Here's a description of what the virus does in the computer:
1. When I run cmd, the command prompt window appears for a little while and then suddenly closes without any external commands.
2. The folder options under tools>folder options is gone, and I can't view any hidden files.
3. Any thumbdrive that goes into an affected computer gets it, and that thumbdrive will spread it around any computer that opens the drive.
My question is, are there any ways to clear the virus from the thumbdrive without formatting it? There's some license thingie inside the thumbdrive that cannot be copied out effectively; the license is used for a program.
Anyway, this is the log after running the combofix program:
ComboFix 09-06-21.01 - Administrator 07/09/2009 10:12.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.591 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.
2009-07-08 02:11 . 2007-10-23 01:27 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2009-07-08 02:10 . 2008-05-02 02:41 3493888 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2009-07-08 01:14 . 2009-06-11 00:58 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-08 01:14 . 2009-06-11 00:58 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-08 01:14 . 2009-06-11 00:58 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-08 01:14 . 2009-06-17 01:05 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-08 01:13 . 2009-06-11 00:58 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-01 07:15 . 2009-07-07 05:58 -------- d-----w- c:\documents and settings\chinhau\Local Settings\Application Data\Computers and Structures
2009-07-01 07:07 . 2009-03-21 14:18 16 ---h--w- c:\windows\system32\jprt1ws.dll
2009-07-01 07:07 . 2009-03-21 14:18 16 ---h--w- c:\windows\system32\cr0ng43.dll
2009-07-01 06:07 . 2009-07-09 01:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-06-26 09:17 . 2008-05-02 02:41 3493888 ---ha-w- c:\documents and settings\chinhau\Application Data\U3\temp\Launchpad Removal.exe
2009-06-22 00:57 . 2009-06-22 00:56 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-17 01:05 . 2009-06-17 01:05 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-17 01:05 . 2009-06-17 01:05 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-17 01:05 . 2009-06-11 00:58 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-13 06:04 . 2009-06-13 06:04 103080 ----a-w- c:\documents and settings\sengchuan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-13 06:04 . 2009-06-13 06:04 -------- d-----w- c:\documents and settings\sengchuan\Local Settings\Application Data\Bentley
2009-06-13 06:04 . 2009-06-13 06:04 -------- d-----w- c:\documents and settings\sengchuan\Application Data\Bentley
2009-06-11 00:58 . 2009-06-17 01:05 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 01:14 . 2008-03-26 00:24 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-07 05:58 . 2004-08-04 08:00 744 ----a-w- c:\windows\system32\bzb2wg9.dll
2009-07-07 05:26 . 2004-08-04 08:00 100 ----a-w- c:\windows\system32\prsgrc.dll
2009-07-06 06:39 . 2008-10-29 05:18 -------- d-----w- c:\documents and settings\chinhau\Application Data\Profis
2009-07-01 06:59 . 2008-11-17 05:41 -------- d-----w- c:\program files\Computers and Structures
2009-06-29 12:31 . 2009-04-17 03:11 -------- d-----w- c:\documents and settings\chinhau\Application Data\U3
2009-06-17 01:05 . 2008-03-26 00:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-02 01:15 . 2009-06-02 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-05-07 15:44 . 2004-08-04 08:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 01:21 . 2008-03-26 00:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-04-30 01:21 . 2008-03-26 00:24 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-04-30 01:21 . 2008-03-26 00:24 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2004-08-04 08:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 04:26 . 2008-11-17 05:44 2380 ----a-w- c:\windows\system32\lsprst7.dll
2009-04-17 10:09 . 2004-08-04 08:00 1847936 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-08-04 08:00 583168 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-04 07:27 . 2008-08-04 07:27 774144 ----a-w- c:\program files\RngInterstitial.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-01_06.24.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-01 07:05 . 2009-07-01 07:05 23558 c:\windows\Installer\{DB40E154-E5E8-43A8-A0D4-5C9C62AC0769}\NewShortcut9_38F808F6CB73485BB173C741F705F9EC.exe
+ 2009-07-01 07:05 . 2009-07-01 07:05 23558 c:\windows\Installer\{DB40E154-E5E8-43A8-A0D4-5C9C62AC0769}\NewShortcut8_38F808F6CB73485BB173C741F705F9EC.exe
+ 2009-07-01 07:05 . 2009-07-01 07:05 23558 c:\windows\Installer\{DB40E154-E5E8-43A8-A0D4-5C9C62AC0769}\NewShortcut6_38F808F6CB73485BB173C741F705F9EC.exe
+ 2009-07-01 07:05 . 2009-07-01 07:05 23558 c:\windows\Installer\{DB40E154-E5E8-43A8-A0D4-5C9C62AC0769}\NewShortcut5_38F808F6CB73485BB173C741F705F9EC.exe
+ 2009-07-01 07:05 . 2009-07-01 07:05 23558 c:\windows\Installer\{DB40E154-E5E8-43A8-A0D4-5C9C62AC0769}\NewShortcut4_38F808F6CB73485BB173C741F705F9EC.exe
+ 2009-07-01 07:05 . 2009-07-01 07:05 23558 c:\windows\Installer\{DB40E154-E5E8-43A8-A0D4-5C9C62AC0769}\NewShortcut3_38F808F6CB73485BB173C741F705F9EC.exe
+ 2009-07-01 07:05 . 2009-07-01 07:05 23558 c:\windows\Installer\{DB40E154-E5E8-43A8-A0D4-5C9C62AC0769}\NewShortcut1_38F808F6CB73485BB173C741F705F9EC.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OSTIC"="http://ostic/" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-06 524800]
"HP Network Registry Agent"="c:\windows\system32\hpnra.exe" [2002-04-30 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2005-7-30 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-30 01:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/26/2008 8:24 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/26/2008 8:24 AM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/26/2008 8:24 AM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/8/2009 8:50 AM 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 8:50 AM 298776]
R2 IEGLicSrv;Bentley License Client;c:\program files\Common Files\Bentley Shared\IEG\IEGLCS\IEGLicSrv.exe [7/14/2006 7:44 AM 32768]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [8/22/2006 1:00 AM 316992]
S2 SentinelFilter;SentinelFilter;\??\c:\documents and settings\raytun\Desktop\MIDAS_CIVIL_V7.01_R2-LND\LEGEND\SENTINELFILTER.SYS --> c:\documents and settings\raytun\Desktop\MIDAS_CIVIL_V7.01_R2-LND\LEGEND\SENTINELFILTER.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204fc5fe-6c2a-11de-8d6a-0014c2c5455f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - E:\system.exe
\Shell\Open\command - E:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204fc5ff-6c2a-11de-8d6a-0014c2c5455f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - E:\system.exe
\Shell\Open\command - E:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204fc600-6c2a-11de-8d6a-0014c2c5455f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - F:\system.exe
\Shell\Open\command - F:\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b2f7c5f-6b64-11de-8d65-0014c2c5455f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b2f7c63-6b64-11de-8d65-0014c2c5455f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e188429-6b96-11de-8d67-0014c2c5455f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ostic/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {1200DFE4-AD41-4022-A766-B74437B9637B} = 192.168.0.238
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 10:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-07-09 10:15
ComboFix-quarantined-files.txt 2009-07-09 02:15
ComboFix2.txt 2009-07-09 01:00
ComboFix3.txt 2009-07-09 00:49
ComboFix4.txt 2009-07-08 09:40
ComboFix5.txt 2009-07-09 02:12
.
Pre-Run: 17,200,668,672 bytes free
Post-Run: 17,184,677,888 bytes free
.
148 --- E O F --- 2009-07-01 07:01
Help is appreciated :)
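The MountPoints2 keys in the log above are Windows' cache of each drive's autorun.inf, and they show exactly how this infection spreads: the clean entries only register an AutoRun verb for LaunchU3.exe, while the infected drive GUIDs also hijack the Open and Explore verbs and launch a bare system.exe through rundll32. The following is an added example (not part of the thread or of ComboFix) that parses the section in the format pasted above, un-fuses the registry keys the forum glued onto previous lines, and flags the entries a defender should look at; the sample log and the heuristics are constructed for this illustration.

```python
import re

# Constructed sample modelled on the "Reg Loading Points" section of the ComboFix
# log posted above (drive GUIDs and commands copied from that log, one line
# deliberately left fused the way the forum pasted it; not a live capture).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204fc5fe-6c2a-11de-8d6a-0014c2c5455f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - E:\system.exe
\Shell\Open\command - E:\system.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b2f7c5f-6b64-11de-8d65-0014c2c5455f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[.*\\mountpoints2\\([^\]]+)\]$", re.IGNORECASE)
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
# autorun.inf trick seen in the log: start a file through ShellExecute via rundll32
SHELLEXEC_RE = re.compile(r"rundll32(?:\.exe)?\s+shell32\.dll,\s*ShellExec_RunDLL\s+(\S+)", re.IGNORECASE)

def iter_lines(log_text):
    """Yield log lines, re-splitting registry keys the forum glued onto a previous line."""
    for raw in log_text.splitlines():
        for piece in re.split(r"(?=\[HKEY_)", raw):
            piece = piece.strip()
            if piece:
                yield piece

def classify(verb, command):
    """Reasons a cached autorun.inf verb looks like USB malware rather than a launcher."""
    reasons = []
    if verb.lower() in ("open", "explore"):
        # Overriding Open/Explore hijacks a double-click on the drive in My Computer;
        # legitimate launchers such as LaunchU3 only register the AutoRun verb.
        reasons.append(f"{verb} verb hijacked to run {command}")
    m = SHELLEXEC_RE.search(command)
    if m:
        reasons.append(f"ShellExec_RunDLL launcher used to start {m.group(1)}")
    target = m.group(1) if m else command.split()[0]
    if "\\" not in target and ":" not in target:
        # No path at all: the name resolves against the drive root, i.e. the thumbdrive itself
        reasons.append(f"bare filename {target} resolves on the removable drive")
    return reasons

def analyze(log_text):
    """Map each MountPoints2 entry to its list of findings (empty list = looks benign)."""
    findings, current = {}, None
    for line in iter_lines(log_text):
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            findings.setdefault(current, [])
            continue
        vm = VERB_RE.match(line)
        if vm and current is not None:
            findings[current].extend(classify(vm.group(1), vm.group(2)))
    return findings

def infected_mountpoints(log_text):
    """Drive letters / GUIDs whose cached autorun commands were flagged."""
    return sorted(k for k, reasons in analyze(log_text).items() if reasons)
```

Run against the sample, only the {204fc5fe-...} drive is flagged, with four findings; the LaunchU3 entries come back clean. Cleaning the drive alone is not enough, because these cached entries stay in the registry until they are deleted.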
My question is, are there any ways to clear the virus from the thumbdrive without formatting it? There's some license thingie inside the thumbdrive that cannot be copied out effectively; the license is used for a program.
Yes. Specifics won't be detailed.
Also, please do not run Combofix without supervision. Given today's infections, if a fix fails and causes boot failures, without any pre-fix diagnosis made, it's very hard to tell what caused the failures.
All logs need to be uploaded to a website such as Mediafire because the forum will cut off certain characters.
Please download DDS from Bleeping Computer and save it to your desktop.
Double click on dds to run it.
When done, DDS.txt will open. Another file, Attach.txt will open after a short while. Please save these 2 files to your desktop as they will be deleted once you close them.
Next, please download gmer.zip from Gmer and save it to your desktop.
Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
If you receive no notice, click on the Scan button.
Note: Do not run any programs while Gmer is running.
Please upload all the logs (DDS.txt, Attach.txt and Gmer.txt) to a website such as Mediafire and post back the links to the logs.
My Vista will normally ask me whether I want to scan my thumbdrive before opening, and when I click yes, it will start scanning. After it is done with that, if it finds any virus, it will delete it without losing any information.
Originally posted by ndmmxiaomayi:Yes. Specifics won't be detailed.
Also, please do not run Combofix without supervision. Given today's infections, if a fix fails and causes boot failures, without any pre-fix diagnosis made, it's very hard to tell what caused the failures.
All logs need to be uploaded to a website such as Mediafire because the forum will cut off certain characters.
Please download DDS from Bleeping Computer and save it to your desktop.
Double click on dds to run it.
When done, DDS.txt will open. Another file, Attach.txt will open after a short while. Please save these 2 files to your desktop as they will be deleted once you close them.
Next, please download gmer.zip from Gmer and save it to your desktop.
- Right click on gmer.zip and select Extract All....
- Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
- Click on the Browse button. Click on Desktop. Then click OK.
- Click Next. It will start extracting.
- Once done, check the Show extracted files box and click Finish.
Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
- When done, you may receive another notice. Click OK.
- Click on Save ... to save a log.
- Copy and paste in Gmer.txt and click Save.
- Close Gmer.
If you receive no notice, click on the Scan button.
- It will start scanning again.
- When done, click on Save ... to save a log.
- Copy and paste in Gmer.txt and click Save.
- Close Gmer.
Note: Do not run any programs while Gmer is running.
Please upload all the logs (DDS.txt, Attach.txt and Gmer.txt) to a website such as Mediafire and post back the links to the logs.
Hi Moderator,
Is it possible to wipe out all the viruses on a thumbdrive using just the reformatting function in Windows, or do I need any other programmes or software to do so?
I have an infected thumbdrive. When I put the thumbdrive into the USB port, it will escape the autoscanning by McAfee Internet Security while my other thumbdrives will be scanned by McAfee.
Thanks.
Originally posted by Lee012lee:Hi Moderator,
Is it possible to wipe out all the viruses on a thumbdrive using just the reformatting function in Windows, or do I need any other programmes or software to do so?
I have an infected thumbdrive. When I put the thumbdrive into the USB port, it will escape the autoscanning by McAfee Internet Security while my other thumbdrives will be scanned by McAfee.
Thanks.
Yes. However, that won't help because the thumbdrive has already infected your PC, and re-plugging it in will infect your thumbdrive again, and the whole process restarts.
The way to prevent these infections is to remove it from your computer and disable autorun.
If you would like to clear the infection, please let me know. It's pretty easy to clear this infection usually.
Hi, may I know how to disable autorun for thumbdrives? :)
thanks.
Hi Moderator,
Thank you very much for your prompt reply.
It is probably my laptop being affected. My other computers are probably not affected as I do not use thumbdrives on these computers especially my 2 desktop computers.
So, is it safe to plug the infected thumbdrive into the desktop computers and use the reformatting function of Windows to wipe off all the viruses? Will it affect my desktop computers too? I have McAfee Internet Security 2009 on all my computers.
Yes, I would like to know how to clear the infection on the thumbdrive too. Please explain to me how to clear the infection.
Thank you very much.
An easy way is to enforce it via Group Policy (only available in XP Pro and Vista Business editions and above).
The other way is to use a registry script to enforce the policy.
The above two methods can be done with a tool - http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe
Another way is to tell Windows that the autorun.inf file is a configuration file so it won't run.
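The second and third methods above as one registry script (an added example, not the Flash_Disinfector tool or anything else from the thread): NoDriveTypeAutoRun with every drive-type bit set disables autorun for all drive types, and mapping autorun.inf to a non-existent INI section makes Windows ignore the file's contents entirely, which is the "configuration file" trick the post refers to. Both values are real Windows settings; the comments are mine.

```reg
Windows Registry Editor Version 5.00

; Method 2: the autorun policy, applied for the machine and the current user.
; 0xFF sets the bit for every drive type (removable, fixed, CD-ROM, network,
; RAM disk, unknown), so no drive is ever auto-run.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

; Method 3: tell Windows that autorun.inf is an INI file whose settings live in
; the registry under a section that does not exist, so every autorun.inf on
; every drive is read as empty and its [autorun] commands are never executed.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
```

On XP the policy value is only honoured consistently after the 2009 AutoRun update from Microsoft (KB967715), which is why the IniFileMapping entry is worth keeping alongside it. Windows has already cached the infected drives' autorun.inf verbs under the MountPoints2 keys shown in the log, so those entries should be deleted as well, or a double-click on the drive in My Computer will still run the cached command.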
Hi Moderator ndmmxiaomayi,
Thank you for your advice.
Microsoft is launching Windows 7 and giving discounts to Vista Home Premium users to pre-order it.
I have googled it to find out whether there is any discount for Windows XP Professional users to pre-order Windows 7, but there does not seem to be any information on this.
Please let me know if you have any information on this, as I intend to upgrade my Windows XP Professional to Windows 7 since I have read many positive reviews of it.
Thanks.
Originally posted by Lee012lee:Hi Moderator,
Thank you very much for your prompt reply.
It is probably my laptop being affected. My other computers are probably not affected as I do not use thumbdrives on these computers especially my 2 desktop computers.
So, is it safe to plug the infected thumbdrive into the desktop computers and use the reformatting function of Windows to wipe off all the viruses? Will it affect my desktop computers too? I have McAfee Internet Security 2009 on all my computers.
Yes, I would like to know how to clear the infection on the thumbdrive too. Please explain to me how to clear the infection.
Thank you very much.
Nope, it won't be safe to do so. That will infect the other two computers (assuming that they are not infected).
To clear the infection, you will need to run this tool - http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe
This shouldn't take long. If your desktop doesn't re-appear, press Ctrl + Shift + Esc to bring up Task Manager.
Click on File > New Task (Run...) and type in explorer.exe and click OK. Your desktop will be back.
After that, please run this tool - http://www.mediafire.com/?zztykiiyjmk
This will produce a Notepad file which should open in less than 5 seconds.
Upload this Notepad file to a file hosting server such as Mediafire. If there are no infections, that will be good. If there are infections, you will see a follow-up post.
Originally posted by ndmmxiaomayi:Nope, it won't be safe to do so. That will infect the other two computers (assuming that they are not infected).
To clear the infection, you will need to run this tool - http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe
This shouldn't take long. If your desktop doesn't re-appear, press Ctrl + Shift + Esc to bring up Task Manager.
Click on File > New Task (Run...) and type in explorer.exe and click OK. Your desktop will be back.
After that, please run this tool - http://www.mediafire.com/?zztykiiyjmk
This will produce a Notepad file which should open in less than 5 seconds.
Upload this Notepad file to a file hosting server such as Mediafire. If there are no infections, that will be good. If there are infections, you will see a follow-up post.
Hi Moderator ndmmxiaomayi,
Thank you for your advice.
Originally posted by Lee012lee:Hi Moderator ndmmxiaomayi,
Thank you for your advice.
Microsoft is launching Windows 7 and giving discounts to Vista Home Premium users to pre-order it.
I have googled it to find out whether there is any discount for Windows XP Professional users to pre-order Windows 7, but there does not seem to be any information on this.
Please let me know if you have any information on this, as I intend to upgrade my Windows XP Professional to Windows 7 since I have read many positive reviews of it.
Thanks.
Hmm... not too sure about this, but looking at Microsoft's website, pre-order appears to be available for XP as well. Discounts, as far as I'm aware, apply only to certain countries within a certain time period.
http://store.microsoft.com/microsoft/Windows-7-Home-Premium-Upgrade/product/B0F9E641
http://store.microsoft.com/microsoft/Windows-7-Professional-Upgrade/product/8BB1A4B4
http://store.microsoft.com/microsoft/Windows-7-Ultimate-Upgrade/product/592F5AF5
Hi Moderator ndmmxiaomayi,
Thanks for the information.