BleepingComputer.com: HijackThis.log - Is this clean?

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

HijackThis.log - Is this clean?

#1 User is offline   Croftie 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 13-November 11

Posted 13 November 2011 - 09:04 PM

Hi, can you see anything suspicious in my log?

Noscript is warning of an XSS attempt.

Thanks,
Croftie

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:51:39, on 14/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
C:\Program Files\PhenomMsrTweaker\PhenomMsrTweakerService.exe
C:\Program Files\pycron\pycron.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\Downloads\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - :C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - :C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - :C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: GB-PVR Tray.lnk = C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
O4 - Startup: ~Disabled
O4 - Global Startup: ~Disabled
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B59FEAC8-A146-433C-8F26-FDC2BE12F942}: NameServer = 62.6.40.178,194.74.65.68,192.168.1.254
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AODService - Unknown owner - C:\Program Files\AMD\OverDrive\AODAssist.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd. - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NPVR Recording Service - Menten Holdings Ltd - C:\Program Files\NPVR\NRecord.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: PhenomMsrTweaker service (PhenomMsrTweaker) - Unknown owner - C:\Program Files\PhenomMsrTweaker\PhenomMsrTweakerService.exe
O23 - Service: Python Cron Service (PyCron) - Unknown owner - C:\Program Files\pycron\pycron.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 5903 bytes

#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 18 November 2011 - 09:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427779 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 November 2011 - 11:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Posted Image
Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt

  • Save both reports to your desktop.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.

  • Do not install any other programs until this if fixed.[/b]

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===

Please post the logs and let me know if the problem persists.

Post the logs for my review.

#4 User is offline   Croftie 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 13-November 11

Posted 22 November 2011 - 03:44 PM

Hi nasdaq, thanks for you help. I should say I got impatient and ran ComboFix.exe myself, it found and removed some stuff and virus scanners now come back clean. I would still appreciate you checking it though incase.

I have followed your instructions and the logs are below. NOTE: ComboFix has removed "Hotfix EXtr4cT0r.exe" which is a compiled Autoit script I made myself so it should be clean unless a virus has infected it.

Anyway here are the logs. Thanks again.

DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 6.0.2900.5512
Run by Administrator at 20:28:04 on 2011-11-22
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3452.3019 [GMT 0:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
C:\Program Files\PhenomMsrTweaker\PhenomMsrTweakerService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - :c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - :c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\gb-pvr~1.lnk - c:\program files\devnz\gbpvr\GBPVRTray.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\~disab~1\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\~disab~1\nextpv~1.lnk - c:\program files\npvr\NTray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{B59FEAC8-A146-433C-8F26-FDC2BE12F942} : NameServer = 62.6.40.178,194.74.65.68,192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2011-2-20 210000]
R0 hotcore;hotcore;c:\windows\system32\drivers\hotcore.sys [2011-2-20 18208]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-3-6 98160]
R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2011-8-12 1412488]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 PhenomMsrTweaker;PhenomMsrTweaker service;c:\program files\phenommsrtweaker\PhenomMsrTweakerService.exe [2010-6-3 158720]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2011-5-23 66816]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-5-23 218688]
R3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\du meter\DUM_XP32.sys [2011-8-12 14992]
R3 VME900;VideoMate SAA716X capture service;c:\windows\system32\drivers\CPhilMAS.sys [2011-2-20 1271256]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\phenommsrtweaker\WinRing0.sys [2010-6-3 14416]
S2 AODService;AODService;c:\program files\amd\overdrive\AODAssist.exe [2010-7-1 136616]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\admini~1\locals~1\temp\alsysio.sys --> c:\docume~1\admini~1\locals~1\temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-20 1691480]
S3 arusb(TP-LINK);Wireless Network Adapter Service(TP-LINK);c:\windows\system32\drivers\arusb.sys [2011-10-23 598528]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2011-2-21 17488]
S3 NPVR Recording Service;NPVR Recording Service;c:\program files\npvr\NRecord.exe [2011-8-29 46080]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-11-19 62208]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-11-19 141568]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2009-7-31 341504]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]
S4 PyCron;Python Cron Service;c:\program files\pycron\pycron.exe [2006-6-5 24576]
.
=============== Created Last 30 ================
.
2011-11-22 20:17:57	599040	------w-	c:\windows\system32\dllcache\crypt32.dll
2011-11-22 18:22:55	--------	d-----w-	c:\windows\SHELLNEW
2011-11-22 17:55:16	--------	d-----w-	C:\1
2011-11-22 17:18:14	--------	d-----w-	c:\program files\Quick Batch File Compiler
2011-11-18 12:42:34	--------	d-----w-	c:\documents and settings\administrator\local settings\application data\ISL
2011-11-18 12:42:11	--------	d-----w-	c:\program files\ISL
2011-11-18 11:59:24	--------	d-----w-	c:\documents and settings\administrator\.gimp-2.6
2011-11-18 11:59:02	--------	d-----w-	c:\program files\GIMP-2.0
2011-11-18 11:48:44	--------	d-----w-	c:\program files\common files\GTK
2011-11-18 11:46:12	--------	d-----w-	c:\program files\UFRaw
2011-11-16 08:53:34	--------	d-----w-	c:\windows\system32\wbem\framework\root\OpenHardwareMonitor
2011-11-16 08:53:34	--------	d-----w-	c:\windows\system32\wbem\framework\root
2011-11-16 08:53:34	--------	d-----w-	c:\windows\system32\wbem\Framework
2011-11-14 17:32:33	22032	----a-w-	c:\windows\DCEBoot.exe
2011-11-09 11:12:02	--------	d--h--w-	c:\windows\$hf_mig$
2011-11-09 11:12:00	692736	------w-	c:\windows\system32\dllcache\inetcomm.dll
2011-11-08 17:33:02	53472	----a-w-	c:\windows\system32\dllcache\wuauclt.exe
2011-11-08 00:53:38	--------	d-----w-	c:\windows\system32\xircom
2011-11-08 00:53:38	--------	d-----w-	c:\windows\system32\wbem\snmp
2011-11-08 00:53:38	--------	d-----w-	c:\program files\msn gaming zone
2011-11-08 00:42:22	98816	----a-w-	c:\windows\sed.exe
2011-11-08 00:42:22	518144	----a-w-	c:\windows\SWREG.exe
2011-11-08 00:42:22	256000	----a-w-	c:\windows\PEV.exe
2011-11-08 00:42:22	208896	----a-w-	c:\windows\MBR.exe
2011-11-08 00:21:29	--------	d-----w-	c:\program files\ESET
2011-10-31 18:07:54	--------	d-----w-	c:\documents and settings\all users\application data\NPVR
2011-10-31 18:07:36	--------	d-----w-	c:\program files\NPVR
2011-10-28 04:10:32	--------	d-----w-	c:\program files\GSpot270a
2011-10-27 00:26:01	--------	d-----w-	c:\documents and settings\administrator\local settings\application data\HandBrake
2011-10-27 00:26:01	--------	d-----w-	c:\documents and settings\administrator\application data\HandBrake
2011-10-27 00:25:58	--------	d-----w-	c:\program files\Handbrake
.
==================== Find3M  ====================
.
2011-11-16 21:03:50	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-23 16:57:55	376832	----a-w-	c:\windows\system32\AegisI5Installer.exe
2011-10-23 16:57:55	21361	----a-w-	c:\windows\system32\drivers\AegisP.sys
2011-10-11 01:34:23	2238952	----a-w-	c:\windows\system32\cpuz158.exe
2011-10-10 14:22:41	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-03 05:06:03	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-03 02:37:52	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 10:41:20	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 10:41:14	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-09-05 13:56:22	667136	----a-w-	c:\windows\system32\wininet.dll
2011-09-05 13:56:22	61952	----a-w-	c:\windows\system32\tdc.ocx
2011-09-05 13:56:21	81920	----a-w-	c:\windows\system32\ieencode.dll
2011-09-05 12:35:09	369664	----a-w-	c:\windows\system32\html.iec
2010-08-15 16:22:10	48640	----a-w-	c:\program files\FLVExtract.exe
.
============= FINISH: 20:28:08.15 ===============



