DaniWeb Forum Index > Hardware and Software > Microsoft Windows > Windows NT / 2000 / XP

Urgent Query-What SHud i Do?? What Kind Of Virus?How To Remove It??

•

Join Date: Nov 2005

Posts: 317

Reputation: jaishankar is an unknown quantity at this point

Solved Threads: 14

jaishankar jaishankar is offline

Offline

Posting Whiz

Urgent Query-What SHud i Do?? What Kind Of Virus?How To Remove It??

May 31st, 2007

My friends system is have hdd partitioned as C: D: and E

FAT32)

E: is having some 35gb of music files

but aoutomaticcaly half of the folders have been disappered and number of unknown folders have been created which niether opens nor gets deleted

most of the folder names are as eMARTM~1

This is the screenshot of the drive and folders

http://i19.tinypic.com/4u936eq.jpg

http://i10.tinypic.com/4vqupsx.jpg

Here is the Hijackthis log

here is the log file

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:19:46 AM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ehome\ehtray.exe
D:\WINDOWS\system32\RunDll32.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\InterVideo\WinDVR\WinRemote.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinRemote] "D:\Program Files\InterVideo\WinDVR\WinRemote.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] E:\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [svcshare] D:\WINDOWS\system32\drivers\spoclsv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe

6 rules to be happy:
Free your heart from hatred; Free your mind from worries; Live simply; Expect less; Give more & always have me as Ur Friend.

•

Join Date: May 2005

Posts: 3,204

Reputation: gerbil will become famous soon enough

Solved Threads: 188

gerbil

Offline

Nearly a Senior Poster

Re: Urgent Query-What SHud i Do?? What Kind Of Virus?How To Remove It??

May 31st, 2007

You have an annoying little trojan, a worm... please delete hijackthis from the folder where it is and follow this:
==download a fresh copy of hijackthis: http://216.180.233.162/~merijn/files/HijackThis.exe
-install it to a new folder alongside your program files.
-in that folder start HijackThis by dclicking the .exe;
-select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKCU\..\Run: [svcshare] D:\WINDOWS\system32\drivers\spoclsv.exe

Browse to this file and delete it: D:\WINDOWS\system32\drivers\spoclsv.exe
Find D:\setup.exe and delete it.
Get ATF Cleaner:
===Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
Now please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here, plus a fresh hijack this log..

Deep, deep in the woods, but walking about.

•

Join Date: Mar 2005

Posts: 1,522

Reputation: dcc is an unknown quantity at this point

Solved Threads: 36

dcc

Offline

Posting Virtuoso

Re: Urgent Query-What SHud i Do?? What Kind Of Virus?How To Remove It??

Jun 1st, 2007

Before going through all of that try downloading Asquared and run it in safe mode, this is important as certain applications aren't running when you are in safe mode. Unless you have something particularly nasty this will usually do the trick.