[RESOLVED] Virus - I Cannot Access My Hard Disk

  1. 18-01-2008  #1
    smokinguns69
    smokinguns69 is offline Newbie

    [RESOLVED] Virus - I Cannot Access My Hard Disk

    Hey,

    There is some bug in my computer which does not allow me to open any of my hard disks when I click on them. Instead of opening the disk, windows throws up an option to choose the program I want to open a file with.

    I have attached a screen shot of what happens when I click on any of my disks.

    Also, here is a copy of my Hijack Log -
    ---------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 3:31:15 PM, on 1/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\program files\support.com\client\bin\tgcmd.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Apoint\Apvfb.exe
    C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    D:\Software\HijackThis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.32.0.253:3128
    F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.ex e
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.sony.com/vaiopeople"); (C:\Documents and Settings\anju\Application Data\Mozilla\Profiles\default\las77z4g.slt\prefs.j s)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\anju\Application Data\Mozilla\Profiles\default\las77z4g.slt\prefs.j s)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1665343706.dll
    O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1665343706.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1665343706.dll/gn_menu1.html
    O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1665343706.dll/gn_menu2.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F77357E-527F-4B59-9639-32786ED24344}: NameServer = 4.2.2.2,202.156.250.5
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    -----------------------------------------------------------------------
    Please Help.
    Any and all assistance will be deeply appreciated.

    Arijit
    Attached Images
  2. 18-01-2008  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    Download and run a program called Flash Disinfector:
    http://www.techsupportforum.com/sect...isinfector.exe




    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O4 - HKCU\..\Run: [AMVA] C:\WINDOWS\system32\amvo.exe

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.






    Download ComboFix from one of the following links below:

    Here or Here to your Desktop.


    If you already have Combofix (more than ten days old), please delete the existing copy and download it again as it's being updated regularly:
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    ComboFix SHOULD NOT be used unless requested by a forum helper.



    There will be more to do after this.
  3. 18-01-2008  #3
    smokinguns69
    smokinguns69 is offline Newbie
    Hey Vincent,

    I have followed your instructions to a 'T' and performed the steps you asked for.
    Please find below a HijackThis log as well as the log generated by ComboFix.

    It seems to have solved the problem of accessing my hard disks properly.

    However, I would wish to consult you on another related matter. I purchased an external seagate hard disk recently which I connect to my computer via a USB cable. Quite recently one partition of that disk crashed. When that disk is connected I can see the two partitions in 'My Computer' however once I click on one of them it says "Corrupted or unrecognizable". I have a lot of important data on that disk and I was planning to restore that data using any Professional Data recovery software that my wallet allows.

    Now this is related because according to your instructions I ran Flash Disinfector on all my removable storage medium (including the external hard disk which has crashed!). Though, at the end a message informed me that the process was "Done", I am not too sure about the state of the external drive. Also, the one partition which was working refuses to work after running flash disinfector and the error message pops up "Corrupted or Unrecognizable". Even a chkdsk does not run on either of the partitions

    My question is this:
    1. Do you think the virus in my computer was responsible for my external hard disk crashing?

    2. Is it possible to recover that data by virus removal or should I go ahead with a data recovery software?

    3. Where can I get help on data recovery on a crashed disk?

    Thanks for all the help so far and I await further instructions.
    -----------------------
    My Combo Fix Log:-
    -----------------------

    ComboFix 08-01-18.5 - anju 2008-01-18 23:55:55.1 - NTFSx86
    Running from: C:\Documents and Settings\anju\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
    .

    2008-01-18 23:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-08 20:09 . 2008-01-08 20:17 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2007-12-30 18:30 . 2007-12-30 18:30 <DIR> d-------- C:\Program Files\Windows Defender
    2007-12-30 18:23 . 2007-12-30 18:23 <DIR> d-------- C:\Program Files\Microsoft Silverlight