ComboFix.txt
ComboFix 11-11-22.01 - Administrator 22/11/2011  20:30:20.4.6 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3452.2934 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\chrtmp
c:\documents and settings\Administrator\Application Data\crack.exe
c:\documents and settings\Administrator\SendTo\Hotfix EXtr4cT0r.exe
c:\documents and settings\All Users\Application Data\TEMP
C:\Documents
.
.
(((((((((((((((((((((((((   Files Created from 2011-10-22 to 2011-11-22  )))))))))))))))))))))))))))))))
.
.
2011-11-22 20:17 . 2011-09-28 07:06	599040	------w-	c:\windows\system32\dllcache\crypt32.dll
2011-11-22 18:22 . 2011-11-22 18:22	--------	d-----w-	c:\windows\SHELLNEW
2011-11-22 18:22 . 2011-11-22 18:22	--------	d-----r-	C:\MSOCache
2011-11-22 17:55 . 2011-11-22 17:55	--------	d-----w-	C:\1
2011-11-22 17:18 . 2011-11-22 17:18	--------	d-----w-	c:\program files\Quick Batch File Compiler
2011-11-18 12:42 . 2011-11-18 12:42	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\ISL
2011-11-18 12:42 . 2011-11-18 12:42	--------	d-----w-	c:\program files\ISL
2011-11-18 11:59 . 2011-11-18 12:06	--------	d-----w-	c:\documents and settings\Administrator\.gimp-2.6
2011-11-18 11:59 . 2011-11-18 11:59	--------	d-----w-	c:\program files\GIMP-2.0
2011-11-18 11:48 . 2011-11-18 11:48	--------	d-----w-	c:\program files\Common Files\GTK
2011-11-18 11:46 . 2011-11-18 11:51	--------	d-----w-	c:\program files\UFRaw
2011-11-16 08:53 . 2011-11-16 08:53	--------	d-----w-	c:\windows\system32\wbem\Framework
2011-11-14 17:32 . 2011-11-14 17:32	22032	----a-w-	c:\windows\DCEBoot.exe
2011-11-09 11:12 . 2011-11-22 20:22	--------	d--h--w-	c:\windows\$hf_mig$
2011-11-09 11:12 . 2011-10-10 14:22	692736	------w-	c:\windows\system32\dllcache\inetcomm.dll
2011-11-08 17:33 . 2009-08-06 19:24	53472	----a-w-	c:\windows\system32\wuauclt.exe
2011-11-08 17:33 . 2009-08-06 19:24	53472	----a-w-	c:\windows\system32\dllcache\wuauclt.exe
2011-11-08 00:53 . 2011-11-08 00:53	--------	d-----w-	c:\windows\system32\xircom
2011-11-08 00:53 . 2011-11-08 00:53	--------	d-----w-	c:\windows\system32\wbem\snmp
2011-11-08 00:53 . 2011-11-08 00:53	--------	d-----w-	c:\program files\microsoft frontpage
2011-11-08 00:33 . 2011-11-08 00:33	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-11-08 00:21 . 2011-11-14 17:34	--------	d-----w-	c:\program files\ESET
2011-11-08 00:20 . 2011-11-08 00:20	--------	d-----w-	c:\program files\Common Files\Java
2011-11-07 23:13 . 2011-11-07 23:13	--------	d-s---w-	c:\documents and settings\LocalService\UserData
2011-10-31 18:07 . 2011-11-12 04:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\NPVR
2011-10-31 18:07 . 2011-10-31 18:07	--------	d-----w-	c:\program files\NPVR
2011-10-28 04:10 . 2011-10-28 04:10	--------	d-----w-	c:\program files\GSpot270a
2011-10-27 00:26 . 2011-10-27 00:26	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\HandBrake
2011-10-27 00:26 . 2011-10-27 00:26	--------	d-----w-	c:\documents and settings\Administrator\Application Data\HandBrake
2011-10-27 00:25 . 2011-10-27 00:25	--------	d-----w-	c:\program files\Handbrake
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 21:03 . 2011-05-12 22:37	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-23 16:57 . 2011-10-23 16:57	376832	----a-w-	c:\windows\system32\AegisI5Installer.exe
2011-10-23 16:57 . 2011-10-23 16:57	21361	----a-w-	c:\windows\system32\drivers\AegisP.sys
2011-10-11 01:34 . 2011-10-11 01:34	2238952	----a-w-	c:\windows\system32\cpuz158.exe
2011-10-10 14:22 . 2011-02-20 22:14	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-03 05:06 . 2011-03-25 01:57	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-03 02:37 . 2011-03-25 01:57	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2008-04-14 11:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 19:59	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2008-04-14 11:00	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2008-04-14 11:00	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2011-02-20 18:19	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-09-05 13:56 . 2011-02-20 18:19	667136	----a-w-	c:\windows\system32\wininet.dll
2011-09-05 13:56 . 2011-02-20 18:19	61952	----a-w-	c:\windows\system32\tdc.ocx
2011-09-05 13:56 . 2011-02-20 18:19	81920	----a-w-	c:\windows\system32\ieencode.dll
2011-09-05 12:35 . 2011-02-20 18:19	369664	----a-w-	c:\windows\system32\html.iec
