2008-02-18 15:53 . 2008-02-18 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-15 16:54 . 2008-02-15 16:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-15 15:53 . 2008-02-15 15:53 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\Uniblue
2008-02-15 15:36 . 2008-02-25 21:28 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\AVG7
2008-02-15 15:36 . 2008-02-22 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-02-15 14:56 . 2008-02-15 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-12 23:30 . 2008-02-12 23:30 <DIR> d-------- C:\Program Files\DIFX
2008-02-10 10:36 . 2006-01-09 15:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2008-02-07 02:19 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-02-07 02:18 . 2008-02-07 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-01-31 18:24 . 2008-02-10 11:42 <DIR> d-------- C:\Documents and Settings\All Use\Application Data\IDM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 18:08 --------- d-----w C:\Program Files\Warcraft III
2008-02-23 16:13 39,824 -c--a-w C:\Documents and Settings\Jia Yi\Application Data\GDIPFONTCACHEV1.DAT
2008-02-14 03:40 --------- d-----w C:\Documents and Settings\All Use\Application Data\DMCache
2008-01-06 04:29 --------- d-----w C:\Documents and Settings\All Use\Application Data\DNA
2008-01-01 06:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 06:53 --------- d-----w C:\Program Files\Ocean Technology
2008-01-01 06:53 --------- d-----w C:\Documents and Settings\Jia Yi\Application Data\InstallShield
2007-12-11 15:01 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:32 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2007-07-29 13:15 577536 C:\WINDOWS\soundman.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 23:26 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-22 23:24 219136]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 12:10:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-26 12:11:22
ComboFix-quarantined-files.txt 2008-02-26 04:10:55
ComboFix2.txt 2008-02-25 06:16:47
.
2008-02-19 04:21:46 --- E O F ---
Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:39 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jia Yi\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185681386977
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
--
End of file - 3840 bytes
yes..im able to access my hidden file and folders, but the problem is when i actually uninstalled Combofix,i saw a program call kmd in my C drive..can i know what is this kmd?
steamwiz
2008-02-26, 22:04
Hi
Glad to hear your problem is resolved :)
kmd.exe is Combofix's renamed copy of cmd.exe
cmd.exe was being attacked by malware stopping Combofix from running, so Combofix uses a the renamed version...
New malware is already attacking kmd.exe So now Combofix uses a yet another way to run ( it's a never ending job trying to stay one step ahead of the malware writers)
steam
killer942
2008-02-26, 22:10
so..i juz let e kmd stay on in my c drive?..or to delete it?
steamwiz
2008-02-27, 00:10
HI
As you've removed Combofix, you can delete it. :)
cheers
steam