Problems with file and folders options

killer942

New member
I have this problem: when I try to click on "show all files and folders", it's just not happening and keeps going back to the "do not show all files and folders" option.
I tried to change the registry, but that was also no use.
I scanned my computer for viruses, then cleared them, but I still can't access my hidden files and folders.

This is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:11 PM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jia Yi\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185681386977
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 3053 bytes

Please help, thanks.
 
Hi

Follow the directions here :-

http://forums.spybot.info/showthread.php?t=288

Post the KAV scan results ...

THEN ...

Please follow these instructions for running Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

1. When finished, it will produce a logfile located at C:\ComboFix.txt.
2. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-

1. KAV results
2. C:\ComboFix.txt
3. a new HijackThis log (run after everything else)

steam
 
Hi, thanks for your kind help. Here are the logs:

Kaspersky Scanner:

KASPERSKY ONLINE SCANNER REPORT
Monday, February 25, 2008 2:10:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/02/2008
Kaspersky Anti-Virus database records: 579066
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 23260
Number of viruses found 2
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:36:45

Infected Object Name Virus Name Last Action
C:\autorun.inf Infected: Worm.Win32.AutoRun.cpr skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\history.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\key3.db Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jia Yi\Application Data\Mozilla\Firefox\Profiles\e24bkway.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jia Yi\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Application Data\Microsoft\Windows Live Contacts\killer942@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Application Data\Microsoft\Windows Live Contacts\killer942@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\History\History.IE5\MSHist012008022520080226\index.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temp\~DF1D04.tmp Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temp\~DF1D70.tmp Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temp\~DF632F.tmp Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temp\~DF635C.tmp Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jia Yi\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\gqsk.bat Infected: Worm.Win32.AutoRun.cpr skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP47\A0018119.dll Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP47\A0018121.exe Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP47\A0018122.dll Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019059.exe Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019060.dll Infected: Trojan-PSW.Win32.OnLineGames.rdu skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019061.bat Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019062.exe Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP58\A0019063.dll Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP60\A0019218.bat Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP60\A0019219.dll Object is locked skipped
C:\System Volume Information\_restore{472A2262-60F4-4CDD-B5D0-D6B1C267CF19}\RP60\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6D08C122-DA39-498B-AB0C-9584ADF68DD8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kavo.exe Infected: Worm.Win32.AutoRun.cpr skipped
C:\WINDOWS\system32\kavo1.dll Infected: Worm.Win32.AutoRun.cpr skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Combofix:

ComboFix 08-02-25.2 - Jia Yi 2008-02-25 14:13:46.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.100 [GMT 8:00]
Running from: C:\Documents and Settings\Jia Yi\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo1.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 01:47 . 2008-02-25 01:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-25 01:47 . 2008-02-25 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-23 08:00 . 2008-02-25 08:25 <DIR> d-------- C:\Documents and Settings\All Use\Application Data\AVG7
2008-02-22 23:24 . 2008-02-22 23:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-20 23:01 . 2008-02-20 23:01 115,221 -r-hs---- C:\gqsk.bat
2008-02-18 16:16 . 2008-02-18 16:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-18 16:15 . 2008-02-18 16:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-18 16:15 . 2008-02-18 16:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-18 15:55 . 2008-02-18 15:55 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\Apple Computer
2008-02-18 15:53 . 2008-02-18 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-15 16:54 . 2008-02-15 16:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-15 15:53 . 2008-02-15 15:53 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\Uniblue
2008-02-15 15:36 . 2008-02-25 01:41 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\AVG7
2008-02-15 15:36 . 2008-02-22 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-02-15 14:56 . 2008-02-15 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-14 21:47 . 2008-02-20 23:00 112,194 -r-hs---- C:\WINDOWS\system32\tavo.exe
2008-02-14 21:47 . 2008-02-20 23:00 81,408 -r-hs---- C:\WINDOWS\system32\tavo0.dll
2008-02-12 23:30 . 2008-02-12 23:30 <DIR> d-------- C:\Program Files\DIFX
2008-02-10 10:36 . 2006-01-09 15:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2008-02-07 02:19 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-02-07 02:18 . 2008-02-07 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-01-31 18:24 . 2008-02-10 11:42 <DIR> d-------- C:\Documents and Settings\All Use\Application Data\IDM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 05:28 --------- d-----w C:\Program Files\Warcraft III
2008-02-23 16:13 39,824 -c--a-w C:\Documents and Settings\Jia Yi\Application Data\GDIPFONTCACHEV1.DAT
2008-02-14 03:40 --------- d-----w C:\Documents and Settings\All Use\Application Data\DMCache
2008-01-06 04:29 --------- d-----w C:\Documents and Settings\All Use\Application Data\DNA
2008-01-01 06:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 06:53 --------- d-----w C:\Program Files\Ocean Technology
2008-01-01 06:53 --------- d-----w C:\Documents and Settings\Jia Yi\Application Data\InstallShield
2007-12-11 15:01 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:32 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2007-07-29 13:15 577536 C:\WINDOWS\soundman.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 23:26 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-22 23:24 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a945841a-d48c-11dc-8dc0-000d614b0e23}]
\Shell\AutoRun\command - G:\ntdelect.com
\Shell\explore\Command - G:\ntdelect.com
\Shell\open\Command - G:\ntdelect.com

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 14:15:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 14:16:47
ComboFix-quarantined-files.txt 2008-02-25 06:16:25
.
2008-02-19 04:21:46 --- E O F ---

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:41 PM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jia Yi\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185681386977
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

--
End of file - 4016 bytes
 
Hi

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
C:\gqsk.bat
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a945841a-d48c-11dc-8dc0-000d614b0e23}]

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
[Screenshot: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Is your problem resolved ?

steam
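As an added example (not from the thread, and not ComboFix's own code): a small Python triage script that reads the two ComboFix sections the reply above acts on, flags newly created files carrying both the hidden and system attributes and any per-drive AutoRun handlers under mountpoints2, and renders them in the File:: / Registry:: CFScript form, with File:: on the very first line as the reply stresses. The log excerpt is constructed from entries in the posted log; the function names are my own.

```python
"""Triage a ComboFix log: flag hidden+system files from the 'Files Created'
section and per-drive AutoRun handlers under mountpoints2, then render them
as a CFScript (File:: / Registry::) for a human to review before use."""
import re

# Constructed excerpt: the entries are copied from the ComboFix log posted in
# this thread, trimmed to the lines the triage cares about.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 01:47 . 2008-02-25 01:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-20 23:01 . 2008-02-20 23:01 115,221 -r-hs---- C:\gqsk.bat
2008-02-15 16:54 . 2008-02-15 16:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-14 21:47 . 2008-02-20 23:00 112,194 -r-hs---- C:\WINDOWS\system32\tavo.exe
2008-02-14 21:47 . 2008-02-20 23:00 81,408 -r-hs---- C:\WINDOWS\system32\tavo0.dll
2008-02-10 10:36 . 2006-01-09 15:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a945841a-d48c-11dc-8dc0-000d614b0e23}]
\Shell\AutoRun\command - G:\ntdelect.com
\Shell\explore\Command - G:\ntdelect.com
\Shell\open\Command - G:\ntdelect.com
"""

# One 'Files Created' entry: <created> . <modified> <size or <DIR>> <attrs> <path>
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size><DIR>|[\d,]+) +(?P<attrs>[-a-z]{9}) +(?P<path>.+)$"
)
# A registry key header such as [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A Shell verb line beneath a mountpoints2 key: \Shell\<verb>\command - <cmd>
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$", re.IGNORECASE)


def parse_created_files(log):
    """Return one dict per entry of the 'Files Created' section."""
    entries = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.rstrip())
        if m:
            entry = m.groupdict()
            entry["is_dir"] = entry["size"] == "<DIR>"
            entries.append(entry)
    return entries


def flag_hidden_system_files(entries):
    """Paths of non-directory entries carrying both the hidden (h) and
    system (s) attributes.  Newly created files dropped this way into the
    drive root or system32 deserve a look; the AutoRun worm in this thread
    used exactly that combination on gqsk.bat, tavo.exe and tavo0.dll."""
    return [e["path"] for e in entries
            if not e["is_dir"] and "h" in e["attrs"] and "s" in e["attrs"]]


def find_autorun_handlers(log):
    """Map each mountpoints2 key to the (verb, command) pairs it registers.
    Explorer remembers per-drive AutoRun handlers here; one whose open /
    explore / AutoRun verbs all launch a file on a removable drive is the
    foothold an AutoRun worm leaves behind."""
    handlers = {}
    current = None
    for line in log.splitlines():
        line = line.rstrip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            continue
        sm = SHELL_RE.match(line)
        if sm and current and "\\mountpoints2\\" in current.lower():
            handlers.setdefault(current, []).append((sm.group("verb"), sm.group("cmd")))
    return handlers


def build_cfscript(file_paths, reg_keys):
    """Render a CFScript.txt body.  'File::' must be the very first line with
    nothing before it (the point the reply above stresses); '[-key]' in the
    Registry:: section is the REGEDIT4 form that asks for the key's removal."""
    lines = ["File::"] + list(file_paths)
    if reg_keys:
        lines += ["", "Registry::"] + ["[-%s]" % k for k in reg_keys]
    return "\n".join(lines) + "\n"


def triage(log):
    """Run both detectors and return (flagged files, flagged keys, script)."""
    files = flag_hidden_system_files(parse_created_files(log))
    keys = list(find_autorun_handlers(log))
    return files, keys, build_cfscript(files, keys)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)[2])
```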
 
Hi, these are the logs:

Combofix:
ComboFix 08-02-25.2 - Jia Yi 2008-02-26 12:08:45.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.78 [GMT 8:00]
Running from: C:\Documents and Settings\Jia Yi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jia Yi\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\gqsk.bat
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\gqsk.bat
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 17:56 . 2008-02-25 17:56 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-02-23 08:00 . 2008-02-26 08:46 <DIR> d-------- C:\Documents and Settings\All Use\Application Data\AVG7
2008-02-22 23:24 . 2008-02-22 23:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-18 16:16 . 2008-02-18 16:37 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-18 16:15 . 2008-02-18 16:53 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-18 16:15 . 2008-02-18 16:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-18 15:55 . 2008-02-18 15:55 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\Apple Computer
2008-02-18 15:53 . 2008-02-18 16:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-15 16:54 . 2008-02-15 16:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-15 15:53 . 2008-02-15 15:53 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\Uniblue
2008-02-15 15:36 . 2008-02-25 21:28 <DIR> d-------- C:\Documents and Settings\Jia Yi\Application Data\AVG7
2008-02-15 15:36 . 2008-02-22 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-02-15 14:56 . 2008-02-15 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-12 23:30 . 2008-02-12 23:30 <DIR> d-------- C:\Program Files\DIFX
2008-02-10 10:36 . 2006-01-09 15:01 86,016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll
2008-02-07 02:19 . 2007-02-22 10:15 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-02-07 02:18 . 2008-02-07 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations
2008-01-31 18:24 . 2008-02-10 11:42 <DIR> d-------- C:\Documents and Settings\All Use\Application Data\IDM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 18:08 --------- d-----w C:\Program Files\Warcraft III
2008-02-23 16:13 39,824 -c--a-w C:\Documents and Settings\Jia Yi\Application Data\GDIPFONTCACHEV1.DAT
2008-02-14 03:40 --------- d-----w C:\Documents and Settings\All Use\Application Data\DMCache
2008-01-06 04:29 --------- d-----w C:\Documents and Settings\All Use\Application Data\DNA
2008-01-01 06:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 06:53 --------- d-----w C:\Program Files\Ocean Technology
2008-01-01 06:53 --------- d-----w C:\Documents and Settings\Jia Yi\Application Data\InstallShield
2007-12-11 15:01 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:32 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2007-07-29 13:15 577536 C:\WINDOWS\soundman.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-22 23:26 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-22 23:24 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 12:10:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-26 12:11:22
ComboFix-quarantined-files.txt 2008-02-26 04:10:55
ComboFix2.txt 2008-02-25 06:16:47
.
2008-02-19 04:21:46 --- E O F ---

Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:39 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jia Yi\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1185681386977
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

--
End of file - 3840 bytes

Yes, I'm able to access my hidden files and folders, but the problem is that when I actually uninstalled Combofix, I saw a program called kmd in my C drive. Can I know what this kmd is?
 
Hi

Glad to hear your problem is resolved :)

kmd.exe is Combofix's renamed copy of cmd.exe

cmd.exe was being attacked by malware, stopping Combofix from running, so Combofix uses the renamed version...

New malware is already attacking kmd.exe, so now Combofix uses yet another way to run (it's a never-ending job trying to stay one step ahead of the malware writers).

steam
 