2010-08-15 16:22 . 2011-08-12 13:41	48640	----a-w-	c:\program files\FLVExtract.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-04-29 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 16:50	21864	----a-w-	c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
GB-PVR Tray.lnk - c:\program files\Devnz\GBPVR\GBPVRTray.exe [2009-8-30 208896]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\~Disabled
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-5-23 576000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\~Disabled
NextPVR Tray.lnk - c:\program files\NPVR\NTray.exe [2011-8-29 26624]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	PDBoot.exe\0autocheck autochk *
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [20/02/2011 18:20 210000]
R0 hotcore;hotcore;c:\windows\system32\drivers\hotcore.sys [20/02/2011 22:54 18208]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [06/03/2011 17:54 98160]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [12/08/2011 13:38 1412488]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [09/10/2007 12:13 38144]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [23/05/2011 13:48 66816]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22/10/2009 05:00 70704]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [23/05/2011 15:03 218688]
R3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter\DUM_XP32.sys [12/08/2011 13:38 14992]
R3 VME900;VideoMate SAA716X capture service;c:\windows\system32\drivers\CPhilMAS.sys [20/02/2011 23:42 1271256]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\PhenomMsrTweaker\WinRing0.sys [03/06/2010 13:54 14416]
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe [01/07/2010 04:45 136616]
S2 PhenomMsrTweaker;PhenomMsrTweaker service;c:\program files\PhenomMsrTweaker\PhenomMsrTweakerService.exe [03/06/2010 13:54 158720]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [20/02/2011 22:52 1691480]
S3 arusb(TP-LINK);Wireless Network Adapter Service(TP-LINK);c:\windows\system32\drivers\arusb.sys [23/10/2011 17:11 598528]
S3 etdrv;etdrv;c:\windows\etdrv.sys [21/02/2011 23:11 17488]
S3 NPVR Recording Service;NPVR Recording Service;c:\program files\NPVR\NRecord.exe [29/08/2011 20:07 46080]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [19/11/2010 02:34 62208]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [19/11/2010 02:34 141568]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [31/07/2009 14:12 341504]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/10/2009 03:47 563760]
S4 PyCron;Python Cron Service;c:\program files\pycron\pycron.exe [05/06/2006 19:57 24576]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WINRING0_1_2_0
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: Interfaces\{B59FEAC8-A146-433C-8F26-FDC2BE12F942}: NameServer = 62.6.40.178,194.74.65.68,192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-22 20:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-616249376-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D61FD0F-1826-F63F-7E8B-4611F376F911}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iafmjdkhiehcabkmpp"=hex:6b,61,62,6e,63,6e,63,67,6b,62,6f,67,70,63,6e,6d,69,64,
   70,69,66,6d,00,00
"haljpggnbhjenlmk"=hex:6b,61,62,6e,63,6e,63,67,6b,62,6f,67,70,63,6e,6d,69,64,
   70,69,66,6d,00,00
"gaelodijgkcmga"=hex:61,63,69,6f,63,6d,63,62,61,64,70,69,65,69,66,6f,70,64,64,
   6a,6f,63,6a,62,68,64,63,63,61,63,6e,67,69,6f,65,6d,69,6e,6b,6c,6c,6d,68,6d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{376f9565-9d4e-4b1b-8c9a-d265e6adb91c}]
@Denied: (Full) (Everyone)
"Model"=dword:00000125
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):62,49,01,22,7d,2d,4b,2d,ee,1d,ec,ff,1d,fd,ae,76,2d,b2,a2,c3,4d,
   50,04,20,8a,7c,1d,5b,98,9a,6b,9a,7d,63,b4,1f,9d,b2,db,16,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):42,49,ec,4e,be,89,43,d7,11,26,26,58,e0,2c,37,f9,74,32,0b,d9,84,
   74,2e,de,2d,26,43,bb,bd,90,30,c8,46,35,5a,ff,e7,95,80,33,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ce98564e-99bf-430e-926a-4ef4b8bed1ff}]
@Denied: (Full) (Everyone)
"Model"=dword:000000df
"Therad"=dword:00000018
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\system32\antiwpa.dll
.
Completion time: 2011-11-22  20:31:50
ComboFix-quarantined-files.txt  2011-11-22 20:31
ComboFix2.txt  2011-11-08 02:59
.
Pre-Run: 5,907,677,184 bytes free
Post-Run: 5,895,909,376 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="0" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(3)partition(1)\WINDOWS="3" /noexecute=optin /fastdetect
.
- - End Of File - - B9387C0C41AAA2D2DD224CF19E0F23C9



