
Red X on Local Disk. Please help.


Name: Saimog
Date: March 5, 2008 at 21:06:30 Pacific
OS: SP2
CPU/Ram: 2.26GHz/504MB
Product: Mercury
Comment:

My internet keeps stopping and there's a huge Red X on where the Local Disk Icon should be. Could someone please help me fix this?




Response Number 1
Name: jabuck
Date: March 6, 2008 at 17:48:10 Pacific
Reply:

Please run the following scans and post their results.

Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 2
Name: Saimog
Date: March 6, 2008 at 21:15:34 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:06, on 2008-03-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ZPOINT32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ramona\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5566186B-8E4A-4D16-BBC7-F2BA16AB5377} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {a1701f50-c5b5-99ea-2c64-f494d7949838} - {8389497d-494f-46c2-ae99-5b5c05f1071a} - C:\WINDOWS\system32\tkjqvagv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FCTB00108Pos - {B1BE275B-78BF-4A33-81AB-380699CFF329} - C:\Program Files\Gaia Online Toolbar\Toolbar.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - C:\WINDOWS\system32\mljhfgh.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Program Files\Gaia Online Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acecad.Wtxpload] C:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [ZPOINT32] C:\WINDOWS\system32\ZPOINT32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe /P19 "EPSON Stylus CX3100" /O6 "USB001" /M "Stylus CX3100"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O20 - Winlogon Notify: mljhfgh - C:\WINDOWS\SYSTEM32\mljhfgh.dll
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\system32\Wintab32.exe

--
End of file - 8979 bytes



Response Number 3
Name: Saimog
Date: March 6, 2008 at 21:38:13 Pacific
Reply:

ComboFix 08-03-06.3 - Ramona 2008-03-07 16:18:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.197 [GMT 11:00]
Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\JavaCore
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\WINDOWS\BM2b022afc.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mljhfgh.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\vturr.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm
2008-03-06 13:00 . 2008-03-06 13:00 260,608 --a------ C:\WINDOWS\system32\sleep32.dll
2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm
2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm
2008-03-05 19:58 . 2008-03-05 19:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 19:58 . 2008-03-05 19:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-04 23:20 . 2008-03-05 17:25 23,950 ---hs---- C:\WINDOWS\system32\hdejfhzz.dllbox
2008-03-04 22:10 . 2008-03-04 22:14 20,666 ---hs---- C:\WINDOWS\system32\fsqugdwv.dllbox
2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-04 21:19 . 2008-03-04 21:19 <DIR> d-------- C:\Program Files\nvcoi
2008-03-03 20:30 . 2008-03-03 20:30 29,184 --a------ C:\WINDOWS\system32\drivers\smss.exe
2008-03-03 20:30 . 2008-03-06 14:16 18,368 --a------ C:\WINDOWS\system32\service.sys
2008-03-03 20:29 . 2008-03-03 20:29 262,144 --a------ C:\WINDOWS\system32\clipuser32.dll
2008-03-03 20:29 . 2008-03-06 09:45 37,376 --a------ C:\WINDOWS\mrofinu1535.exe
2008-03-03 03:26 . 2008-03-03 01:26 73,728 --a------ C:\WINDOWS\b153.exe
2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban
2008-02-26 02:00 . 2008-02-26 00:00 81,920 --a------ C:\WINDOWS\b154.exe
2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-08 21:17 . 2008-02-08 21:17 <DIR> d-------- C:\Mp3 Output
2008-02-08 21:17 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-08 21:17 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-02-08 20:34 . 2008-02-08 21:28 <DIR> d-------- C:\downloads
2008-02-08 20:34 . 2008-02-08 20:44 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-08 20:33 . 2008-02-08 21:41 <DIR> d-------- C:\Program Files\Free Music Zilla
2008-02-07 20:21 . 2008-02-07 20:21 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-07 20:01 . 2004-03-29 15:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-02-07 20:00 . 2008-02-07 20:00 <DIR> d-------- C:\Program Files\DAZ
2008-02-07 20:00 . 2008-02-07 20:00 <DIR> d-------- C:\Program Files\Common Files\DAZ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 05:04 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 03:23 --------- d-----w C:\Program Files\Winamp
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8389497d-494f-46c2-ae99-5b5c05f1071a}]
C:\WINDOWS\system32\tkjqvagv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-04 21:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2006-02-28 23:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WinApp"= {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll [2008-03-03 20:29 262144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys [2008-03-06 14:16]
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 16:25:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
.
**************************************************************************
.
Completion time: 2008-03-07 16:28:50 - machine was rebooted [Ramona]
ComboFix-quarantined-files.txt 2008-03-07 05:28:46
ComboFix2.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---



Response Number 4
Name: jabuck
Date: March 7, 2008 at 19:49:49 Pacific
Reply:

Go to Start > Control Panel > Administrative Tools > Services, scroll down to "MSControlService" (it may be named "Microsoft cache control") and double click it. Click the blue drop down arrow to the far right of "Startup type" > click Disable > Apply > OK.

Exit administrative tools.

Open Notepad and copy/paste everything between the X's into it, and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\hdejfhzz.dllbox
C:\WINDOWS\system32\fsqugdwv.dllbox
C:\WINDOWS\system32\sleep32.dll
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\system32\tkjqvagv.dll

Folder::
C:\WINDOWS\system32\windows

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8389497d-494f-46c2-ae99-5b5c05f1071a}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".

Go to the following link:

http://virusscan.jotti.org/

Then use the browse button to locate this file:

C:\WINDOWS\system32\service.sys

Once located click submit then post the results.

Post a new Combofix log.


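The File::/Registry:: list in the reply above was built by reading the HijackThis and ComboFix logs posted earlier for a few recurring patterns: unnamed or random-named DLLs loaded from system32, a service of unknown owner whose image file is missing, a "driver" dropped straight into system32, and a core OS binary name showing up outside system32. As an added example (not code from the thread, HijackThis or ComboFix), the script below applies those checks mechanically to lines copied from the two logs; every heuristic, threshold and list in it is my own assumption, not a rule of either tool.

```python
# Triage of HijackThis and ComboFix log lines. Added example for this thread, not code
# from HijackThis, ComboFix or the posters. Every heuristic is an assumption chosen to
# mirror the reasoning behind the File::/Registry:: list in the reply above.
import re

# Constructed sample: lines copied from the HijackThis log and from the
# "Files Created" section of the first ComboFix log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5566186B-8E4A-4D16-BBC7-F2BA16AB5377} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {a1701f50-c5b5-99ea-2c64-f494d7949838} - {8389497d-494f-46c2-ae99-5b5c05f1071a} - C:\WINDOWS\system32\tkjqvagv.dll (file missing)
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - C:\WINDOWS\system32\mljhfgh.dll
O20 - Winlogon Notify: mljhfgh - C:\WINDOWS\SYSTEM32\mljhfgh.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""
SAMPLE_COMBOFIX = r"""
2008-03-06 13:00 . 2008-03-06 13:00 260,608 --a------ C:\WINDOWS\system32\sleep32.dll
2008-03-04 23:20 . 2008-03-05 17:25 23,950 ---hs---- C:\WINDOWS\system32\hdejfhzz.dllbox
2008-03-03 20:30 . 2008-03-03 20:30 29,184 --a------ C:\WINDOWS\system32\drivers\smss.exe
2008-03-03 20:30 . 2008-03-06 14:16 18,368 --a------ C:\WINDOWS\system32\service.sys
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-08 21:17 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
"""

SYSTEM32 = r"c:\windows\system32"
# Core OS binaries that live only in system32 (assumption: a copy elsewhere is a masquerade).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# "O2 - BHO: <name> - {CLSID} - <path>", "O23 - Service: <name> - <owner> - <path>", ...
HJT_ENTRY = re.compile(r"^(O\d+) - [^:]+: (.*?) - (.*)$")
# "<created> . <modified> <size or <DIR>> <attributes> <path>"
CF_FILE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:<DIR>|[\d,]+) (\S+) (.+)$")

def split_path(path):
    """Return (directory, basename, stem, extension), all lower-cased."""
    path = path.lower()
    directory, _, base = path.rpartition("\\")
    stem, dot, ext = base.rpartition(".")
    return directory, base, (stem if dot else base), (dot + ext if dot else "")

def looks_random(stem):
    """Assumed heuristic: a letters-only name with few vowels or a long consonant
    run ('mljhfgh', 'vturr', 'tkjqvagv'), but not 'ssv' or 'mouhid'."""
    if len(stem) < 5 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", stem))
    return vowels / len(stem) < 0.25 or longest_run >= 5

def triage_hijackthis(lines):
    """Flag O2/O3/O20/O21 hooks loaded from system32 without a real name, and
    O23 services of unknown owner whose image is missing or has no extension."""
    findings = []
    for line in lines:
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        path = rest.rsplit(" - ", 1)[-1].lstrip("- ").strip()
        missing = path.endswith("(file missing)")
        path = path.replace("(file missing)", "").strip()
        if path == "(no file)":
            continue
        directory, _base, stem, ext = split_path(path)
        if kind in ("O2", "O3", "O20", "O21") and directory == SYSTEM32:
            if name == "(no name)" or name.startswith("{") or looks_random(stem):
                findings.append((path, f"{kind}: unnamed or random-named hook loaded from system32"))
        elif kind == "O23" and "Unknown owner" in rest and (missing or not ext):
            findings.append((path, "O23: unknown-owner service with missing or extension-less image"))
    return findings

def triage_combofix(lines):
    """Flag core-OS names outside system32, drivers dropped straight into
    system32, and hidden+system or random-named files in system32."""
    findings = []
    for line in lines:
        m = CF_FILE.match(line.strip())
        if not m:
            continue
        attrs, path = m.groups()
        directory, base, stem, ext = split_path(path)
        if base in CORE_PROCESSES and directory != SYSTEM32:
            findings.append((path, "core OS binary name outside system32"))
        if ext == ".sys" and directory == SYSTEM32:
            findings.append((path, "driver image directly in system32 rather than system32\\drivers"))
        if directory == SYSTEM32 and (("h" in attrs and "s" in attrs) or looks_random(stem)):
            findings.append((path, "hidden+system or random-named file dropped in system32"))
    return findings

def triage(hjt_text=SAMPLE_HJT, cf_text=SAMPLE_COMBOFIX):
    """Run both passes over log text and return (path, reason) findings."""
    return triage_hijackthis(hjt_text.strip().splitlines()) + triage_combofix(cf_text.strip().splitlines())

def flagged_paths(findings):
    return sorted({path.lower() for path, _ in findings})

if __name__ == "__main__":
    for path, reason in triage():
        print(f"{path}\n    {reason}")
```

On the sample lines the script flags exactly the system32 files named in the CFScript above plus the MSControlService image, while leaving LEXBCES.exe, mouhid.sys, ssv.dll and the codec DLLs alone; timing-based picks such as sleep32.dll and mrofinu1535.exe still need a human reading the creation dates.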

Response Number 5
Name: Saimog
Date: March 7, 2008 at 20:33:46 Pacific
Reply:

Thanks. I'm not sure which part of the result it is, so I'll put it all in.

File: service.sys
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: a4a777bacfcb1c86d4c2d5b6258de9ef
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 08 Mar 2008 04:20:23 (GMT)
A-Squared
Found Trojan-Proxy.Win32.Agent.yd
AntiVir
Found TR/Proxy.Agent.YD
ArcaVir
Found Trojan.Proxy.Agent.Yd
Avast
Found nothing
AVG Antivirus
Found BackDoor.Generic9.SCL
BitDefender
Found Trojan.Peed.IUO
ClamAV
Found Trojan.Proxy-2466
CPsecure
Found Troj.Proxy.W32.Agent.yd
Dr.Web
Found Trojan.Spambot.2887
F-Prot Antivirus
Found Possibly a new variant of W32/STZ_like!Generic
F-Secure Anti-Virus
Found Trojan-Proxy.Win32.Agent.yd
Fortinet
Found W32/Agent.YD!tr
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan-Proxy.Win32.Agent.yd
NOD32
Found Win32/TrojanProxy.Agent.YD
Norman Virus Control
Found W32/Tibs.BIWJ
Panda Antivirus
Found Rootkit/Downloader.SNO
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan-Proxy.Win32.Agent.yd





Response Number 6
Name: Saimog
Date: March 7, 2008 at 20:36:03 Pacific
Reply:

ComboFix 08-03-06.3 - Ramona 2008-03-08 15:10:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.177 [GMT 11:00]
Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ramona\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\fsqugdwv.dllbox
C:\WINDOWS\system32\hdejfhzz.dllbox
C:\WINDOWS\system32\sleep32.dll
C:\WINDOWS\system32\tkjqvagv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\fsqugdwv.dllbox
C:\WINDOWS\system32\hdejfhzz.dllbox
C:\WINDOWS\system32\sleep32.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-08 13:32 . 2008-03-08 13:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 12:49 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-08 10:33 . 2008-03-08 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm
2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm
2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm
2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-04 21:19 . 2008-03-04 21:19 <DIR> d-------- C:\Program Files\nvcoi
2008-03-03 20:30 . 2008-03-03 20:30 29,184 --a------ C:\WINDOWS\system32\drivers\smss.exe
2008-03-03 20:30 . 2008-03-06 14:16 18,368 --a------ C:\WINDOWS\system32\service.sys
2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban
2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-09 12:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-08 21:17 . 2008-02-08 21:17 <DIR> d-------- C:\Mp3 Output
2008-02-08 21:17 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-08 21:17 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-02-08 20:34 . 2008-02-08 21:28 <DIR> d-------- C:\downloads
2008-02-08 20:34 . 2008-02-08 20:44 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-08 20:33 . 2008-02-08 21:41 <DIR> d-------- C:\Program Files\Free Music Zilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 04:12 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 09:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-02 03:23 --------- d-----w C:\Program Files\Winamp
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-10 23:58 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-02-10 23:58 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-02-10 23:58 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2008-02-07 09:21 --------- d-----w C:\Program Files\Veoh Networks
2008-02-07 09:00 --------- d-----w C:\Program Files\DAZ
2008-02-07 09:00 --------- d-----w C:\Program Files\Common Files\DAZ
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-10 04:50 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-01-10 04:50 180,224 ----a-w C:\WINDOWS\system32\dzwrapper.dll
2008-01-10 04:46 8,720,384 ----a-w C:\WINDOWS\system32\dzcore.dll
2008-01-10 04:46 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-01-10 02:00 6,131,712 ----a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-01-10 02:00 1,785,856 ----a-w C:\WINDOWS\system32\daz-qsa.dll
2008-01-10 01:56 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_16.28.29.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-07 23:33:27 839,936 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-03-07 23:33:30 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-03-07 23:33:30 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-03-07 23:33:30 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-03-07 23:33:30 18,432 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-04 21:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 10:33 411648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2006-02-28 23:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 10:33 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys [2008-03-06 14:16]
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 15:12:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
Completion time: 2008-03-08 15:13:51
ComboFix-quarantined-files.txt 2008-03-08 04:13:36
ComboFix2.txt 2008-03-07 05:28:51
ComboFix3.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---


0

Response Number 7
Name: Saimog
Date: March 10, 2008 at 15:27:13 Pacific
Reply:

Ah? Where'd he go?


0

Response Number 8
Name: Saimog
Date: March 10, 2008 at 16:44:30 Pacific
Reply:

Sorry. Having trouble with the internet still.


0

Response Number 9
Name: jabuck
Date: March 10, 2008 at 19:55:54 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it, and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys

Folder::
C:\Program Files\nvcoi

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Post a new Combofix log.


0

Response Number 10
Name: Saimog
Date: March 10, 2008 at 21:28:09 Pacific
Reply:

ComboFix 08-03-06.3 - Ramona 2008-03-11 15:19:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.874.66.1033.18.267 [GMT 11:00]
Running from: C:\Documents and Settings\Ramona\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ramona\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\service.sys

.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-11 07:52 . 2008-03-11 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 19:37 . 2008-03-11 07:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2008-03-09 08:27 . 2008-03-09 08:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-08 19:45 . 2008-03-08 19:45 268 --ah----- C:\sqmdata02.sqm
2008-03-08 19:45 . 2008-03-08 19:45 244 --ah----- C:\sqmnoopt02.sqm
2008-03-08 13:32 . 2008-03-08 13:33 <DIR> d-------- C:\Documents and Settings\Family\Application Data\AVG7
2008-03-08 10:33 . 2008-03-10 08:25 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\AVG7
2008-03-08 10:33 . 2008-03-08 10:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 10:33 . 2008-03-09 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-07 15:55 . 2008-03-07 16:01 <DIR> d-------- C:\VundoFix Backups
2008-03-07 12:55 . 2008-03-07 12:55 268 --ah----- C:\sqmdata01.sqm
2008-03-07 12:55 . 2008-03-07 12:55 244 --ah----- C:\sqmnoopt01.sqm
2008-03-06 12:59 . 2008-03-06 12:59 268 --ah----- C:\sqmdata00.sqm
2008-03-06 12:59 . 2008-03-06 12:59 244 --ah----- C:\sqmnoopt00.sqm
2008-03-05 16:06 . 2008-03-05 16:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-04 22:06 . 2008-03-04 22:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-03-04 21:57 . 2008-03-04 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-02 14:16 . 2008-03-02 14:16 <DIR> d-------- C:\Program Files\Orban
2008-02-24 18:39 . 2008-02-24 18:39 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-02-24 11:36 . 2008-02-24 11:36 <DIR> d-------- C:\Documents and Settings\Ramona\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 04:21 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Free Download Manager
2008-03-09 08:20 --------- d-----w C:\Program Files\Winamp
2008-03-09 06:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-04 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-24 00:57 --------- d-----w C:\Documents and Settings\Ramona\Application Data\LimeWire
2008-02-23 04:33 --------- d-----w C:\Program Files\Google
2008-02-16 04:28 --------- d-----w C:\Documents and Settings\Ramona\Application Data\AdobeUM
2008-02-10 23:58 21,840 -c--atw C:\WINDOWS\system32\SIntfNT.dll
2008-02-10 23:58 17,212 -c--atw C:\WINDOWS\system32\SIntf32.dll
2008-02-10 23:58 12,067 -c--atw C:\WINDOWS\system32\SIntf16.dll
2008-02-08 10:41 --------- d-----w C:\Program Files\Free Music Zilla
2008-02-08 09:44 --------- d-----w C:\Documents and Settings\Ramona\Application Data\FMZilla
2008-02-07 09:21 --------- d-----w C:\Program Files\Veoh Networks
2008-02-07 09:00 --------- d-----w C:\Program Files\DAZ
2008-02-07 09:00 --------- d-----w C:\Program Files\Common Files\DAZ
2008-02-06 20:58 --------- d-----w C:\Program Files\Crazy Tetris
2008-02-02 08:32 --------- d-----w C:\Documents and Settings\Ramona\Application Data\Secret of the Solstice
2008-02-02 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2008-02-02 06:31 --------- d-----w C:\Program Files\Outspark
2008-02-01 21:51 --------- d-----w C:\Program Files\Windows Live
2008-02-01 21:45 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-01 21:22 --------- d-----w C:\Program Files\EndlessOnline
2008-02-01 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-01 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-27 20:58 --------- d-----w C:\Program Files\Gaia Online Toolbar
2008-01-27 00:03 --------- d-----w C:\Program Files\Corel
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-01-23 22:47 --------- d-----w C:\Program Files\DIFX
2008-01-23 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-10 04:50 32,256 ----a-w C:\WINDOWS\system32\dzbryce6.dll
2008-01-10 04:50 180,224 ----a-w C:\WINDOWS\system32\dzwrapper.dll
2008-01-10 04:46 8,720,384 ----a-w C:\WINDOWS\system32\dzcore.dll
2008-01-10 04:46 65,536 ----a-w C:\WINDOWS\system32\dzcarrara.dll
2008-01-10 02:00 6,131,712 ----a-w C:\WINDOWS\system32\daz-qt-mt.dll
2008-01-10 02:00 1,785,856 ----a-w C:\WINDOWS\system32\daz-qsa.dll
2008-01-10 01:56 2,076,672 ----a-w C:\WINDOWS\system32\dz3delight.dll
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-07_16.28.29.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-07 23:33:27 839,936 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-03-07 23:33:30 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-03-07 23:33:30 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-03-07 23:33:30 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-03-07 23:33:30 18,432 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2008-02-25 06:10:01 298,848 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-09 00:05:46 1,611,896 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-02-12 05:10:12 2,451,312 ------w C:\WINDOWS\system32\ieapfltr.dat
- 2008-03-06 03:14:03 735,140 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-03-10 20:53:25 1,908,988 -c--a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-03-21 09:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
+ 2007-03-21 09:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.exe
+ 2007-03-21 09:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE275B-78BF-4A33-81AB-380699CFF329}]
2007-12-21 08:09 1404928 --a------ C:\Program Files\Gaia Online Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= "C:\Program Files\Gaia Online Toolbar\Toolbar.dll" [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{B3535C18-0E70-4D4B-B36B-BBFE139BB144}"= C:\Program Files\Gaia Online Toolbar\Toolbar.dll [2007-12-21 08:09 1404928]

[HKEY_CLASSES_ROOT\clsid\{b3535c18-0e70-4d4b-b36b-bbfe139bb144}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB00108.FCTB00108]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [2006-08-21 01:24 2068527]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-23 15:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-23 15:44 126976]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-09-03 17:46 139264]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 23:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 23:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 23:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:20 155648]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:00 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:00 81920]
"Acecad.Wtxpload"="C:\WINDOWS\Acecad\Wtxpload.exe" [2002-03-22 02:37 45056]
"ZPOINT32"="C:\WINDOWS\system32\ZPOINT32.exe" [2002-07-04 14:19 20480]
"EPSON Stylus CX3100"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 14:05 74752]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 00:21 868352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 10:33 411648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.exe" [2006-02-28 23:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 10:33 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-02-28 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-21 15:10:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R3 Wtcls2k;Wtcls2k;C:\WINDOWS\system32\DRIVERS\Wtcls2k.sys [2002-03-22 02:37]
S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys []
S3 SunkFilt6;Alcor Micro Corp - 6360;C:\WINDOWS\System32\Drivers\sunkfilt6.sys []
S3 SunkFilt62;Alcor Micro Corp - 6362;C:\WINDOWS\System32\Drivers\sunkfilt62.sys [2004-07-23 15:25]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 15:22:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
Completion time: 2008-03-11 15:23:52
ComboFix-quarantined-files.txt 2008-03-11 04:23:50
ComboFix2.txt 2008-03-08 04:13:52
ComboFix3.txt 2008-03-07 05:28:51
ComboFix4.txt 2008-03-05 06:35:16
.
2008-01-31 05:50:42 --- E O F ---


0

Response Number 11
Name: jabuck
Date: March 11, 2008 at 03:26:54 Pacific
Reply:

Go to start> control panel> administrative tools> services> scroll down to "service.sys" and double click it. Click the blue drop-down arrow to the far right of "startup type"> click disable> apply> ok.

Exit administrative tools.

Next go to start> run, type in the following two commands and press ok after each command:

sc delete service.sys
(press ok)
sc delete MSControlService
(press ok)

Post a new combofix log.

Is the computer operating better?


0
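The triage jabuck does by eye in Responses 9 and 11 (pick out the autostart entries whose file is brand new or no longer on disk, list them in a CFScript, then remove the leftover service registrations with sc) can be scripted against the ComboFix log itself. The block below is an added example, not code from the thread or from ComboFix. It parses a constructed sample made of lines copied from the ComboFix log posted earlier (Run values, the ShellServiceObjectDelayLoad entry and the services block), flags entries by three heuristics that are this example's own (ComboFix printed "[ ]", meaning it found no file behind the entry; the file was written within seven days of the scan; or the image path has no extension, as with the "Microsoft cache control" service pointing at C:\WINDOWS\system32\windows), and emits a draft CFScript.txt in the File::/Folder:: layout of Response 9 plus the sc commands of Response 11. SCAN_DATE is taken from the "Rootkit scan 2008-03-08" line of that log; the RECENT_DAYS window and the function names are assumptions of the example.

```python
"""Triage ComboFix autostart entries and draft the CFScript / sc follow-up."""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r'''
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-04 21:19 57344]
"SoundMan"="SOUNDMAN.EXE" [2006-03-04 06:22 577536 C:\WINDOWS\soundman.exe]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]
S3 service.sys;service.sys;C:\WINDOWS\system32\service.sys [2008-03-06 14:16]
S3 W2acehid;Acecad HID;C:\WINDOWS\system32\DRIVERS\W2acehid.sys [2002-03-22 02:37]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
'''

SCAN_DATE = datetime(2008, 3, 8)   # "Rootkit scan 2008-03-08" in the same log
RECENT_DAYS = 7                    # assumption: autostart binaries this new deserve a look

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
SVC_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
                    r'(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+')            # last drive-letter path on the line
STAMP_RE = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}')  # file timestamp ComboFix prints in [...]


@dataclass
class Entry:
    kind: str                    # "run" (registry Run/SSODL value) or "service"
    name: str
    path: str
    stamp: Optional[datetime]    # None when ComboFix printed "[ ]": no file on disk
    running: bool = False        # ComboFix prefixes running services with R, stopped with S


def parse_entries(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            kind, name, running = "run", m["name"], False
        elif m := SVC_RE.match(line):
            kind, name, running = "service", m["name"].strip(), m["state"].startswith("R")
        else:
            continue
        paths = PATH_RE.findall(line)
        if not paths:
            continue
        stamp = STAMP_RE.search(m["meta"])
        when = datetime.strptime(stamp.group(), "%Y-%m-%d %H:%M") if stamp else None
        entries.append(Entry(kind, name, paths[-1].strip(), when, running))
    return entries


def reasons(e: Entry) -> List[str]:
    """Why an entry deserves a second look; empty list means it looks routine."""
    why = []
    if e.stamp is None:
        why.append("no file on disk behind the autostart (orphaned or hidden)")
    elif SCAN_DATE - e.stamp <= timedelta(days=RECENT_DAYS):
        why.append(f"file written {e.stamp:%Y-%m-%d}, within {RECENT_DAYS} days of the scan")
    if not ntpath.splitext(e.path)[1]:
        why.append("image path has no file extension")
    return why


def triage(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if reasons(e)]


def draft_cfscript(flagged: List[Entry]) -> str:
    """File:: lists files ComboFix actually saw; Folder:: adds their private Program Files dirs."""
    files = [e.path for e in flagged if e.stamp is not None]
    folders = []
    for p in files:
        d = ntpath.dirname(p)
        if ntpath.basename(ntpath.dirname(d)).lower() == "program files" and d not in folders:
            folders.append(d)
    out = ["File::", *files]
    if folders:
        out += ["", "Folder::", *folders]
    return "\n".join(out) + "\n"


def sc_commands(flagged: List[Entry]) -> List[str]:
    """sc stop (only if running) then sc delete for every flagged service registration."""
    cmds = []
    for e in flagged:
        if e.kind != "service":
            continue
        name = f'"{e.name}"' if " " in e.name else e.name
        if e.running:
            cmds.append(f"sc stop {name}")
        cmds.append(f"sc delete {name}")
    return cmds


if __name__ == "__main__":
    flagged = triage(parse_entries(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.kind:8} {e.name:18} {e.path}  <- " + "; ".join(reasons(e)))
    print("\n--- CFScript.txt ---\n" + draft_cfscript(flagged))
    print("\n".join(sc_commands(flagged)))
```

The output is a draft to be read, not fed to ComboFix blind: a program installed the day before the scan is "recent" too, so every flagged path still has to be checked by hand. Note also what the log after the CFScript shows: deleting nvcoi.exe and service.sys left the Run value and the service key behind, now printed with "[ ]", which is why the services had to be removed separately with sc; the draft therefore lists only files ComboFix actually saw, and never the orphaned sleep32.dll entry.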

Response Number 12
Name: Saimog
Date: March 11, 2008 at 13:46:10 Pacific
Reply:

I can't find it.
Here's a screencap of the services menu.
http://i47.photobucket.com/albums/f...


0

Response Number 13
Name: jabuck
Date: March 11, 2008 at 18:31:33 Pacific
Reply:

Download SDFix to your desktop from the following link:

SDFix.exe.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.


Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.


Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.


Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt.


0

Response Number 14
Name: Saimog
Date: March 11, 2008 at 22:19:05 Pacific
Reply:


SDFix: Version 1.156

Run by Ramona on Wed 12/03/2008 at 04:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Name:
qwetab

Path:
\??\C:\WINDOWS\inf\qwetab.inf

qwetab - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files:

Trojan Files Found:

C:\WINDOWS\inf\qwetab.inf - Deleted

Removing Temp Files

ADS Check:


Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 16:13:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Indeo\xe0e Software]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,e0,26,00,00,00,00,00,ff,ff,ff,ff,ff,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indeo\xe0e Software]
"UninstallString"="C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll""
"DisplayName"="Indeo\xae Software"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle\xe0e]
"Order"=hex:08,00,00,00,02,00,00,00,14,01,00,00,01,00,00,00,02,00,00,00,88,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle\xe0e\Hoyle Card Games 2005]
"Order"=hex:08,00,00,00,02,00,00,00,6c,04,00,00,01,00,00,00,07,00,00,00,88,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle\xe0e\Hoyle Casino 2003]
"Order"=hex:08,00,00,00,02,00,00,00,96,04,00,00,01,00,00,00,08,00,00,00,8c,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hoyle\xe0e\Hoyle Friday Night Poker]
"Order"=hex:08,00,00,00,02,00,00,00,d2,03,00,00,01,00,00,00,06,00,00,00,88,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nero\"\169\16*\16@\16\v\16-\16#\16L\16D\16\1\16\24\16L\16]
"Order"=hex:08,00,00,00,02,00,00,00,6c,05,00,00,01,00,00,00,07,00,00,00,c2,..

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\LEXPPS.exe"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"="C:\\Sierra\\Empire Earth\\Empire Earth.exe:*:Enabled:Empire Earth"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 24 Feb 2008 88 ..SHR --- "C:\WINDOWS\system32\2A6DAF9BEB.sys"
Fri 29 Feb 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 2 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 11 Sep 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Wed 26 Dec 2007 0 A..H. --- "C:\Program Files\Google\Google Desktop Search\BIT26.tmp"
Thu 14 Feb 2008 11,898 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiF.tmp"
Tue 13 Nov 2007 18,163,438 A..H. --- "C:\Documents and Settings\Ramona\My Documents\Shtuff\white_eclipse.zip"
Thu 31 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1.tmp"
Fri 2 Mar 2007 4,348 ...H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv1key.bak"
Tue 11 Sep 2007 401 A..H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 2 Feb 2007 312 ...H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv2key.bak"
Tue 11 Sep 2007 1,536 A..H. --- "C:\Documents and Settings\Ramona\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!


0

Response Number 15
Name: jabuck
Date: March 12, 2008 at 19:42:10 Pacific
Reply:

Please go to Virus Total and upload the following file for analysis:

C:\WINDOWS\system32\2A6DAF9BEB.sys

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.


0
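Response 15 has the file pushed through VirusTotal's browser upload form. A practitioner today would hash the file first and query VirusTotal by hash, uploading only when the hash is unknown, since an upload hands a copy of the file to every VirusTotal subscriber and a suspect file may contain local data. The block below is an added example, not from the thread: it uses the current v3 REST API (GET /api/v3/files/{hash} with the key in an x-apikey header, a 404 meaning the hash has never been seen), which did not exist in 2008, and reads the key from an assumed VT_API_KEY environment variable. The HTTP fetch is a swappable parameter so the lookup and report-summary logic can be exercised offline; without a key or a path argument the script only hashes a constructed stand-in and does not go online.

```python
"""Hash a suspect file and check VirusTotal by hash before uploading anything."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"   # v3 API, key in the x-apikey header
ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory blob with every algorithm in ALGOS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Stream a file through the digests so large samples need not fit in memory."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def http_fetch(url: str, headers: dict) -> Optional[bytes]:
    """GET url; None on 404 (hash unknown to VirusTotal), raise on any other error."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def lookup(sha256: str, api_key: str,
           fetch: Callable[[str, dict], Optional[bytes]] = http_fetch) -> Optional[dict]:
    """Return the parsed /files/{hash} report, or None when VirusTotal has never seen the hash."""
    body = fetch(VT_FILES_URL.format(sha256),
                 {"x-apikey": api_key, "accept": "application/json"})
    return None if body is None else json.loads(body)


def summarize_report(report: dict) -> str:
    """Condense a v3 report to 'malicious/engines (names)', like the 0/32 line in Response 16."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    hits = sorted(name for name, res in attrs.get("last_analysis_results", {}).items()
                  if res.get("category") == "malicious")
    return f"{stats.get('malicious', 0)}/{sum(stats.values())} ({', '.join(hits) or 'no detections'})"


if __name__ == "__main__":
    # With a path argument hash that file; otherwise hash a constructed stand-in so this runs offline.
    hashes = hash_file(sys.argv[1]) if len(sys.argv) > 1 else hash_bytes(b"constructed stand-in for 2A6DAF9BEB.sys")
    for name, value in hashes.items():
        print(f"{name:7} {value}")
    key = os.environ.get("VT_API_KEY")          # assumption: key supplied via the environment
    if not key:
        print("VT_API_KEY not set; not querying VirusTotal")
    elif (report := lookup(hashes["sha256"], key)) is None:
        print("hash unknown to VirusTotal; decide now whether uploading the file is acceptable")
    else:
        print(summarize_report(report))
```

A 0/N result, as in Response 16, means no engine flagged the file; it does not prove the file is clean, only that nothing on the vendors' side matched it, so an unknown hash on a freshly written, hidden, system-attribute file is a reason to keep digging rather than to stop.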

Response Number 16
Name: Saimog
Date: March 12, 2008 at 21:47:50 Pacific
Reply:

File 2A6DAF9BEB.sys received on 03.13.2008 05:39:24 (CET)
Result: 0/32 (0%)


0

Response Number 17
Name: jabuck
Date: March 14, 2008 at 19:22:55 Pacific
Reply:

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download CCleaner from the following link:

http://filehippo.com/download_ccleaner/

After you download it to your desktop and begin installing it, only allow the "install icon on desktop" option to install. Then run it, using it only as suggested; it's powerful, so use only the prechecked items.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

You will need to allow an active x install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.


0

Response Number 18
Name: Saimog
Date: March 15, 2008 at 05:56:47 Pacific
Reply:

BitDefender Online Scanner

Scan report generated at: Sat, Mar 15, 2008 - 23:48:08
Scan path: C:\;D:\;

Statistics
Time: 01:27:39
Files: 291981
Folders: 7248
Boot Sectors: 2
Archives: 2113
Packed Files: 21626

Results
Identified Viruses: 10
Infected Files: 14
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 14

Engines Info
Virus Definitions: 997175
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 41
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File: Status

C:\Documents and Settings\Ramona\Desktop\backups\backup-20080306-144951-732.dll
    Infected with: Trojan.Downloader.Zlob.ABMP; Disinfection failed; Deleted

C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
    Infected with: DeepScan:Generic.Virtumod.A39D278C; Disinfection failed; Deleted

C:\Documents and Settings\Ramona\My Documents\Shtuff\Install1279.exe
    Infected with: Trojan.Renos.N; Deleted

C:\QooBox\Quarantine\C\Program Files\Helper\1204536690.dll.vir
    Infected with: Trojan.Downloader.Zlob.ABMP; Disinfection failed; Deleted

C:\QooBox\Quarantine\C\Program Files\JavaCore\UnInstall.exe.vir
    Detected with: Adware.JCore.A; Deleted

C:\QooBox\Quarantine\C\WINDOWS\b154.exe.vir
    Infected with: Trojan.Matcash.DLN; Deleted

C:\QooBox\Quarantine\C\WINDOWS\mrofinu1535.exe.vir
    Infected with: Trojan.Downloader.Matcash.F; Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\service.exe.vir
    Infected with: Trojan.Dropper.LDPinch.Q; Disinfection failed; Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\service.sys.vir
    Infected with: Trojan.Peed.IUO; Disinfection failed; Deleted

C:\SDFix\backups\catchme.zip=>qwetab.inf
    Infected with: Backdoor.Rustock.NCK; Disinfection failed; Deleted

C:\SDFix\backups\catchme.zip
    Updated

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll
    Infected with: Trojan.Downloader.Zlob.ABMP; Disinfection failed; Deleted

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006340.exe
    Infected with: DeepScan:Generic.Virtumod.A39D278C; Disinfection failed; Deleted

C:\WINDOWS\system32\ascbalo3N.dll
    Detected with: Adware.Balloon.A; Deleted

C:\WINDOWS\system32\ascbalon.dll
    Detected with: Adware.Balloon.A; Deleted

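Most of the hits in the report above are not on the live system at all: they sit in folders where earlier cleanup tools had already moved the files aside (ComboFix's C:\QooBox\Quarantine, SDFix's backups folder, a Desktop\backups folder from an earlier tool) or in a System Restore point, which is why the advice to flush restore points makes sense. The entries that matter for "is the machine still infected" are the ones under C:\WINDOWS\system32 and the user's own folders. The following is an added example, not code from the thread or from BitDefender, that triages the scanner's file table by location. It assumes the exact layout the scanner emitted above (a path line followed by one status line, blank-separated, path repeated once per status); the embedded SAMPLE_REPORT is an excerpt of the posted table, and the folder markers are taken from the paths in the report.

```python
"""Triage the 'Scanned File / Status' table of a BitDefender Online Scanner
report by where each hit lives: live system path, an earlier tool's
quarantine/backup folder, or a System Restore point.

Added example, not code from the original thread or from BitDefender. The
layout assumed is the one in the posted report: a 'Scanned File' line, a
'Status' line, then each entry as a path line followed by one status line,
with blank lines between entries and the same path repeated per status.
"""
import re
from collections import OrderedDict

# Folder markers for material earlier cleanup tools already moved aside, or
# that sits frozen in a restore point (assumed from the paths in the report).
QUARANTINE_MARKERS = (r"\QooBox\Quarantine", r"\SDFix\backups", r"\Desktop\backups")
RESTORE_MARKER = r"\System Volume Information\_restore"
DETECTION_RE = re.compile(r"^(?:Infected|Detected) with: (.+)$")

# Excerpt of the file table from the posted report, in the scanner's layout.
SAMPLE_REPORT = r"""Scanned File
Status

C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Infected with: DeepScan:Generic.Virtumod.A39D278C

C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Disinfection failed

C:\Documents and Settings\Ramona\Desktop\VundoFix.exe
Deleted

C:\SDFix\backups\catchme.zip=>qwetab.inf
Infected with: Backdoor.Rustock.NCK

C:\SDFix\backups\catchme.zip=>qwetab.inf
Disinfection failed

C:\SDFix\backups\catchme.zip=>qwetab.inf
Deleted

C:\SDFix\backups\catchme.zip
Updated

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll
Infected with: Trojan.Downloader.Zlob.ABMP

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll
Disinfection failed

C:\System Volume Information\_restore{64D828EA-F8A8-4360-B657-379570604CBB}\RP20\A0006339.dll
Deleted

C:\WINDOWS\system32\ascbalon.dll
Detected with: Adware.Balloon.A

C:\WINDOWS\system32\ascbalon.dll
Deleted
"""


def classify(path):
    """Return 'quarantine', 'restore_point' or 'live' for one scanned path."""
    lowered = path.lower()
    if any(marker.lower() in lowered for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER.lower() in lowered:
        return "restore_point"
    return "live"


def parse_report(text):
    """Collapse the repeated path/status lines into one record per path."""
    lines = [line.rstrip() for line in text.splitlines()]
    records = OrderedDict()
    if "Scanned File" not in lines:
        return records
    i = lines.index("Scanned File") + 2  # skip the 'Status' column header too
    while i + 1 < len(lines):
        if not lines[i]:  # blank separator between entries
            i += 1
            continue
        path, status = lines[i], lines[i + 1]
        rec = records.setdefault(
            path, {"detection": None, "actions": [], "location": classify(path)}
        )
        match = DETECTION_RE.match(status)
        if match:
            rec["detection"] = match.group(1)
        else:
            rec["actions"].append(status)  # 'Disinfection failed', 'Deleted', ...
        i += 2
    return records


def triage(records):
    """Group detections by location; paths with no detection name (an archive
    marked only 'Updated') are left out."""
    groups = {"live": [], "quarantine": [], "restore_point": []}
    for path, rec in records.items():
        if rec["detection"] is not None:
            groups[rec["location"]].append((path, rec["detection"], tuple(rec["actions"])))
    return groups


if __name__ == "__main__":
    for location, hits in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{location}: {len(hits)} detection(s)")
        for path, name, actions in hits:
            print(f"  {name:40} {'; '.join(actions):32} {path}")
```

Run against the full table as posted, this splits the 14 infected files into 4 on live paths (the two Adware.Balloon DLLs in system32, Install1279.exe in My Documents, and VundoFix.exe on the desktop), 8 already in quarantine or backup folders, and 2 in restore point RP20. A hit on the cleanup tool itself under a generic heuristic name such as DeepScan:Generic is worth verifying against a fresh copy from the vendor before it is counted as a live infection.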
