Tanks
 360? Yessum.
Level: 121
   

Posts: 2234/4170
EXP: 19810860 For next: 245836
Since: 07-10-07
From: VA
Since last post: 9.5 years Last activity: 9.5 years
Posted on 03-08-09 02:03:19 PM (last edited by Fajita-chan at 03-08-09 11:07 AM)
I got a virus yesterday which didn't do much... It just ran a stupid setup process over and over... I killed it. Deleted it from my system files. The only issue is that every time I click my C:\ in My Computer it sends me an error saying 'blah blah blah.com cannot be run from Recycler.' Well I'm not too worried because I can still get in C:\ by using 'explore,' but it'd be helpful if I could somehow get rid of this issue here....
Here's an image of the actual error:

____________________
Tanks
 360? Yessum.
Originally posted by Prince Kassad
Your C:\ drive might have a hidden autorun.inf file. You should look for it (it's best to use dir /a autorun.inf in the command line) and if it exists, delete it.
Command Line search was a negative...
____________________
messiaen
Catgirl
Level: 68
   
Posts: 508/1085
EXP: 2596635 For next: 132165
Since: 11-20-07
Since last post: 8.1 years Last activity: 7.2 years
Have you tried emptying the recycle bin? It seems there's a .com file trying to run from c:\recycler. Perhaps also search the registry using the Registry Editor ("regedit") and search for some string containing that .com file.
Also, launch "msconfig" and see if there is still something related to the virus in there. As a last resort, do a system restoration.
____________________ Mario 64 notes @ http://sites.google.com/site/messiaen64/ |
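One way to carry out the registry search suggested above without stepping through regedit's Find dialog, as an added example that is not part of the thread: export the hive to a .reg file and scan its string values for the path named in the error message. The sample export is constructed, including the MountPoints2 key (a place where Explorer caches per-drive AutoRun commands), the SID and the file name.

```python
import re

# Constructed sample in the text format produced by regedit's File > Export.
# The SID and the .com file name are placeholders, not values from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
@="C:\\RECYCLER\\S-1-5-21-PLACEHOLDER\\example.com"
'''

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Matches string (REG_SZ) values only; dword and hex(...) values are skipped.
STR_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape(text):
    """Undo .reg escaping, where backslash and double quote are backslash-escaped."""
    return re.sub(r"\\(.)", r"\1", text)


def find_string_values(export_text, needle):
    """Return (key, value_name, data) for string values whose data contains needle."""
    hits, key = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")  # remember which key the following values belong to
            continue
        m = STR_RE.match(line)
        if m and key:
            name = m.group("name")
            name = "(Default)" if name == "@" else unescape(name[1:-1])
            data = unescape(m.group("data"))
            if needle.lower() in data.lower():  # registry paths are case-insensitive
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_string_values(SAMPLE_EXPORT, r"\recycler"):
        print(f"{key}\n    {name} = {data}")
```

Regedit's version 5.00 exports are UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing the text in.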
Hiryuu
Level: 207
   
Posts: 7422/14435
EXP: 127636421 For next: 2147733
Since: 07-06-07
Since last post: 11.8 years Last activity: 11.7 years
Almost makes me wonder if you've got something like Fool.exe virus on there. Just got done with that one not but three weeks ago.
Can you navigate to other drives and then, in the address bar, type 'C:\' and get to it then at all?
____________________
Tanks
 360? Yessum.
Originally posted by Nao
Almost makes me wonder if you've got something like Fool.exe virus on there. Just got done with that one not but three weeks ago.
Can you navigate to other drives and then, in the address bar, type 'C:\' and get to it then at all?
Yea, easily. It's simply when I click the drive icon that the error comes up. It pisses me off.
And yes messiaen, I did empty the trash can.
I'm not seeing much from the Hijackthis log either...
I also never set a restore date... so that's not an option...
____________________
Hiryuu
Originally posted by Fajita-chan
Originally posted by Nao
Almost makes me wonder if you've got something like Fool.exe virus on there. Just got done with that one not but three weeks ago.
Can you navigate to other drives and then, in the address bar, type 'C:\' and get to it then at all?
Yea, easily. It's simply when I click the drive icon that the error comes up. It pisses me off.
And yes messiaen, I did empty the trash can.
I'm not seeing much from the Hijackthis log either...
I also never set a restore date... so that's not an option...
Ought to grab Stinger since I think FOOL.EXE falls under what it picks up. Sounds exactly like what I just got done frying at the office.
What are you using for anti-virus, anyways?
____________________
Tanks
 360? Yessum.
Posted on 03-08-09 09:44:47 PM (last edited by Fajita-chan at 03-08-09 06:45 PM)
Originally posted by Joe
Delete the file and see if the error message changes.
del /f C:\RECYCLER\*.com
That's the thing. The file doesn't exist. So naturally, that won't work.
Yea, I'm using Avast!
____________________
Hiryuu
Posted on 03-08-09 09:49:40 PM (last edited by Nao at 03-08-09 06:50 PM)
Got under Avast! huh?
Aside from Stinger, you might want to try your luck at such things as Spybot and Malwarebytes if you've not done so already.
Also, if you have HiJackThis, post the log here anyways.
____________________
Tanks
 360? Yessum.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:38 PM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Christian\Desktop\stinger10000482.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5AE027D-CE50-4581-8AB8-735762096B1A}: NameServer = 85.255.112.229,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.229,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.229,85.255.112.140
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
____________________
Hiryuu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5AE027D-CE50-4581-8AB8-735762096B1A}: NameServer = 85.255.112.229,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.229,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.229,85.255.112.140
This right here looks suspicious...
[checks]
Closest I find against that IP range set is some trojan: here.
Aside from that piece...there's really nothing I see here that I can point to running. I would also check your MSCONFIG by going to Start --> Run... as a means of checking around for other suspicious programs...but everything you've listed past this one piece comes up fine.
But that should be part of a trojan that's on there, if what Symantec says is correct.
____________________
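The check made by eye in the post above, as an added example that is not part of the thread: pull every O17 NameServer line out of a HijackThis log and list the resolvers that are not on a list the machine's owner expects. The expected list (`192.168.1.1`) and the CS2 line in the sample are constructed assumptions; the other sample lines are copied from the posted log.

```python
import ipaddress
import re

# First four lines are copied from the log posted in this thread.
# The last line (CS2, 192.168.1.1) is constructed for the example.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5AE027D-CE50-4581-8AB8-735762096B1A}: NameServer = 85.255.112.229,85.255.112.140
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.229,85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.229,85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+): NameServer = (?P<servers>.+)$")


def static_dns_entries(log_text):
    """Return [(registry_key, [server, ...])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections (O4, O23, ...) are ignored here
        # Windows accepts comma- or space-separated resolver lists
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append((m.group("key"), servers))
    return entries


def unexpected_resolvers(log_text, expected):
    """Map each resolver not in `expected` to the registry keys that set it."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    findings = {}
    for key, servers in static_dns_entries(log_text):
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.setdefault(server, []).append(key)  # malformed: report as-is
                continue
            if ip not in allowed:
                findings.setdefault(str(ip), []).append(key)
    return findings


if __name__ == "__main__":
    for ip, keys in unexpected_resolvers(SAMPLE_LOG, ["192.168.1.1"]).items():
        print(ip, "set in", len(keys), "key(s)")
```

A static NameServer value takes precedence over the resolver handed out by DHCP, so the question for each flagged address is whether someone on the machine set it deliberately.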
Tanks
 360? Yessum.
yea, I'm getting an error of 'C:\ cannot run under win32' now...
____________________
Hiryuu
I think it'll be easiest to re-install at this point.
____________________
Tina
Beep boop
Level: 79
   
Posts: 653/1549
EXP: 4472112 For next: 107355
Since: 08-10-07
Since last post: 3.4 years Last activity: 3.4 years
85.255.112.140 is trusted dns. not suspicious, probably by choice.
reading rest.
____________________
Tina
Beep boop
I would recommend picking a string of numbers from that error dialog (e.g., "10029715" or whatever, no -s) and seeing if it brings up anything.
Aside from that, if all else fails, reinstall.
____________________
Tanks
 360? Yessum.
I honestly think it's the way the system handled the virus. Instead of containing, it deleted it. Now the system may be looking for said virus and that's somehow affecting my ability to directly access C:\...
____________________
Tanks
 360? Yessum.
Yea, I think I'll do a reinstall sometime. As of right now, I'm pretty busy and this issue is bearable at the least... It's not like I can't access C:\ at all...
____________________