checkup.txt
 Results of screen317's Security Check version 0.99.28  
 Windows XP Service Pack 3 x86   
 Internet Explorer 6 [color=red][b]Out of date![/b][/color] 
[b]`````````````````````````````` 
[u]Antivirus/Firewall Check:[/u][/b] 
 [color=red][b]Windows Security Center service is not running! This report may not be accurate![/b][/color] 
 ESET Online Scanner v3   
 [size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size] 
[b]``````````````````````````````` 
[u]Anti-malware/Other Utilities Check:[/u][/b] 
 Java(TM) 6 Update 29  
 Java(TM) SE Development Kit 6 Update 24 
 Adobe Flash Player 	11.1.102.55  
 Mozilla Firefox ((3.6.24)) [color=red][b]Firefox Out of Date![/b][/color]  
 Mozilla Thunderbird (3.1.16) [color=red][b]Thunderbird Out of Date![/b][/color]  
[b]```````````````````````````````` 
Process Check:  
[u]objlist.exe by Laurent[/u][/b] 
[b]``````````End of Log````````````[/b]

#5 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 November 2011 - 09:45 AM

Your logs are clean.

If you know that this file Hotfix EXtr4cT0r.exe is clean you can restore it from quanrantine.
The script below will also clean your Java Cache.

Open notepad and copy/paste the text in the quote box below into it:

DEQUARANTINE::
c:\qoobox\quarantine\c\documents and settings\Administrator\SendTo\Hotfix EXtr4cT0r.exe.vir

ClearJavaCache::


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

===

Quote

Noscript is warning of an XSS attempt.


This may be a false positive. Have a look at this page.

http://noscript.net/features

You may be able to find the culprit.

#6 User is offline   Croftie 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 13-November 11

Posted 23 November 2011 - 11:54 AM

Thanks, that's good to know :)

I'll have a look at that link and here are the latest logs. ComboFix asked if I wanted to update to a new version when dropping that file onto it and I said yes.

