
Red X on Local Disk. Please help.

Original Message
Name: Saimog
Date: March 5, 2008 at 21:06:30 Pacific
Subject: Red X on Local Disk. Please help.
OS: SP2
CPU/Ram: 2.26GHz/504MB
Model/Manufacturer: Mercury
Comment:
My internet keeps stopping and there's a huge Red X on where the Local Disk Icon should be. Could someone please help me fix this?



Response Number 1
Name: jabuck
Date: March 6, 2008 at 17:48:10 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Please run the following scans and post their results.

Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files; click "yes".

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer; click "ok".

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 2
Name: Saimog
Date: March 6, 2008 at 21:15:34 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:06, on 2008-03-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ZPOINT32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ramona\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5566186B-8E4A-4D16-BBC7-F2BA16AB5377} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {a1701f50-c5b5-99ea-2c64-f494d7949838} - {8389497d-494f-46c2-ae99-5b5c05f1071a} - C:\WINDOWS\system32\tkjqvagv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Program Files\Gaia Online Toolbar\Toolbar.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - C:\WINDOWS\system32\mljhfgh.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Program Files\Gaia Online Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acecad.Wtxpload] C:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [ZPOINT32] C:\WINDOWS\system32\ZPOINT32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O6 "USB001" /M "Stylus CX3100"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O20 - Winlogon Notify: mljhfgh - C:\WINDOWS\SYSTEM32\mljhfgh.dll
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\system32\Wintab32.exe

--
End of file - 8979 bytes
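The helper's reading of a log like the one above is a set of heuristics applied line by line: hooks whose file is gone, unnamed BHOs loading from system32, Winlogon Notify and SSODL load points, services by an unknown owner with an extension-less image path, and randomly named DLLs. The Python below, added here and not part of the thread or of HijackThis, implements that triage over constructed sample lines in HijackThis v2.0.2 format modelled on the posted log; the section list and the vowel-ratio test for random names are assumptions, not rules from the tool.

```python
import re

# Constructed sample, in HijackThis v2.0.2 line format, modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5566186B-8E4A-4D16-BBC7-F2BA16AB5377} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: {a1701f50-c5b5-99ea-2c64-f494d7949838} - {8389497d-494f-46c2-ae99-5b5c05f1071a} - C:\WINDOWS\system32\tkjqvagv.dll (file missing)
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - C:\WINDOWS\system32\mljhfgh.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - Winlogon Notify: mljhfgh - C:\WINDOWS\SYSTEM32\mljhfgh.dll
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Drive-letter path, with HijackThis' trailing annotations stripped off.
PATH_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.*?)"
    r"(?:\s*\((?:file missing|no file)\))?"
    r"(?:\s*\(User '[^']*'\))?\s*$"
)
SYSTEM32 = re.compile(r"\\system32\\", re.I)
# Load points legitimate software rarely needs (assumed list, not from the tool).
ALWAYS_REVIEW = {"O20": "Winlogon Notify hook", "O21": "ShellServiceObjectDelayLoad entry"}


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names such as mljhfgh or tkjqvagv:
    all letters, six or more of them, almost no vowels."""
    if not stem.isalpha() or len(stem) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in stem.lower())
    return vowels / len(stem) < 0.15


def extract_path(body: str):
    m = PATH_RE.search(body)
    return m.group("path") if m else None


def triage_line(line: str):
    """Return (section, path, reasons) for a HijackThis entry, or None if the
    line is not an entry. An empty reasons list means nothing stood out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    path = extract_path(body)
    reasons = []
    if "(file missing)" in body:
        reasons.append("load point survives but its file is gone")
    if section in ALWAYS_REVIEW:
        reasons.append(ALWAYS_REVIEW[section])
    if section == "O2" and "(no name)" in body and path and SYSTEM32.search(path):
        reasons.append("unnamed BHO loading from system32")
    if section == "O23" and "Unknown owner" in body and path and "." not in path.rsplit("\\", 1)[-1]:
        reasons.append("service by unknown owner with extension-less image path")
    if path:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append(f"random-looking file name '{stem}'")
    return section, path, reasons


def triage(log_text: str):
    """Entries with at least one reason, in log order."""
    findings = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result and result[2]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"{section:<4} {path}\n      - " + "\n      - ".join(reasons))
```

Entries with no reasons (the Adobe helper, igfxtray, ctfmon, the Lexmark service) drop out, which is the same "most of what it finds will be harmless" filter the helper applies before deciding what to fix.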



Response Number 3
Name: Saimog
Date: March 6, 2008 at 21:38:13 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
ComboFix 08-03-06.3 - Ramona 2008-03-07 16:18:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.197 [GMT 11:00]
Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\WINDOWS\BM2b022afc.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mljhfgh.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\vturr.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm
2008-03-06 13:00 . 2008-03-06 13:00 260,608 --a------ C:\WINDOWS\system32\sleep32.dll
2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm
2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm
2008-03-05 19:58 . 2008-03-05 19:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 19:58 . 2008-03-05 19:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-04 23:20 . 2008-03-05 17:25 23,950 ---hs---- C:\WINDOWS\system32\hdejfhzz.dllbox
2008-03-04 22:10 . 2008-03-04 22:14 20,666 ---hs---- C:\WINDOWS\system32\fsqugdwv.dllbox
2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-04 21:19 . 2008-03-04 21:19 <DIR> d-------- C:\Program Files\nvcoi
2008-03-03 20:30 . 2008-03-03 20:30 29,184 --a------ C:\WINDOWS\system32\drivers\smss.exe
2008-03-03 20:30 . 2008-03-06 14:16 18,368 --a------ C:\WINDOWS\system32\service.sys
2008-03-03 20:29 . 2008-03-03 20:29 262,144 --a------ C:\WINDOWS\system32\clipuser32.dll
2008-03-03 20:29 . 2008-03-06 09:45 37,376 --a------ C:\WINDOWS\mrofinu1535.exe
2008-03-03 03:26 . 2008-03-03 01:26 73,728 --a------ C:\WINDOWS\b153.exe
2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban
2008-02-26 02:00 . 2008-02-26 00:00 81,920 --a------ C:\WINDOWS\b154.exe
2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-08 21:17 . 2008-02-08 21:17 <DIR> d-------- C:\Mp3 Output
2008-02-08 21:17 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-08 21:17 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-02-08 20:34 . 2008-02-08 21:28 <DIR> d-------- C:\downloads
2008-02-08 20:34 . 2008-02-08 20:44 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-08 20:33 . 2008-02-08 21:41 <DIR> d-------- C:\Program Files\Free Music Zilla
2008-02-07 20:21 . 2008-02-07 20:21 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-07 20:01 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-02-07 20:00 . 2008-02-07 20:00 <DIR> d-------- C:\Program Files\DAZ
2008-02-07 20:00 . 2008-02-07 20:00 <DIR> d-------- C:\Program Files\Common Files\DAZ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 05:04 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 03:23 --------- d-----w C:\Program Files\Winamp
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8389497d-494f-46c2-ae99-5b5c05f1071a}]
C:\WINDOWS\system32\tkjqvagv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-04 21:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 23:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinApp"= {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll [2008-03-03 20:29 262144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys [2008-03-06 14:16]
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 16:25:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
.
**************************************************************************
.
Completion time: 2008-03-07 16:28:50 - machine was rebooted [Ramona]
ComboFix-quarantined-files.txt 2008-03-07 05:28:46
ComboFix2.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---



Response Number 4
Name: jabuck
Date: March 7, 2008 at 19:49:49 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Go to Start > Control Panel > Administrative Tools > Services, scroll down to "MSControlService" (it may be named "Microsoft cache control") and double-click it. Click the blue drop-down arrow to the far right of "Startup type", click Disable, then Apply > OK.

Exit administrative tools.

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\hdejfhzz.dllbox
C:\WINDOWS\system32\fsqugdwv.dllbox
C:\WINDOWS\system32\sleep32.dll
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\system32\tkjqvagv.dll

Folder::
C:\WINDOWS\system32\windows

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8389497d-494f-46c2-ae99-5b5c05f1071a}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Go to the following link:

http://virusscan.jotti.org/

Then use the browse button to locate this file:

C:\WINDOWS\system32\service.sys

Once located click submit then post the results.

Post a new Combofix log.
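The File:: list above was picked by eye from the "Files Created" block of the ComboFix report two posts earlier. The Python below, added here and not from the thread or from ComboFix, scores lines in that format with defender heuristics (new executables under the Windows tree, hidden+system attributes, odd extensions such as .dllbox, and a modified time no older than the created time, which separates a freshly written file from an OS file copied with its old timestamp) and renders the candidates in the same File:: syntax for a human to check. The sample lines, weights and threshold are constructed.

```python
import re
from datetime import datetime

# Constructed sample in ComboFix "Files Created" format, modelled on the report above.
SAMPLE_REPORT = r"""
2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-06 13:00 . 2008-03-06 13:00 260,608 --a------ C:\WINDOWS\system32\sleep32.dll
2008-03-05 19:58 . 2008-03-05 19:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-04 23:20 . 2008-03-05 17:25 23,950 ---hs---- C:\WINDOWS\system32\hdejfhzz.dllbox
2008-03-04 22:10 . 2008-03-04 22:14 20,666 ---hs---- C:\WINDOWS\system32\fsqugdwv.dllbox
2008-03-04 21:19 . 2008-03-04 21:19 <DIR> d-------- C:\Program Files\nvcoi
2008-03-03 20:30 . 2008-03-03 20:30 29,184 --a------ C:\WINDOWS\system32\drivers\smss.exe
2008-03-03 20:30 . 2008-03-06 14:16 18,368 --a------ C:\WINDOWS\system32\service.sys
2008-03-03 20:29 . 2008-03-03 20:29 262,144 --a------ C:\WINDOWS\system32\clipuser32.dll
2008-03-03 20:29 . 2008-03-06 09:45 37,376 --a------ C:\WINDOWS\mrofinu1535.exe
2008-03-03 03:26 . 2008-03-03 01:26 73,728 --a------ C:\WINDOWS\b153.exe
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-08 21:17 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
"""

# created . modified size attributes path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{9}) (?P<path>.+)$"
)
WINDIR = r"c:\windows"
EXEC_EXT = {"exe", "dll", "sys"}
# Extensions that legitimately turn up under %WINDIR% in a report like this one (assumed list).
KNOWN_EXT = EXEC_EXT | {"ini", "xml", "dat", "log", "db", "sqm", "qfn", "for", "lnk", "inf", "cat"}
REVIEW_THRESHOLD = 2  # assumed cut-off; tune against known-clean machines


def score_line(line):
    """Score one 'Files Created' line. Returns (score, reasons, path), or None
    for directories and lines that are not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("size") == "<DIR>":
        return None
    created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
    modified = datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M")
    path, attrs = m.group("path"), m.group("attrs")
    folder, _, name = path.rpartition("\\")
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    low = folder.lower()
    in_windir = low == WINDIR or low.startswith(WINDIR + "\\")
    reasons = []
    if in_windir and ext in EXEC_EXT:
        reasons.append((1, "new executable in the Windows tree"))
        if low == WINDIR:
            reasons.append((1, "dropped directly in %WINDIR% rather than a subfolder"))
    if in_windir and ext not in KNOWN_EXT:
        reasons.append((2, f"unusual extension '.{ext}'"))
    if "h" in attrs and "s" in attrs:
        reasons.append((2, "hidden+system attributes"))
    # A copied OS file keeps its old modified time (mouhid.sys: 2001); a file
    # written by a dropper has modified >= created.
    if in_windir and modified >= created:
        reasons.append((1, "written on this machine, not copied with an older timestamp"))
    return sum(w for w, _ in reasons), [r for _, r in reasons], path


def review_candidates(report, threshold=REVIEW_THRESHOLD):
    """Files scoring at or above threshold, highest score first."""
    hits = []
    for line in report.splitlines():
        scored = score_line(line)
        if scored and scored[0] >= threshold:
            hits.append(scored)
    return sorted(hits, key=lambda h: (-h[0], h[2]))


def to_cfscript(paths):
    """Render paths in the File:: syntax used in the reply above; the output is
    a list for a human to check, not something to run unreviewed."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = review_candidates(SAMPLE_REPORT)
    for score, reasons, path in hits:
        print(f"[{score}] {path}: " + "; ".join(reasons))
    print(to_cfscript([h[2] for h in hits]))
```

On the sample, the two hidden .dllbox files score highest, the codec DLL and the copied mouhid.sys fall below the threshold, and service.sys (the file the helper sent to Jotti next) is caught by the executable-plus-timestamp pair alone.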



Response Number 5
Name: Saimog
Date: March 7, 2008 at 20:33:46 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Thanks. I'm not sure which part of the result it is, so I'll put it all in.

File: service.sys
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: a4a777bacfcb1c86d4c2d5b6258de9ef
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 08 Mar 2008 04:20:23 (GMT)
A-Squared
Found Trojan-Proxy.Win32.Agent.yd
AntiVir
Found TR/Proxy.Agent.YD
ArcaVir
Found Trojan.Proxy.Agent.Yd
Avast
Found nothing
AVG Antivirus
Found BackDoor.Generic9.SCL
BitDefender
Found Trojan.Peed.IUO
ClamAV
Found Trojan.Proxy-2466
CPsecure
Found Troj.Proxy.W32.Agent.yd
Dr.Web
Found Trojan.Spambot.2887
F-Prot Antivirus
Found Possibly a new variant of W32/STZ_like!Generic
F-Secure Anti-Virus
Found Trojan-Proxy.Win32.Agent.yd
Fortinet
Found W32/Agent.YD!tr
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan-Proxy.Win32.Agent.yd
NOD32
Found Win32/TrojanProxy.Agent.YD
Norman Virus Control
Found W32/Tibs.BIWJ
Panda Antivirus
Found Rootkit/Downloader.SNO
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan-Proxy.Win32.Agent.yd




Response Number 6
Name: Saimog
Date: March 7, 2008 at 20:36:03 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
ComboFix 08-03-06.3 - Ramona 2008-03-08 15:10:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.177 [GMT 11:00]
Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ramona\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\fsqugdwv.dllbox
C:\WINDOWS\system32\hdejfhzz.dllbox
C:\WINDOWS\system32\sleep32.dll
C:\WINDOWS\system32\tkjqvagv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\fsqugdwv.dllbox
C:\WINDOWS\system32\hdejfhzz.dllbox
C:\WINDOWS\system32\sleep32.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 13:32 . 2008-03-08 13:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 12:49 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 10:33 . 2008-03-08 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm
2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm
2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm
2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-04 21:19 . 2008-03-04 21:19 <DIR> d-------- C:\Program Files\nvcoi
2008-03-03 20:30 . 2008-03-03 20:30 29,184 --a------ C:\WINDOWS\system32\drivers\smss.exe
2008-03-03 20:30 . 2008-03-06 14:16 18,368 --a------ C:\WINDOWS\system32\service.sys
2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban
2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-08 21:17 . 2008-02-08 21:17 <DIR> d-------- C:\Mp3 Output
2008-02-08 21:17 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-08 21:17 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-02-08 20:34 . 2008-02-08 21:28 <DIR> d-------- C:\downloads
2008-02-08 20:34 . 2008-02-08 20:44 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-08 20:33 . 2008-02-08 21:41 <DIR> d-------- C:\Program Files\Free Music Zilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 04:12 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 03:23 --------- d-----w C:\Program Files\Winamp
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-10 23:58 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-02-10 23:58 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-02-10 23:58 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2008-02-07 09:21 --------- d-----w C:\Program Files\Veoh Networks
2008-02-07 09:00 --------- d-----w C:\Program Files\DAZ
2008-02-07 09:00 --------- d-----w C:\Program Files\Common Files\DAZ
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-10 04:50 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-01-10 04:50 180,224 ----a-w C:\WINDOWS\system32\dzwrapper.dll
2008-01-10 04:46 8,720,384 ----a-w C:\WINDOWS\system32\dzcore.dll
2008-01-10 04:46 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-01-10 02:00 6,131,712 ----a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-01-10 02:00 1,785,856 ----a-w C:\WINDOWS\system32\daz-qsa.dll
2008-01-10 01:56 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_16.28.29.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-07 23:33:27 839,936 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-03-07 23:33:30 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-03-07 23:33:30 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-03-07 23:33:30 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-03-07 23:33:30 18,432 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-04 21:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 10:33 411648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 23:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 10:33 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys [2008-03-06 14:16]
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 15:12:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
Completion time: 2008-03-08 15:13:51
ComboFix-quarantined-files.txt 2008-03-08 04:13:36
ComboFix2.txt 2008-03-07 05:28:51
ComboFix3.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---


Response Number 7
Name: Saimog
Date: March 10, 2008 at 15:27:13 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Ah? Where'd he go?

Response Number 8
Name: Saimog
Date: March 10, 2008 at 16:44:30 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Sorry. Having trouble with the internet still.

Response Number 9
Name: jabuck
Date: March 10, 2008 at 19:55:54 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys

Folder::
C:\Program Files\nvcoi

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Post a new Combofix log.


Response Number 10
Name: Saimog
Date: March 10, 2008 at 21:28:09 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
ComboFix 08-03-06.3 - Ramona 2008-03-11 15:19:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.267 [GMT 11:00]
Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ramona\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys

.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-11 07:52 . 2008-03-11 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 19:37 . 2008-03-11 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2008-03-09 08:27 . 2008-03-09 08:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-08 19:45 . 2008-03-08 19:45 268 --ah----- C:\sqmdata02.sqm
2008-03-08 19:45 . 2008-03-08 19:45 244 --ah----- C:\sqmnoopt02.sqm
2008-03-08 13:32 . 2008-03-08 13:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\AVG7
2008-03-08 10:33 . 2008-03-10 08:25 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 10:33 . 2008-03-09 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm
2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm
2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm
2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban
2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 04:21 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-09 08:20 --------- d-----w C:\Program Files\Winamp
2008-03-09 06:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-10 23:58 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-02-10 23:58 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-02-10 23:58 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2008-02-08 10:41 --------- d-----w C:\Program Files\Free Music Zilla
2008-02-08 09:44 --------- d-----w C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-07 09:21 --------- d-----w C:\Program Files\Veoh Networks
2008-02-07 09:00 --------- d-----w C:\Program Files\DAZ
2008-02-07 09:00 --------- d-----w C:\Program Files\Common Files\DAZ
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-10 04:50 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-01-10 04:50 180,224 ----a-w C:\WINDOWS\system32\dzwrapper.dll
2008-01-10 04:46 8,720,384 ----a-w C:\WINDOWS\system32\dzcore.dll
2008-01-10 04:46 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-01-10 02:00 6,131,712 ----a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-01-10 02:00 1,785,856 ----a-w C:\WINDOWS\system32\daz-qsa.dll
2008-01-10 01:56 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_16.28.29.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-07 23:33:27 839,936 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-03-07 23:33:30 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-03-07 23:33:30 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-03-07 23:33:30 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-03-07 23:33:30 18,432 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2008-02-25 06:10:01 298,848 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-09 00:05:46 1,611,896 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-02-12 05:10:12 2,451,312 ------w C:\WINDOWS\system32\ieapfltr.dat
- 2008-03-06 03:14:03 735,140 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-03-10 20:53:25 1,908,988 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-03-21 09:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
+ 2007-03-21 09:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
+ 2007-03-21 09:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 10:33 411648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 23:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 10:33 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]
S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys []
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 15:22:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
Completion time: 2008-03-11 15:23:52
ComboFix-quarantined-files.txt 2008-03-11 04:23:50
ComboFix2.txt 2008-03-08 04:13:52
ComboFix3.txt 2008-03-07 05:28:51
ComboFix4.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---


Response Number 11
Name: jabuck
Date: March 11, 2008 at 03:26:54 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Go to start> control panel> administrative tools> services> scroll down to "service.sys" and double click it. Click the blue drop down arrow to the far right of "startup type"> click disable> apply> ok.

Exit administrative tools.

Next go to start> run, type in the following two commands and press ok after each command:

sc delete service.sys (press ok)
sc delete MSControlService (press ok)

Post a new combofix log.

Is the computer operating better?


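The entries jabuck keeps coming back to in the ComboFix logs above (a service named after its own file, an "image" with no extension, an empty [ ] where ComboFix could not find the file) are the kind of thing a helper spots by eye. As an added example, not code from this thread or from ComboFix, the script below re-reads those Run-key, ShellServiceObjectDelayLoad and service lines and applies that triage as rules; the sample lines are copied from the posted log, and the SYSTEM32_ONLY list is an assumption kept deliberately short.

```python
"""Triage heuristics for ComboFix "Reg Loading Points" lines.

Added example, not code from this thread or from ComboFix: it re-reads the
Run-key, ShellServiceObjectDelayLoad and service lines ComboFix prints and
flags the ones a helper would examine first (missing file, no extension,
.sys outside a drivers folder, a system binary in the wrong directory).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Run-key value:               "name"="C:\path\file.exe" [date time size]
# ShellServiceObjectDelayLoad: "name"= {CLSID} - C:\path\file.dll [ ]
# Service/driver:              S3 name;display name;C:\path\file.sys [date time]
SSODL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"?(?P<path>[^"\[]+?)"?\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')

# Windows XP binaries whose only legitimate location is system32 (assumption:
# a deliberately small list; a real tool would carry a full manifest).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}


@dataclass
class Entry:
    kind: str      # "run", "ssodl" or "service"
    name: str
    path: str
    meta: str      # text inside the trailing [...]; empty when ComboFix found no file
    display: str = ""


def parse_line(line: str) -> Entry | None:
    """Return an Entry for a recognised autostart line, else None."""
    line = line.strip()
    m = SSODL_RE.match(line)          # checked first: RUN_RE would also match it
    if m:
        return Entry("ssodl", m["name"], m["path"], m["meta"])
    m = RUN_RE.match(line)
    if m:
        return Entry("run", m["name"], m["path"], m["meta"])
    m = SVC_RE.match(line)
    if m:
        return Entry("service", m["name"], m["path"], m["meta"], m["display"])
    return None


def path_reasons(path: str) -> list[str]:
    """Heuristics that need only the image path (also usable on a CFScript File:: list)."""
    reasons = []
    p = path.lower()
    folder, _, base = p.rpartition("\\")
    if "." not in base:
        reasons.append("image path has no file extension")
    if base.endswith(".sys") and "\\drivers" not in folder:
        reasons.append("driver file outside a drivers directory")
    if base in SYSTEM32_ONLY and folder != r"c:\windows\system32":
        reasons.append(f"{base} lives in system32, not in {folder}")
    return reasons


def triage(entry: Entry) -> list[str]:
    """All reasons an entry deserves a second look; an empty list means nothing flagged."""
    reasons = path_reasons(entry.path)
    if not entry.meta.strip():
        reasons.append("ComboFix found no file at this path (empty [ ])")
    if entry.kind == "service" and entry.name.lower().endswith((".sys", ".exe", ".dll")):
        reasons.append("service name is a file name rather than a service name")
    if entry.kind == "service" and "microsoft" in entry.display.lower() \
            and not entry.meta.strip():
        reasons.append("Microsoft-sounding display name but the image is missing")
    return reasons


def flagged(log_text: str) -> dict[str, list[str]]:
    """Map each flagged entry name to its reasons, skipping lines that are not autostarts."""
    out = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            out[entry.name] = reasons
    return out


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-04 21:19 57344]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]
S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys [2008-03-06 14:16]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
"""

if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

nvcoi.exe, removed earlier via the CFScript, trips none of these rules: path-only heuristics catch the obvious cases, and the rest still needs a human or a lookup like the VirusTotal check later in the thread.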

Response Number 12
Name: Saimog
Date: March 11, 2008 at 13:46:10 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
I can't find it.
Here's a screencap of the services menu.
http://i47.photobucket.com/albums/f...

Response Number 13
Name: jabuck
Date: March 11, 2008 at 18:31:33 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Download SDFix to your desktop from the following link:

SDFix.exe.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.


Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.


Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.


Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt.


Response Number 14
Name: Saimog
Date: March 11, 2008 at 22:19:05 Pacific
Subject: Red X on Local Disk. Please help.
Reply:

[b]SDFix: Version 1.156 [/b]

Run by Ramona on Wed 12/03/2008 at 04:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

Name:
qwetab

Path:
\??\C:\WINDOWS\inf\qwetab.inf

qwetab - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\inf\qwetab.inf - Deleted

Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 16:13:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Indeo\xe0e Software]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,e0,26,00,00,00,00,00,ff,ff,ff,ff,ff,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indeo\xe0e Software]
"UninstallString"="C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll""
"DisplayName"="Indeo\xae Software"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle\xe0e]
"Order"=hex:08,00,00,00,02,00,00,00,14,01,00,00,01,00,00,00,02,00,00,00,88,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle\xe0e\Hoyle Card Games 2005]
"Order"=hex:08,00,00,00,02,00,00,00,6c,04,00,00,01,00,00,00,07,00,00,00,88,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle\xe0e\Hoyle Casino 2003]
"Order"=hex:08,00,00,00,02,00,00,00,96,04,00,00,01,00,00,00,08,00,00,00,8c,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle\xe0e\Hoyle Friday Night Poker]
"Order"=hex:08,00,00,00,02,00,00,00,d2,03,00,00,01,00,00,00,06,00,00,00,88,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nero\"\169\16*\16@\16\v\16-\16#\16L\16D\16\1\16\24\16L\16]
"Order"=hex:08,00,00,00,02,00,00,00,6c,05,00,00,01,00,00,00,07,00,00,00,c2,..

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows? NetMeeting?"
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"="C:\\Sierra\\Empire Earth\\Empire Earth.exe:*:Enabled:Empire Earth"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Sun 24 Feb 2008 88 ..SHR --- "C:\WINDOWS\system32\2A6DAF9BEB.sys"
Fri 29 Feb 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 2 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 11 Sep 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Wed 26 Dec 2007 0 A..H. --- "C:\Program Files\Google\Google Desktop Search\BIT26.tmp"
Thu 14 Feb 2008 11,898 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiF.tmp"
Tue 13 Nov 2007 18,163,438 A..H. --- "C:\Documents and Settings\Ramona\My Documents\Shtuff\white_eclipse.zip"
Thu 31 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1.tmp"
Fri 2 Mar 2007 4,348 ...H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv1key.bak"
Tue 11 Sep 2007 401 A..H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 2 Feb 2007 312 ...H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv2key.bak"
Tue 11 Sep 2007 1,536 A..H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv2lic.bak"

[b]Finished![/b]


Response Number 15
Name: jabuck
Date: March 12, 2008 at 19:42:10 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Please go to Virus Total and upload the following file for analysis:

C:\WINDOWS\system32\2A6DAF9BEB.sys

Use the browse button at the site to find the file. Once you find the file, double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.


Report Offensive Follow Up For Removal

Response Number 16
Name: Saimog
Date: March 12, 2008 at 21:47:50 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
File 2A6DAF9BEB.sys received on 03.13.2008 05:39:24 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)


Response Number 17
Name: jabuck
Date: March 14, 2008 at 19:22:55 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download CCleaner from the following link:

http://filehippo.com/download_ccleaner/

After you download it to your desktop and begin installing it, only allow the "install icon on desktop" to install. Then run it; use it only as suggested. It's powerful, so use only the prechecked items.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan".
When finished scanning, click on "click here to export the scan report".
Save it to your desktop, at "file name" type in "bdscan", then click save.
Post a log in your reply.



Response Number 18
Name: Saimog
Date: March 15, 2008 at 05:56:47 Pacific
Subject: Red X on Local Disk. Please help.
Reply:
BitDefender Online Scanner

Scan report generated at: Sat, Mar 15, 2008 - 23:48:08
Scan path: C:\;D:\;

Statistics
Time: 01:27:39
Files: 291981
Folders: 7248
Boot Sectors: 2
Archives: 2113
Packed Files: 21626

Results
Identified Viruses: 10
Infected Files: 14
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 14

Engines Info
Virus Definitions: 997175
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 41
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll
Infected with: Trojan.Downloader.Zlob.ABMP

C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll
Disinfection failed

C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll
Deleted

C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Infected with: DeepScan:Generic.Virtumod.A39D278C

C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Disinfection failed

C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Deleted

C:\Documents and Settings\Ramona\My Documents\Shtuff\Install1279.exe
Infected with: Trojan.Renos.N

C:\Documents and Settings\Ramona\My Documents\Shtuff\Install1279.exe
Deleted

C:\QooBox\Quarantine\C\Program Files\Helper\1204536690.dll.vir
Infected with: Trojan.Downloader.Zlob.ABMP

C:\QooBox\Quarantine\C\Program Files\Helper\1204536690.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\Helper\1204536690.dll.vir
Deleted

C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir
Detected with: Adware.JCore.A

C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\b154.exe.vir
Infected with: Trojan.Matcash.DLN

C:\QooBox\Quarantine\C\WINDOWS\b154.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\mrofinu1535.exe.vir
Infected with: Trojan.Downloader.Matcash.F

C:\QooBox\Quarantine\C\WINDOWS\mrofinu1535.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\service.exe.vir
Infected with: Trojan.Dropper.LDPinch.Q

C:\QooBox\Quarantine\C\WINDOWS\system32\service.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\service.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\service.sys.vir
Infected with: Trojan.Peed.IUO

C:\QooBox\Quarantine\C\WINDOWS\system32\service.sys.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\system32\service.sys.vir
Deleted

C:\SDFix\backups\catchme.zip=>qwetab.inf
Infected with: Backdoor.Rustock.NCK

C:\SDFix\backups\catchme.zip=>qwetab.inf
Disinfection failed

C:\SDFix\backups\catchme.zip=>qwetab.inf
Deleted

C:\SDFix\backups\catchme.zip
Updated

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll
Infected with: Trojan.Downloader.Zlob.ABMP

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll
Disinfection failed

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll
Deleted

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006340.exe
Infected with: DeepScan:Generic.Virtumod.A39D278C

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006340.exe
Disinfection failed

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006340.exe
Deleted

C:\WINDOWS\system32\ascbalo3N.dll
Detected with: Adware.Balloon.A

C:\WINDOWS\system32\ascbalo3N.dll
Deleted

C:\WINDOWS\system32\ascbalon.dll
Detected with: Adware.Balloon.A

C:\WINDOWS\system32\ascbalon.dll
Deleted

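The BitDefender report above lists each scanned file once per event (detection, failed disinfection, deletion), so one file appears up to three times. As an added example that is not part of the thread or of BitDefender, this Python script groups those lines per file, separates the detection name from the actions taken, recomputes the counters the report header shows, and lists detections with no "Deleted" action. The excerpt it parses is constructed from entries in the report above with blank lines dropped; the parser ignores blank lines, so the original spacing works too. Keeping detections separate from actions matters here because several entries are quarantine and backup copies left by the earlier cleanup tools (under C:\QooBox\Quarantine and C:\SDFix\backups), and VundoFix.exe itself was deleted; such entries should be reviewed rather than counted as live infections.

```python
import re

# Added example, not BitDefender code: group the "Scanned File / Status" lines
# of a BitDefender Online Scanner report per file. The excerpt is constructed
# from entries in the report posted in this thread, blank lines dropped.
BDSCAN_EXCERPT = r"""
C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll
Infected with: Trojan.Downloader.Zlob.ABMP
C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll
Disinfection failed
C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll
Deleted
C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Infected with: DeepScan:Generic.Virtumod.A39D278C
C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Disinfection failed
C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Deleted
C:\Documents and Settings\Ramona\My Documents\Shtuff\Install1279.exe
Infected with: Trojan.Renos.N
C:\Documents and Settings\Ramona\My Documents\Shtuff\Install1279.exe
Deleted
C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir
Detected with: Adware.JCore.A
C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir
Deleted
C:\SDFix\backups\catchme.zip=>qwetab.inf
Infected with: Backdoor.Rustock.NCK
C:\SDFix\backups\catchme.zip=>qwetab.inf
Disinfection failed
C:\SDFix\backups\catchme.zip=>qwetab.inf
Deleted
C:\SDFix\backups\catchme.zip
Updated
C:\WINDOWS\system32\ascbalon.dll
Detected with: Adware.Balloon.A
C:\WINDOWS\system32\ascbalon.dll
Deleted
"""

# "Infected with:" marks malware and "Detected with:" marks adware in this
# report; any other status line is an action the scanner took on the file.
DETECTION_RE = re.compile(r'^(?:Infected|Detected) with: (?P<name>\S+)$')


def parse_bdscan(text):
    """Map each path to its detection name (or None) and the list of actions."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError('report excerpt has an unpaired path/status line')
    files = {}
    for path, status in zip(lines[::2], lines[1::2]):
        rec = files.setdefault(path, {'detection': None, 'actions': []})
        m = DETECTION_RE.match(status)
        if m:
            rec['detection'] = m.group('name')
        else:
            rec['actions'].append(status)
    return files


def summarize(files):
    """Recompute the counters the report header shows for this set of entries."""
    detections = {p: r['detection'] for p, r in files.items() if r['detection']}
    return {
        'identified_viruses': len(set(detections.values())),
        'infected_files': len(detections),
        'disinfection_failed': sum('Disinfection failed' in r['actions'] for r in files.values()),
        'deleted_files': sum('Deleted' in r['actions'] for r in files.values()),
        # Archives rewritten after a member was removed (catchme.zip above).
        'updated_containers': [p for p, r in files.items() if 'Updated' in r['actions']],
    }


def unresolved(files):
    """Detections with no 'Deleted' action: still on disk after the scan."""
    return [p for p, r in files.items() if r['detection'] and 'Deleted' not in r['actions']]


if __name__ == '__main__':
    report = parse_bdscan(BDSCAN_EXCERPT)
    for key, value in summarize(report).items():
        print(f'{key}: {value}')
    print('unresolved:', unresolved(report))
```

On the full report the same logic reproduces the header's 10 identified viruses and 14 infected and deleted files; on the seven-file excerpt it yields 6 and 6, three failed disinfections, one updated archive, and nothing unresolved.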




All content ©1996-2007 Computing.Net, LLC