0

It only happened after I reinstalled my Windows XP SP2. I can't access microsoft.com, can browse to the windows live site but can't download the live messenger, can't browse to viruslist.com and any anti-virus site such as avg. I had a trial Kaspersky 7.0 that found 7 worms and deleted them but still no luck in being able to browse to microsoft websites. Here's the log of hijackthis I just did :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:25 AM, on 4/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\KasperskyAV2009\avp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
E:\MSOffice07\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\KasperskyAV2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\MobilePhoneConnectivity\My Mobile\SyncML Desktop Server\SyncMLDesktopServer.exe
C:\Program Files\TOSHIBA\MobilePhoneConnectivity\My Mobile\SyncML Desktop Server\SyncController.exe
C:\Program Files\TOSHIBA\MobilePhoneConnectivity\My Mobile\Phone Monitor\epmworker.exe
E:\mozillaFirefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
E:\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - E:\KasperskyAV2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\MSOFFI~1\Office12\GRA8E1~1.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [GrooveMonitor] "E:\MSOffice07\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SYS1] C:\WINDOWS\system32\system.exe
O4 - HKLM\..\Run: [SYS2] C:\WINDOWS\system32\bad1.exe
O4 - HKLM\..\Run: [SYS3] C:\WINDOWS\system32\bad2.exe
O4 - HKLM\..\Run: [SYS4] C:\WINDOWS\system32\bad3.exe
O4 - HKLM\..\Run: [Msmsgs] C:\WINDOWS\system32\Msmsgs.exe
O4 - HKLM\..\Run: [AVP] "E:\KasperskyAV2009\avp.exe"
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = E:\MSOffice07\Office12\ONENOTEM.EXE
O4 - Global Startup: SyncML Desktop Server.lnk = C:\Program Files\Toshiba\MobilePhoneConnectivity\My Mobile\SyncML Desktop Server\SyncMLDesktopServer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MSOFFI~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\KasperskyAV2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\MSOFFI~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\MSOFFI~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MSOFFI~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0AD51E5-BAD9-4886-ABF9-FBE59672B679}: NameServer = 192.168.30.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\MSOFFI~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: E:\KASPER~1\mzvkbd.dll,E:\KASPER~1\mzvkbd3.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - E:\KasperskyAV2009\avp.exe

--
End of file - 4401 bytes

2
Contributors
3
Replies
4
Views
8 Years
Discussion Span
Last Post by jholland1964
0

The infection you have on the computer is the W32/SillyFDC-AP worm. It is spread via Removable storage devices. I see by your log that it shows both processes running from both "C" drive and "E" drive. I have to assume that "E" drive is a removable drive, correct?
That drive is obviously infected along with your "C" drive. Infected files showing on the auto starting entries are in the "C" drive.

How did you reintstall XP? Did you use an XP disk or was it via a program on the removable drive?

0

No. I have 7 local disks : C, D, E, F, G, H, I and K for the pen drive. Of them, D and I drives make up 20 gigabytes worth of storage space from a secondary hard disk. The other newly bought hard disk is made up of C, E, F,G and H drives. I reinstalled XP on C, installed KAV2009 after posting a log of Hijackthis here and disinfected, deleted and blocked about a thousand instances of the same trojan spread in all the drives and 27 viruses. Now I can browse to microsoft websites and download updates.

However, If I insert the pen drive (K) in its USB port and try to open it, it says " The drive is not formatted. Would you like to format it now?" After I select, " Yes ", a new error message tells me that the disk can't be formatted and that's it. I can't open/ explore my pen drive in anyway.

Also, after the virus scan, I can't double-click on the icons of my disks. If I do, I get a message window that asks me which programs do I want to use to open the drive. I have to right-click and explore to access all the drives. I'm much worried about this because this is exactly how my pen drive used to react after it was infected.

Does this mean my pen drive is absolutely unusable right now? Why am I not being able to open my drives with double-clicks?

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.