
OLD MAN...help~ autorun.inf trojan problem..failure to remove

flysa:
-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>
R3 qmofiltr (Quanta HotKey Mouse Filter Driver) - c:\windows\system32\drivers\qmofiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta Mouse Filter Device Driver>
R3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys

S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 sgdcrtaiuhncd - c:\windows\system32\wincab.sys
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&192AC53F&0&00E0
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&192AC53F&0&00E0
Service: w39n51


-- Scheduled Tasks -------------------------------------------------------------

2007-11-14 22:51:11       272 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-11-14 22:51:09       394 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2007-10-19 and 2007-11-19 -----------------------------

2007-11-19 00:56:22         0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-19 00:52:53         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-19 00:52:53         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-19 00:52:53         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-19 00:52:53         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-19 00:52:53         0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-19 00:52:53         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-19 00:52:53         0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-19 00:52:53         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-19 00:52:53         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-19 00:52:53         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-19 00:52:53         0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-11-19 00:52:53         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-19 00:52:53         0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-11-19 00:52:53         0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-19 00:52:53         0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-19 00:52:52         0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-19 00:52:52         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-19 00:52:52         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-19 00:52:51   1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-19 00:19:46         0 d-------- C:\Program Files\Trend Micro
2007-11-18 22:03:46         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 21:50:03     21907 --a------ C:\WINDOWS\system32\wincab.sys
2007-11-18 21:44:00     97138 -r-hs---- C:\ntde1ect.com
2007-11-18 21:43:32     31120 -r-hs---- C:\WINDOWS\system32\avpo0.dll
2007-11-14 22:51:13         0 d-------- C:\Documents and Settings\angela\Application Data\Uniblue
2007-11-11 16:07:06   5242880 --a------ C:\Documents and Settings\angela\ntuser.dat
2007-11-03 03:29:02         0 d--h----- C:\WINDOWS\PIF
2007-10-28 19:02:00         0 d--hs---- C:\WINDOWS\ftpcache
2007-10-28 19:01:36         0 d-------- C:\Documents and Settings\angela\Application Data\U3

flysa:
-- Find3M Report ---------------------------------------------------------------

2007-11-19 03:16:13         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 03:31:10         0 d-------- C:\Program Files\Warcraft III
2007-11-18 03:20:50         0 d-------- C:\Documents and Settings\angela\Application Data\Hamachi
2007-11-15 01:36:52         0 d-------- C:\Program Files\eMule
2007-11-09 17:23:51         0 d-------- C:\Documents and Settings\angela\Application Data\Adobe
2007-10-28 11:59:36         0 d-------- C:\Program Files\Online Services
2007-10-28 11:58:09         0 d-------- C:\Program Files\Common Files
2007-10-26 11:07:07         0 d-------- C:\Documents and Settings\angela\Application Data\ppstream
2007-10-25 02:53:31         0 d-------- C:\Program Files\MSN Messenger
2007-10-21 23:32:20         0 d-------- C:\Documents and Settings\angela\Application Data\AdobeUM
2007-10-09 18:31:41         0 d-------- C:\Program Files\Maxthon2
2007-10-08 22:50:42        19 --a------ C:\WINDOWS\popcinfo.dat
2007-09-29 01:16:28         0 d-------- C:\Documents and Settings\angela\Application Data\Sun


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="launchapp" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/28/2005 10:55 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/28/2005 10:52 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/28/2005 10:55 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12/17/2005 01:32 AM]
"NDSTray.exe"="NDSTray.exe" []
"Toshiba Hotkey Utility"="C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [01/28/2006 06:13 AM]
"TPSMain"="TPSMain.exe" [06/01/2005 01:00 PM C:\WINDOWS\system32\TPSMain.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [12/05/2005 12:37 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [11/28/2005 11:41 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 01:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 01:00 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 PM]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [06/10/2004 01:48 PM]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [04/27/2005 08:13 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2/7/2006 5:33:52 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)
"Spooler"=2 (0x2)
"O&O Defrag"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"helpsvc"=2 (0x2)
"avast! Mail Scanner"=3 (0x3)
"StarWindService"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0366f18e-2d45-11dc-9c34-0019d286ed86}]
Auto\command- I:\auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3298cd0a-850a-11dc-9cb5-00163696e195}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3298cd0b-850a-11dc-9cb5-00163696e195}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3338c07d-337a-11dc-9c40-0019d286ed86}]
AutoRun\command- G:\ntde1ect.com
explore\Command- G:\ntde1ect.com
open\Command- G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a079145-4bb8-11dc-9c75-0019d286ed86}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c8171e8-40d1-11dc-9c5d-00116712dd0b}]
Auto\command- F:\auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c8171e9-40d1-11dc-9c5d-00116712dd0b}]
Auto\command- auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b97d4e17-23a6-11dc-9c23-0019d286ed86}]
AutoRun\command- H:\oxfordec.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e63a7aec-3a7d-11dc-9c4c-0019d286ed86}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6669414-7b42-11dc-9ca3-00163696e195}]
Auto\command- F:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e




-- End of Deckard's System Scanner: finished at 2007-11-19 03:22:15 ------------

flysa:
Thanks for the help.... :'(
I will be waiting for your good news even in dreams....
 :-\

DavidR:

--- Quote from: flysa on November 18, 2007, 07:50:58 PM ---1) I had tried to set it as "show hidden files and folders".. but even when I click OK or Apply
it seems not to work, because when I opened the folder options again it had already been set back to "don't show hidden files and folders"

In my folder options I didn't have this -- 'Don't show hidden files and system files'

--- End quote ---

It may be that the malware has disabled this ability to stop you getting at the file/s.
That is why I posted the image, as the order should be the same even if the language is different.


--- Quote from: flysa on November 18, 2007, 07:50:58 PM ---2) I am only using the Windows firewall provided by Windows XP
--- End quote ---

An active firewall can help by blocking unauthorised outbound Internet connections. This can stop downloaders downloading more malware, which makes getting your system clean harder. Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.

See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php.


--- Quote from: flysa on November 18, 2007, 07:50:58 PM ---3) U3 device? I don't really get the meaning... I do plug in my pendrive and external hard disk, and both of them also got infected by the virus :'(
--- End quote ---
Some USB pen drives are a little more specialised in that they have an application launcher, so when you plug them in they start running some programs (this is different to the autorun.inf). These are called U3 drives, and if you don't know about it, then it is unlikely you have one of this type of pen drive.

If you have an Acer laptop this might well be a legit O4 Run entry, http://www.spywareterminator.com/item/1696/LaunchApp.html.


--- Quote from: flysa on November 18, 2007, 07:50:58 PM ---4) About the applications you mentioned, I just uninstalled them... just now
--- End quote ---

If you don't use or need them, then no problem, but the suggestion was one to confirm you installed them rather than something else installed them.


--- Quote from: flysa on November 18, 2007, 07:50:58 PM ---5) Is it necessary to update my J2SE runtime environment?

--- End quote ---

It is important to keep the Java runtime environment updated; the reason for the updates is often to close exploits. The latest is JRE version 6 update 3 (1.6.0_3).

oldman:
New plan, see below. ;D