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
    .
    2008-01-18 10:22 --------- d-----w C:\Documents and Settings\anju\Application Data\AVG7
    2008-01-16 07:26 --------- d-----w C:\Program Files\Picasa2
    2008-01-07 10:09 --------- d-----w C:\Documents and Settings\anju\Application Data\uTorrent
    2007-12-15 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-12-15 10:13 --------- d-----w C:\Program Files\uTorrent
    2007-12-12 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-27 12:10 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2006-02-12 13:40 52,120 ----a-w C:\Documents and Settings\anju\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
    "CARPService"="carpserv.exe" [2003-03-19 04:19 4608 C:\WINDOWS\system32\carpserv.exe]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-06-14 04:22 114688]
    "HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2003-04-01 22:30 81920]
    "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 22:59 40960]
    "ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 06:02 1409024]
    "VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 10:38 28672]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc. exe" [2007-12-22 20:50 579072]
    "AtiPTA"="C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE" [2005-03-23 06:35 339968]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw. exe" [2007-10-25 15:04 219136]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 02:48 443968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 22:44:08]

    [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]
    "{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [2005-04-28 00:30 188416]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^anju^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\anju\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-04-27 11:25 257088 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2003-07-18 17:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
    --a------ 2003-05-01 18:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
    "Mouse Suite 98 Daemon"=ICO.EXE


    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{103cc3d0-e3a6-11db-8574-000fb5897c7b}]
    \Shell\AutoRun\command - ie.exe
    \Shell\explore\Command - ie.exe
    \Shell\open\Command - ie.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{1d249bc0-296e-11d9-812c-080046c09459}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2b5ca340-39b6-11dc-85f4-000fb5897c7b}]
    \Shell\AutoRun\command - ie.exe
    \Shell\explore\Command - ie.exe
    \Shell\open\Command - ie.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2b5ca343-39b6-11dc-85f4-000fb5897c7b}]
    \Shell\Auto\command - sal.xls.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2b5ca344-39b6-11dc-85f4-000fb5897c7b}]
    \Shell\Auto\command - sal.xls.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{35265fba-5de1-11db-843b-000fb5897c7b}]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{3f350860-e20f-11db-856e-000fb5897c7b}]
    \Shell\AutoRun\command - ie.exe
    \Shell\explore\Command - ie.exe
    \Shell\open\Command - ie.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{56004e24-7703-11dc-8647-000fb5897c7b}]
    \Shell\Auto\command - H:\MicrosoftPowerPoint.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5936c772-3840-11dc-85f2-000fb5897c7b}]
    \Shell\Auto\command - sal.xls.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{828350c0-4e6b-11dc-860c-000fb5897c7b}]
    \Shell\Auto\command - G:\sal.xls.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{985760a0-0750-11da-8203-080046c09459}]
    \Shell\Auto\command - G:\sal.xls.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{a5464060-c52e-11dc-86ac-000fb5897c7b}]
    \Shell\AutoRun\command - G:\juok3st.bat
    \Shell\explore\Command - G:\juok3st.bat
    \Shell\open\Command - G:\juok3st.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{aaaecc72-beb4-11dc-86a5-000fb5897c7b}]
    \Shell\AutoRun\command - d.com
    \Shell\explore\Command - d.com
    \Shell\open\Command - d.com

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{b88cb0c5-497a-11db-8407-000fb5897c7b}]
    \Shell\AutoRun\command - fooool.exe
    \Shell\explore\Command - fooool.exe
    \Shell\open\Command - fooool.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{d305b4a0-32f5-11dc-85ef-000fb5897c7b}]
    \Shell\Auto\command - sal.xls.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{da9375b2-74c7-11dc-8642-000fb5897c7b}]
    \Shell\Auto\command - G:\MicrosoftPowerPoint.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{dc1be580-2a0f-11dc-85e4-000fb5897c7b}]
    \Shell\AutoRun\command - ie.exe
    \Shell\explore\Command - ie.exe
    \Shell\open\Command - ie.exe

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-18 12:16:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-18 11:38:01 C:\WINDOWS\Tasks\At1.job"
    - C:\Documents and Settings\anju\Templates\WowTumpeh.com
    "2008-01-18 10:01:49 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2003-11-26 09:34:24 C:\WINDOWS\Tasks\Registration reminder 1.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2003-11-26 09:34:25 C:\WINDOWS\Tasks\Registration reminder 3.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    "2008-01-18 18:17:32 C:\WINDOWS\Tasks\User_Feed_Synchronization-{6878E72B-5AE6-484B-8976-829D91F0DB0C}.job"
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    ************************************************** ************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-19 00:01:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************** ************************
    .
    Completion time: 2008-01-19 0:04:29
    ComboFix-quarantined-files.txt 2008-01-18 18:34:13
    .
    2008-01-18 06:20:50 --- E O F ---
    __________________________________________________ ________________

