Red X on Local Disk. Please help.
Original Message
Name: Saimog
Date: March 5, 2008 at 21:06:30 Pacific
Subject: Red X on Local Disk. Please help.
OS: SP2
CPU/Ram: 2.26GHz/504MB
Model/Manufacturer: Mercury
Comment: My internet keeps stopping and there's a huge Red X on where the Local Disk Icon should be. Could someone please help me fix this?
Response Number 1
Name: jabuck
Date: March 6, 2008 at 17:48:10 Pacific
Subject: Red X on Local Disk. Please help.
Reply: Please run the following scans and post their results. Go to this link:
Disable Realtime Protection
Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.
Please download Atribune's VundoFix.exe from the following site to your desktop:
Vundofix.exe
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click "yes".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "ok".
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link: Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Please download ComboFix to the desktop from one of the following links:
Link1
Link 2
Link 3
Double-click combofix.exe
Follow the prompts. (Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.
Response Number 2
Name: Saimog
Date: March 6, 2008 at 21:15:34 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:06, on 2008-03-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ZPOINT32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ramona\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5566186B-8E4A-4D16-BBC7-F2BA16AB5377} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {a1701f50-c5b5-99ea-2c64-f494d7949838} - {8389497d-494f-46c2-ae99-5b5c05f1071a} - C:\WINDOWS\system32\tkjqvagv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Program Files\Gaia Online Toolbar\Toolbar.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - C:\WINDOWS\system32\mljhfgh.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Program Files\Gaia Online Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acecad.Wtxpload] C:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [ZPOINT32] C:\WINDOWS\system32\ZPOINT32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O6 "USB001" /M "Stylus CX3100"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar... .cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O20 - Winlogon Notify: mljhfgh - C:\WINDOWS\SYSTEM32\mljhfgh.dll
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\system32\Wintab32.exe

-- End of file - 8979 bytes
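A triage pass over entries of this kind, as an added example (it is not part of the thread and not HijackThis's own code): it parses HijackThis v2 log lines and scores each entry by the signs a helper reads this log for: entries whose file is missing, unnamed BHOs, Winlogon Notify and ShellServiceObjectDelayLoad load points, services with no vendor, and randomly named modules at in-process load points. The sample lines are a subset copied from the log above; the thresholds, section sets and reason strings are my own choices.

```python
import re

# Sample entries copied from the HijackThis log posted above (a subset, one entry per line).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5566186B-8E4A-4D16-BBC7-F2BA16AB5377} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: mljhfgh - C:\WINDOWS\SYSTEM32\mljhfgh.dll
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# "O20 - <rest>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path that ends in a loadable-module extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys|ocx|cpl)\b", re.IGNORECASE)
# Sections whose module is loaded into Explorer/IE or at logon; an unnamed entry here
# pointing at a randomly named DLL in system32 is the pattern seen in the log above.
IN_PROCESS_CODES = {"O2", "O3", "O20", "O21"}


def looks_random(stem: str) -> bool:
    """Cheap 'pronounceability' check (my heuristic): all letters, 5+ long, almost no vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5 or len(letters) != len(stem):
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) <= 0.2


def triage_line(line: str):
    """Return (section code, list of reasons) for one entry; empty reasons = nothing notable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None, []
    code, body = m.group("code"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: referenced file is missing")
    if code == "O2" and "(no name)" in body:
        reasons.append("unnamed BHO")
    if code == "O20":
        reasons.append("Winlogon Notify hook")
    if code == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service without a vendor")
    pm = PATH_RE.search(body)
    if pm and code in IN_PROCESS_CODES:
        basename = pm.group(0).rsplit("\\", 1)[-1]
        if looks_random(basename.rsplit(".", 1)[0]):
            reasons.append("random-looking filename: " + basename)
    return code, reasons


def triage(log_text: str):
    """Flagged entries, most reasons first, each as {'code', 'line', 'reasons'}."""
    findings = []
    for line in log_text.splitlines():
        code, reasons = triage_line(line)
        if reasons:
            findings.append({"code": code, "line": line.strip(), "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))  # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:>4}  {'; '.join(f['reasons'])}\n      {f['line']}")
```

The vowel-ratio check is deliberately restricted to in-process load points (O2/O3/O20/O21); applied to O23 it would also flag legitimate vendor binaries such as LEXBCES.EXE, and a short name such as ssv.dll is below the length threshold. The output is an ordering for a human reviewer, not a verdict, which is why the instruction above not to let HijackThis fix anything yet still stands.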
Response Number 3
Name: Saimog
Date: March 6, 2008 at 21:38:13 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
ComboFix 08-03-06.3 - Ramona 2008-03-07 16:18:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.197 [GMT 11:00]
Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\WINDOWS\BM2b022afc.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mljhfgh.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\vturr.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.
2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm
2008-03-06 13:00 . 2008-03-06 13:00 260,608 --a------ C:\WINDOWS\system32\sleep32.dll
2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm
2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm
2008-03-05 19:58 . 2008-03-05 19:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 19:58 . 2008-03-05 19:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-04 23:20 . 2008-03-05 17:25 23,950 ---hs---- C:\WINDOWS\system32\hdejfhzz.dllbox
2008-03-04 22:10 . 2008-03-04 22:14 20,666 ---hs---- C:\WINDOWS\system32\fsqugdwv.dllbox
2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-04 21:19 . 2008-03-04 21:19 <DIR> d-------- C:\Program Files\nvcoi
2008-03-03 20:30 . 2008-03-03 20:30 29,184 --a------ C:\WINDOWS\system32\drivers\smss.exe
2008-03-03 20:30 . 2008-03-06 14:16 18,368 --a------ C:\WINDOWS\system32\service.sys
2008-03-03 20:29 . 2008-03-03 20:29 262,144 --a------ C:\WINDOWS\system32\clipuser32.dll
2008-03-03 20:29 . 2008-03-06 09:45 37,376 --a------ C:\WINDOWS\mrofinu1535.exe
2008-03-03 03:26 . 2008-03-03 01:26 73,728 --a------ C:\WINDOWS\b153.exe
2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban
2008-02-26 02:00 . 2008-02-26 00:00 81,920 --a------ C:\WINDOWS\b154.exe
2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-08 21:17 . 2008-02-08 21:17 <DIR> d-------- C:\Mp3 Output
2008-02-08 21:17 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-08 21:17 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-02-08 20:34 . 2008-02-08 21:28 <DIR> d-------- C:\downloads
2008-02-08 20:34 . 2008-02-08 20:44 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-08 20:33 . 2008-02-08 21:41 <DIR> d-------- C:\Program Files\Free Music Zilla
2008-02-07 20:21 . 2008-02-07 20:21 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-07 20:01 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-02-07 20:00 . 2008-02-07 20:00 <DIR> d-------- C:\Program Files\DAZ
2008-02-07 20:00 . 2008-02-07 20:00 <DIR> d-------- C:\Program Files\Common Files\DAZ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 05:04 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 03:23 --------- d-----w C:\Program Files\Winamp
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8389497d-494f-46c2-ae99-5b5c05f1071a}]
C:\WINDOWS\system32\tkjqvagv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]
[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]
[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-04 21:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 23:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinApp"= {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll [2008-03-03 20:29 262144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys [2008-03-06 14:16]
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 16:25:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
Other Running Processes
.
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
.
**************************************************************************
.
Completion time: 2008-03-07 16:28:50 - machine was rebooted [Ramona]
ComboFix-quarantined-files.txt 2008-03-07 05:28:46
ComboFix2.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---
Response Number 4
Name: jabuck
Date: March 7, 2008 at 19:49:49 Pacific
Subject: Red X on Local Disk. Please help.
Reply: Go to Start > Control Panel > Administrative Tools > Services, scroll down to "MSControlService" (it may be named "Microsoft cache control") and double click it. Click the blue drop-down arrow to the far right of "Startup type", click disable > Apply > OK. Exit Administrative Tools.
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\hdejfhzz.dllbox
C:\WINDOWS\system32\fsqugdwv.dllbox
C:\WINDOWS\system32\sleep32.dll
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\system32\tkjqvagv.dll
Folder::
C:\WINDOWS\system32\windows
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8389497d-494f-46c2-ae99-5b5c05f1071a}]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".
Go to the following link:
http://virusscan.jotti.org/
Then use the browse button to locate this file:
C:\WINDOWS\system32\service.sys
Once located click submit then post the results.
Post a new Combofix log.
Response Number 5
Name: Saimog
Date: March 7, 2008 at 20:33:46 Pacific
Subject: Red X on Local Disk. Please help.
Reply: Thanks. I'm not sure which part of the result it is, so I'll put it all in.
File: service.sys
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: a4a777bacfcb1c86d4c2d5b6258de9ef
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 08 Mar 2008 04:20:23 (GMT)
A-Squared Found Trojan-Proxy.Win32.Agent.yd
AntiVir Found TR/Proxy.Agent.YD
ArcaVir Found Trojan.Proxy.Agent.Yd
Avast Found nothing
AVG Antivirus Found BackDoor.Generic9.SCL
BitDefender Found Trojan.Peed.IUO
ClamAV Found Trojan.Proxy-2466
CPsecure Found Troj.Proxy.W32.Agent.yd
Dr.Web Found Trojan.Spambot.2887
F-Prot Antivirus Found Possibly a new variant of W32/STZ_like!Generic
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Agent.yd
Fortinet Found W32/Agent.YD!tr
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Agent.yd
NOD32 Found Win32/TrojanProxy.Agent.YD
Norman Virus Control Found W32/Tibs.BIWJ
Panda Antivirus Found Rootkit/Downloader.SNO
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Agent.yd
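Reading a multi-engine result like the one above means more than counting "Found" lines: the engines disagree on the name, so the useful questions are how many of them flagged the file at all and which name components most of them agree on. The following is an added example (not part of the thread and not Jotti's own code) that parses result lines in the "<scanner> Found <verdict>" form posted above, counts detections, and lets each engine vote once per family term after platform and filler words are dropped. The sample is the posted result reformatted one line per scanner; the noise-word list and the three-character minimum are my own choices.

```python
import re
from collections import Counter

# Scanner results as posted above, one "<scanner> Found <verdict>" line each.
SAMPLE_RESULTS = """\
A-Squared Found Trojan-Proxy.Win32.Agent.yd
AntiVir Found TR/Proxy.Agent.YD
ArcaVir Found Trojan.Proxy.Agent.Yd
Avast Found nothing
AVG Antivirus Found BackDoor.Generic9.SCL
BitDefender Found Trojan.Peed.IUO
ClamAV Found Trojan.Proxy-2466
CPsecure Found Troj.Proxy.W32.Agent.yd
Dr.Web Found Trojan.Spambot.2887
F-Prot Antivirus Found Possibly a new variant of W32/STZ_like!Generic
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Agent.yd
Fortinet Found W32/Agent.YD!tr
Ikarus Found nothing
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Agent.yd
NOD32 Found Win32/TrojanProxy.Agent.YD
Norman Virus Control Found W32/Tibs.BIWJ
Panda Antivirus Found Rootkit/Downloader.SNO
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Agent.yd
"""

# Non-greedy scanner name, so multi-word names such as "F-Prot Antivirus" survive.
RESULT_RE = re.compile(r"^(?P<scanner>.+?) Found (?P<verdict>.+)$")
# Tokens that carry no family information: platform tags, class words, filler (my list).
NOISE = {"trojan", "troj", "win32", "w32", "generic", "possibly",
         "new", "variant", "like", "class", "nothing"}


def parse_results(text):
    """[(scanner, verdict-or-None)] for every result line; 'nothing' means no detection."""
    rows = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        verdict = m.group("verdict").strip()
        rows.append((m.group("scanner"), None if verdict.lower() == "nothing" else verdict))
    return rows


def family_terms(verdict):
    """Lower-cased name components with noise words and short variant suffixes (yd, tr) dropped."""
    tokens = re.split(r"[^a-z0-9]+", verdict.lower())
    return {t for t in tokens if len(t) >= 3 and t not in NOISE}


def summarize(rows):
    """Detection count plus, per term, how many engines used it (one vote per engine per term)."""
    detections = [v for _, v in rows if v]
    votes = Counter()
    for v in detections:
        votes.update(family_terms(v))
    return {
        "engines": len(rows),
        "detections": len(detections),
        "terms": dict(votes),
        "top_terms": [t for t, _ in votes.most_common(3)],
    }


if __name__ == "__main__":
    s = summarize(parse_results(SAMPLE_RESULTS))
    print(f"{s['detections']}/{s['engines']} engines flagged the file; "
          f"leading terms: {s['top_terms']}")
```

On the posted result this gives 16 of 21 engines detecting, with "agent" and "proxy" as the terms most engines share, which is a more defensible summary than any single vendor name. Below the first two terms the counts drop to one engine each, so only the leading terms mean anything.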
Response Number 6
Name: Saimog
Date: March 7, 2008 at 20:36:03 Pacific
Subject: Red X on Local Disk. Please help.
Reply: (edit )ComboFix 08-03-06.3 - Ramona 2008-03-08 15:10:08.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.177 [GMT 11:00] Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Ramona\Desktop\CFScript.txt * Created a new restore point[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
FILE :: C:\WINDOWS\b153.exe C:\WINDOWS\b154.exe C:\WINDOWS\mrofinu1535.exe C:\WINDOWS\system32\fsqugdwv.dllbox C:\WINDOWS\system32\hdejfhzz.dllbox C:\WINDOWS\system32\sleep32.dll C:\WINDOWS\system32\tkjqvagv.dll .
((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) .
C:\WINDOWS\b153.exe C:\WINDOWS\b154.exe C:\WINDOWS\mrofinu1535.exe C:\WINDOWS\system32\fsqugdwv.dllbox C:\WINDOWS\system32\hdejfhzz.dllbox C:\WINDOWS\system32\sleep32.dll
. ((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 ))))))))))))))))))))))))))))))) .
2008-03-08 13:32 . 2008-03-08 13:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\AVG7 2008-03-08 10:33 . 2008-03-08 12:49 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\AVG7 2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7 2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-03-08 10:33 . 2008-03-08 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7 2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups 2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm 2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm 2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm 2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm 2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db 2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters 2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters 2008-03-04 21:19 . 2008-03-04 21:19 <DIR> d-------- C:\Program Files\nvcoi 2008-03-03 20:30 . 2008-03-03 20:30 29,184 --a------ C:\WINDOWS\system32\drivers\smss.exe 2008-03-03 20:30 . 2008-03-06 14:16 18,368 --a------ C:\WINDOWS\system32\service.sys 2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban 2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner 2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager 2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys 2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys 2008-02-08 21:17 . 
2008-02-08 21:17 <DIR> d-------- C:\Mp3 Output
2008-02-08 21:17 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-08 21:17 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-02-08 20:34 . 2008-02-08 21:28 <DIR> d-------- C:\downloads
2008-02-08 20:34 . 2008-02-08 20:44 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-08 20:33 . 2008-02-08 21:41 <DIR> d-------- C:\Program Files\Free Music Zilla
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 04:12 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 03:23 --------- d-----w C:\Program Files\Winamp
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-10 23:58 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-02-10 23:58 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-02-10 23:58 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2008-02-07 09:21 --------- d-----w C:\Program Files\Veoh Networks
2008-02-07 09:00 --------- d-----w C:\Program Files\DAZ
2008-02-07 09:00 --------- d-----w C:\Program Files\Common Files\DAZ
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-10 04:50 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-01-10 04:50 180,224 ----a-w C:\WINDOWS\system32\dzwrapper.dll
2008-01-10 04:46 8,720,384 ----a-w C:\WINDOWS\system32\dzcore.dll
2008-01-10 04:46 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-01-10 02:00 6,131,712 ----a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-01-10 02:00 1,785,856 ----a-w C:\WINDOWS\system32\daz-qsa.dll
2008-01-10 01:56 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.
((((((((((((((((((((((((((((( snapshot@2008-03-07_16.28.29.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-07 23:33:27 839,936 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-03-07 23:33:30 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-03-07 23:33:30 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-03-07 23:33:30 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-03-07 23:33:30 18,432 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-04 21:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 10:33 411648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 23:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 10:33 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys [2008-03-06 14:16]
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 15:12:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
Completion time: 2008-03-08 15:13:51
ComboFix-quarantined-files.txt 2008-03-08 04:13:36
ComboFix2.txt 2008-03-07 05:28:51
ComboFix3.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---
Response Number 9
Name: jabuck
Date: March 10, 2008 at 19:55:54 Pacific
Subject: Red X on Local Disk. Please help.
Reply: Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys

Folder::
C:\Program Files\nvcoi
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start click "run".
Post a new Combofix log.
Response Number 10
Name: Saimog
Date: March 10, 2008 at 21:28:09 Pacific
Subject: Red X on Local Disk. Please help.
Reply: ComboFix 08-03-06.3 - Ramona 2008-03-11 15:19:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.267 [GMT 11:00]
Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ramona\Desktop\CFScript.txt
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys
.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.
2008-03-11 07:52 . 2008-03-11 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 19:37 . 2008-03-11 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2008-03-09 08:27 . 2008-03-09 08:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-08 19:45 . 2008-03-08 19:45 268 --ah----- C:\sqmdata02.sqm
2008-03-08 19:45 . 2008-03-08 19:45 244 --ah----- C:\sqmnoopt02.sqm
2008-03-08 13:32 . 2008-03-08 13:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\AVG7
2008-03-08 10:33 . 2008-03-10 08:25 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 10:33 . 2008-03-09 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm
2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm
2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm
2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban
2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 04:21 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-09 08:20 --------- d-----w C:\Program Files\Winamp
2008-03-09 06:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-10 23:58 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-02-10 23:58 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-02-10 23:58 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2008-02-08 10:41 --------- d-----w C:\Program Files\Free Music Zilla
2008-02-08 09:44 --------- d-----w C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-07 09:21 --------- d-----w C:\Program Files\Veoh Networks
2008-02-07 09:00 --------- d-----w C:\Program Files\DAZ
2008-02-07 09:00 --------- d-----w C:\Program Files\Common Files\DAZ
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-10 04:50 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-01-10 04:50 180,224 ----a-w C:\WINDOWS\system32\dzwrapper.dll
2008-01-10 04:46 8,720,384 ----a-w C:\WINDOWS\system32\dzcore.dll
2008-01-10 04:46 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-01-10 02:00 6,131,712 ----a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-01-10 02:00 1,785,856 ----a-w C:\WINDOWS\system32\daz-qsa.dll
2008-01-10 01:56 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.
((((((((((((((((((((((((((((( snapshot@2008-03-07_16.28.29.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-07 23:33:27 839,936 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-03-07 23:33:30 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-03-07 23:33:30 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-03-07 23:33:30 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-03-07 23:33:30 18,432 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2008-02-25 06:10:01 298,848 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-09 00:05:46 1,611,896 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-02-12 05:10:12 2,451,312 ------w C:\WINDOWS\system32\ieapfltr.dat
- 2008-03-06 03:14:03 735,140 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-03-10 20:53:25 1,908,988 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-03-21 09:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
+ 2007-03-21 09:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
+ 2007-03-21 09:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 10:33 411648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 23:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 10:33 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]
S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys []
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 15:22:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
Completion time: 2008-03-11 15:23:52
ComboFix-quarantined-files.txt 2008-03-11 04:23:50
ComboFix2.txt 2008-03-08 04:13:52
ComboFix3.txt 2008-03-07 05:28:51
ComboFix4.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---
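A triage pass over the ComboFix log format quoted in the two logs above, written as an added example for this page and not taken from the thread or from ComboFix itself: it flags autostart and service entries whose file stamp is empty ("[ ]", meaning the file is gone or hidden from the scanner) and service ImagePaths that do not point at a .sys/.exe image, which is how nvcoi, service.sys, MSControlService and qwetab stand out. The regexes assume the line shapes shown on this page, and the sample log is constructed from entries in the posts above.

```python
import re

# Line shapes as they appear in the ComboFix logs quoted in this thread
# (assumption: other ComboFix builds may format these lines differently).
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')
SSODL_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]')
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$')
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]*)"')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')

# A service or driver ImagePath should point at a PE image, not at a .inf or a bare directory.
IMAGE_EXTS = {".sys", ".exe"}

# Constructed sample: a handful of entries lifted from the logs above, one per line
# as ComboFix itself writes them (the forum scrape ran them together).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]

S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys []
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
"""


def file_ext(path):
    """Lower-cased extension of the last path component, '' if it has none."""
    leaf = path.rsplit("\\", 1)[-1]
    return ("." + leaf.rsplit(".", 1)[1]).lower() if "." in leaf else ""


def triage(log_text):
    """Walk the log once; return (kind, name, path, reason) tuples worth a second look."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:  # remember the key so a following ImagePath line can be attributed
            key = m.group("key")
            continue
        m = RUN_RE.match(line) or SSODL_RE.match(line)
        if m:
            if not m.group("stamp").strip():
                findings.append(("autostart", m.group("name"), m.group("path"),
                                 "empty file stamp: target is missing or hidden from the scanner"))
            continue
        m = SVC_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if not m.group("stamp").strip():
                findings.append(("service", name, path,
                                 "empty file stamp: binary is missing or hidden from the scanner"))
            if file_ext(path) not in IMAGE_EXTS:
                findings.append(("service", name, path,
                                 "binary has no driver/executable extension"))
            continue
        m = IMAGEPATH_RE.match(line)
        if m and file_ext(m.group("path")) not in IMAGE_EXTS:
            findings.append(("service", key.rsplit("\\", 1)[-1], m.group("path"),
                             "ImagePath is not a driver/executable image"))
    return findings


if __name__ == "__main__":
    for kind, name, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:9} {name:18} {path}\n          -> {reason}")
```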
Response Number 11
Name: jabuck
Date: March 11, 2008 at 03:26:54 Pacific
Subject: Red X on Local Disk. Please help.
Reply: Go to start> control panel> administrative tools> services> scroll down to "service.sys" and double click it. Click the blue drop down arrow to the far right of "startup type"> click disable> apply> ok. Exit administrative tools.
Next go to start> run, type in the following two commands and press ok after each command:
sc delete service.sys (press ok)
sc delete MSControlService (press ok)
Post a new combofix log.
Is the computer operating better?
Response Number 13
Name: jabuck
Date: March 11, 2008 at 18:31:33 Pacific
Subject: Red X on Local Disk. Please help.
Reply: Download SDFix to your desktop from the following link: SDFix.exe.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt.
Response Number 14
Name: Saimog
Date: March 11, 2008 at 22:19:05 Pacific
Subject: Red X on Local Disk. Please help.
Reply: SDFix: Version 1.156
Run by Ramona on Wed 12/03/2008 at 04:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Name: qwetab
Path: \??\C:\WINDOWS\inf\qwetab.inf

qwetab - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files:

Trojan Files Found:

C:\WINDOWS\inf\qwetab.inf - Deleted

Removing Temp Files

ADS Check:

Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 16:13:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Indeo® Software]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,e0,26,00,00,00,00,00,ff,ff,ff,ff,ff,..
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indeo® Software]
"UninstallString"="C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll""
"DisplayName"="Indeo® Software"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle®]
"Order"=hex:08,00,00,00,02,00,00,00,14,01,00,00,01,00,00,00,02,00,00,00,88,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle®\Hoyle Card Games 2005]
"Order"=hex:08,00,00,00,02,00,00,00,6c,04,00,00,01,00,00,00,07,00,00,00,88,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle®\Hoyle Casino 2003]
"Order"=hex:08,00,00,00,02,00,00,00,96,04,00,00,01,00,00,00,08,00,00,00,8c,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle®\Hoyle Friday Night Poker]
"Order"=hex:08,00,00,00,02,00,00,00,d2,03,00,00,01,00,00,00,06,00,00,00,88,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nero\"\169\16*\16@\16\v\16-\16#\16L\16D\16\1\16\24\16L\16]
"Order"=hex:08,00,00,00,02,00,00,00,6c,05,00,00,01,00,00,00,07,00,00,00,c2,..

scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"="C:\\Sierra\\Empire Earth\\Empire Earth.exe:*:Enabled:Empire Earth"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 24 Feb 2008 88 ..SHR --- "C:\WINDOWS\system32\2A6DAF9BEB.sys"
Fri 29 Feb 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 2 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 11 Sep 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Wed 26 Dec 2007 0 A..H. --- "C:\Program Files\Google\Google Desktop Search\BIT26.tmp"
Thu 14 Feb 2008 11,898 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiF.tmp"
Tue 13 Nov 2007 18,163,438 A..H. --- "C:\Documents and Settings\Ramona\My Documents\Shtuff\white_eclipse.zip"
Thu 31 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1.tmp"
Fri 2 Mar 2007 4,348 ...H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv1key.bak"
Tue 11 Sep 2007 401 A..H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 2 Feb 2007 312 ...H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv2key.bak"
Tue 11 Sep 2007 1,536 A..H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!
Response Number 15
Name: jabuck
Date: March 12, 2008 at 19:42:10 Pacific
Subject: Red X on Local Disk. Please help.
Reply: Please go to Virus Total and upload the following file for analysis: C:\WINDOWS\system32\2A6DAF9BEB.sys
Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".
Post the results in your reply.
Response Number 16
Name: Saimog
Date: March 12, 2008 at 21:47:50 Pacific
Subject: Red X on Local Disk. Please help.
Reply: File 2A6DAF9BEB.sys received on 03.13.2008 05:39:24 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Response Number 17
Name: jabuck
Date: March 14, 2008 at 19:22:55 Pacific
Subject: Red X on Local Disk. Please help.
Reply: Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download CCleaner from the following link:
http://filehippo.com/download_ccleaner/
After you download it to your desktop and begin installing it, only allow the "install icon on desktop" to install. Then run it, use only as suggested; it's powerful, use only the prechecked items.
Please run the BitDefender online scan at this link: Bitdefender Online Scanner
You will need to allow an active x install for the scan to run. Leave the scanning options at default and press "click here to scan". When finished scanning, click on "click here to export the scan report". Save it to your desktop; at "file name" type in "bdscan", then click save. Post a log in your reply.
Response Number 18
Name: Saimog
Date: March 15, 2008 at 05:56:47 Pacific
Subject: Red X on Local Disk. Please help.
Reply: BitDefender Online Scanner
Scan report generated at: Sat, Mar 15, 2008 - 23:48:08
Scan path: C:\;D:\;

Statistics
Time 01:27:39
Files 291981
Folders 7248
Boot Sectors 2
Archives 2113
Packed Files 21626

Results
Identified Viruses 10
Infected Files 14
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 14

Engines Info
Virus Definitions 997175
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 16
Archive plugins 41
Unpack plugins 7
E-mail plugins 6
System plugins 5

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File    Status
C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll    Infected with: Trojan.Downloader.Zlob.ABMP
C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll    Disinfection failed
C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll    Deleted
C:\Documents and Settings\Ramona\Desktop\VundoFix.exe    Infected with: DeepScan:Generic.Virtumod.A39D278C
C:\Documents and Settings\Ramona\Desktop\VundoFix.exe    Disinfection failed
C:\Documents and Settings\Ramona\Desktop\VundoFix.exe    Deleted
C:\Documents and Settings\Ramona\My Documents\Shtuff\Install1279.exe    Infected with: Trojan.Renos.N
C:\Documents and Settings\Ramona\My Documents\Shtuff\Install1279.exe    Deleted
C:\QooBox\Quarantine\C\Program Files\Helper\1204536690.dll.vir    Infected with: Trojan.Downloader.Zlob.ABMP
C:\QooBox\Quarantine\C\Program Files\Helper\1204536690.dll.vir    Disinfection failed
C:\QooBox\Quarantine\C\Program Files\Helper\1204536690.dll.vir    Deleted
C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir    Detected with: Adware.JCore.A
C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir    Deleted
C:\QooBox\Quarantine\C\WINDOWS\b154.exe.vir    Infected with: Trojan.Matcash.DLN
C:\QooBox\Quarantine\C\WINDOWS\b154.exe.vir    Deleted
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1535.exe.vir    Infected with: Trojan.Downloader.Matcash.F
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1535.exe.vir    Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\service.exe.vir    Infected with: Trojan.Dropper.LDPinch.Q
C:\QooBox\Quarantine\C\WINDOWS\system32\service.exe.vir    Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\service.exe.vir    Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\service.sys.vir    Infected with: Trojan.Peed.IUO
C:\QooBox\Quarantine\C\WINDOWS\system32\service.sys.vir    Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\service.sys.vir    Deleted
C:\SDFix\backups\catchme.zip=>qwetab.inf    Infected with: Backdoor.Rustock.NCK
C:\SDFix\backups\catchme.zip=>qwetab.inf    Disinfection failed
C:\SDFix\backups\catchme.zip=>qwetab.inf    Deleted
C:\SDFix\backups\catchme.zip    Updated
C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll    Infected with: Trojan.Downloader.Zlob.ABMP
C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll    Disinfection failed
C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll    Deleted
C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006340.exe    Infected with: DeepScan:Generic.Virtumod.A39D278C
C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006340.exe    Disinfection failed
C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006340.exe    Deleted
C:\WINDOWS\system32\ascbalo3N.dll    Detected with: Adware.Balloon.A
C:\WINDOWS\system32\ascbalo3N.dll    Deleted
C:\WINDOWS\system32\ascbalon.dll    Detected with: Adware.Balloon.A
C:\WINDOWS\system32\ascbalon.dll    Deleted