Trojan-Infected - Can't Remove!


  • This topic is locked
35 replies to this topic

#1 goddessdeath

  • Members
  • 20 posts

Posted 02 October 2010 - 02:05 PM

Trying to figure out what is wrong with this laptop for a friend. We've tried scanning it with various antivirus programs; it kept rebooting. Finally got a couple to run through, found a few things, can access the internet again, but still getting this tab that opens on its own with the URL of consumernewsonline.org or some motorcycle safety website, and when you try to close the tab, it pops up asking if you are sure, blah blah blah. It has been a supposed antivirus thing as well as a "work from home kit".

Ran ESET Online Scanner and it came up with six infections, but didn't give me any options of removing them.

Target: C:\Program Files\HBLite\bin\11.0.181.0\HBLiteSAAX.dll
Threat: a variant of Win32/Adware.HotBar.E application

Target: C:\Users\Jordan\AppData\Local\itecuzuhi.dll
Threat: a variant of Win32/Cimag.CK trojan

Target: C:\Users\Jordan\AppData\Local\Meebo\Meebo Notifier\MeeboNotifier .exe
Threat: Win32/TrojanDownloader.Uruy.BN trojan

Target: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PFEQC5F\lpkezhfmu[1].htm
Threat: a variant of Win32/TrojanDownloader.FakeAlert.BDE trojan

Target: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PFEQC5F\vvqkfy[1].htm
Threat: Win32/Agent.QNF trojan

Target: C:\Windows\Temp\ccqq\setup.exe
Threat: Win32/TrojanDownloader.Unruy.BN trojan


Anyway, here is the DDS log. Also, the ark.txt and Attach.txt are attached.


DDS (Ver_10-03-17.01) - NTFSx86
Run by admin at 20:29:12.52 on Wed 09/29/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.200 [GMT -4:00]

AV: My Security Shield *On-access scanning enabled* (Updated) {DE06E198-0BA1-4CEE-B144-A7B189641699}
FW: My Security Shield *enabled* {EF661568-CC6E-419B-B7B8-8BB4EADD2CA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Launch Manager\dsiwmis.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Program Files\Gateway\Registration\GregHSRW.exe
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskhost.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\admin\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt21&r=27b506108605l0464ww35a4542y27s
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt21&r=27b506108605l0464ww35a4542y27s
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
IFEO: image file execution options - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\g49jwbb9.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-9-10 17256]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 236088]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 30112]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2010-2-12 54784]
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [2010-6-22 12800]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 EUCR;EUCR;c:\windows\system32\drivers\EUCR6SK.sys [2010-2-12 82384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-8 15008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

=============== Created Last 30 ================

2010-09-29 03:40:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-29 03:40:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-29 03:40:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-29 03:03:45 0 d-----w- c:\program files\Trend Micro
2010-09-29 02:54:55 15560704 ----a-w- c:\windows\system32\YTSCK
2010-09-29 01:24:16 0 dc-h--w- c:\programdata\{437292BE-95BD-4B12-B699-6D217A03ACAF}
2010-09-29 01:22:58 0 d-----w- c:\programdata\Lavasoft
2010-09-29 01:22:58 0 d-----w- c:\program files\Lavasoft
2010-09-28 16:20:58 173436635 ----a-w- c:\windows\MEMORY.DMP
2010-09-28 15:24:41 131 ----a-w- c:\windows\CRC.INI
2010-09-28 02:33:16 0 d--h--w- C:\VritualRoot
2010-09-28 02:31:00 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-09-28 02:27:25 0 d-----w- c:\program files\COMODO
2010-09-28 02:24:40 0 d-----w- c:\programdata\Comodo
2010-09-28 02:00:20 0 d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2010-09-27 04:50:30 0 d-----w- c:\users\admin\appdata\roaming\Western Digital
2010-09-27 04:35:54 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-27 04:35:54 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-09-27 00:51:33 0 d-----w- c:\program files\CCleaner
2010-09-27 00:17:54 0 d-----w- c:\program files\AVG
2010-09-27 00:04:38 0 d-----w- c:\programdata\NOS
2010-09-26 23:24:30 112 ----a-w- c:\programdata\6A1U4xmxl.dat
2010-09-26 23:23:42 0 d-----w- c:\programdata\Malwarebytes
2010-09-24 03:00:39 0 d-----w- c:\windows\pss
2010-09-22 11:24:48 0 d-sh--w- c:\programdata\MSVCJSDGS
2010-09-22 11:24:13 0 d-sh--w- c:\programdata\6e257a
2010-09-22 11:04:26 155648 --sha-r- c:\windows\system32\ro-ROA.dll
2010-09-22 11:02:07 349184 ----a-w- c:\windows\system32\uvqru.exe
2010-09-22 11:02:04 52 ----a-w- c:\windows\system32\winset.ini
2010-09-17 08:37:55 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-11 03:41:40 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-11 03:40:40 30112 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-11 03:40:40 236088 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-09-11 03:40:38 17256 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 00:49:27 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-09-07 07:53:53 0 d-----w- c:\program files\iPod
2010-09-07 04:04:14 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-09-07 04:04:13 224256 ----a-w- c:\windows\system32\schannel.dll
2010-09-07 04:04:11 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-09-02 20:53:46 221568 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-08-01 13:29:57 144384 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:33:29.02 ===============
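Reading a DDS log like the one above line by line is what the helpers in this thread do by hand. As an added example (this is not DDS itself, not a BleepingComputer tool, and not anything the posters ran), here is a small Python triage script that applies the checks a reviewer makes on a first pass over such a log: a security product registered in Security Center that has no running process (the "My Security Shield" entry above, which the poster already describes as a fake antivirus), service or driver binaries that live under a user profile or temp directory, newly created hidden+system items, orphaned BHO entries, and new executables dropped straight into system32. The function names and the heuristics are my own assumptions about a sensible first pass; the sample log is assembled from lines of the DDS logs posted in this thread and cut down to a few entries per section. Every hit is something to verify, not a verdict, since legitimate software can trip the same rules.

```python
"""Added triage example for the DDS logs in this thread; not DDS itself or a BleepingComputer tool.
Splits the log into sections and applies first-pass heuristics; every hit is something to verify by hand."""
import re
from dataclasses import dataclass

# Sample input assembled from lines of the DDS logs posted in this thread, cut down to a few entries.
SAMPLE_LOG = r"""
AV: My Security Shield *On-access scanning enabled* (Updated) {DE06E198-0BA1-4CEE-B144-A7B189641699}
FW: My Security Shield *enabled* {EF661568-CC6E-419B-B7B8-8BB4EADD2CA7}
============== Running Processes ===============
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
============= SERVICES / DRIVERS ===============
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-9-10 17256]
S3 EUCR;EUCR;c:\windows\system32\drivers\EUCR6SK.sys [2010-2-12 82384]
S3 FWYWUIZDJWI;FWYWUIZDJWI;c:\users\jordan\appdata\local\temp\FWYWUIZDJWI.exe [2010-9-28 445312]
=============== Created Last 30 ================
2010-09-29 03:03:45 0 d-----w- c:\program files\Trend Micro
2010-09-22 11:24:48 0 d-sh--w- c:\programdata\MSVCJSDGS
2010-09-22 11:04:26 155648 --sha-r- c:\windows\system32\ro-ROA.dll
2010-09-22 11:02:07 349184 ----a-w- c:\windows\system32\uvqru.exe
"""

@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str

BANNER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SECURITY_RE = re.compile(r"^(?:AV|FW): (?P<product>.+?) \*")
ORPHAN_RE = re.compile(r"^(?:BHO|TB): .* - No File$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)(?:\s+\[[^\]]*\])?$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
USER_PATH_RE = re.compile(r"\\users\\|\\documents and settings\\|\\temp\\", re.I)

def parse_sections(text):
    """Split a DDS log on its '==== Name ====' banners; lines before the first banner go to HEADER."""
    sections, current = {"HEADER": []}, "HEADER"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def check_security_center(header, processes):
    """AV/FW lines come from WMI Security Center; a product registered there with no running
    process is either disabled or a rogue that registered itself (in this thread: My Security Shield)."""
    running = " ".join(processes).lower()
    for line in header:
        m = SECURITY_RE.match(line)
        if m and m.group("product").strip().lower() not in running:
            yield Finding("medium", line, "registered security product has no running process")

def check_hjt(lines):
    for line in lines:
        if ORPHAN_RE.match(line):
            yield Finding("low", line, "orphaned BHO/toolbar CLSID with no file; cleanup item, not proof of infection")

def check_services(lines):
    for line in lines:
        m = SERVICE_RE.match(line)
        if m and USER_PATH_RE.search(m.group("path")):
            yield Finding("high", line, "service/driver binary lives under a user profile or temp directory")

def check_created(lines):
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        parent, _, base = path.rpartition("\\")
        if base.lower() == "desktop.ini":
            continue  # hidden+system is normal for desktop.ini
        if "h" in attrs and "s" in attrs:
            yield Finding("high", line, f"newly created hidden+system item (attributes {attrs})")
        elif parent.lower() == r"c:\windows\system32" and base.lower().endswith((".exe", ".dll")):
            yield Finding("low", line, "new executable written directly into system32; verify its publisher signature")

def triage(text):
    """Run every check over a DDS log and return the findings as a list."""
    s = parse_sections(text)
    findings = list(check_security_center(s.get("HEADER", []), s.get("RUNNING PROCESSES", [])))
    findings += check_hjt(s.get("PSEUDO HJT REPORT", []))
    findings += check_services(s.get("SERVICES / DRIVERS", []))
    findings += check_created(s.get("CREATED LAST 30", []))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
```

On the sample above the script reports the three high-severity items (the service in the user's temp folder and the two hidden+system items from 22 September), flags both Security Center lines as medium because nothing matching "My Security Shield" is running, and lists the orphaned BHO and the new system32 executable as low-severity items to check; the COMODO driver, the EUCR card-reader driver and the Trend Micro folder are left alone.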


#2 Casey_boy

    Bleeping physicist

  • Malware Response Instructor
  • 7,128 posts
  • Gender:Male
  • Location:United Kingdom

Posted 08 October 2010 - 05:48 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#3 goddessdeath
  • Topic Starter

  • Members
  • 20 posts

Posted 09 October 2010 - 02:49 PM

I'll have to post it again later because that netbook is freezing up when I'm trying to run DDS again. I'm sure nothing has changed on the log because I haven't touched it after posting it, but I will post a new one as requested.

What it's doing is the same as before: we've tried scanning it with various antivirus programs; it kept rebooting. Finally got a couple to run through, found a few things, can access the internet again, but still getting this tab that opens on its own with the URL of consumernewsonline.org or some motorcycle safety website, and when you try to close the tab, it pops up asking if you are sure, blah blah blah. It has been a supposed antivirus thing as well as a "work from home kit".

I'm ready to smash this thing.

#4 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 10 October 2010 - 12:01 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


=======================================================


Please post the new logs needed as mentioned by Casey_boy; this is to make sure that we're seeing the current status of the machine, thanks.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) and ASAP (Alliance of Security Analysis Professionals)

#5 goddessdeath
  • Topic Starter

  • Members
  • 20 posts

Posted 10 October 2010 - 12:03 AM

Now when I try to log on as an Admin, it sits on "Preparing your desktop" forever and a day and then goes to a black screen where nothing loads, even after several minutes. I can hit CTRL+ALT+DEL and bring up the task manager. Rebooted, logged on in safe mode. Ran DDS and tried running GMER, got this error:

gmer.exe - Application Error

The instruction at 0x0040c4b1 referenced memory at 0x8963ae6e. The memory could not be read.

Click on OK to terminate the program.

Made sure all windows were closed, ran the program again and it blue screened and rebooted. I didn't get a chance to read any errors on the blue screen. Rebooted in safe mode.

Ran it again with nothing else open, and got the same Application Error once again. I didn't touch the mouse pad or anything while it was scanning. I got it to scan once before obviously since I posted that log, so I don't know what's preventing it this time.

I have the DDS logs to post, but I'm posting this from my own computer, so I'll get on that one and make another post and attach the Attach.txt file and post the contents of the other one. I just ran the scan a few minutes ago.

#6 goddessdeath
  • Topic Starter

  • Members
  • 20 posts

Posted 10 October 2010 - 12:10 AM

When I got on the computer with the issue again just now to post the DDS stuff, I tried running GMER one more time, and got the blue screen and reboot sequence again.

Here, however, is the DDS stuff.


DDS (Ver_10-10-10.02) - NTFSx86 NETWORK
Run by admin at 0:42:55.32 on Sun 10/10/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.512 [GMT -4:00]

AV: My Security Shield *On-access scanning enabled* (Updated) {DE06E198-0BA1-4CEE-B144-A7B189641699}
FW: My Security Shield *enabled* {EF661568-CC6E-419B-B7B8-8BB4EADD2CA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\userinit.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\admin\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt21&r=27b506108605l0464ww35a4542y27s
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt21&r=27b506108605l0464ww35a4542y27s
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
IFEO: image file execution options - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\g49jwbb9.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-9-10 17256]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 30112]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2010-2-12 54784]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 236088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2010-2-12 109648]
S2 ePowerSvc;Acer ePower Service;c:\program files\gateway\gateway power management\ePowerSvc.exe [2010-2-12 727584]
S2 Greg_Service;GRegService;c:\program files\gateway\registration\GregHSRW.exe [2009-8-28 1150496]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-15 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-8 1355928]
S2 Updater Service;Updater Service;c:\program files\gateway\gateway updater\UpdaterService.exe [2010-2-12 240160]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 EUCR;EUCR;c:\windows\system32\drivers\EUCR6SK.sys [2010-2-12 82384]
S3 FWYWUIZDJWI;FWYWUIZDJWI;c:\users\jordan\appdata\local\temp\FWYWUIZDJWI.exe [2010-9-28 445312]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-8 15008]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 UIFMOHHWBP;UIFMOHHWBP;c:\users\jordan\appdata\local\temp\UIFMOHHWBP.exe [2010-9-28 424832]
S3 VLBRYFHNKTE;VLBRYFHNKTE;c:\users\jordan\appdata\local\temp\VLBRYFHNKTE.exe [2010-9-28 576384]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

=============== Created Last 30 ================

2010-09-29 03:40:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-29 03:40:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-29 03:40:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-29 03:03:45 -------- d-----w- c:\program files\Trend Micro
2010-09-29 01:24:16 -------- dc-h--w- c:\progra~2\{437292BE-95BD-4B12-B699-6D217A03ACAF}
2010-09-29 01:22:58 -------- d-----w- c:\program files\Lavasoft
2010-09-28 02:33:16 -------- d--h--w- C:\VritualRoot
2010-09-28 02:31:00 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-09-28 02:27:25 -------- d-----w- c:\program files\COMODO
2010-09-28 02:24:40 -------- d-----w- c:\progra~2\Comodo
2010-09-28 02:00:20 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2010-09-27 11:40:53 -------- d-----w- c:\users\admin\appdata\local\Mozilla
2010-09-27 04:50:51 -------- d-----w- c:\users\admin\appdata\local\Western_Digital
2010-09-27 04:50:30 -------- d-----w- c:\users\admin\appdata\roaming\Western Digital
2010-09-27 04:50:19 79136 ----a-w- c:\users\admin\appdata\local\GDIPFONTCACHEV1.DAT
2010-09-27 04:50:18 -------- d-----w- c:\users\admin\appdata\local\Western Digital
2010-09-27 04:50:00 -------- d-----w- c:\users\admin\appdata\local\Apple Computer
2010-09-27 04:35:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-27 04:35:54 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-09-27 00:51:33 -------- d-----w- c:\program files\CCleaner
2010-09-27 00:17:54 -------- d-----w- c:\program files\AVG
2010-09-26 23:24:30 112 ----a-w- c:\progra~2\6A1U4xmxl.dat
2010-09-26 23:23:42 -------- d-----w- c:\progra~2\Malwarebytes
2010-09-24 03:00:39 -------- d-----w- c:\windows\pss
2010-09-22 11:24:48 -------- d-sh--w- c:\progra~2\MSVCJSDGS
2010-09-22 11:24:13 -------- d-sh--w- c:\progra~2\6e257a
2010-09-22 11:04:26 155648 --sha-r- c:\windows\system32\ro-ROA.dll
2010-09-22 11:02:07 349184 ----a-w- c:\windows\system32\uvqru.exe
2010-09-21 23:42:03 6084944 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ec162733-1ef0-4a0b-b1a9-6be250754a35}\mpengine.dll
2010-09-17 08:49:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-09-17 08:49:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-09-17 08:49:19 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-09-17 08:49:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-09-17 08:49:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-09-17 08:49:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-09-17 08:49:18 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-09-17 08:37:55 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-11 03:41:40 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-11 03:40:40 30112 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-11 03:40:40 236088 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-09-11 03:40:38 17256 ----a-w- c:\windows\system32\drivers\cmderd.sys

==================== Find3M ====================

2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-01 13:29:57 144384 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

============= FINISH: 0:44:49.12 ===============


Attached is the Attach file, zipped.




#7 sempai

  • Malware Response Team

Posted 10 October 2010 - 12:11 AM

Hi,

Please confirm that you can boot in safe mode. Thanks.

Sorry, we cross-posted.

Edited by sempai, 10 October 2010 - 12:13 AM.

~Semp

Posted Image
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) and ASAP (Alliance of Security Analysis Professionals)

#8 sempai


Posted 10 October 2010 - 12:25 AM

Please reboot in safe mode with networking and then download and run combofix.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp


#9 goddessdeath

  • Topic Starter

Posted 10 October 2010 - 12:34 AM

Okay, running that on that machine right now...

#10 sempai


Posted 10 October 2010 - 12:43 AM

thumbup2.gif
~Semp


#11 goddessdeath


Posted 10 October 2010 - 01:03 AM

Okay, ran ComboFix. First it came up with a message that it detected the presence of rootkit activity and needed to reboot. Rebooted, got through it all the way, and it got to the screen where it says Preparing Log Report. Do not run any programs until ComboFix has finished. I haven't touched a thing. An error message came up over the ComboFix screen that says:

HIDEC.exe

Windows cannot find 'HIDEC.exe'. Make sure you typed the name correctly, and then try again.

Should I just go ahead and click OK on that message and hope the log generates?

#12 goddessdeath


Posted 10 October 2010 - 01:12 AM

I waited a while to see if it would do anything; it didn't, so I hit OK and it says:

The system cannot find the file HIDEC.exe.
'HIDEC' is not recognized as an internal or external command, operable program or batch file.

Hmm?

#13 sempai


Posted 10 October 2010 - 01:15 AM

Hi,

What happened after that? Can you please check for the log located at C:\ComboFix.txt?
~Semp


#14 goddessdeath


Posted 10 October 2010 - 01:18 AM

Whew!!! It created the log just now:

ComboFix 10-10-09.04 - admin 10/10/2010 1:40.1.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.483 [GMT -4:00]
Running from: c:\users\admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\HBLite
c:\program files\HBLite\bin\11.0.181.0\firefox\extensions\chrome.manifest
c:\program files\HBLite\bin\11.0.181.0\firefox\extensions\install.rdf
c:\program files\HBLite\bin\11.0.181.0\firefox\extensions\plugins\npclntax_HBLiteSA.dll
c:\program files\HBLite\bin\11.0.181.0\HBLiteSAAX.dll
c:\programdata\6e257a
c:\programdata\6e257a\MSSSys\vd952342.bd
c:\programdata\HBLiteSA
c:\programdata\HBLiteSA\HBLiteSA.dat
c:\programdata\HBLiteSA\HBLiteSAAbout.mht
c:\programdata\HBLiteSA\HBLiteSAEULA.mht
c:\users\Jordan\AppData\Local\itecuzuhi.dll
c:\users\Jordan\AppData\Roaming\My Security Shield

Infected copy of c:\windows\system32\drivers\rdyboost.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-10 06:00 . 2010-10-10 06:00 -------- d-----w- c:\users\Jordan\AppData\Local\temp
2010-10-10 06:00 . 2010-10-10 06:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-10 05:30 . 2010-10-10 05:31 -------- d-----w- C:\32788R22FWJFW
2010-09-29 03:40 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-29 03:40 . 2010-09-29 03:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-29 03:40 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-29 03:03 . 2010-09-29 03:03 388096 ----a-r- c:\users\Jordan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-29 03:03 . 2010-09-29 03:03 -------- d-----w- c:\program files\Trend Micro
2010-09-29 01:25 . 2010-09-29 01:25 -------- d-----w- c:\users\Jordan\AppData\Local\Sunbelt Software
2010-09-29 01:24 . 2010-09-29 01:24 -------- dc-h--w- c:\programdata\{437292BE-95BD-4B12-B699-6D217A03ACAF}
2010-09-29 01:22 . 2010-09-29 02:21 -------- d-----w- c:\programdata\Lavasoft
2010-09-29 01:22 . 2010-09-29 01:22 -------- d-----w- c:\program files\Lavasoft
2010-09-28 02:33 . 2010-09-28 02:33 -------- d-----w- C:\VritualRoot
2010-09-28 02:31 . 2010-10-10 06:08 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-09-28 02:27 . 2010-09-28 12:41 -------- d-----w- c:\program files\COMODO
2010-09-28 02:24 . 2010-09-28 02:33 -------- d-----w- c:\programdata\Comodo
2010-09-27 04:47 . 2010-09-27 04:48 -------- d-----w- c:\users\admin
2010-09-27 04:35 . 2010-09-28 01:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-27 04:35 . 2010-09-28 01:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-09-27 02:39 . 2010-09-27 02:39 -------- d-----w- c:\users\Jordan\AppData\Local\ESET
2010-09-27 00:51 . 2010-09-27 00:51 -------- d-----w- c:\program files\CCleaner
2010-09-27 00:17 . 2010-09-27 00:17 -------- d-----w- c:\program files\AVG
2010-09-27 00:04 . 2010-09-27 00:23 -------- d-----w- c:\programdata\NOS
2010-09-27 00:04 . 2010-09-27 00:04 -------- d-----w- c:\program files\NOS
2010-09-26 23:58 . 2010-09-26 23:58 -------- d-----w- c:\users\Jordan\AppData\Local\Mozilla
2010-09-26 23:23 . 2010-09-26 23:23 -------- d-----w- c:\users\Jordan\AppData\Roaming\Malwarebytes
2010-09-26 23:23 . 2010-09-26 23:23 -------- d-----w- c:\programdata\Malwarebytes
2010-09-26 23:03 . 2010-09-26 23:30 -------- d-----w- c:\users\Jordan\AppData\Local\ElevatedDiagnostics
2010-09-22 11:24 . 2010-09-22 11:24 -------- d-sh--w- c:\programdata\MSVCJSDGS
2010-09-22 11:04 . 2010-09-22 11:04 155648 --sha-r- c:\windows\system32\ro-ROA.dll
2010-09-22 11:03 . 2010-09-24 02:50 0 ----a-w- c:\users\Jordan\AppData\Local\Exoganaw.bin
2010-09-22 11:03 . 2010-09-22 11:03 -------- d-----w- c:\users\Jordan\AppData\Local\{2130AB45-9182-44B9-BC96-6CBC6FAE55E7}
2010-09-22 11:02 . 2010-09-22 11:02 349184 ----a-w- c:\windows\system32\uvqru.exe
2010-09-21 23:42 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EC162733-1EF0-4A0B-B1A9-6BE250754A35}\mpengine.dll
2010-09-17 08:49 . 2010-09-17 08:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2010-09-17 08:49 . 2010-09-17 08:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2010-09-17 08:49 . 2010-09-17 08:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2010-09-17 08:49 . 2010-09-17 08:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2010-09-17 08:49 . 2010-09-17 08:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2010-09-17 08:49 . 2010-09-17 08:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2010-09-17 08:49 . 2010-09-17 08:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2010-09-17 08:37 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-11 03:41 . 2010-09-11 03:41 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-11 03:40 . 2010-09-11 03:40 78504 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-09-11 03:40 . 2010-09-11 03:40 30112 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-11 03:40 . 2010-09-11 03:40 236088 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-09-11 03:40 . 2010-09-11 03:40 17256 ----a-w- c:\windows\system32\drivers\cmderd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Gateway\Gateway Power Management\ePowerTray .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Launch Manager\LManager .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\RegWork\RegWork .exe
c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\AutosetFrequency .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-05 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-05 150552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-01-19 8452640]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Users^Jordan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IMVU.lnk]
backup=c:\windows\pss\IMVU.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jordan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jordan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3FWHZQA3LT
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Online Backup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Osizadiyuregad

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 01:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2010-01-29 22:51 600688 ----a-w- c:\program files\Video Web Camera\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cftmon]
2010-09-22 11:02 349184 ----a-w- c:\windows\System32\uvqru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wwekidur]
c:\users\Jordan\AppData\Local\itecuzuhi.dll [N/A]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 136176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-09-08 1355928]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [2010-02-03 82384]
R3 FWYWUIZDJWI;FWYWUIZDJWI;c:\users\Jordan\AppData\Local\Temp\FWYWUIZDJWI.exe [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-09-08 15008]
R3 mvb35316;mvb35316; [x]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 UIFMOHHWBP;UIFMOHHWBP;c:\users\Jordan\AppData\Local\Temp\UIFMOHHWBP.exe [x]
R3 VLBRYFHNKTE;VLBRYFHNKTE;c:\users\Jordan\AppData\Local\Temp\VLBRYFHNKTE.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2010-09-11 17256]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-09-11 236088]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-09-11 30112]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2010-01-13 109648]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-09-30 727584]
S2 Greg_Service;GRegService;c:\program files\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-01-21 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-09-04 54784]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 20:09]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 20:09]

2010-09-28 c:\windows\Tasks\Regwork.job
- c:\program files\RegWork\RegWork .exe [2010-04-29 17:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt21&r=27b506108605l0464ww35a4542y27s
mStart Page = hxxp://www.yahoo.com
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\g49jwbb9.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Malwarebytes' Anti-Malware_is1 - d:\frappe\Malwarebytes' Anti-Malware\unins000.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\guard32.dll
.
Completion time: 2010-10-10 02:16:40
ComboFix-quarantined-files.txt 2010-10-10 06:16

Pre-Run: 202,762,100,736 bytes free
Post-Run: 202,770,173,952 bytes free

- - End Of File - - 527E65307C79CA751893E0B56547E636


#15 sempai


Posted 10 October 2010 - 01:48 AM

Hi,

What is your antivirus program?

Please run the CF script below in safe mode. If ComboFix restarts the PC during its run, make sure to reboot it again in safe mode to complete the process.


We need to execute a ComboFix script. (Tutorials on how to disable your anti-virus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/topic351156.html

KillAll::

Collect::
c:\windows\system32\ro-ROA.dll
c:\windows\system32\uvqru.exe
c:\users\Jordan\AppData\Local\itecuzuhi.dll

File::
c:\users\Jordan\AppData\Local\Exoganaw.bin
c:\users\jordan\appdata\local\temp\FWYWUIZDJWI.exe
c:\users\jordan\appdata\local\temp\UIFMOHHWBP.exe
c:\users\jordan\appdata\local\temp\VLBRYFHNKTE.exe
c:\windows\Tasks\Regwork.job

Driver::
FWYWUIZDJWI
UIFMOHHWBP
VLBRYFHNKTE
mvb35316

Folder::
c:\program files\RegWork

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3FWHZQA3LT]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Osizadiyuregad]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wwekidur]

RenV::
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Gateway\Gateway Power Management\ePowerTray .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Launch Manager\LManager .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\RegWork\RegWork .exe
c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\windows\AutosetFrequency .exe

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

DirLook::
c:\progra~2\MSVCJSDGS


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

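As an added example (not code from this thread, from DDS or from ComboFix), here is a small Python triage script that parses service and file lines in the shape the logs above use, flags the indicators the helper acted on in the CFScript (services whose image lives in a per-user Temp folder or whose image file is missing, and executables with a space inserted before the extension), and renders the matching Driver::, File:: and RenV:: sections. The section names are the CFScript directives used in the post above; the sample log lines are constructed from this thread, and the Temp-folder and spaced-extension checks are the example's own heuristics, not ComboFix's.

```python
"""Triage DDS/ComboFix-style log lines and draft CFScript removal sections.

Added example (not part of the thread, DDS or ComboFix). It recognises the two
line shapes the logs above use and flags what the helper acted on: services
whose image lives in a per-user Temp folder or whose image file is missing
([x]), and executables whose name has a space before the extension. The
Driver::, File:: and RenV:: section names are the CFScript directives used in
the post above; the sample lines are constructed from this thread.
"""
import re
from dataclasses import dataclass

# "<state> <name>;<description>;<image path> [<date size>]" or "... [x]" (file missing).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
# File name with a space before its extension, e.g. "RegWork .exe".
SPACED_EXT_RE = re.compile(r"\S \.(exe|dll|sys|scr)$", re.IGNORECASE)
# Per-user Temp folders on Windows Vista/7 and on XP (heuristic, compared case-insensitively).
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\local settings\\temp\\", re.IGNORECASE)

# Constructed sample: a mix of legitimate and suspicious lines in the shapes seen above.
SAMPLE_LOG = r"""
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 136176]
R3 FWYWUIZDJWI;FWYWUIZDJWI;c:\users\Jordan\AppData\Local\Temp\FWYWUIZDJWI.exe [x]
R3 mvb35316;mvb35316; [x]
S3 UIFMOHHWBP;UIFMOHHWBP;c:\users\jordan\appdata\local\temp\UIFMOHHWBP.exe [2010-9-28 424832]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
c:\program files\iTunes\iTunesHelper.exe
c:\program files\RegWork\RegWork .exe
c:\windows\AutosetFrequency .exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "service" or "file"
    name: str    # service name, or the file path for file findings
    path: str    # image path ("" when the log shows none)
    reason: str


def triage_service_line(line):
    """Return a Finding for a service line that matches an indicator, else None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    name, path, meta = m["name"].strip(), m["path"].strip(), m["meta"].strip()
    if TEMP_DIR_RE.search(path):
        return Finding("service", name, path, "image runs from a per-user Temp folder")
    if meta == "x":
        return Finding("service", name, path, "registered service whose image file is missing")
    return None


def triage_file_line(line):
    """Return a Finding for a file path whose name has a space before the extension."""
    path = line.strip()
    if SPACED_EXT_RE.search(path):
        return Finding("file", path, path, "space inserted before the file extension")
    return None


def triage(lines):
    """Run both checks over log lines; lines matching neither are ignored."""
    findings = []
    for line in lines:
        f = triage_service_line(line) or triage_file_line(line)
        if f is not None:
            findings.append(f)
    return findings


def render_cfscript(findings):
    """Render findings as Driver::, File:: and RenV:: sections, each sorted and deduplicated."""
    drivers = sorted({f.name for f in findings if f.kind == "service"})
    files = sorted({f.path for f in findings if f.kind == "service" and f.path})
    renamed = sorted({f.path for f in findings if f.kind == "file"})
    out = []
    for header, items in (("Driver::", drivers), ("File::", files), ("RenV::", renamed)):
        if items:
            out.extend([header, *items, ""])
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.kind:7} {f.name}: {f.reason}")
    print()
    print(render_cfscript(found))
```

Running it against the sample lists the three Temp/missing services and the two spaced-extension executables, then prints the three script sections; a legitimate service such as WDC_SAM and a normally named iTunesHelper.exe produce no finding.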