DeQuarantine.txt
c:\qoobox\quarantine\c\documents and settings\Administrator\SendTo\Hotfix EXtr4cT0r.exe.vir -> c:\documents and settings\Administrator\SendTo\Hotfix EXtr4cT0r.exe ( 1004562 bytes )


btw the hotfix extractor wasn't infected, it's MD5 matched an origional copy.

ComboFix.txt
ComboFix 11-11-23.01 - Administrator 23/11/2011  16:39:09.5.6 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3452.2896 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\SendTo\Hotfix EXtr4cT0r.exe
c:\documents and settings\All Users\Application Data\TEMP
.
.
(((((((((((((((((((((((((   Files Created from 2011-10-23 to 2011-11-23  )))))))))))))))))))))))))))))))
.
.
2011-11-23 01:06 . 2011-11-23 01:08	--------	d-----w-	c:\documents and settings\Administrator\Application Data\HandBrake
2011-11-23 01:06 . 2011-11-23 01:06	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\HandBrake
2011-11-23 01:06 . 2011-11-23 01:06	--------	d-----w-	c:\program files\Handbrake
2011-11-22 20:17 . 2011-09-28 07:06	599040	------w-	c:\windows\system32\dllcache\crypt32.dll
2011-11-22 18:22 . 2011-11-22 18:22	--------	d-----w-	c:\windows\SHELLNEW
2011-11-22 18:22 . 2011-11-22 18:22	--------	d-----r-	C:\MSOCache
2011-11-22 17:55 . 2011-11-22 17:55	--------	d-----w-	C:\1
2011-11-22 17:18 . 2011-11-22 17:18	--------	d-----w-	c:\program files\Quick Batch File Compiler
2011-11-18 12:42 . 2011-11-18 12:42	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\ISL
2011-11-18 12:42 . 2011-11-18 12:42	--------	d-----w-	c:\program files\ISL
2011-11-18 11:59 . 2011-11-18 12:06	--------	d-----w-	c:\documents and settings\Administrator\.gimp-2.6
2011-11-18 11:59 . 2011-11-18 11:59	--------	d-----w-	c:\program files\GIMP-2.0
2011-11-18 11:48 . 2011-11-18 11:48	--------	d-----w-	c:\program files\Common Files\GTK
2011-11-18 11:46 . 2011-11-18 11:51	--------	d-----w-	c:\program files\UFRaw
2011-11-16 08:53 . 2011-11-16 08:53	--------	d-----w-	c:\windows\system32\wbem\Framework
2011-11-14 17:32 . 2011-11-14 17:32	22032	----a-w-	c:\windows\DCEBoot.exe
2011-11-09 11:12 . 2011-11-22 20:22	--------	d--h--w-	c:\windows\$hf_mig$
2011-11-09 11:12 . 2011-10-10 14:22	692736	------w-	c:\windows\system32\dllcache\inetcomm.dll
2011-11-08 17:33 . 2009-08-06 19:24	53472	----a-w-	c:\windows\system32\wuauclt.exe
2011-11-08 17:33 . 2009-08-06 19:24	53472	----a-w-	c:\windows\system32\dllcache\wuauclt.exe
2011-11-08 00:53 . 2011-11-08 00:53	--------	d-----w-	c:\windows\system32\xircom
2011-11-08 00:53 . 2011-11-08 00:53	--------	d-----w-	c:\windows\system32\wbem\snmp
2011-11-08 00:53 . 2011-11-08 00:53	--------	d-----w-	c:\program files\microsoft frontpage
2011-11-08 00:33 . 2011-11-08 00:33	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-11-08 00:21 . 2011-11-14 17:34	--------	d-----w-	c:\program files\ESET
2011-11-08 00:20 . 2011-11-08 00:20	--------	d-----w-	c:\program files\Common Files\Java
2011-11-07 23:13 . 2011-11-07 23:13	--------	d-s---w-	c:\documents and settings\LocalService\UserData
2011-10-31 18:07 . 2011-11-12 04:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\NPVR
2011-10-31 18:07 . 2011-10-31 18:07	--------	d-----w-	c:\program files\NPVR
2011-10-28 04:10 . 2011-10-28 04:10	--------	d-----w-	c:\program files\GSpot270a
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 21:03 . 2011-05-12 22:37	414368	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-23 16:57 . 2011-10-23 16:57	376832	----a-w-	c:\windows\system32\AegisI5Installer.exe
2011-10-23 16:57 . 2011-10-23 16:57	21361	----a-w-	c:\windows\system32\drivers\AegisP.sys
2011-10-11 01:34 . 2011-10-11 01:34	2238952	----a-w-	c:\windows\system32\cpuz158.exe
2011-10-10 14:22 . 2011-02-20 22:14	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-10-03 05:06 . 2011-03-25 01:57	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-10-03 02:37 . 2011-03-25 01:57	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2008-04-14 11:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 19:59	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2008-04-14 11:00	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2008-04-14 11:00	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2011-02-20 18:19	1858944	----a-w-	c:\windows\system32\win32k.sys
2011-09-05 13:56 . 2011-02-20 18:19	667136	----a-w-	c:\windows\system32\wininet.dll
2011-09-05 13:56 . 2011-02-20 18:19	61952	----a-w-	c:\windows\system32\tdc.ocx
2011-09-05 13:56 . 2011-02-20 18:19	81920	----a-w-	c:\windows\system32\ieencode.dll
2011-09-05 12:35 . 2011-02-20 18:19	369664	----a-w-	c:\windows\system32\html.iec
2010-08-15 16:22 . 2011-08-12 13:41	48640	----a-w-	c:\program files\FLVExtract.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-04-29 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
