Hi. My PC got infected with trojans and other malware. I installed Kaspersky AV and it disinfected all (maybe) of them. When I open My Computer to explore either of the 2 local drives, a box appears asking me to choose which program I should choose to open the file. Why is that? C: and D: drives are not files?! I don't know how that happened.
Help please.
spidey 0 Junior Poster in Training
gerbil 216 Industrious Poster
Hi. Run this script... I think it will solve your problem...
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\Drive\shell]
@="none"
spidey 0 Junior Poster in Training
Thanks for a quick reply.
I did what you told me. fixkey.reg as type "all files" saved on desktop.
Dclicking it will ask...
Are you sure you want to add the information in C:\...\fixkey.reg to the registry?
When I click yes, it says...
Cannot import C:\...\fixkey.reg. The specified file is not a registry script. You can only import binary registry files from within the registry editor."
What could be the problem?
gerbil 216 Industrious Poster
Hi, spidey, make sure when you save it that there is a blank line below the @="none" line in your notepad .reg file, otherwise it will not be accepted.
spidey 0 Junior Poster in Training
Now it's accepted. It says it has been successfully entered into the registry.
But when I dclick C: or D:, it still asks for which program I should choose to open the drive.
gerbil 216 Industrious Poster
Spidey, go Tools, Folder Options, View, choose to Show hidden files n folders. Check if in the root of both C: and D: you have an autorun.inf file. If so, delete them. When you click on a drive those files run... who knows what they are trying to initiate. If there they most likely were emplaced by malware. Run a scan, eg Spybot SD.
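Added example, not part of the original thread or any poster's code: a Python reader for the [autorun] section of an autorun.inf file that lists the commands the file asks Explorer to launch, so the file in a drive root can be inspected before it is deleted. The sample content, file names and function names are constructed for illustration.

```python
import os
import re
import sys

# Keys in the [autorun] section whose value is a command to execute.
_LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command defines a context-menu verb and the command behind it.
_VERB_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample, not taken from the thread.
SAMPLE = r"""; constructed sample
[AutoRun]
open=example.exe
shell\open\Command=example.exe
shell\explore\command = example.exe /e
shell=open
icon=drive.ico
[other]
open=ignored.exe
"""


def parse_autorun(text):
    """Return the launch commands and default verb declared under [autorun]."""
    commands, default_verb, in_autorun = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        lowered = key.lower()  # section and key names are case-insensitive
        if lowered in _LAUNCH_KEYS or _VERB_CMD.match(key):
            commands.append((lowered, value))
        elif lowered == "shell":
            default_verb = value.lower()  # verb used as the default action
    return {"commands": commands, "default_verb": default_verb}


def scan_roots(roots):
    """Parse autorun.inf in each given root; roots without one are omitted."""
    found = {}
    for root in roots:
        try:
            names = os.listdir(root)  # also returns hidden/system files
        except OSError:
            continue  # drive not ready or not readable
        for name in names:
            path = os.path.join(root, name)
            # Skip a *folder* named autorun.inf; only a file can carry commands.
            if name.lower() == "autorun.inf" and os.path.isfile(path):
                with open(path, encoding="latin-1") as fh:
                    found[root] = parse_autorun(fh.read())
    return found


if __name__ == "__main__":
    # Usage: python autorun_check.py C:\ D:\
    for root, info in scan_roots(sys.argv[1:]).items():
        print(root, "default verb:", info["default_verb"])
        for key, command in info["commands"]:
            print("   ", key, "->", command)
```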
c-tech 3 Junior Poster
I don't know if this will solve your problem but considering it worked for me it just might. When the "open with" dialogue box comes up go to Browse. Then go to your root folder, i.e. where you've installed XP, either C: or D:. Go to the Windows folder and select EXPLORER. Then make sure before you click OK you select "always use this program to select this kind of file". Click OK and exit. Hopefully it will work.
spidey 0 Junior Poster in Training
@gerbil
I scanned my PC with Spybot S&D and it works now, but only for the main drive (C: ) and not in the partition D:.
It detected a trojan which I think hides the autorun file at C: that makes it unDclickable. I don't know why it didn't work on D:.
How about transferring all files in D: to C:, then reformat D: and rescan C: (since it seems like it only removes malware from the drive where it is installed)? Well transferring files and reformatting takes time so I hope there's a better and easier way.
@c-tech
Thanks for the help but even if it works, the trojan and the hidden nasty autorun file would still be there.
gerbil 216 Industrious Poster
Hello spidey, well that is a start. What trojan did Spybot find?
Run these two scans in order given - the first is a scan for certain specified malwares, the second is also but will give me a look at some information, then make the hijackthis log.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
gerbil 216 Industrious Poster
Spidey, I just saw your Kaspersky log in the other forum... do this before you run the other tools above; they will also make new restore points.
==You must clear all your system restore points because some have been infected.... you do this by toggling System Restore Off then On again. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > run, paste: control sysdm.cpl,,4 -and OK]]
Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!
[[the quick way to System Restore is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]
We will have to do this again when your sys is clean.
spidey 0 Junior Poster in Training
I have just finished scanning with Malwarebytes' before I saw your last post. Below is the log of that.
Malwarebytes' Anti-Malware 1.23
Database version: 990
Windows 5.1.2600 Service Pack 2
10:08:40 PM 7/25/2008
mbam-log-7-25-2008 (22-08-40).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 104304
Time elapsed: 27 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I have also removed all restore points and created a new one. Then rescanned with Spybot. Tomorrow I'll scan again with Malwarebytes then Combofix.
gerbil 216 Industrious Poster
Hi, you don't need a second run with MBAM, just go straight on with combofix and the hijackthis scan.
spidey 0 Junior Poster in Training
Oops, post deleted.
I'll get back with the result of combofix and hijackthis.
spidey 0 Junior Poster in Training
Hello gerbil.
Here is my combofix log:
ComboFix 08-07-25.4 - Francis 2008-07-26 15:21:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.617 [GMT 8:00]
Running from: C:\Documents and Settings\Francis\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Francis\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\ckvo0.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.
2008-07-25 21:10 . 2008-07-25 21:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 21:10 . 2008-07-25 21:10 <DIR> d-------- C:\Documents and Settings\Francis\Application Data\Malwarebytes
2008-07-25 21:10 . 2008-07-25 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 21:10 . 2008-07-23 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 21:10 . 2008-07-23 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-25 17:36 . 2008-07-25 17:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-25 17:36 . 2008-07-25 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-24 22:57 . 2008-07-24 22:57 <DIR> d-------- C:\Program Files\Google
2008-07-23 22:36 . 2008-07-23 22:51 49 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-23 22:14 . 2008-07-23 22:14 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-07-23 22:14 . 2004-08-04 06:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-23 22:13 . 2008-06-13 21:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-23 22:13 . 2008-06-13 21:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-23 22:08 . 2008-07-23 22:08 <DIR> d-------- C:\WINDOWS\system32\drivers\umdf
2008-07-23 20:11 . 2008-07-23 20:11 <DIR> d-------- C:\Program Files\Macromedia
2008-07-23 20:11 . 2008-07-23 20:11 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-07-23 20:10 . 2008-07-23 20:10 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-23 19:13 . 2008-07-24 21:14 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-07-23 19:13 . 2008-07-23 19:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-23 19:12 . 2008-07-23 19:14 <DIR> d-------- C:\Documents and Settings\Francis\Application Data\SiteAdvisor
2008-07-23 19:12 . 2008-07-26 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-23 19:12 . 2008-07-23 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 18:12 . 2008-07-25 07:47 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-23 18:10 . 2008-04-23 12:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-23 18:10 . 2007-04-17 17:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-23 18:10 . 2007-03-08 13:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-23 18:10 . 2008-04-23 12:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-23 18:10 . 2008-04-23 12:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-23 18:10 . 2008-04-23 12:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-23 18:10 . 2008-04-23 12:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-23 18:10 . 2008-04-23 12:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-23 18:10 . 2008-04-22 15:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-23 17:20 . 2008-07-23 17:54 <DIR> d-------- C:\WINDOWS\NV36923908.TMP
2008-07-23 17:20 . 2008-07-23 17:20 <DIR> d-------- C:\NVIDIA
2008-07-23 17:20 . 2008-05-19 18:16 186,407 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-23 17:07 . 2008-07-23 17:07 <DIR> d-------- C:\WINDOWS\Sun
2008-07-23 17:07 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-23 17:06 . 2008-07-23 17:07 <DIR> d-------- C:\Program Files\Java
2008-07-23 17:02 . 2008-07-23 17:02 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-23 16:58 . 2008-07-23 16:59 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-23 16:30 . 2008-07-23 16:30 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-23 16:30 . 2008-07-26 15:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-23 16:30 . 2008-07-26 15:24 2,422,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-23 16:30 . 2008-07-26 15:24 344,096 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-23 16:30 . 2008-07-24 18:57 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-23 16:30 . 2008-07-24 18:57 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-23 16:30 . 2008-07-26 15:24 21,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-23 16:30 . 2008-07-26 15:24 3,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-23 16:29 . 2008-07-23 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-23 16:27 . 2008-07-23 16:27 <DIR> d-------- C:\Documents and Settings\Francis\Application Data\Ahead
2008-07-23 16:26 . 2008-07-23 16:26 <DIR> d-------- C:\Program Files\Nero
2008-07-23 16:26 . 2008-07-23 16:28 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-07-23 16:26 . 2008-07-23 16:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-23 16:23 . 2008-07-23 16:23 <DIR> d-------- C:\MyWorks
2008-07-23 16:23 . 2001-03-08 18:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2008-07-23 16:22 . 2008-07-23 16:23 <DIR> d-------- C:\Program Files\CyberLink
2008-07-23 16:22 . 2003-03-18 20:14 499,712 --------- C:\WINDOWS\system32\msvcp71.dll
2008-07-23 16:22 . 2003-02-21 04:42 348,160 --------- C:\WINDOWS\system32\msvcr71.dll
2008-07-23 16:21 . 2008-07-23 16:21 <DIR> d-------- C:\Program Files\ASUS
2008-07-23 16:17 . 2008-07-23 16:17 <DIR> d-------- C:\WINDOWS\system32\Attansic
2008-07-23 16:17 . 2008-07-23 16:17 <DIR> d-------- C:\Program Files\Attansic
2008-07-23 16:17 . 2006-11-01 11:10 35,840 -ra------ C:\WINDOWS\system32\drivers\atl01_xp.sys
2008-07-23 16:16 . 2008-07-23 16:16 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-07-23 16:16 . 2008-07-23 16:16 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-07-23 16:16 . 2008-07-23 16:16 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-07-23 16:13 . 2008-07-23 16:13 <DIR> d-------- C:\Program Files\Realtek
2008-07-23 16:13 . 2008-07-23 16:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-23 16:10 . 2008-07-23 16:10 <DIR> d-------- C:\Program Files\Intel
2008-07-23 16:09 . 2008-07-23 16:19 13,734 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-07-23 16:09 . 2006-10-11 03:33 10,288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-07-23 16:09 . 2004-08-15 02:56 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-07-23 16:06 . 2008-07-26 15:25 178,842 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-23 16:05 . 2008-07-23 17:54 <DIR> d-------- C:\WINDOWS\nview
2008-07-23 16:05 . 2008-05-16 11:48 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-23 16:05 . 2008-05-16 14:01 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-23 16:05 . 2008-05-16 14:01 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-23 16:04 . 2008-07-23 20:10 <DIR> d-------- C:\Program Files\Common Files\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 07:49 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-05 05:03 36640]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-13 02:36 16267776 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-18 02:04 2879488 C:\WINDOWS\SkyTel.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\english\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-11-01 11:10]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 15:25:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-26 15:26:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 07:26:44
Pre-Run: 178,098,335,744 bytes free
Post-Run: 178,128,859,136 bytes free
163 --- E O F --- 2008-07-25 00:13:26
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:23 PM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Francis\Desktop\New Folder\imabunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ph.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
--
End of file - 5518 bytes
Man this looks more complicated than I thought. lol!
Thanks for the patience.
gerbil 216 Industrious Poster
Pieceacake... :)
Well, that got rid of the D:\autorun.inf for you, one other file deleted was a remnant of some adware, the other is as yet unclassified. I see nothing else, so I suspect your sys is now clean, and you should be able to also open D:?
spidey 0 Junior Poster in Training
Yes, I can open D: now! Problem solved.
I learned a lot from you. One thing is that best things are indeed free.;)
Now what I want to do next is format again coz I don't feel comfy with the settings and registries these several anti-malware programs installed have done. I want them all back to their original settings. I'm sure those nasties won't hurt my PC anymore.
Thank you very much! More power to you and to DaniWeb.
gerbil 216 Industrious Poster
Format? What the...?
To remove Combofix and its files, just go Start, Run, type or paste in...
C:\Documents and Settings\Francis\Desktop\ComboFix.exe /u
Change Folder Options to the View setting for Hidden Files that you prefer.
Uninstall MBAM.
And your sys will be normal again. No fancy reg settings have been made.
Cheers.