ckvo.exe Manual removal

January 8, 2010
Introduction
ckvo.exe is a USB autorun worm: it drops an autorun.inf and a companion .cmd file in the root of every partition mounted on Windows, so the payload is launched whenever a drive is opened.

Steps
This is a variant of amvo.exe and is removed the same way; follow the amvo.exe removal post below.
 

amvo.exe Virus Removal

January 8, 2010

Introduction

This is a nasty virus, don't know who dropped it on me. It spreads via USB memory sticks. It cannot be seen in the process list, hides itself and hides all files. And my antivirus doesn't seem to find a problem!

What it can do

  • Hidden files can no longer be shown: the "Show hidden files and folders" option in Folder Options stops working

  • Slows down USB devices

  • Infects every USB device that is plugged in (copies autorun.inf and its payload onto it)

  • Drives open in a new window when double-clicked in My Computer



How to remove

Step 1

The usual advice is to format the system, but that is not a permanent fix: the worm comes straight back from the next infected USB stick or partition. Instead, run regedit and search for every key and value that refers to amvo.exe (or to the name of the variant you have).
Run msconfig; the Startup tab lists amvo.exe or its variants.
Remove every occurrence of the name from the registry.
Reboot the system.
Caveat: while the worm's process is still running it can re-create these entries as fast as you delete them, so do this from Safe Mode, or after booting another OS (Step 3).

Step 2
Reboot, then restore the following registry values with regedit (all are REG_DWORD). These are the values the worm changes to stop hidden files from being shown; the one that matters most is SHOWALL\CheckedValue, which the worm sets to 0 so that selecting "Show hidden files and folders" has no effect.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    SearchHidden = 1
    SearchSystemDirs = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 1            (1 = show hidden files, 2 = do not show)
    ShowSuperHidden = 1   (show protected operating system files)
    SuperHidden = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
    CheckedValue = 2
    DefaultValue = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 1
    DefaultValue = 2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun = 0x91 (145)

Note that 0x91 is only the Windows XP default: it leaves AutoRun enabled for removable drives, which is exactly how this worm spreads. To disable AutoRun on every drive type, set NoDriveTypeAutoRun to 0xFF (255) instead, and set the same value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer so that it applies to every user account.



-- OR --

Boot into a different OS (a Linux live CD, or another Windows installation) and do the following.

Step 3
Delete autorun.inf, and the file it points to, from the root of every drive. Do this from the command line if on Windows, or from Linux; do not open the drives in Explorer, since double-clicking an infected drive runs the autorun.inf and infects this OS as well. If you have Linux installed and it can see all partitions on the disk, delete the files from there and empty the trash for each drive afterwards (a file manager may move them to a per-drive trash folder rather than remove them).

Step 4
Reboot the system.
Make the registry changes from Step 2 if you have not already done so.

To disable AutoPlay for all drives
Start > Run > gpedit.msc

Enable: Computer Configuration > Administrative Templates > System > Turn off Autoplay, and set it to apply to "All drives".
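The Step 2 registry check, as an added example that is not part of the original post: a Python script that reads a regedit export (File > Export, or reg export, taken from the infected machine) and lists every folder-option or AutoRun value that is missing or has been tampered with, then writes a REGEDIT4 file that restores them. The SAMPLE_EXPORT text and the function names are constructed for the demo; the key and value names are the real ones. It enforces NoDriveTypeAutoRun = 0xFF rather than XP's default 0x91, because 0x91 still allows AutoRun on removable drives.

```python
"""Audit a regedit export for the Explorer folder-option and AutoRun values
that USB autorun worms such as amvo.exe tamper with, and emit a .reg file
that restores them.  Added example, not code from the original post.

Take 'reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion hkcu.reg'
and the matching HKLM export on the infected machine and feed the text to
audit_folder_options(); SAMPLE_EXPORT below is constructed for the demo.
"""
import re

EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
ADVANCED = EXPLORER + r"\Advanced"
FOLDER_HIDDEN = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Explorer\Advanced\Folder\Hidden")
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# (key, value name) -> REG_DWORD data the clean-up enforces.
EXPECTED = {
    (EXPLORER, "SearchHidden"): 1,
    (EXPLORER, "SearchSystemDirs"): 1,
    (ADVANCED, "Hidden"): 1,             # 1 = show hidden files, 2 = hide them
    (ADVANCED, "ShowSuperHidden"): 1,    # show protected operating-system files
    (ADVANCED, "SuperHidden"): 1,
    (FOLDER_HIDDEN + r"\NOHIDDEN", "CheckedValue"): 2,   # stock XP values for the
    (FOLDER_HIDDEN + r"\NOHIDDEN", "DefaultValue"): 2,   # Folder Options radio buttons
    (FOLDER_HIDDEN + r"\SHOWALL", "CheckedValue"): 1,    # worms set this to 0
    (FOLDER_HIDDEN + r"\SHOWALL", "DefaultValue"): 2,
    # 0xFF disables AutoRun on every drive type; XP's default 0x91 still allows
    # it on removable drives, which is how the worm spreads.
    (POLICIES, "NoDriveTypeAutoRun"): 0xFF,
}

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_reg_dwords(text):
    """Return {(key, value name): int} for every DWORD line in a .reg export.
    Keys and names are lower-cased because the registry is case-insensitive.
    Later lines win, so an export followed by a fix file parses as 'after fix'."""
    values, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key.lower(), m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit_folder_options(text):
    """Return [(key, name, found, expected)] for every value that is missing or
    differs from EXPECTED; found is None when the value is absent."""
    present = parse_reg_dwords(text)
    findings = []
    for (key, name), want in EXPECTED.items():
        got = present.get((key.lower(), name.lower()))
        if got != want:
            findings.append((key, name, got, want))
    return findings


def fix_reg(findings):
    """Render a REGEDIT4 file that restores every value listed in findings."""
    by_key = {}
    for key, name, _got, want in findings:
        by_key.setdefault(key, []).append((name, want))
    lines = ["REGEDIT4", ""]
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:{want:08x}' for name, want in items)
        lines.append("")
    return "\n".join(lines)


# Constructed export from a machine whose folder options were tampered with:
# SHOWALL\CheckedValue zeroed, Hidden reset, ShowSuperHidden missing, AutoRun at default.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchHidden"=dword:00000001
"SearchSystemDirs"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"SuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:00000002
"DefaultValue"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

if __name__ == "__main__":
    findings = audit_folder_options(SAMPLE_EXPORT)
    for key, name, got, want in findings:
        print(f"{key}\\{name}: found {got!r}, expected {want:#x}")
    print(fix_reg(findings))
```

Merge the generated file with regedit (or reg import) after the worm's process is gone; if it is still running it will simply flip SHOWALL\CheckedValue back, so re-run the audit after a reboot to confirm the values stuck.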
 

csrcs.exe removal

January 8, 2010

Don't be confused when csrcs.exe is reported as a Trojan or a virus: it is one. The name is chosen to look like csrss.exe, the legitimate Windows Client/Server Runtime process, which lives in the
C:\Windows\System32
folder. Check the spelling carefully: csrss is legitimate, csrcs is not.

To remove csrcs.exe and all its effects, first open
regedit
(Start > Run : regedit). Then search for the string "csrcs.exe" and remove every occurrence of it from the values. If a value gives a full path such as "C:\Windows\System32\csrcs.exe", delete the entire value from the registry.

Next delete the file itself from C:\Windows\System32.
If you cannot find it, show hidden files first. You may have to fix the registry to show hidden files; that is covered in the amvo.exe removal post above. Once that is done, delete the .exe file.

Restart.
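The name check above, as an added example that is not part of the original post: a Python script that reads autostart entries in the format ComboFix prints under "Reg Loading Points" and flags any whose file name is a known worm name from these posts, or is one typo away from a Windows system binary (csrcs.exe against csrss.exe). The LEGIT list is a small assumed sample of XP system binaries, and the entries in SAMPLE_RUN_ENTRIES are constructed for the demo.

```python
"""Flag suspicious autostart entries by name: a known worm name, or a file name
one edit away from a Windows system binary (csrcs.exe vs csrss.exe).  Added
example, not code from the original post.  It reads Run-key lines in the
format ComboFix prints under 'Reg Loading Points'; SAMPLE_RUN_ENTRIES is
constructed for the demo.
"""
import re

# A few XP system binaries that malware names are modelled on (assumed sample).
LEGIT = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
         "services.exe", "explorer.exe", "ctfmon.exe", "rundll32.exe", "spoolsv.exe"}
# Names from the posts above.
KNOWN_BAD = {"amvo.exe", "ckvo.exe", "csrcs.exe"}

# "Name"="c:\path\file.exe" [date size]   or   "Name"="bare.exe" - c:\resolved\path [...]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"(?:\s*-\s*(?P<resolved>[^\[]+?))?\s*\[')


def edit_distance(a, b):
    """Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def classify_entry(line):
    """Return (file name, path, [reasons]) for one Run line, or None if it is
    not an entry line.  An empty reasons list means nothing looked wrong."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    value, resolved = m.group("value"), m.group("resolved")
    # A bare file name in the value means ComboFix resolved it after " - ".
    path = resolved if ("\\" not in value and resolved) else value
    name = basename(path)
    reasons = []
    if name in KNOWN_BAD:
        reasons.append("known worm name")
    if name not in LEGIT:
        reasons.extend(f"lookalike of {legit}" for legit in sorted(LEGIT)
                       if edit_distance(name, legit) == 1)
    return name, path.strip(), reasons


def audit_autostarts(lines):
    """Return the classify_entry() result for every line that has a reason."""
    return [r for r in map(classify_entry, lines) if r and r[2]]


# Constructed Run key in ComboFix's format: two legitimate entries, a bare-name
# entry with a resolved path, and two worm entries.
SAMPLE_RUN_ENTRIES = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"csrcs"="c:\windows\system32\csrcs.exe" [2009-11-20 32768]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-05-10 206088]
"amvo"="c:\windows\system32\amvo.exe" [2009-11-20 20480]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-11-01 16342528]
"""

if __name__ == "__main__":
    for name, path, reasons in audit_autostarts(SAMPLE_RUN_ENTRIES.splitlines()):
        print(f"{name:12} {path}  <- {', '.join(reasons)}")
```

Paste the Run sections of a ComboFix or HijackThis log into it; a hit only says the name deserves a look, so confirm against the file's location and signature before deleting anything.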
 

Unable to copy and paste

November 24, 2009
Method 1

In Internet Explorer go to Tools > Internet Options > Security > Custom level, and under Miscellaneous make sure "Drag and drop or copy and paste files" is set to Enable.

Method 2

Go to Start > Run, type sfc /scannow and press Enter (note the space between sfc and /scannow). You will need your Windows XP CD; insert it when asked.
System File Checker restores any corrupt or missing protected system files. It does not affect your settings or documents.

Method 3

See if System Restore will take you back to a restore point from before the problem with Explorer started.

Try Safe Mode (does the problem occur there too?).

Then run System File Checker as in Method 2 (Start > Run, "sfc /scannow"); it checks all the critical Windows files and replaces any that have been corrupted or removed.




 

Can't open regedit

November 24, 2009
Method 1

Go to Start > Run and type "gpedit.msc".

Open User Configuration > Administrative Templates > System, double-click "Prevent access to registry editing tools", set it to Not Configured or Disabled, then click Apply and OK. (This policy is just the DWORD DisableRegistryTools under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System; on Windows XP Home, which has no gpedit.msc, set it to 0 with reg.exe from a command prompt instead.)

Method 2

This works against malware that kills any process named regedit.exe: a copy under another name is not recognised.
1. Go to C:\Windows.
2. Locate Regedit.exe.
3. Rename (or copy) Regedit.exe to Regeditnew.exe.
4. Run Regeditnew.exe, or type REGEDIT in the Run dialog box; Registry Editor should now open.


 

unable to open part-2

November 24, 2009
ComboFix 09-06-03.04 - spartans 06/04/2009 15:29.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.574 [GMT 5.5:30]
Running from: c:\documents and settings\spartans\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((   Files Created from 2009-05-04 to 2009-06-04  )))))))))))))))))))))))))))))))
.
2009-06-02 21:21 . 2009-06-02 21:21 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-06-02 20:44 . 2009-06-04 08:47 -------- d-----w- c:\program files\iColorFolder
2009-06-02 16:17 . 2009-06-02 16:17 -------- d-----w- c:\documents and settings\spartans\Application Data\dvdcss
2009-05-29 19:22 . 2009-05-29 19:22 -------- d-----w- c:\documents and settings\spartans\Application Data\vlc
2009-05-29 14:54 . 2009-05-29 14:54 -------- d-----w- c:\documents and settings\spartans\Local Settings\Application Data\Sony Ericsson
2009-05-23 18:03 . 2001-08-17 09:25 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-05-23 18:03 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-05-19 07:11 . 2009-05-19 07:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-17 16:18 . 2009-05-17 16:18 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-17 16:18 . 2009-05-17 16:18 -------- d-----w- c:\program files\MSBuild
2009-05-17 16:18 . 2009-05-17 16:18 -------- d-----w- c:\program files\Reference Assemblies
2009-05-17 16:17 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-17 16:17 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-17 16:17 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-05-17 16:17 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-05-17 16:17 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-17 16:17 . 2009-05-17 16:17 -------- d-----w- C:\65eb453343a1a1f12fd4389dccb8
2009-05-17 16:17 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-17 16:17 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-05-17 12:13 . 2002-01-05 10:07 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-05-17 12:11 . 2009-05-17 12:11 -------- d-sh--w- c:\documents and settings\spartans\IECompatCache
2009-05-17 12:10 . 2009-05-17 12:10 -------- d-sh--w- c:\documents and settings\spartans\PrivacIE
2009-05-17 12:09 . 2009-05-17 12:09 -------- d-sh--w- c:\documents and settings\spartans\IETldCache
2009-05-17 12:07 . 2009-05-17 12:07 -------- d-----w- c:\windows\ie8updates
2009-05-17 12:04 . 2009-06-02 21:37 -------- dc-h--w- c:\windows\ie8
2009-05-17 12:02 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-17 11:17 . 2009-05-19 07:33 -------- d-----w- c:\program files\Veoh Networks
2009-05-17 03:33 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-05-17 03:13 . 2008-03-21 08:27 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-05-16 21:38 . 2009-06-02 19:40 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-16 21:36 . 2009-05-16 21:36 24616 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2009-05-16 21:36 . 2009-05-16 21:36 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2009-05-16 21:36 . 2009-05-16 21:36 1107296 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-05-16 21:36 . 2009-05-16 21:37 -------- d-----w- C:\43d77aebb9cbd7c36c63f584
2009-05-16 21:35 . 2009-05-29 14:58 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-05-16 21:35 . 2009-05-16 21:35 -------- d-----w- c:\windows\system32\LogFiles
2009-05-16 20:48 . 2009-05-29 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-05-16 20:47 . 2009-05-29 14:30 -------- d-----w- c:\program files\Sony Ericsson
2009-05-16 19:42 . 2009-05-16 15:52 251392 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Temp\dapop.dll
2009-05-16 19:40 . 2009-06-04 09:28 95744 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Updates\Condition.dll
2009-05-16 15:52 . 2009-05-16 15:52 50688 ----a-w- c:\windows\system32\wbhelp2.dll
2009-05-16 15:27 . 2009-05-16 15:27 4141117 ----a-w- c:\documents and settings\spartans\Application Data\Azureus\plugins\vuzexcode\mediainfo.exe
2009-05-16 15:27 . 2009-05-16 15:27 6516755 ----a-w- c:\documents and settings\spartans\Application Data\Azureus\plugins\vuzexcode\ffmpeg.exe
2009-05-16 15:23 . 2009-05-16 15:23 15884 ----a-w- c:\documents and settings\spartans\Application Data\Azureus\plugins\azitunes\libProcessAccess.dll
2009-05-16 15:23 . 2009-05-16 15:23 102400 ----a-w- c:\documents and settings\spartans\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll
2009-05-14 17:47 . 2009-05-14 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-05-14 17:47 . 2009-05-16 15:31 -------- d-----w- c:\documents and settings\spartans\Application Data\Azureus
2009-05-14 17:45 . 2009-05-14 17:45 -------- d-----w- c:\program files\Common Files\i4j_jres
2009-05-14 17:45 . 2009-05-17 11:14 -------- d-----w- c:\program files\Vuze
2009-05-13 19:11 . 2009-05-13 19:11 -------- d-----w- c:\program files\GameHouse
2009-05-13 19:06 . 2009-05-13 19:06 -------- d-----w- c:\program files\directx
2009-05-13 15:57 . 2009-05-13 15:57 -------- d-----w- c:\windows\system32\scripting
2009-05-13 15:57 . 2009-05-13 15:57 -------- d-----w- c:\windows\l2schemas
2009-05-13 15:57 . 2009-05-13 15:57 -------- d-----w- c:\windows\system32\en
2009-05-13 15:57 . 2009-05-13 15:57 -------- d-----w- c:\windows\system32\bits
2009-05-13 15:54 . 2009-05-13 15:58 -------- d-----w- c:\windows\ServicePackFiles
2009-05-12 09:22 . 2009-05-12 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-05-12 09:20 . 2009-05-12 09:20 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-12 09:20 . 2009-05-12 09:31 -------- d-----w- c:\documents and settings\spartans\Application Data\DAEMON Tools Pro
2009-05-12 08:59 . 2009-05-12 08:59 -------- d-----w- c:\windows\Downloaded Installations
2009-05-12 08:44 . 2009-05-14 16:15 -------- d-----w- c:\program files\EA SPORTS
2009-05-10 17:55 . 2009-05-10 17:55 -------- d-----w- c:\documents and settings\spartans\Local Settings\Application Data\Identities
2009-05-10 17:45 . 2009-06-04 09:55 -------- d--h--w- c:\windows\FlyakiteOSX
2009-05-10 17:36 . 2009-06-04 02:13 -------- d-----w- c:\windows\system32\ChangeWhenUnLockFace
2009-05-10 17:36 . 2009-06-04 02:13 -------- d-----w- c:\windows\system32\ChangeWhenLockFace
2009-05-10 14:37 . 2004-08-03 16:59 25471 ------w- c:\windows\system32\drivers\watv10nt.sys
2009-05-10 14:37 . 2004-08-03 16:59 22271 ------w- c:\windows\system32\drivers\watv06nt.sys
2009-05-10 14:37 . 2004-08-03 16:59 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys
2009-05-10 14:37 . 2004-08-03 16:59 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys
2009-05-10 14:37 . 2004-08-03 16:59 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys
2009-05-10 14:37 . 2004-08-03 16:59 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys
2009-05-10 14:33 . 2009-05-10 14:34 -------- d-----w- c:\documents and settings\spartans\Application Data\CyberLink
2009-05-10 14:33 . 2009-05-29 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-10 13:32 . 2009-05-10 13:32 -------- d-----w- c:\program files\Common Files\xing shared
2009-05-10 13:32 . 2009-05-10 13:32 -------- d-----w- c:\program files\Real
2009-05-10 13:32 . 2009-05-10 13:32 -------- d-----w- c:\program files\Common Files\Real
2009-05-10 13:28 . 2009-05-31 03:03 114 ----a-w- c:\windows\system32\{EC4C8FCB-8A0D-47f6-8F3E-2A34527102F5}.dat
2009-05-10 13:05 . 2009-05-10 13:05 -------- d-----w- c:\program files\CyberLink
2009-05-10 13:03 . 2009-05-27 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\VeriFace
2009-05-10 13:03 . 2009-05-10 13:03 45056 ----a-w- c:\windows\system32\ApBlend.dll
2009-05-10 13:03 . 2009-05-10 13:03 589824 ----a-w- c:\windows\system32\PicNotify.dll
2009-05-10 13:03 . 2009-05-10 13:03 1314816 ----a-w- c:\windows\system32\ImageReog.dll
2009-05-10 13:03 . 2009-05-10 13:03 86016 ----a-w- c:\windows\system32\VideoOp.dll
2009-05-10 13:03 . 2009-05-10 13:03 61440 ----a-w- c:\windows\system32\Momo.dll
2009-05-10 13:03 . 2009-05-10 13:03 5632 ----a-w- c:\windows\system32\biologon.dll
2009-05-10 13:03 . 2009-05-10 13:03 491520 ----a-w- c:\windows\system32\picn.dll
2009-05-10 13:03 . 2009-05-10 13:03 491520 ----a-w- c:\windows\system32\MainOp.dll
2009-05-10 13:03 . 2009-05-10 13:03 49152 ----a-w- c:\windows\system32\DevFilt.dll
2009-05-10 13:03 . 2009-05-10 13:03 208896 ----a-w- c:\windows\system32\Image.dll
2009-05-10 13:02 . 2009-05-10 13:30 89088 ----a-w- c:\windows\Atl71.dll
2009-05-10 13:02 . 2009-05-10 13:30 57344 ----a-w- c:\windows\AsfHelper.dll
2009-05-10 13:02 . 2009-05-10 13:30 339968 ----a-w- c:\windows\VdoEct.dll
2009-05-10 13:02 . 2009-05-10 13:30 241664 ----a-w- c:\windows\EasyCapSrcSaver.scr
2009-05-10 13:02 . 2009-05-10 13:30 2222800 ----a-w- c:\windows\d3dx9_24.dll
2009-05-10 13:02 . 2009-05-10 13:30 626688 ----a-w- c:\windows\msvcr80.dll
2009-05-10 13:02 . 2009-05-10 13:30 22528 ----a-w- c:\windows\ScrSav.dll
2009-05-10 13:02 . 2009-05-10 13:30 1060864 ----a-w- c:\windows\MFC71.dll
2009-05-10 13:02 . 2009-05-10 13:30 17536 ----a-w- c:\windows\system32\drivers\CapFilt.sys
2009-05-10 12:59 . 2009-05-10 12:59 -------- d-----w- c:\program files\Google
2009-05-10 11:37 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-05-10 11:37 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-05-10 11:30 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-10 11:30 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-10 11:30 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-10 11:30 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-10 11:30 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-10 11:30 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-10 11:30 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-10 11:30 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-10 11:30 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-10 11:30 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-10 11:30 . 2009-02-06 11:08 2189056 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-10 11:30 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-10 11:22 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-05-10 11:22 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-05-10 11:22 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-05-10 11:21 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-05-10 11:20 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-05-10 11:19 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-10 11:19 . 2008-04-21 12:08 215552 -c--a-w- c:\windows\system32\dllcache\wordpad.exe
2009-05-10 11:05 . 2009-05-10 11:05 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys
2009-05-10 11:05 . 2009-05-10 11:05 206088 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe
2009-05-10 11:05 . 2009-05-10 11:05 226832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys
2009-05-08 17:25 . 2001-08-17 08:18 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-05-08 17:25 . 2001-08-17 08:18 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 09:55 . 2009-05-04 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-04 09:54 . 2009-05-04 21:52 565280 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-04 09:54 . 2009-05-04 21:52 5108 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-04 09:54 . 2009-05-04 21:52 2444320 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-04 09:54 . 2009-05-04 21:52 22272 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-04 09:26 . 2009-05-04 22:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-01 11:58 . 2009-05-29 14:53 -------- d-----w- c:\program files\Avanquest update
2009-05-31 19:26 . 2009-05-04 21:50 -------- d-----w- c:\program files\Winamp
2009-05-31 06:07 . 2009-05-04 21:37 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-31 06:07 . 2009-05-04 22:26 -------- d-----w- c:\program files\Roxio
2009-05-31 06:04 . 2009-05-04 22:27 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-05-30 09:40 . 2009-05-04 21:50 -------- d-----w- c:\documents and settings\spartans\Application Data\Winamp
2009-05-30 07:25 . 2009-05-04 22:31 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-29 14:53 . 2009-05-29 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-05-29 14:53 . 2009-05-04 21:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-21 03:12 . 2009-05-04 21:53 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-21 03:12 . 2009-05-04 21:53 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-16 15:52 . 2009-05-04 22:34 -------- d-----w- c:\program files\DAP
2009-05-13 16:01 . 2009-05-04 21:25 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-10 13:32 . 2003-03-18 14:44 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-05-10 13:32 . 2003-02-20 23:12 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-05-10 13:05 . 2009-05-04 21:39 -------- d-----w- c:\program files\Lenovo
2009-05-10 11:05 . 2008-01-29 11:59 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-05-08 07:12 . 2009-05-05 07:45 -------- d-----w- c:\program files\Need for Speed Most Wanted - Black Edition
2009-05-05 10:18 . 2009-05-05 10:18 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-05 10:18 . 2009-05-05 10:18 -------- d-----w- c:\program files\Common Files\PCSuite
2009-05-05 10:18 . 2009-05-05 10:18 -------- d-----w- c:\program files\Nokia
2009-05-05 10:18 . 2009-05-05 10:18 -------- d-----w- c:\program files\DIFX
2009-05-05 10:18 . 2009-05-05 10:18 -------- d-----w- c:\program files\PC Connectivity Solution
2009-05-05 07:59 . 2009-05-05 07:59 -------- d-----w- c:\program files\KONAMI
2009-05-04 22:40 . 2009-05-04 22:40 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-05-04 22:40 . 2009-05-04 22:40 -------- d-----w- c:\program files\Microsoft.NET
2009-05-04 22:34 . 2009-05-04 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit
2009-05-04 22:32 . 2009-05-04 22:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-04 22:29 . 2009-05-04 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-05-04 22:28 . 2009-05-04 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-05-04 21:52 . 2009-05-04 21:52 -------- d-----w- c:\program files\Kaspersky Lab
2009-05-04 21:51 . 2009-05-04 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-05-04 21:49 . 2009-05-04 21:49 -------- d-----w- c:\program files\VideoLAN
2009-05-04 21:46 . 2009-05-04 21:46 -------- d-----w- c:\program files\Motorola
2009-05-04 21:45 . 2009-05-04 21:45 -------- d-----w- c:\program files\Realtek
2009-05-04 21:45 . 2009-05-04 21:45 315392 ----a-w- c:\windows\HideWin.exe
2009-05-04 21:44 . 2009-05-04 21:44 -------- d-----w- c:\program files\EzButton
2009-05-04 21:44 . 2009-05-04 21:44 -------- d-----w- c:\program files\Broadcom
2009-05-04 21:39 . 2009-05-04 21:39 -------- d-----w- c:\program files\Apoint2K
2009-05-04 21:39 . 2009-05-04 21:39 -------- d-----w- c:\documents and settings\spartans\Application Data\InstallShield
2009-05-04 21:37 . 2009-05-04 21:37 -------- d-----w- c:\program files\Intel
2009-05-04 21:26 . 2009-05-04 21:26 -------- d-----w- c:\program files\microsoft frontpage
2009-05-04 21:22 . 2009-05-04 21:22 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-03-07 23:04 . 2004-08-03 19:26 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-07 23:04 . 2004-08-03 19:26 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-07 23:03 . 2004-08-03 19:26 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-07 23:03 . 2004-08-03 19:26 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-07 23:02 . 2004-08-03 19:26 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-07 23:02 . 2004-08-03 19:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-07 23:01 . 2004-08-03 19:26 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-07 23:01 . 2004-08-03 19:26 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-07 23:01 . 2004-08-03 19:26 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-07 22:52 . 2003-03-31 12:00 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-03 19:26 284160 ----a-w- c:\windows\system32\pdh.dll
.
------- Sigcheck -------
[-] 2004-08-03 19:26 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2004-08-03 19:26 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\FlyakiteOSX\Backup\user32.dll
[-] 2004-08-03 19:26 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\user32.dll
[-] 2004-08-03 19:26 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\system32\user32.dll
[-] 2004-08-03 19:26 1032192 A0732187050030AE399B241436565E64 c:\windows\explorer.exe
[-] 2004-08-03 19:26 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-03 19:26 1032192 A0732187050030AE399B241436565E64 c:\windows\FlyakiteOSX\Backup\explorer.exe
[-] 2004-08-03 19:26 1032192 A0732187050030AE399B241436565E64 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
(((((((((((((((((((((((((((((   SnapShot@2009-06-04_09.48.20   )))))))))))))))))))))))))))))))))))))))))
.
- 2003-03-31 12:00 . 2009-06-04 09:41 68558              c:\windows\system32\perfc009.dat
+ 2003-03-31 12:00 . 2009-06-04 10:00 68558              c:\windows\system32\perfc009.dat
- 2009-05-04 21:30 . 2009-06-04 09:46 32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-04 21:30 . 2009-06-04 09:55 32768              c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-04 21:30 . 2009-06-04 09:46 32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-05-04 21:30 . 2009-06-04 09:55 32768              c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-05-04 21:30 . 2009-06-04 09:46 16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-04 21:30 . 2009-06-04 09:55 16384              c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-03-31 12:00 . 2009-06-04 10:00 435828              c:\windows\system32\perfh009.dat
- 2003-03-31 12:00 . 2009-06-04 09:41 435828              c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-05-10 13:03 241752 ----a-w- c:\program files\Lenovo\VeriFace\IcnOvrly.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\spartans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-06 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Sony Ericsson PC Suite"="e:\sony ericsson pc suite\SEPCSuite.exe" [2008-07-02 393216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnergyUtility"="c:\program files\Lenovo\EnergyCut\utilty.exe" [2007-04-29 1486848]
"EnergyCut"="c:\program files\Lenovo\EnergyCut\EnergyCut.exe" [2007-04-29 1191936]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-11-01 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-01 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-01 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-01 138008]
"EzButton"="c:\progra~1\EzButton\EzButton.EXE" [2007-11-01 502544]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-11-01 630784]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-05-10 206088]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"VeriFacePassManager"="c:\program files\Lenovo\VeriFace\PManage.exe" [2009-05-10 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-10 198160]
"System Files Updater"="c:\windows\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-25 118485]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-11-01 16342528]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2006-11-13 561213]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PicNotify]
2009-05-10 13:03 589824 ----a-w- c:\windows\system32\PicNotify.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [5/5/2009 3:09 AM 9344]
R3 CapFilt;CapFilt;c:\windows\system32\drivers\CapFilt.sys [5/10/2009 6:32 PM 17536]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [5/17/2009 3:06 AM 13224]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1085031214-1801674531-1003.job
- c:\documents and settings\spartans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-06 04:47]
2009-06-04 c:\windows\Tasks\User_Feed_Synchronization-{1E35D4A0-8717-477C-A90E-FF1B2D55D67C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 23:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 15:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1332)
c:\windows\system32\PicNotify.dll
c:\windows\system32\Momo.dll
c:\windows\system32\VideoOp.dll
c:\windows\system32\Image.dll
c:\windows\system32\MainOp.dll
c:\windows\system32\picn.dll
c:\windows\system32\ieframe.dll
- - - - - - - > 'explorer.exe'(2384)
c:\program files\Lenovo\VeriFace\IcnOvrly.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-04 15:33
ComboFix-quarantined-files.txt  2009-06-04 10:03
ComboFix2.txt  2009-06-04 09:50
Pre-Run: 51,930,083,328 bytes free
Post-Run: 51,900,915,712 bytes free
332 --- E O F --- 2009-06-02 21:32
 

Unable to open

November 24, 2009
Unable to open device manager
Unable to open regedit
Unable to open gpedit
Unable to open task manager
Unable to show hidden folders 
 
 
The virus is most likely transferred to the computer by a flash drive that cannot be opened by double-clicking the drive in My Computer.
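As an added example (not part of the original post), the batch script below does the check a technician would run on a machine showing these symptoms: it looks on every drive letter for the autorun.inf that this family of worms drops, prints the attributes set on it, the program it points at, and any .cmd file left beside it in the drive root. It only reports; nothing is deleted or changed.

```batch
@echo off
REM Added example, not from the original post: report autorun.inf on every
REM drive letter, the attributes set on it and the program it points at.
REM Read-only check: nothing is deleted or changed.
echo Looking for autorun.inf on all drive letters ...
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\autorun.inf" (
        echo.
        echo [!] %%D:\autorun.inf exists
        REM attrib lists the S H R flags; worms set hidden+system so Explorer hides the file
        attrib "%%D:\autorun.inf"
        REM open= / shellexecute= / command= lines name the program run on double-click or AutoPlay
        findstr /I /C:"open=" /C:"shellexecute=" /C:"command=" "%%D:\autorun.inf"
        REM a dropped .cmd payload is usually left in the drive root next to it
        dir /A /B "%%D:\*.cmd" 2>nul
    )
)
echo.
echo Done. Any autorun.inf or .cmd listed above that you did not create should be
echo cleared with attrib -s -h -r and deleted, then the drive rescanned.
```

Save it as a .cmd file and run it from a command prompt (not by double-clicking a drive, which is exactly what the autorun.inf hijacks). Drive letters are tried blindly, so an empty card reader or CD drive may show a "no disk" prompt; choose Continue or Cancel and the scan carries on.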

Download ComboFix:

And save it to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running ComboFix.

Important: Temporarily disable your anti-virus and real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Double-click on the ComboFix icon found on your desktop.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, while ComboFix is running, do not touch your computer at all; just take a break, as it may take a while to complete.

When finished, it will produce a log file located at C:\combofix.txt.

Post the contents of that log in your next reply with a new HijackThis log.

NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed, as this can cause reinfection during your cleaning.

 

Desktop My Computer Icon Not Working

November 24, 2009

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Folder\shell]

[HKEY_CLASSES_ROOT\Folder\shell\explore]
"BrowserFlags"=dword:00000022
"ExplorerFlags"=dword:00000021

[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,20,00,2f,00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,\
  00,25,00,49,00,2c,00,25,00,4c,00,00,00

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\ifexec]
@="[]"


Here is a shorter registry fix. It is not in the form of a .reg file, so you'll have to make the change manually:

Back up the registry first, of course.
  1. Start-->Run-->Regedit
  2. Navigate down to HKEY_CLASSES_ROOT\Directory\Shell
  3. Double-click on '(Default)'
  4. Where it says 'Value Data', type exactly the following line:
    C:\WINDOWS\explorer.exe "%1"
  5. Close Regedit
Obviously you need the right basic settings under Folder Options-->File Types in Explorer; this assumes you have done all that and nothing else worked.
 

How to Access Task Manager If Admin Is Blocked By a Virus

November 24, 2009
The Task Manager is a system tool that allows a user to see and modify the programs that are running on a computer and to monitor the memory the programs are using at any given time. A user can open and close programs with the Task Manager, which gives the user total control over the processes on the computer. That is the reason why malicious software programmers give some of the viruses they create the ability to block the Task Manager as soon as they infect a computer system. If the Task Manager is blocked, the user can't see the virus working on the computer or stop the malicious program from working, thus enabling the program and its maker to take control of the entire system. To stop the program, you'll have to regain control of the Task Manager. A simple change in the Registry Editor is all you'll need to do it.

  1. Click on "Start" and then click on "Run."

  2. Type "regedit" in the box and click on "OK" to enter the Registry Editor.

  3. Navigate to the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" sub key. You'll do this by expanding each of these items in turn: HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, Policies and System.

  4. In the "System" sub key, double-click on "DisableTaskMgr" in the right pane (the right side of the screen).

  5. Type "0" in the box that says "Value Data" and click on "OK" to disable the "DisableTaskMgr" function for all users of the computer; this includes the virus that is acting as a user.

  6. Restart the computer to allow the changes to take effect. When the computer has finished rebooting, the Task Manager will work. The virus will still be on the system, however, and you'll have to delete it immediately to avoid further damage to your computer.


 

If Task Manager Blocked

November 24, 2009

Method 1

Click Start, Run and type this command exactly as given below (better: copy and paste):

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Method 2

Download this REG fix and double-click it to apply it.

Method 3

  • Click Start, Run and type Regedit.exe
  • Navigate to the following branch:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

  • In the right-pane, delete the value named DisableTaskMgr
  • Close Regedit.exe

Method 4:  Using Group Policy Editor - for Windows XP Professional

  • Click Start, Run, type gpedit.msc and click OK.
  • Navigate to this branch:

User Configuration / Administrative Templates / System / Ctrl+Alt+Delete Options / Remove Task Manager

  • Double-click the Remove Task Manager option.
  • Set the policy to Not Configured.
 

Unable to open hidden folders

November 24, 2009
Step

Start-->Run-->Regedit and find

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Change the "CheckedValue" to 1.

If the above does not work:

Open the Text value under the same key and check that its data is @shell32.dll,-30500.

Copy it to Notepad and save it on the desktop. Now delete @shell32.dll,-30500 from the value data and look at Folder Options under the Tools menu: the hidden-folders check box is gone. Now reopen the Text value in the regedit window, paste @shell32.dll,-30500 back into the value data, and look at the Tools menu again: you can now select either option, show hidden files or not.
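As an added example (not code from the original posts), here is a batch script that checks and restores with reg.exe the same values the Task Manager posts above and this hidden-folders post edit by hand: the DisableTaskMgr policy in both HKCU and HKLM (the REG add command in Method 1 only touches HKCU, while the six-step guide edits HKLM), the SHOWALL CheckedValue and DefaultValue, and the per-user Hidden and ShowSuperHidden switches that the amvo removal steps at the top of the page set to 1. It prints the Text value first so you can confirm it still reads @shell32.dll,-30500. Back up the registry and run it from an administrator account.

```batch
@echo off
REM Added example, not from the original posts: restore the registry values
REM that the amvo/ckvo family changes, using reg.exe instead of regedit.
REM Back up the registry first and run from an administrator account.
setlocal
set POLICY=Software\Microsoft\Windows\CurrentVersion\Policies\System
set ADVANCED=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
set SHOWALL=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

echo === Task Manager policy ===
REM DisableTaskMgr is a policy value: remove it from the user hive and the
REM machine hive, since either one on its own is enough to block taskmgr.exe.
for %%H in (HKCU HKLM) do (
    reg query "%%H\%POLICY%" /v DisableTaskMgr >nul 2>&1
    if not errorlevel 1 (
        echo [!] %%H\%POLICY% has DisableTaskMgr - deleting it
        reg delete "%%H\%POLICY%" /v DisableTaskMgr /f
    ) else (
        echo [ ] %%H: DisableTaskMgr not set
    )
)

echo === Folder Options: hidden files ===
REM Text is only displayed here; the post above expects @shell32.dll,-30500.
reg query "%SHOWALL%" /v Text
REM CheckedValue = 1 lets "Show hidden files and folders" be selected; /f
REM overwrites whatever data and type the worm left in the value.
reg add "%SHOWALL%" /v CheckedValue /t REG_DWORD /d 1 /f
reg add "%SHOWALL%" /v DefaultValue /t REG_DWORD /d 1 /f
REM Per-user switches: Hidden=1 shows hidden files, ShowSuperHidden=1 also
REM shows protected operating-system files, the attributes the worm uses.
reg add "%ADVANCED%" /v Hidden /t REG_DWORD /d 1 /f
reg add "%ADVANCED%" /v ShowSuperHidden /t REG_DWORD /d 1 /f

echo.
echo Done. Log off and back on, or restart, for Explorer to pick up the change.
endlocal
```

If the worm is still running it will put these values back within seconds, so run the script only after the process has been stopped (for example after the ComboFix run described above) and check Task Manager and Folder Options once more after the reboot.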

 