.
(((((((((((((((((((((((((((((   SnapShot@2011-11-22_20.31.24   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 11:00 . 2011-11-23 10:28	701692              c:\windows\system32\perfh009.dat
+ 2008-04-14 11:00 . 2011-11-23 10:28	170100              c:\windows\system32\perfc009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 16:50	21864	----a-w-	c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
GB-PVR Tray.lnk - c:\program files\Devnz\GBPVR\GBPVRTray.exe [2009-8-30 208896]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\~Disabled
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-5-23 576000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\~Disabled
NextPVR Tray.lnk - c:\program files\NPVR\NTray.exe [2011-8-29 26624]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	PDBoot.exe\0autocheck autochk *
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [20/02/2011 18:20 210000]
R0 hotcore;hotcore;c:\windows\system32\drivers\hotcore.sys [20/02/2011 22:54 18208]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [06/03/2011 17:54 98160]
R2 DUMeterSvc;DU Meter Service;c:\program files\DU Meter\DUMeterSvc.exe [12/08/2011 13:38 1412488]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [09/10/2007 12:13 38144]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [23/05/2011 13:48 66816]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [22/10/2009 05:00 70704]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [23/05/2011 15:03 218688]
R3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\DU Meter\DUM_XP32.sys [12/08/2011 13:38 14992]
R3 VME900;VideoMate SAA716X capture service;c:\windows\system32\drivers\CPhilMAS.sys [20/02/2011 23:42 1271256]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\PhenomMsrTweaker\WinRing0.sys [03/06/2010 13:54 14416]
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe [01/07/2010 04:45 136616]
S2 PhenomMsrTweaker;PhenomMsrTweaker service;c:\program files\PhenomMsrTweaker\PhenomMsrTweakerService.exe [03/06/2010 13:54 158720]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [20/02/2011 22:52 1691480]
S3 arusb(TP-LINK);Wireless Network Adapter Service(TP-LINK);c:\windows\system32\drivers\arusb.sys [23/10/2011 17:11 598528]
S3 etdrv;etdrv;c:\windows\etdrv.sys [21/02/2011 23:11 17488]
S3 NPVR Recording Service;NPVR Recording Service;c:\program files\NPVR\NRecord.exe [29/08/2011 20:07 46080]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [19/11/2010 02:34 62208]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [19/11/2010 02:34 141568]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [31/07/2009 14:12 341504]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [22/10/2009 03:47 563760]
S4 PyCron;Python Cron Service;c:\program files\pycron\pycron.exe [05/06/2006 19:57 24576]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: Interfaces\{B59FEAC8-A146-433C-8F26-FDC2BE12F942}: NameServer = 62.6.40.178,194.74.65.68,192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-23 16:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DUMeterSvc]
"ImagePath"="c:\program files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-616249376-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D61FD0F-1826-F63F-7E8B-4611F376F911}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iafmjdkhiehcabkmpp"=hex:6b,61,62,6e,63,6e,63,67,6b,62,6f,67,70,63,6e,6d,69,64,
   70,69,66,6d,00,00
"haljpggnbhjenlmk"=hex:6b,61,62,6e,63,6e,63,67,6b,62,6f,67,70,63,6e,6d,69,64,
   70,69,66,6d,00,00
"gaelodijgkcmga"=hex:61,63,69,6f,63,6d,63,62,61,64,70,69,65,69,66,6f,70,64,64,
   6a,6f,63,6a,62,68,64,63,63,61,63,6e,67,69,6f,65,6d,69,6e,6b,6c,6c,6d,68,6d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{376f9565-9d4e-4b1b-8c9a-d265e6adb91c}]
@Denied: (Full) (Everyone)
"Model"=dword:00000125
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):62,49,01,22,7d,2d,4b,2d,ee,1d,ec,ff,1d,fd,ae,76,2d,b2,a2,c3,4d,
   50,04,20,8a,7c,1d,5b,98,9a,6b,9a,7d,63,b4,1f,9d,b2,db,16,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):42,49,ec,4e,be,89,43,d7,11,26,26,58,e0,2c,37,f9,74,32,0b,d9,84,
   74,2e,de,2d,26,43,bb,bd,90,30,c8,46,35,5a,ff,e7,95,80,33,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ce98564e-99bf-430e-926a-4ef4b8bed1ff}]
@Denied: (Full) (Everyone)
"Model"=dword:000000df
"Therad"=dword:00000018
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2011-11-23  16:40:40
ComboFix-quarantined-files.txt  2011-11-23 16:40
ComboFix2.txt  2011-11-22 20:31
ComboFix3.txt  2011-11-08 02:59
C:\DeQuarantine.txt
.
Pre-Run: 5,867,773,952 bytes free
Post-Run: 5,877,202,944 bytes free
.
- - End Of File - - 481C7C2678E60D48743BA15073A11090

