
"your Computer Is Infected!" Message Bubble Displayed In System Tray


This topic is locked
25 replies to this topic

#1 whiplash000
  • Members
  • 13 posts

Posted 28 February 2008 - 09:02 PM

(I don't know the name of the infection because I was at least not dumb enough to click the box)
From my own research, I found out (thanks to spybot's resident) that it is somehow involved with "braviax.exe". I looked up all kinds of solutions for it and tried all of the following:

1. smitrem (did nothing except get rid of my desktop)
2. smitfraudfix
3. installed ad-aware 2007, which gave me a BSOD halfway through the scan
4. installed avg anti-spyware, which didn't even start when I clicked on it
5. combofix
6. DSS (Deckard's system scanner)
7. ran this batch file separately from windows (used the xp cd)
del C:\Windows\braviax.exe
del C:\Windows\cru629.dat
del C:\Windows\System32\braviax.exe
del C:\Windows\System32\cru629.dat
del C:\Windows\System32\Dllcache\beep.sys
del C:\Windows\System32\Drivers\beep.sys
8. used avenger to delete the same files
9. and finally, used spybot (which would only run if I renamed the main executable, I read this thing selectively prevents certain processes from running) and it detected some spyware but when I restarted the icon was still there

(not to say I won't try these things again, perhaps I didn't run them right)

This thing also constantly tries to add braviax and some other file (with a cryptic name) to the registry to the point where the computer wouldn't respond because the windows would appear to the left so quickly. Finally, when I start my computer, I get a dialog box that says something like: "windows doesn't recognize the filetype for 'menu.exe~'"

...that's all I can think of. Here's my hijackthis log (which I also couldn't run until I renamed it):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:48 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\nvsvc32.exe
E:\Programs\andLinux\colinux-daemon.exe
E:\Programs\andLinux\colinux-slirp-net-daemon.exe
E:\Programs\andLinux\colinux-net-daemon.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\WINDOWS\system32\Rundll32.exe
E:\Programs\PeerGuardian2\pg2.exe
E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
E:\Programs\DAEMON Tools Lite\daemon.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Programs\andLinux\Xming\Xming.exe
D:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\WINDOWS\system32\msiexec.exe
E:\Programs\Firefox\firefox.exe
D:\WINDOWS\system32\cmd.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\whiplash\Desktop\LoPhat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - D:\WINDOWS\system32\rqrommm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7EE5638A-2EB2-41C7-BCF8-47A673D2165B} - D:\WINDOWS\system32\ssttr.dll
O2 - BHO: (no name) - {80728775-DB8D-45BC-94EE-F41B0B7D1475} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programs\Adobe Reader 8.1.2\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [clydjsor] D:\deffjuns.bat
O4 - HKLM\..\Run: [BMe7f30dc1] Rundll32.exe "D:\WINDOWS\system32\fgsuswxp.dll",s
O4 - HKCU\..\Run: [uTorrent] "E:\Programs\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [PeerGuardian] E:\Programs\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Programs\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: DualCoreCenter.lnk = D:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: KDE Menu (andLinux).lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Xming (andLinux).lnk = E:\Programs\andLinux\Xming\Xming.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: dlftqgdo - dlftqgdo.dll (file missing)
O20 - Winlogon Notify: rqrommm - D:\WINDOWS\SYSTEM32\rqrommm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: andLinux - Unknown owner - E:\Programs\andLinux\colinux-daemon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7103 bytes


Any help would be greatly appreciated...
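The HijackThis log above is the kind of thing a malware-response helper reads line by line, looking for the load points that matter most: BHOs registered with no name, Run values that start a bare filename or a batch file, rundll32 entries loading an oddly named DLL from system32, AppInit_DLLs, and Winlogon Notify hooks. The script below is an added example for this thread (not HijackThis code and not anything posted by the participants) that applies those heuristics to a log. The heuristics are my own choices, the sample is a constructed excerpt of lines copied from the first log in this topic, and the output is a triage list for a human to verify, not a verdict: a legitimate OEM utility started by bare filename will also land on it.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not code from BleepingComputer or HijackThis.
It ranks entries a helper would look at first; it cannot decide cleanliness.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# eight lowercase letters in system32: a name pattern worth a second look (heuristic, mine)
RANDOM_DLL_RE = re.compile(r"[Ss]ystem32\\[a-z]{8}\.dll")

# Constructed sample: lines copied from the first HijackThis log in this topic
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - D:\WINDOWS\system32\rqrommm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {80728775-DB8D-45BC-94EE-F41B0B7D1475} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [clydjsor] D:\deffjuns.bat
O4 - HKLM\..\Run: [BMe7f30dc1] Rundll32.exe "D:\WINDOWS\system32\fgsuswxp.dll",s
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: dlftqgdo - dlftqgdo.dll (file missing)
O20 - Winlogon Notify: rqrommm - D:\WINDOWS\SYSTEM32\rqrommm.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    severity: str   # "high" (check first) or "review" (verify, often stale or benign)
    section: str    # HJT section code, e.g. "O4"
    reason: str
    line: str


def program_of(cmd: str) -> str:
    """First token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    lower = body.lower()
    if sec == "O2" and body.startswith("BHO: (no name)"):
        if "(no file)" in lower:
            return Finding("review", sec, "orphaned BHO registration (no name, file gone)", line)
        return Finding("high", sec, "BHO with no name loaded into Internet Explorer", line)
    if sec == "O4":
        rm = RUN_RE.match(body)
        if rm:
            name, cmd = rm.group("name"), rm.group("cmd")
            prog = program_of(cmd)
            if prog.lower() in ("rundll32.exe", "rundll32"):
                if RANDOM_DLL_RE.search(cmd):
                    return Finding("high", sec, f"Run value [{name}] loads an eight-letter lowercase DLL via rundll32", line)
                return None
            if "\\" not in prog:
                return Finding("review", sec, f"Run value [{name}] starts a bare filename resolved via PATH", line)
            if prog.lower().endswith(".bat"):
                return Finding("high", sec, f"Run value [{name}] starts a batch file", line)
    if sec == "O20":
        if lower.startswith("appinit_dlls:") and body.split(":", 1)[1].strip():
            return Finding("high", sec, "AppInit_DLLs is set; the DLL is loaded into every process that loads user32", line)
        if "(file missing)" in lower:
            return Finding("review", sec, "Winlogon Notify hook points at a missing DLL (stale entry)", line)
        if lower.startswith("winlogon notify:"):
            return Finding("high", sec, "Winlogon Notify hook loads a DLL at logon", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """All findings for a log, high severity first, log order otherwise."""
    findings = [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: 0 if f.severity == "high" else 1)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.reason}\n       {f.line}")
```

Run on the excerpt it lists eight entries, five of them high: the unnamed BHO in system32, the batch file and the rundll32 DLL under HKLM\..\Run, the AppInit_DLLs value and the Winlogon Notify DLL that still exists; the bare `braviax.exe`, the orphaned BHO and the missing Notify DLL come back as items to verify. Everything else in the sample, including the NVIDIA and Steam entries, is left alone.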



#2 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 February 2008 - 09:21 PM

Hello whiplash000,

Welcome to Bleeping Computer :blink:

From now on out, please don't run anything unless I ask you to, okay? :thumbsup:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 whiplash000
  • Topic Starter
  • Members
  • 13 posts

Posted 29 February 2008 - 01:15 PM

Well, I did like you said, but when I tried to run the file, nothing happened. I renamed it to something else on a hunch, and now it shows a tiny box with a progress bar that says combofix and when it finishes it just closes. Does it display the log file, or does it just write it to the hard drive? Anyway, here's my hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:04 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\WINDOWS\system32\Rundll32.exe
E:\Programs\PeerGuardian2\pg2.exe
E:\Programs\DAEMON Tools Lite\daemon.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\nvsvc32.exe
E:\Programs\andLinux\colinux-daemon.exe
E:\Programs\andLinux\colinux-slirp-net-daemon.exe
E:\Programs\andLinux\colinux-net-daemon.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Programs\andLinux\Xming\Xming.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
E:\Programs\Firefox\firefox.exe
D:\Documents and Settings\whiplash\Desktop\LoPhat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - {1E38A24C-7750-4D57-BBC5-3E5002DBD267} - D:\WINDOWS\system32\ssttr.dll
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - D:\WINDOWS\system32\rqrommm.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programs\Adobe Reader 8.1.2\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [clydjsor] D:\deffjuns.bat
O4 - HKLM\..\Run: [BMe7f30dc1] Rundll32.exe "D:\WINDOWS\system32\fgsuswxp.dll",s
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [uTorrent] "E:\Programs\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [PeerGuardian] E:\Programs\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Programs\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: DualCoreCenter.lnk = D:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: KDE Menu (andLinux).lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Xming (andLinux).lnk = E:\Programs\andLinux\Xming\Xming.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: dlftqgdo - dlftqgdo.dll (file missing)
O20 - Winlogon Notify: rqrommm - D:\WINDOWS\SYSTEM32\rqrommm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: andLinux - Unknown owner - E:\Programs\andLinux\colinux-daemon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6343 bytes

#4 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 February 2008 - 09:55 PM

Hello,

So you did get it to run, right? Let's see if this will run then:


* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
D:\WINDOWS\system32\ssttr.dll
D:\WINDOWS\system32\rqrommm.dll
D:\WINDOWS\system32\fgsuswxp.dll
D:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Let me know how it's running, please. :thumbsup:

Thanks,
tea

#5 whiplash000
  • Topic Starter
  • Members
  • 13 posts

Posted 29 February 2008 - 10:34 PM

Okay, I both tried it and restarted my computer and then tried it, but I got the same result as the first time. That little box's progress bar would go to 100% and that's the last I'd see of it.
Here's another hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:49 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
E:\Programs\Adobe Reader 8.1.2\Reader\Reader_sl.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\Rundll32.exe
D:\WINDOWS\system32\nvsvc32.exe
E:\Programs\uTorrent\uTorrent.exe
E:\Programs\PeerGuardian2\pg2.exe
E:\Programs\DAEMON Tools Lite\daemon.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Programs\andLinux\colinux-daemon.exe
E:\Programs\andLinux\colinux-slirp-net-daemon.exe
E:\Programs\andLinux\colinux-net-daemon.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Programs\andLinux\Xming\Xming.exe
D:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\whiplash\Desktop\wtf.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - D:\WINDOWS\system32\rqrommm.dll
O2 - BHO: (no name) - {EAAE0A4F-646B-4F31-A031-48DD7A276B1F} - D:\WINDOWS\system32\ssttr.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programs\Adobe Reader 8.1.2\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [clydjsor] D:\deffjuns.bat
O4 - HKLM\..\Run: [BMe7f30dc1] Rundll32.exe "D:\WINDOWS\system32\fgsuswxp.dll",s
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [uTorrent] "E:\Programs\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [PeerGuardian] E:\Programs\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Programs\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: DualCoreCenter.lnk = D:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: KDE Menu (andLinux).lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Xming (andLinux).lnk = E:\Programs\andLinux\Xming\Xming.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: dlftqgdo - dlftqgdo.dll (file missing)
O20 - Winlogon Notify: rqrommm - D:\WINDOWS\SYSTEM32\rqrommm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: andLinux - Unknown owner - E:\Programs\andLinux\colinux-daemon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6429 bytes

#6 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 February 2008 - 11:09 PM

Hello,

Okie dokie, then we'll see about doing this a different way huh? We may have to rip it out of there little by little. Delete ComboFix and its folder, C:\Qoobox.

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
You need to get an AntiVirus program running, and run a full system scan. AVG, Avira OR Avast are good FREE antivirus.

Thanks,
tea

#7 whiplash000
  • Topic Starter
  • Members
  • 13 posts

Posted 01 March 2008 - 09:19 AM

Hey, it kinda worked! When I woke up this morning and checked the computer, the tray apps were all gone, including the red x! When I restarted, it was gone there too! But, when I started it up, I got some sorta error message that looks (literally) like this:

A potential problem has been detected and Windows has been shutdown buggy application to prevent damage to your computer.
****WXYZ.SYS - Address F73120E base at C00000, DateStamp 36b072A3
Kernel Debugger Using: COM2 (Port 0x28f, Baud rate 192000)

Looks a little suspicious to me. Terrible grammar and an odd file name...
Also, I still get a dialog box that says "Windows does not recognize this file: Menu.exe~". Lastly, I still get icons on my desktop that say: "Windows Update" and "Help and Support" that assume I will believe their crappy anti-aliasing and click on them. Every time I delete them, they come back almost instantly. On a final note, all the anti-virus and anti-spyware apps I madly installed before asking for your help and the ones calmly installed since started working now.

Well, here's that log:



BitDefender Online Scanner

Scan report generated at: Sat, Mar 01, 2008 - 02:29:42
Scan path: C:\;D:\;E:\;F:\;G:\;I:\;

Statistics
  Time            02:32:10
  Files           742541
  Folders         24882
  Boot Sectors    4
  Archives        24380
  Packed Files    38600

Results
  Identified Viruses   15
  Infected Files       23
  Suspect Files        0
  Warnings             0
  Disinfected          0
  Deleted Files        17

Engines Info
  Virus Definitions   984669
  Engine build        AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
  Scan plugins        16
  Archive plugins     41
  Unpack plugins      7
  E-mail plugins      6
  System plugins      5

Scan Settings
  First Action         Disinfect
  Second Action        Delete
  Heuristics           Yes
  Enable Warnings      Yes
  Scanned Extensions   *;
  Exclude Extensions   (none)
  Scan Emails          Yes
  Scan Archives        Yes
  Scan Packed          Yes
  Scan Files           Yes
  Scan Boot            Yes

Scanned File / Status

C:\Users\whiplash\Downloads\uTorrent\Norton Ghost 12 With KeyGen new\Norton Ghost12.iso=>keygen.exe
    Infected with: Packer.Krunchy.A
    Disinfection failed
    Deleted
C:\Users\whiplash\Downloads\uTorrent\Norton Ghost 12 With KeyGen new\Norton Ghost12.iso
    Update failed

D:\!KillBox\braviax.exe
    Infected with: Trojan.Downloader.WinAntivirus.A
    Disinfection failed
    Deleted
D:\!KillBox\braviax.exe( 1)
    Infected with: Trojan.Downloader.WinAntivirus.A
    Disinfection failed
    Deleted
D:\!KillBox\braviax.exe( 3)
    Infected with: Trojan.Downloader.WinAntivirus.A
    Disinfection failed
    Deleted

D:\System Volume Information\_restore{291EEEAA-FE90-49E3-9CE5-64601B769B8B}\RP37\A0015784.exe
    Infected with: Trojan.Downloader.WinAntivirus.A
    Disinfection failed
    Deleted

D:\WINDOWS\braviax.exe
    Infected with: Trojan.Downloader.WinAntivirus.A
    Disinfection failed
    Deleted
D:\WINDOWS\system32\braviax.exe
    Infected with: Trojan.Downloader.WinAntivirus.A
    Disinfection failed
    Delete failed
D:\WINDOWS\system32\drivers\beep.sys
    Infected with: Generic.Malware.P!.2ED54E55
    Disinfection failed
    Deleted
D:\WINDOWS\system32\ergjimws.dll
    Infected with: Trojan.Vundo.EAE
    Deleted
D:\WINDOWS\system32\fgsuswxp.dll
    Infected with: Trojan.Vundo.DZK
    Disinfection failed
    Delete failed
D:\WINDOWS\system32\rqrommm.dll
    Infected with: Trojan.Virtumonde.IR
    Disinfection failed
    Delete failed
D:\WINDOWS\system32\ssttr.dll
    Infected with: Trojan.Vundo.EAD
    Disinfection failed
    Delete failed
D:\WINDOWS\system32\users32.dat
    Infected with: Trojan.Downloader.Agent.ZAK
    Disinfection failed
    Delete failed
D:\WINDOWS\system32\vbbimema.dll
    Infected with: Trojan.Vundo.DWB
    Deleted
D:\WINDOWS\system32\winlogon.exe
    Infected with: Trojan.Agent.AVD
    Disinfection failed
    Delete failed

E:\Downloads\Firefox\call of duty 4 code generator.exe.DANGER-CONTAINS PARTICULARLY NASTY SPYWARE=>(RAR Sfx o)=>crack.exe
    Infected with: Trojan.Vundo.DZP
    Deleted
E:\Downloads\Firefox\call of duty 4 code generator.exe.DANGER-CONTAINS PARTICULARLY NASTY SPYWARE=>(RAR Sfx o)
    Update failed
E:\Downloads\Firefox\call of duty 4 code generator.exe.DANGER-CONTAINS PARTICULARLY NASTY SPYWARE=>(RAR Sfx o)=>keygen.exe
    Infected with: Trojan.Downloader.JJMX
    Deleted
E:\Downloads\Firefox\call of duty 4 code generator.exe.DANGER-CONTAINS PARTICULARLY NASTY SPYWARE=>(RAR Sfx o)
    Update failed
E:\Downloads\Firefox\call of duty 4 code generator.exe.DANGER-CONTAINS PARTICULARLY NASTY SPYWARE=>(RAR Sfx o)=>serial.exe
    Infected with: Trojan.Retapu.D
    Disinfection failed
    Deleted
E:\Downloads\Firefox\call of duty 4 code generator.exe.DANGER-CONTAINS PARTICULARLY NASTY SPYWARE=>(RAR Sfx o)
    Update failed

E:\Downloads\Firefox\hypertunnelNT.zip=>hts.exe
    Detected with: Spyware.Tool.Http.B
    Deleted
E:\Downloads\Firefox\hypertunnelNT.zip
    Updated

E:\Games\Garry's Mod v10\Launcher.exe
    Infected with: Trojan.Downloader.Delf.OC
    Deleted

E:\Programs\hypertunnel\hts.exe
    Detected with: Spyware.Tool.Http.B
    Deleted

E:\System Volume Information\_restore{291EEEAA-FE90-49E3-9CE5-64601B769B8B}\RP37\A0015791.exe
    Infected with: Trojan.Downloader.Delf.OC
E:\System Volume Information\_restore{291EEEAA-FE90-49E3-9CE5-64601B769B8B}\RP37\A0015791.exe


Deleted

E:\System Volume Information\_restore{291EEEAA-FE90-49E3-9CE5-64601B769B8B}\RP37\A0015792.exe


Detected with: Spyware.Tool.Http.B

E:\System Volume Information\_restore{291EEEAA-FE90-49E3-9CE5-64601B769B8B}\RP37\A0015792.exe


Deleted

Edited by whiplash000, 01 March 2008 - 09:29 AM.


#8 whiplash000

whiplash000
  • Topic Starter

  • Members
  • 13 posts
  • Local time:01:06 AM

Posted 02 March 2008 - 10:38 AM

Hey! Good news! I got combofix to run by reading the guide on this website (all I did was install the recovery console), so now I have a log from it. Also, it seems that the icons on my desktop can be deleted for good now. Anyway, here's the log it produced:
ComboFix 08-02-25.3 - whiplash 2008-03-02 10:21:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1070 [GMT -5:00]
Running from: D:\Documents and Settings\whiplash\Desktop\ComboNOTFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\whiplash\Start Menu\Programs\Uninstall.lnk
D:\WINDOWS\system32\aujlctix.dll
D:\WINDOWS\system32\aujlctix.dllbox
D:\WINDOWS\system32\cfqodllj.dll
D:\WINDOWS\system32\dcvhrtdy.dll
D:\WINDOWS\system32\dlftqgdo.dllbox
D:\WINDOWS\system32\fgsuswxp.dll
D:\WINDOWS\system32\llwaolvu.dll
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\odlfnihv.ini
D:\WINDOWS\system32\onldahqe.dll
D:\WINDOWS\system32\rqrommm.dll
D:\WINDOWS\system32\rttss.ini
D:\WINDOWS\system32\rttss.ini2
D:\WINDOWS\system32\sgjqdqtr.dll
D:\WINDOWS\system32\ssttr.dll
D:\WINDOWS\system32\tomweqsq.dll
D:\WINDOWS\system32\users32.dat
D:\WINDOWS\system32\uvloawll.ini
D:\WINDOWS\system32\vhinfldo.dll
D:\WINDOWS\system32\wemwuxpu.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.

2008-03-01 21:32 . 2001-08-17 13:28 771,581 --a--c--- D:\WINDOWS\system32\dllcache\winacisa.sys
2008-03-01 21:31 . 2001-08-17 13:28 794,399 --a--c--- D:\WINDOWS\system32\dllcache\usr1806v.sys
2008-03-01 21:30 . 2001-08-17 13:28 794,654 --a--c--- D:\WINDOWS\system32\dllcache\usr1801.sys
2008-03-01 21:29 . 2001-08-17 22:36 525,568 --a--c--- D:\WINDOWS\system32\dllcache\tridxp.dll
2008-03-01 21:28 . 2001-08-17 14:56 172,768 --a--c--- D:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-03-01 21:27 . 2001-08-17 12:18 285,760 --a--c--- D:\WINDOWS\system32\dllcache\stlnata.sys
2008-03-01 21:26 . 2001-08-17 14:56 147,200 --a--c--- D:\WINDOWS\system32\dllcache\smidispb.dll
2008-03-01 21:25 . 2004-08-03 22:41 404,990 --a--c--- D:\WINDOWS\system32\dllcache\slntamr.sys
2008-03-01 21:24 . 2001-08-17 22:36 386,560 --a--c--- D:\WINDOWS\system32\dllcache\sgiul50.dll
2008-03-01 21:23 . 2001-08-17 22:36 495,616 --a--c--- D:\WINDOWS\system32\dllcache\sblfx.dll
2008-03-01 21:22 . 2001-08-17 13:28 714,762 --a--c--- D:\WINDOWS\system32\dllcache\r2mdmkxx.sys
2008-03-01 21:21 . 2001-08-17 13:28 899,146 --a--c--- D:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-03-01 21:20 . 2004-08-04 00:56 259,328 --a--c--- D:\WINDOWS\system32\dllcache\perm3dd.dll
2008-03-01 21:19 . 2001-08-17 14:05 351,616 --a--c--- D:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-03-01 21:18 . 2001-08-17 12:50 198,144 --a--c--- D:\WINDOWS\system32\dllcache\nv3.sys
2008-03-01 21:17 . 2004-08-04 00:56 1,737,856 --a--c--- D:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-03-01 21:16 . 2001-08-17 12:50 320,384 --a--c--- D:\WINDOWS\system32\dllcache\mgaum.sys
2008-03-01 21:15 . 2001-08-17 13:28 802,683 --a--c--- D:\WINDOWS\system32\dllcache\ltsm.sys
2008-03-01 21:14 . 2001-08-17 22:36 242,176 --a--c--- D:\WINDOWS\system32\dllcache\kdsusd.dll
2008-03-01 21:13 . 2001-08-17 22:36 372,824 --a--c--- D:\WINDOWS\system32\dllcache\iconf32.dll
2008-03-01 21:12 . 2004-08-03 22:41 1,041,536 --a--c--- D:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-03-01 21:11 . 2001-08-17 13:28 907,456 --a--c--- D:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-03-01 21:10 . 2001-08-17 13:51 82,304 --a--c--- D:\WINDOWS\system32\dllcache\grclass.sys
2008-03-01 21:10 . 2004-08-03 23:08 59,136 --a--c--- D:\WINDOWS\system32\dllcache\gckernel.sys
2008-03-01 21:10 . 2004-08-03 23:07 46,464 --a--c--- D:\WINDOWS\system32\dllcache\gagp30kx.sys
2008-03-01 21:10 . 2004-08-03 22:59 28,288 --a--c--- D:\WINDOWS\system32\dllcache\grserial.sys
2008-03-01 21:10 . 2001-08-17 13:51 17,408 --a--c--- D:\WINDOWS\system32\dllcache\gpr400.sys
2008-03-01 21:10 . 2004-08-03 23:08 10,624 --a--c--- D:\WINDOWS\system32\dllcache\gameenum.sys
2008-03-01 21:00 . 2008-03-01 21:32 <DIR> d-------- D:\WINDOWS\LastGood.Tmp
2008-03-01 09:05 . 2008-03-01 09:05 <DIR> d-------- D:\Documents and Settings\whiplash\Application Data\Grisoft
2008-03-01 08:58 . 2004-08-04 07:00 4,224 --a------ D:\WINDOWS\system32\drivers\beep.sys
2008-03-01 08:58 . 2004-08-04 07:00 4,224 --a--c--- D:\WINDOWS\system32\dllcache\beep.sys
2008-03-01 04:54 . 2008-03-02 04:54 99,436 --a------ D:\WINDOWS\BMe7f30dc1.xml
2008-02-29 23:17 . 2008-03-01 02:29 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2008-02-29 22:45 . 2008-03-02 10:30 782,368 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2008-02-29 22:45 . 2008-03-02 10:24 12,308 --ahs---- D:\WINDOWS\system32\drivers\fidbox.idx
2008-02-29 22:42 . 2008-02-29 22:42 <DIR> d-------- D:\Program Files\Zone Labs
2008-02-29 22:42 . 2008-02-29 22:42 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-29 22:41 . 2008-03-01 23:35 <DIR> d-------- D:\WINDOWS\Internet Logs
2008-02-28 20:14 . 2008-03-01 09:21 <DIR> d-------- D:\Program Files\Windows Defender
2008-02-28 20:02 . 2008-03-02 00:06 261 --a------ D:\WINDOWS\wininit.ini
2008-02-28 19:36 . 2008-02-28 19:42 691,545 --a------ D:\WINDOWS\unins000.exe
2008-02-28 19:36 . 2008-02-28 19:42 4,658 --a------ D:\WINDOWS\unins000.dat
2008-02-28 15:11 . 2008-02-28 15:11 <DIR> d-------- D:\Deckard
2008-02-28 06:47 . 2008-02-28 06:47 73 --a------ D:\WINDOWS\system32\pfdnnt_actions.sys
2008-02-28 04:53 . 2008-02-28 15:07 354 ---hs---- D:\WINDOWS\system32\swmijgre.ini
2008-02-28 04:53 . 2008-03-02 10:21 21 --a------ D:\WINDOWS\pskt.ini
2008-02-27 22:42 . 2008-02-28 06:45 <DIR> d-------- D:\WINDOWS\system32\ActiveScan
2008-02-27 22:42 . 2008-02-27 22:42 30,590 --a------ D:\WINDOWS\system32\pavas.ico
2008-02-27 22:42 . 2008-02-27 22:42 2,550 --a------ D:\WINDOWS\system32\Uninstall.ico
2008-02-27 22:42 . 2008-02-27 22:42 1,406 --a------ D:\WINDOWS\system32\Help.ico
2008-02-27 21:51 . 2008-02-27 21:51 <DIR> d-------- D:\Program Files\Trend Micro
2008-02-27 21:23 . 2008-02-29 22:55 6,144 --a------ D:\WINDOWS\system32\cru629.dat
2008-02-27 21:23 . 2008-02-29 22:55 6,144 --a------ D:\WINDOWS\cru629.dat
2008-02-27 21:16 . 2008-02-27 21:15 211 --a------ D:\del_f.bat
2008-02-27 21:16 . 2008-02-27 21:15 211 --a------ D:\del_e.bat
2008-02-27 21:16 . 2008-02-27 21:15 211 --a------ D:\del_d.bat
2008-02-27 21:16 . 2008-02-27 21:14 211 --a------ D:\del_c.bat
2008-02-27 20:50 . 2008-02-27 20:50 <DIR> d-------- D:\WINDOWS\system32\LogFiles
2008-02-27 20:33 . 2008-02-27 20:33 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-02-27 20:33 . 2008-02-27 20:33 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-27 20:23 . 2008-02-27 20:23 3,726 --a------ D:\WINDOWS\system32\tmp.reg
2008-02-27 20:19 . 2008-02-27 20:19 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-27 20:19 . 2007-05-30 07:10 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-27 19:06 . 2008-02-27 19:06 <DIR> d-------- D:\Program Files\Lavasoft
2008-02-27 19:06 . 2008-02-27 19:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-27 18:48 . 2008-02-27 18:48 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 16:43 . 2008-02-29 22:56 308,712 --a------ D:\WINDOWS\system32\winistr.exe
2008-02-27 16:39 . 2008-02-27 16:39 54,764 --a------ D:\WINDOWS\system\hipsrv.mm
2008-02-27 16:30 . 2008-03-01 20:08 <DIR> d-------- D:\Program Files\Steam
2008-02-26 21:05 . 2008-02-26 21:05 <DIR> d-------- D:\Program Files\Xfire
2008-02-26 21:05 . 2008-02-27 18:54 <DIR> d-------- D:\Documents and Settings\whiplash\Application Data\Xfire
2008-02-26 20:50 . 2008-02-26 21:05 <DIR> d-------- D:\Program Files\The All-Seeing Eye
2008-02-26 17:12 . 2008-02-26 17:12 <DIR> d-------- D:\Program Files\Java
2008-02-26 17:12 . 2008-02-26 17:12 <DIR> d-------- D:\Program Files\Common Files\Java
2008-02-26 17:12 . 2004-12-06 21:31 49,265 --a------ D:\WINDOWS\system32\jpicpl32.cpl
2008-02-25 00:28 . 2007-07-30 19:19 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
2008-02-25 00:28 . 2007-07-30 19:19 207,736 --a------ D:\WINDOWS\system32\muweb.dll
2008-02-25 00:28 . 2007-07-30 19:19 30,072 --a------ D:\WINDOWS\system32\mucltui.dll.mui
2008-02-25 00:22 . 2006-10-26 19:56 32,592 --a------ D:\WINDOWS\system32\msonpmon.dll
2008-02-25 00:16 . 2008-02-25 00:16 <DIR> d-------- D:\Program Files\MSBuild
2008-02-25 00:16 . 2008-02-25 00:16 <DIR> d-------- D:\Program Files\Microsoft Works
2008-02-25 00:15 . 2008-02-25 00:15 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-02-25 00:13 . 2008-02-25 00:16 <DIR> d-------- D:\WINDOWS\SHELLNEW
2008-02-25 00:13 . 2008-02-25 00:14 <DIR> d-------- D:\Program Files\Microsoft Visual Studio 8
2008-02-25 00:12 . 2008-02-25 00:12 <DIR> dr-h----- D:\MSOCache
2008-02-25 00:12 . 2008-02-28 23:38 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-25 00:11 . 2008-02-28 06:36 <DIR> d-------- D:\Program Files\MagicDisc
2008-02-25 00:11 . 2008-02-18 17:29 96,256 --a------ D:\WINDOWS\system32\drivers\mcdbus.sys
2008-02-24 15:04 . 2001-08-17 14:56 1,733,120 --a--c--- D:\WINDOWS\system32\dllcache\g400d.dll
2008-02-24 15:04 . 2001-08-17 14:56 470,144 --a--c--- D:\WINDOWS\system32\dllcache\g200d.dll
2008-02-24 15:04 . 2001-08-17 12:15 454,912 --a--c--- D:\WINDOWS\system32\dllcache\fxusbase.sys
2008-02-24 15:04 . 2001-08-17 12:49 322,432 --a--c--- D:\WINDOWS\system32\dllcache\g400m.sys
2008-02-24 15:04 . 2001-08-17 12:49 320,384 --a--c--- D:\WINDOWS\system32\dllcache\g200m.sys
2008-02-24 15:02 . 2001-08-17 13:28 634,134 --a--c--- D:\WINDOWS\system32\dllcache\el656ct5.sys
2008-02-24 15:01 . 2001-08-17 12:14 952,007 --a--c--- D:\WINDOWS\system32\dllcache\diwan.sys
2008-02-24 15:00 . 2001-08-17 12:13 980,034 --a--c--- D:\WINDOWS\system32\dllcache\cicap.sys
2008-02-24 14:59 . 2001-08-17 13:28 871,388 --a--c--- D:\WINDOWS\system32\dllcache\bcmdm.sys
2008-02-24 14:58 . 2004-08-04 00:56 1,888,992 --a--c--- D:\WINDOWS\system32\dllcache\ati3duag.dll
2008-02-24 14:57 . 2001-08-17 13:28 762,780 --a--c--- D:\WINDOWS\system32\dllcache\3cwmcru.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 22:49 673,792 ----a-w D:\WINDOWS\Internet Logs\xDB22.tmp
2008-03-01 22:49 1,334,272 ----a-w D:\WINDOWS\Internet Logs\xDB72.tmp
2008-02-19 21:26 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-02-17 20:14 0 ---ha-w D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-17 20:14 0 ---ha-w D:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-02-17 20:14 0 ---ha-w D:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-02-15 23:45 --------- d-----w D:\Documents and Settings\whiplash\Application Data\InstallShield
2008-02-15 23:40 315,392 ----a-w D:\WINDOWS\HideWin.exe
2008-02-15 23:40 --------- d-----w D:\Program Files\Realtek
2008-02-15 23:40 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-02-15 23:38 --------- d-----w D:\Program Files\NeoSmart Technologies
2008-02-15 23:32 --------- d-----w D:\Program Files\microsoft frontpage
2008-01-09 20:01 53,248 ----a-w D:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="E:\Programs\uTorrent\uTorrent.exe" [2008-02-09 09:37 219952]
"PeerGuardian"="E:\Programs\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"DAEMON Tools Lite"="E:\Programs\DAEMON Tools Lite\daemon.exe" [2008-02-13 18:09 486856]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Steam"="D:\Program Files\Steam\Steam.exe" [2008-02-27 16:31 1266936]
"SpybotSD TeaTimer"="E:\Programs\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD3976"="cmd /c del D:\WINDOWS\system32\aujlctix.dll_old" [ ]
"SpybotDeletingB2426"="command /c del D:\WINDOWS\system32\aujlctix.dll" [ ]
"SpybotDeletingD8454"="cmd /c del D:\WINDOWS\system32\aujlctix.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 D:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="E:\Programs\Adobe Reader 8.1.2\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IMJPMIG8.1"="D:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"IMEKRMIG6.1"="D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
"MSPY2002"="D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 07:00 59392]
"PHIME2002ASync"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31 36975]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 02:38 16384512 D:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA5050"="command /c del D:\WINDOWS\system32\aujlctix.dll_old" [ ]
"SpybotDeletingC1144"="cmd /c del D:\WINDOWS\system32\aujlctix.dll_old" [ ]
"SpybotDeletingA8817"="command /c del D:\WINDOWS\system32\aujlctix.dll" [ ]
"SpybotDeletingC8121"="cmd /c del D:\WINDOWS\system32\aujlctix.dll" [ ]

D:\Documents and Settings\whiplash\Start Menu\Programs\Startup\
MagicDisc.lnk - D:\Program Files\MagicDisc\MagicDisc.exe [2008-02-25 00:11:00 546816]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DualCoreCenter.lnk - D:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2008-02-15 16:22:11 192512]
KDE Menu (andLinux).lnk - E:\Programs\andLinux\Launcher\menu.exe~ [2008-02-20 19:21:04 66560]
Logitech SetPoint.lnk - D:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-17 15:14:21 692224]
Xming (andLinux).lnk - E:\Programs\andLinux\Xming\Xming.exe [2008-02-20 19:20:37 2489344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dlftqgdo]
dlftqgdo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrommm]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE
"BMe7f30dc1"=Rundll32.exe "D:\WINDOWS\system32\dcvhrtdy.dll",s
"clydjsor"=D:\deffjuns.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Programs\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\1-4--1-5.exe"=
"E:\\Programs\\andLinux\\Xming\\Xming.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"D:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"E:\\Games\\The Orange Box\\team fortress 2\\hl2.exe"=
"D:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe"=
"D:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\WINDOWS\\system32\\sessmgr.exe"=

R2 andLinux;andLinux;"E:\Programs\andLinux\colinux-daemon.exe" [2007-07-14 12:15]
R2 CoLinuxDriver;CoLinuxDriver;E:\Programs\andLinux\linux.sys [2007-07-14 12:15]
R3 nvsmu;nvsmu;D:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-07-07 02:13]
R3 tap0801co;TAP-Win32 Adapter V8 (coLinux);D:\WINDOWS\system32\DRIVERS\tap0801co.sys [2006-08-31 02:47]
S3 MSControlService;Microsoft cache control;D:\WINDOWS\system32\windows []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{705db7ff-df63-11dc-b4f1-0019dbe74fa2}]
\Shell\AutoRun\command - H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-02 06:50:32 D:\WINDOWS\Tasks\MP Scheduled Scan.job"
- D:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 10:30:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Windows Defender\MsMpEng.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\nvsvc32.exe
E:\Programs\andLinux\colinux-slirp-net-daemon.exe
E:\Programs\andLinux\colinux-net-daemon.exe
.
**************************************************************************
.
Completion time: 2008-03-02 10:32:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-02 15:32:49
.
2008-02-26 08:01:30 --- E O F ---




And here's a hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:50 AM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\nvsvc32.exe
E:\Programs\andLinux\colinux-daemon.exe
E:\Programs\andLinux\colinux-slirp-net-daemon.exe
E:\Programs\andLinux\colinux-net-daemon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\System32\svchost.exe
E:\Programs\Firefox\firefox.exe
E:\Programs\Spybot - Search & Destroy\SpybotSD2.exe
D:\Documents and Settings\whiplash\Desktop\wtf.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programs\Adobe Reader 8.1.2\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\RunOnce: [SpybotDeletingA5050] command /c del "D:\WINDOWS\system32\aujlctix.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1144] cmd /c del "D:\WINDOWS\system32\aujlctix.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8817] command /c del "D:\WINDOWS\system32\aujlctix.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8121] cmd /c del "D:\WINDOWS\system32\aujlctix.dll"
O4 - HKCU\..\Run: [uTorrent] "E:\Programs\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [PeerGuardian] E:\Programs\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Programs\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: DualCoreCenter.lnk = D:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: KDE Menu (andLinux).lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Xming (andLinux).lnk = E:\Programs\andLinux\Xming\Xming.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: dlftqgdo - dlftqgdo.dll (file missing)
O20 - Winlogon Notify: rqrommm - D:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: andLinux - Unknown owner - E:\Programs\andLinux\colinux-daemon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7008 bytes

The only real problem left is that services.exe is making tons of SMTP connections. Even though they are all shot down by my router's firewall, it still slows down my internet connection significantly. Is there any app (zonealarm doesn't have this feature in the free version) that lets me block just a single port?

Edited by whiplash000, 02 March 2008 - 11:06 AM.


#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:06 AM

Posted 02 March 2008 - 02:34 PM

Hello,

Whoa! Slow down, cowboy... we still have plenty to do here, okay? You need an AntiVirus program on your system right away. AVG, Avira OR Avast are good FREE antivirus programs. When you install the one you choose, please run a full system scan with it and let it delete/quarantine all it finds.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingA5050] command /c del "D:\WINDOWS\system32\aujlctix.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1144] cmd /c del "D:\WINDOWS\system32\aujlctix.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8817] command /c del "D:\WINDOWS\system32\aujlctix.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8121] cmd /c del "D:\WINDOWS\system32\aujlctix.dll"
O20 - Winlogon Notify: dlftqgdo - dlftqgdo.dll (file missing)
O20 - Winlogon Notify: rqrommm - D:\WINDOWS\
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
In your reply, please post a new HijackThis log and let me know how it's running now.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
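A way to automate the triage teacup61 did by hand on the HijackThis log above, as an added example that is not part of this thread or of HijackThis itself: it parses HijackThis v2 lines and flags the same kinds of entries she listed (orphaned O2/O3 CLSIDs with no file, stale RunOnce delete jobs, Winlogon Notify hooks that are missing or point at a directory, services whose binary is gone). The sample log is a constructed excerpt modelled on the entries quoted in this thread; the heuristics are assumptions, not a signature database.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the entry deserves a human look
    line: str      # the original log line


# Constructed HijackThis v2 excerpt, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [SpybotDeletingA5050] command /c del "D:\WINDOWS\system32\aujlctix.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8121] cmd /c del "D:\WINDOWS\system32\aujlctix.dll"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: dlftqgdo - dlftqgdo.dll (file missing)
O20 - Winlogon Notify: rqrommm - D:\WINDOWS\
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code (O4, O20, O23, R1, ...) followed by " - ".
LINE_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an entry that merits review, or None for entries that look normal.

    These are review heuristics (an assumption of this example), reproducing the reasoning a
    helper applies when reading a log, not a malware signature engine.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    # O20: DLLs loaded into winlogon.exe at logon. A missing DLL is an orphaned hook;
    # a target that is a directory rather than a .dll is malformed and worth a look.
    if section == "O20" and body.startswith("Winlogon Notify:"):
        target = body.split(" - ", 1)[1] if " - " in body else ""
        if "(file missing)" in target:
            return Finding(section, "Winlogon Notify DLL no longer exists (orphaned hook)", line)
        if not target.lower().endswith(".dll"):
            return Finding(section, "Winlogon Notify target is not a DLL path", line)
        return None

    # O23: installed services. A registered service whose executable is gone is a leftover
    # that should be removed so nothing can drop a new binary at that path.
    if section == "O23" and "(file missing)" in body:
        return Finding(section, "service registered but its executable is missing", line)

    # O2/O3: browser helper objects and toolbars registered by CLSID with no backing file.
    if section in ("O2", "O3") and "(no file)" in body:
        return Finding(section, "orphaned CLSID registration with no backing file", line)

    # O4 RunOnce 'del' commands are stale cleanup jobs left behind by a removal tool.
    if section == "O4" and "RunOnce:" in body and re.search(r"\bdel\b", body):
        return Finding(section, "stale RunOnce delete command left by a cleanup tool", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a HijackThis log and collect the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
        print(f"    {f.line.strip()}")
```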

#10 whiplash000

whiplash000
  • Topic Starter

  • Members
  • 13 posts
  • Local time:01:06 AM

Posted 02 March 2008 - 09:26 PM

Wow, that really made spybot's resident go crazy! The right side of my screen is filled with little resident boxes saying they denied the change of "dlftqgdo" based on the black list I made (I hit "remember this decision" before clicking deny change when it showed up the first time, like before posting here for the first time). Also, peerguardian shows tons of connections made over port 25 to various IPs... if my router's firewall wasn't already blocking that port, I'd be spamming all sorts of people now :thumbsup: What I really wanna do is run a packet sniffer and see the spam my computer could've been sending...
EDIT: Yep, it's spam all right. I read some spam it sent when I disabled the firewall and ran a packet sniffer, and I noticed it has much better grammar than the ones I get...

I found out that the menu.exe~ thing was actually this thing called andLinux that I had installed a while ago. It's not a problem anymore.

Also, I noticed that my c: drive (which hosts a broken Vista installation) is filled with pos**.tmp files and the icon on "My Computer" for drive c: has changed from a normal drive picture to a red x...

Okay, I'm done ranting. Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:38 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\nvsvc32.exe
E:\Programs\andLinux\colinux-daemon.exe
E:\Programs\andLinux\colinux-slirp-net-daemon.exe
E:\Programs\andLinux\colinux-net-daemon.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\System32\svchost.exe
E:\Programs\PeerGuardian2\pg2.exe
E:\Programs\DAEMON Tools Lite\daemon.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
E:\Programs\andLinux\Launcher\menu.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Programs\andLinux\Xming\Xming.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Documents and Settings\whiplash\Desktop\braviax\wtf.exe
E:\Programs\Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59F5B347-98AE-4EBD-A50C-B8A3FD8250E7} - (no file)
O2 - BHO: (no name) - {7EE5638A-2EB2-41C7-BCF8-47A673D2165B} - (no file)
O2 - BHO: (no name) - {80728775-DB8D-45BC-94EE-F41B0B7D1475} - (no file)
O2 - BHO: (no name) - {8191729C-C4F2-464D-A622-836E0899F644} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programs\Adobe Reader 8.1.2\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [uTorrent] "E:\Programs\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [PeerGuardian] E:\Programs\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Programs\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: DualCoreCenter.lnk = D:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: KDE Menu (andLinux).lnk = E:\Programs\andLinux\Launcher\menu.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Xming (andLinux).lnk = E:\Programs\andLinux\Xming\Xming.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: andLinux - Unknown owner - E:\Programs\andLinux\colinux-daemon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7528 bytes

Edited by whiplash000, 02 March 2008 - 10:03 PM.
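The log in the post above is long, and the handful of entries that matter sit among dozens of legitimate ones. As an added illustration (editor-supplied example code, not a BleepingComputer or HijackThis tool), the following Python script applies the triage rules the helpers in this thread apply by eye: a process launched from a user profile folder, an O2 BHO whose CLSID points at "(no file)", and an O23 service with an unknown owner, a missing binary, or a Microsoft-sounding name that is not owned by Microsoft. The sample log is a constructed excerpt of lines copied from the log above; the severity labels are this example's own convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a short excerpt of the HijackThis log posted above
# (Windows lives on D: on this machine, as in the original log).
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\System32\smss.exe
D:\Documents and Settings\whiplash\Desktop\braviax\wtf.exe

O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - D:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    line: str       # the log line that triggered the rule
    severity: str   # "high", "medium" or "low" (example's own scale)
    reason: str


# Programs normally live under Program Files or Windows; a binary started from
# a user's Desktop or profile folder is the kind of entry a helper asks about.
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Documents and Settings\\", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a closer look."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if USER_PROFILE_RE.match(line):
                findings.append(Finding(
                    line, "high",
                    "process running from a user profile folder rather than a program directory"))
            continue

        m = ENTRY_RE.match(line)
        if not m:
            continue                      # R1, F2, headers, etc. are not handled here
        section, rest = m.groups()

        if section == "O2" and rest.endswith("(no file)"):
            # Registration left behind after the DLL was removed: harmless, but clutter.
            findings.append(Finding(
                line, "low", "orphaned BHO registration; the CLSID points at a file that no longer exists"))
        elif section == "O23":
            display_name = rest.split(" - ")[0]
            flags = []
            if "Unknown owner" in rest:
                flags.append("no publisher recorded for the service")
            if rest.endswith("(file missing)"):
                flags.append("service binary missing on disk")
            if "Microsoft" in display_name and "Unknown owner" in rest:
                flags.append("Microsoft-sounding service name without Microsoft as owner")
            if flags:
                severity = "high" if len(flags) >= 2 else "medium"
                findings.append(Finding(line, severity, "; ".join(flags)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a reply can lead with the worst ones."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(summarize(results))
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity.upper()}] {f.reason}\n    {f.line}")
```

Run against the excerpt, the script surfaces exactly the three lines a helper would query: the Desktop executable, the service whose binary is missing and whose name imitates a Microsoft component, and the orphaned BHO. Legitimate services registered without a publisher (andLinux in the full log) would come out as "medium", which is the intended behaviour: the rule prompts a check, it does not decide.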


#11 teacup61 (Bleepin' Texan!, Malware Response Team)

Posted 02 March 2008 - 09:59 PM

Hello,

It wasn't in the log that Tea Timer was on, or I would have had you disable it to do the fixes. That would have avoided all those messages. You still didn't update Java or install an AntiVirus. Please do that now. :thumbsup: Also, are you saying the red X next to your C drive is back?

tea

#12 whiplash000 (Topic Starter)

Posted 03 March 2008 - 01:18 AM

Well, I updated java right after I did the hijackthis scan, maybe I should've done it in the opposite order... :blink:
And I never even saw the red x on drive c: until just now, and I looked at drive c: tons of times while working on this computer since it got infected. That can't be a good sign o_0

Oh, and to clarify on teatimer, the changes being denied were the creation of the entry, not the removal triggered by hijackthis. The spyware (or whatever's left of it) is constantly checking that specific registry entry and changing/recreating it if it's not what it wants it to be.

I also downloaded avg anti-virus like you asked :thumbsup: I'll edit this post when it finishes its scan.

EDIT: Okay, I can't export a log in AVG but I'll give you the rundown:
Most of it was stuff already quarantined inside of d:\qoobox\dir\to\file or d:\!killbox\
It found cru629.dat in both d:\windows and d:\windows\system32
It found the file that originally infected me in the first place >_>

Edited by whiplash000, 03 March 2008 - 02:41 AM.


#13 teacup61 (Bleepin' Texan!, Malware Response Team)

Posted 03 March 2008 - 01:46 PM

Hi,

Do this for that red x:


Click Start > Run > copy and paste the following into the box and hit enter/ok

cmd /c Reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons


If it asks you "Are you sure?", choose Y.

How is it running please?

#14 whiplash000 (Topic Starter)

Posted 03 March 2008 - 04:38 PM

That seems to have done it. I can't find anything else that I would consider to be a problem left on this computer. Thanks a lot for your help.

#15 teacup61 (Bleepin' Texan!, Malware Response Team)

Posted 03 March 2008 - 04:52 PM

Excellent. :wacko: You're most welcome for the help. :blink:

Don't forget to turn Tea Timer back on. :thumbsup: Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