    -----------------
    My HijackThis Log
    -----------------
    Logfile of HijackThis v1.99.1
    Scan saved at 12:10:47 AM, on 1/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\program files\support.com\client\bin\tgcmd.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Apoint\Apvfb.exe
    C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\Software\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 172.32.0.253:3128
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.sony.com/vaiopeople"); (C:\Documents and Settings\anju\Application Data\Mozilla\Profiles\default\las77z4g.slt\prefs.j s)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\anju\Application Data\Mozilla\Profiles\default\las77z4g.slt\prefs.j s)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1665343706.dll
    O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1665343706.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1665343706.dll/gn_menu1.html
    O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1665343706.dll/gn_menu2.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F77357E-527F-4B59-9639-32786ED24344}: NameServer = 4.2.2.2,202.156.250.5
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

    __________________________________________________ ______________

    Thanks for all the help so far.

    Arijit
  4. 18-01-2008  #4
    VopThis
    VopThis is offline Senior Member (Canada)
    1. Do you think the virus in my computer was responsible for my external hard disk crashing?
    2. Is it possible to recover that data by virus removal or should I go ahead with a data recovery software?
    A virus is probably not responsible for your external drive issues. Why would it not similarly impact your fixed hard drive?


    3. Where can I get help on data recovery on a crashed disk?
    A local repair shop might be advisable in many instances but that does not guarantee complete satisfaction, either. Otherwise, if you are game, consider the following:

    Many data recovery tools can only provide limited hope for recovery. The results can vary widely as reflected by these user experiences and time commitment invested accordingly:

    I crashed my hard drive which held all my essential business data and had no back-ups. Suddenly, I was downloading every HD recovery program I could find. Most wouldn't even recognize the ruined partition more less read my data.
    I downloaded close to two dozen free/trial recovery tools off the net to recover data off one of my bosses' flash drive. Not only did every one of them fail to even detect the drive, but they all were limited [in capability].
    A cheaper, but good, alternative may potentially only yield less than complete success - Scavenger [1] found nearly all my files and was able to recover most of them. For slightly more cost, you might get a significantly better result –‘SpinRite’ [2] is arguably one of the best tools for this purpose:
    http://www.grc.com/sroverview.htm
    Post-Disaster Data Recovery is perhaps SpinRite's strongest and most unique capability since so much more can be done than any other disk utility has ever bothered to do.

    [1] http://www.snapfiles.com/get/filescavenger.html
    [2] http://www.grc.com/spinrite.htm
    Is SpinRite compatible with USB and Firewire devices?

    The best answer to this is a firm "maybe". DOS device drivers are available for most USB and Firewire controllers. If such drivers are added to a DOS boot diskette so that your USB or Firewire drive is "seen" by DOS, SpinRite will also be able to "see" and operate with it. However, the performance of the drive through the DOS drivers and the serial (USB/Firewire) cable will likely be far lower than if the external drive were connected directly to a PC's motherboard controller. If you have the ability to temporarily relocate the IDE drive inside of the external enclosure to a PC— plugging it directly into the motherboard's controller — SpinRite will be able to operate at the drive's highest possible performance.


    Other Possible Data Recovery Tools (ranked by rating):

    Read the posted ‘user opinions’ for each product of interest.

    SHAREWARE: http://www.snapfiles.com/shareware/s...ecovery_r.html
    FREEWARE: http://www.snapfiles.com/Freeware/sy...ecovery_r.html
    Last edited by VopThis; 18-01-2008 at 11:49 PM.
  5. 21-01-2008  #5
    smokinguns69
    smokinguns69 is offline Newbie
    Save 20% on AVG Internet Security 2012 Suite!
    Hey,

    Thanks for the suggestions.

    I got my hands on "OnTrack" Easy Recovery Professional.

    It seems to be doing the job ... though the file names are all messed up and the directory structure is gone ... also all my music is now named randomly (thank heaven for ID3 tags !!)

    Lemme see how much of my data can recover

    Thanks again for all the help
    Arijit
+ Reply to Thread
« AVG Trojan horse SHeur.ALJL? | CID back again »