This post has been edited by Croftie: 23 November 2011 - 11:57 AM

#7 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 November 2011 - 01:45 PM

Quote

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\SendTo\Hotfix EXtr4cT0r.exe

Was it deleted again.

If this is the case, run this ComboFix script again.


Open notepad and copy/paste the text in the quote box below into it:

DEQUARANTINE::
c:\qoobox\quarantine\c\documents and settings\Administrator\SendTo\Hotfix EXtr4cT0r.exe.vir
Quit::


No log will be generated.

This is a personal file. ComboFix is finding a string that if normally found on some malware file.
I'm sure it's good. Make sure you have a backup copy.

How is the computer performing.

#8 User is offline   Croftie 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 13-November 11

Posted 23 November 2011 - 02:54 PM

Yeah it was deleted again, so I just went into the quarantine folder, got it's checksum and compared it to a copy I have on a backup drive. It matches and has not been edited so it's clean.

Computer is performing good.

So I guess that is it then?

#9 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 November 2011 - 07:55 AM

Time for some housekeeping
    The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following bold text into the Run box and click OK:

    ComboFix /Uninstall

===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#10 User is offline   Croftie 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 13-November 11

Posted 24 November 2011 - 12:41 PM

Is ComboFix /Uninstall necessary? Or can I just delete the exe?

Thanks for your help nasdaq, people like you and this site are invaluable.

#11 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 November 2011 - 02:10 PM

Please remove with the /Uninstall switch to make sure all is deleted.

#12 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 November 2011 - 09:37 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users