TechSpot

The '!' icon in system tray, and more

By Swen1
Nov 15, 2008
  1. Hi all, Swen here from The Netherlands,
    Since I installed nero8 with a key generator (at least, I think that did the damage), I have this little yellow triangle with a '!' in it appearing in my system tray. If I hover over the icon, it does not display any message on what it wants to tell me, and when I click on it, it disappears. Also when watching video, my pc gives, at some moment, but not any specific moment, a little 'click' sound from within my computer case, after which the whole video (played in VLC player) will freeze. Also games get stuck, and even my virus scanner (AntiVir) got stuck a few times when scanning. I found your website, and did the 8 step program. I use AntiVir, and the Windows XP SP3 firewall. I did not use any of the programs listed at the wiki website mentioned in the 8 step thread. I did remove Nero again with Control Panel > Remove Software, as this program also got stuck 2 times when burning a CD. Since my last reboot (20 minutes ago) I did not see the '!' return, so it might be that the problem is solved now.
    I attached the logs of Malwarebytes Anti Malware and Hijackthis (taken directly after the reboot). SuperAntiSpyware did not find anything, so I did not include this log.
    I'm not very experienced with software in this detail, but maybe you guys can see if I removed a possible trojan or virus with the 7 steps (as this is step 8 :) ) or not.
    Thank you very much for the help,
    Swen Bos


    Edit: Looking at the HijackThis log, I found these two lines that look strange, as I already removed nero from my pc. Are these two things (what are they really?) the problem?
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

    Hi, I had the same trouble again. I was able to make a printscreen of the strange '!' icon in the taskbar; I added a picture of it. With the icon still there in the taskbar (I was 'lucky' it stayed that long), I was able to do a new HijackThis scan, of which I also added the log file. Hope this allows someone to analyze the problem.
     

    Attached Files:

  2. rf6647

    rf6647 TS Maniac Posts: 829

    Welcome to TS.

    I see no significant issues.

    Your image denotes trouble, obviously. One difference in the process list:
    C:\Program Files\DC++\DCPlusPlus.exe

    You have added applications that enhance the taskbar. Read your documentation. I would first concentrate on whether this monitors voltages on the motherboard.

    Delete the application, if it still exists.
    Use HJT if startup item remains.
    Delete file/folder as appropriate.
    This is UNKNOWN. I strongly recommend DELETE.
    It has the same form as "CoolWebSearch" parasite.
    Contra indication: SAS did not complain
    User Choice
     
  3. mflynn

    mflynn TS Rookie Posts: 2,655

    Oops, sorry guys.....

    I need to keep my eye on you guys. :D

    No, the entries in both posts are legit, do not delete!

    Swen1 we need a clean mbam log especially because of what it found and said it cleared.

    Before running MBAM again do the below

    Dbl click the runmbam icon.
    When it opens do not scan first, UPDATE, then click Settings and confirm all are checked; if not, check them. Then click the Scanner tab, choose Full scan, then confirm your Windows drive is selected/checked, then click Start Scan.

    I want to see a clean log if not run again.

    Then and only then do this next step.

    ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete and re-download.

    Get it here: http://www.techsupportforum.com/sect...s/ComboFix.exe

    Or here: http://download.bleepingcomputer.com...a/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    This will take some time!!!!!!!!

    Mike
     
  4. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Thanks Mike

    Hi Mike, thanks for your time.
    I updated the MBAM, and only had to check the box next to the Internet Explorer option.
    I have about 1.3 TB with music, series and movies, so the scan takes about 3.5 hours to complete. The last scan I did was without the last update, but it said it was clean. As soon as I get back from my voluntary bartending job tonight, I hope to be able to provide you a new log file. Then I will also try to use ComboFix. I expect to be able to post those results after a bit of sleep. (Central European Time atm: 2300)

    I deleted the two Nero associated things after posting my first message; as I completely removed Nero from my system, I figured that those two were not needed as well. Hope I'm not in trouble now...

    I'll get back to you guys as soon as I got something.
     
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    On one partition?

    You should have partitioned and put all that music on another partition and skip scanning that drive until you go to bed

    Mike
     
  6. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Back from bartending... My pc was stuck again, had to reboot, running the scan again. Got 5 different hard drives; if you guys think the problem is really on just one, I could skip scanning the other ones, or pull the SATA connectors out of the motherboard. If I were a virus/trojan, I would hide some of my data among files/folders on other drives just to make sure I'm harder to spot. I'll get back as soon as the new scan of MBAM is finished, with the results. Hope it does not crash this time...
     
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Swen1

    Ok, what I am saying is, it is typically the boot drive and Windows that get the infections.

    If we clean that one and stabilize the running, then we would go back and scan the other drives while we are asleep or something. Understand?

    Scan only the windows boot drive for now.

    We will handle the yellow ! when clean.

    Mike
     
  8. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Ahh, ok. I'm sorry, I think I misunderstood you; English is not my native language, and I'm quite tired, I'll read more carefully next time.
    I think I have a new symptom: when I reboot, the preferences for displaying folders, and also the taskbar, are changed/reset.
    My personal humble idea is that all problems are directly linked to this yellow '!'. Every time my pc crashes, it is in the lower corner.

    I added the latest MBAM log, which I aborted as soon as it started scanning a non-OS partition/drive. It says it is clean. So I'll now go to the next step, with ComboFix. I'll post results when awake (5 o'clock now).
    Thank you very much for your time Mike!
    Swen

    This is the ComboFix log,
    Hope this brings us any further.
     

    Attached Files:

  9. mflynn

    mflynn TS Rookie Posts: 2,655

    OK good on the MBAM.

    Remove any CD's in the drives.

    Shut down, disconnect all external devices including printers, flash drives and cameras. Then boot up.

    Then go to Device manager. In view select Show hidden devices.

    Any device that has an issue will have a red X or yellow Exclamation (!).

    Rt click these items and try to update, if they won't update then rt click and uninstall! Also uninstall all from Unknown devices if you have an Unknown Devices category.

    Then run ComboFix again, as there was one item I need to confirm it cleaned the first time. Get me the new log.

    Mike
     
  10. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Hi Mike,
    Back awake and ready to get my machine running!
    My pc did not get stuck last night, quite a hopeful sign.
    Here are the devices that are having a yellow '?' (Logitech Driver Interface 2X), having a red cross (1394 network adapter & Hamachi Network Interface), and have a yellow '!' (Serial).
    I expect the Serial item to be the bad guy; its device instance ID ('Apparaatinstantie-id' in Dutch) is: ROOT\LEGACY_SERIAL\0000
    I added pictures of my device manager list, hope they are useful.
    I will remove the Serial item. I think the two network things are related to my Hamachi program, so I think it's best to keep them just turned off at this moment (turned them off myself some time ago).

    I'll post the ComboFix log as soon as it's done.
    Edit: The ComboFix log is added, looking forward to your reply :)
    Edit 2: Avira AntiVir sees ComboFix as a virus; I chose to ignore the call of the virus protection program. Hope I did this correctly.

    Hmm, again the '!' icon in my system tray... Hmm... This after some clicking in my pc case. I'd almost say a hardware problem is related to the virus. Maybe it altered some voltage things? I have my pc quite loaded with hardware. And maybe my power supply is a bit weak for what I currently have (bit short on money atm).
    Got an Asus Striker Extreme mobo, Asus 8400GT and 8800GT video cards, 5 HDs, Q6600 CPU, 4 GB OCZ memory, a DVD burner and a card reader, all on a 550 watt power supply.
    But the trouble (and clicking) happened after the infection, as I have had all the hardware in for some time now.
     
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, good on the ComboFix and MBAM, now get the SAS.

    Not now, but the yellow exclamations (not red X's) need to be uninstalled and the computer rebooted in order for them to try and reinstall. Disabling them is useless as they are already not working.

    Firstly let's get you clean of Malware.

    I will watch for the other logs.

    For a time sync. It is 09:05 AM here.

    Mike
     
  12. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Hi Mike, good morning to you :wave:
    I did the SAS, MBAM, CCleaner and HijackThis, and have the logs attached. SAS did not find anything, and did not provide a log.
    I hope I understood correctly that I do not have to do a new ComboFix scan at this moment. I did scan my system disk (C:) only.

    The file: C:\WINDOWS\System32\wbem\logs\wbemcore.log keeps on showing up in CCleaner, scan after scan. Is it related to my malware problem?
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Swen

    Use HJT Scan only, select and remove the below:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    These are harmless and will reinstall if you run another BitDefender online scan, but get them for the sake of cleaning:
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

    wbemcore.log may be a small part of the problem.

    So for that do the below.

    Download Dial-A-Fix (DAF)
    http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
    http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Reinstall BITS
    Reinstall Windows Firewall
    Repair Permissions
    Reset WMI/WBEM (not reinstall)

    Watch for any File not found or other errors and make note as this may lead to the fix!

    Reboot retest!

    Remove those devices as advised, not red x's tho!

    Mike
     
  14. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Hi Mike,
    I used Dial-a-fix, and the only 'error' that the program gave was that it requested the location of the XP CD (I mounted an image). After the Dial-a-fix, and a reboot, I ran CCleaner, SAS, MBAM and HijackThis. SAS came up clean again, so no log. The other logs I attached. I only scanned my C: drive/partition. If you'd like me to scan my whole pc, please let me know.
     
  15. NunjaBusiness

    NunjaBusiness TS Rookie Posts: 36

    Swen,

    If your only problem is the systray icon,

    My experience is that the triangular yellow sign with the exclamation point indicates that an error has been written to one of your system event logs - nothing more. It is there to prompt you to go and check your logs. Do that.

    Here's how you do that in XP:
    type the following line exactly in your "Run" command window, then click OK:

    %SystemRoot%\system32\eventvwr.msc /s

    When it opens, go straight to the "System" log and look for errors.

    You may find a disk error or device driver malfunction, but it is hard to say. I usually see what you describe with an "unable to write to disk" involving the MFT.

    Any viruses and such are a different matter.
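    As an added example (mine, not part of the thread or anything NunjaBusiness posted): the triage above, reading the System log for the disk/NTFS errors the tray icon points at, can be done in one go from Windows PowerShell instead of clicking through Event Viewer. It assumes the built-in Get-EventLog cmdlet is available (PowerShell is an optional install on XP, standard from Vista on); the source list and the event-ID annotations are my own choices, not something the thread states.

```powershell
# Added example, not from the thread: pull the storage-related Error entries out of
# the System log that the tray '!' icon is pointing at, then summarize them per source
# and event ID so you can tell a single failing disk from a controller-wide problem.
# Assumes Windows PowerShell with the Get-EventLog cmdlet; the source list and the
# event-ID notes below are my own choices.

# Sources the thread mentions (disk, ntfs, ftdisk); 'atapi' is added as an assumption,
# since IDE/SATA controller errors on XP are logged under that source.
$storageSources = 'disk', 'ntfs', 'ftdisk', 'atapi'

# Well-known event IDs for those sources, used only to annotate the summary.
$knownIds = @{
    'disk:7'    = 'bad block on the device'
    'disk:11'   = 'controller error on the device'
    'disk:51'   = 'error during a paging operation'
    'ntfs:55'   = 'file system structure corrupt; run chkdsk'
    'ftdisk:57' = 'failed to flush data to the transaction log'
}

$errors = Get-EventLog -LogName System -Newest 2000 |
    Where-Object {
        $_.EntryType -eq 'Error' -and
        $storageSources -contains $_.Source.ToLower()
    }

if (-not $errors) {
    Write-Host 'No storage-related Error entries in the last 2000 System events.'
    return
}

# Per source/event ID counts: many 'disk' 7/51 events on one device usually mean a
# failing drive; 'atapi' 11 spread across devices points at the controller or cabling.
$errors |
    Group-Object -Property { '{0}:{1}' -f $_.Source.ToLower(), $_.EventID } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $note = $knownIds[$_.Name]
        if (-not $note) { $note = 'see Message text' }
        '{0,4}  {1,-12}  {2}' -f $_.Count, $_.Name, $note
    }

# The ten most recent entries in full, newest first, to line them up against the
# times the machine froze or clicked.
$errors |
    Sort-Object TimeGenerated -Descending |
    Select-Object -First 10 -Property TimeGenerated, Source, EventID, Message |
    Format-List
```

    Run it from a PowerShell prompt on the affected machine; reading the System log needs no elevation, but the Message text identifies which \Device\Harddisk the error was logged against, which is what decides whether to run chkdsk on one volume or to swap a cable or controller.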
     
  16. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Hi NunjaBusiness, indeed, 'quite', which is an understatement, some problems are shown in this log, all starting 3 days ago. All involving faults and warnings on ntfs, ftdisk and disk level or something. I think Mike must have known already, as he talked about solving the '!' problem later on. Thanks for your input NunjaBusiness, I'll see if I can do some disk scans to see if all sectors and such are still okay.
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Great Swen

    Have you uninstalled the items in Device Manager yet and rebooted? They may all clear, or some may clear, or none, but whatever, you will be no worse off as they are not working anyway.

    Leave all devices disconnected as I asked earlier until we are clean.

    Even with the Exclamations you now should have better control and better performance.

    Give me a status of look and feel.

    Then do the below:

    ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Or here: http://subs.geekstogo.com/ComboFix.exe
    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    No need to post another HJT until I request it.

    Mike
     
  18. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Hi Mike
    In Device Manager, there are no 'devices' with a '!' anymore for quite some time now. I checked it after every reboot. I did not connect any device to my pc the last 5 days, I'll continue to do so. The pc runs quite smooth again, at least, it did not get stuck since last night. I did dare to watch some video, but no games yet. I think the video display and clicking might indeed be because one, or maybe more, hard drives are not performing well. I'm currently running a test and repair session on the first partition, which was mentioned in the log, which I found via NunjaBusiness. It's in Phase 4 for a while now, not sure it crashed or not.

    The two links on ComboFix do not work for me. First time I got it from a Dutch website. I must confess I am not sure it is the latest version. If you could provide me with the latest version by a different link or attachment, I would be grateful.
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    Great news, now it is coming together!

    I fixed the links!

    Run the combofix when disk operation is finished. Post log.

    Based on the mbam and sa I think we have more malware.

    Mike
     
  20. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Before I open ComboFix again, I'm just backing up some stuff I do not dare losing; after that I'll do the fix, and report back to you (got to pump 100 GB, a movie I made, but is not finished yet, to another drive, just to make sure it is not lost).

    The links worked. I'll do a checkdisk first, just to make sure the file system is not damaged, which might be endangering my rare movies and series stored on the D: drive (the same drive as I had the key generator on, due to which all started, I think).

    Ok, I did a 2 hour scan of my D: drive, the one showing the most problems. The report was clean, so I feel like my data is more or less safe at this moment.
    The ComboFix program was unable to update itself, maybe because it was blocked by my firewall, maybe because the program was not able to. I manually allowed ComboFix to enter the internet just now, so I'll test again in a moment. In the meantime, here is my latest ComboFix log.

    The second ComboFix scan did not ask if I would like an update, and did a lot more 'steps' before finishing. Here is the latest log. Don't know if there are any differences.
    Edit: Forgot the HijackThis log, now it is uploaded as well...
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    Good job Swen

    I usually leave those jobs running when I go to bed.

    Because of all your issues hardware and software/malware.

    I want to do one other scan.

    Is system still running well now? And device mgr is still clear?


    Download SDFix to Desktop; among other things it runs GMER and Catchme to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SDFix. Double-click to enter SDFix.

    Double-click RunThis.bat. Type Y to begin.

    SDFix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.

    Then post hopefully one final HJT log.

    After that we will do a close out of this thread.

    Mike
     
  22. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Device Manager still clear, brb, going into safe mode now...

    Ok, here is the result of the SDFix attached as 'report'.

    We might not be finished yet though, as now, after the safe mode (without network assistance) and SDFix being finished, I have two items in my Device Manager displaying a '!'. One is called 'Serial', just as earlier, the other one is called 'Parport'. They are both in the category of 'Drivers that are not Plug and Play compatible' (in Dutch: 'stuurprogramma's die niet Plug and Play-compatible zijn').
    I added a new HijackThis log also.

    I'm off to bed, I guess it is best to shut my pc down,
    thanks for the help Mike!
     

    Attached Files:

  23. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Swen

    Run MBAM, click More Tools > Run tool, then paste the below lines into "File Name:" and click Open.

    Both files, 1 at a time:

    C:\WINDOWS\system32\6612DE02CC.sys
    C:\WINDOWS\system32\KGyGaAvL.sys

    Uninstall the devices in Device Manager again.

    Reboot, rerun SDFix.

    Last, after SDFix, post a new HJT log!

    Then finally download and run the below

    http://majorgeeks.com/Kaspersky_AVP_Tool_d4515.html

    Mike
     
  24. Swen1

    Swen1 TS Rookie Topic Starter Posts: 18

    Here are the logs of HijackThis and SDFix. Going to do the AVP tool now.
     
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    Good morning Swen

    All Right!!!!!!!!!!

    Unless the AVP Tool finds something it can't fix (very unlikely!)

    Or there are more issues with your devices or other things not covered yet!

    Then we are finished!!

    You have done a fabulous job; it's been a joy to work with you!

    Later I will post a final thread closing process.

    Mike
     
Topic Status:
Not open for further replies.
