
Help Removing "trojan:win32/virtumonde.o


  • This topic is locked
10 replies to this topic

#1 b3john

Posted 24 August 2007 - 09:32 PM

This is my first post. I did all of the pre-post stuff that the site said to do before posting a HijackThis log. I cleaned my computer, ran Ad-Aware, and Spybot (which found the virus but couldn't delete it). Originally Windows Defender found it and would remove it, then after a restart it showed up again. After Spybot I did malware remover, then the McAfee Stinger, firewall enabled, updated and then ran HijackThis. Below is my log; any help would be great. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:57 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2451] command /c del "C:\WINDOWS\system32\mljjh.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6421] cmd /c del "C:\WINDOWS\system32\mljjh.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9673] command /c del "C:\WINDOWS\system32\mljjh.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6794] cmd /c del "C:\WINDOWS\system32\mljjh.dll_tobedeleted"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8634] command /c del "C:\WINDOWS\system32\mljjh.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1604] cmd /c del "C:\WINDOWS\system32\mljjh.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6785] command /c del "C:\WINDOWS\system32\mljjh.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1148] cmd /c del "C:\WINDOWS\system32\mljjh.dll_tobedeleted"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187379752763
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9314 bytes


#2 Rawe

Posted 25 August 2007 - 06:27 AM

Hello and welcome aboard! :thumbsup:

Firstly, please reboot to let SpyBot finish its spyware removal.

Once rebooted,

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 b3john

Posted 25 August 2007 - 01:02 PM

Rebooted computer and Spybot finished. It still couldn't remove the virtumonde. I then ran ComboFix and below is the log. Thank you for your help.

ComboFix 07-08-25.2 - "Beaner" 2007-08-25 10:30:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Beaner\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\Beaner\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\Beaner\STARTM~1\Programs\Startup\ta_start.lnk
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cqibgaaq.dll
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\gugwyqfn.ini
C:\WINDOWS\system32\hjjlm.bak1
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.tmp
C:\WINDOWS\system32\khfgeef.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\nfqywgug.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\qsuvw.bak1
C:\WINDOWS\system32\qsuvw.ini
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wpbyknuu.dll
C:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))


2007-08-25 10:25 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-24 19:24 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-24 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-23 16:48 <DIR> d-------- C:\Program Files\Microsoft Small Business
2007-08-23 15:54 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-08-23 14:53 <DIR> d-------- C:\46ce9fcaa5df97356880391b48f213
2007-08-22 20:43 6,473 --ahs---- C:\WINDOWS\system32\egfii.bak1
2007-08-22 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-22 19:09 6,473 --ahs---- C:\WINDOWS\system32\bddgh.bak1
2007-08-22 18:00 6,473 --ahs---- C:\WINDOWS\system32\vvyxx.bak1
2007-08-22 16:19 6,473 --ahs---- C:\WINDOWS\system32\gillm.bak1
2007-08-22 09:12 6,473 --ahs---- C:\WINDOWS\system32\fhiii.bak1
2007-08-22 08:59 <DIR> d--hs---- C:\WINDOWS\QnJldHQgSm9obg
2007-08-22 08:59 <DIR> d-------- C:\WINDOWS\system32\temps1
2007-08-22 08:59 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-22 08:59 <DIR> d-------- C:\WINDOWS\system32\dllz1
2007-08-22 08:59 <DIR> d-------- C:\WINDOWS\system32\cofig32
2007-08-18 06:00 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-07 13:30 163,840 --a------ C:\Program Files\TTX.exe
2007-08-04 13:48 <DIR> d-------- C:\DOCUME~1\Beaner\APPLIC~1\U3
2007-08-04 13:09 73,728 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll
2007-08-04 13:09 262,144 --a------ C:\WINDOWS\system32\TwcToolbarIe7.dll
2007-08-04 13:09 25,600 --a------ C:\WINDOWS\system32\TwcToolInstDll.dll
2007-08-04 13:09 <DIR> d-------- C:\Program Files\The Weather Channel Toolbar
2007-08-04 13:06 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-08-02 18:50 498 --a------ C:\WINDOWS\system32\xscan32.dat
2007-08-02 18:45 <DIR> d--h----- C:\BJPrinter
2007-08-02 18:44 98,304 --a------ C:\WINDOWS\system32\CNCFUT51.DLL
2007-08-02 18:44 90,112 --a------ C:\WINDOWS\system32\CNCAWS51.dll
2007-08-02 18:44 73,728 --a------ C:\WINDOWS\system32\CNCFCM51.DLL
2007-08-02 18:44 69,632 --a------ C:\WINDOWS\system32\CNCFIM51.DLL
2007-08-02 18:44 57,344 --a------ C:\WINDOWS\system32\CNCFSV51.DLL
2007-08-02 18:44 57,344 --a------ C:\WINDOWS\system32\CNCFDs51.exe
2007-08-02 18:44 40,960 --a------ C:\WINDOWS\system32\CNCAAb51.exe
2007-08-02 18:44 229,376 --a------ C:\WINDOWS\system32\CNCAAi51.dll
2007-08-02 18:44 217,088 --a------ C:\WINDOWS\system32\CNCFDl51.dll
2007-08-02 18:44 139,264 --a------ C:\WINDOWS\system32\CNCAMg51.dll
2007-08-02 18:44 126,976 --a------ C:\WINDOWS\system32\CNCAPf51.exe
2007-08-02 18:44 122,880 --a------ C:\WINDOWS\system32\CNCFDO51.DLL
2007-08-02 18:44 118,784 --a------ C:\WINDOWS\system32\CNCFTR51.DLL
2007-08-02 18:44 114,688 --a------ C:\WINDOWS\system32\CNCFIF51.DLL
2007-08-02 18:37 <DIR> d--h----- C:\CanonMP


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 07:35 --------- d-------- C:\Program Files\Microsoft Works
2007-08-24 07:33 --------- d-------- C:\Program Files\Full Tilt Poker
2007-08-23 16:05 --------- d-------- C:\Program Files\Microsoft.NET
2007-08-02 18:49 --------- d-------- C:\Program Files\Common Files\ScanSoft Shared
2007-08-02 18:46 --------- d-------- C:\Program Files\Canon
2007-08-02 18:39 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-03 09:09 --------- d-------- C:\DOCUME~1\Beaner\APPLIC~1\Intuit
2007-07-03 09:09 --------- d-------- C:\DOCUME~1\Beaner\APPLIC~1\Intuit
2007-07-03 09:08 --------- d-------- C:\Program Files\Intuit
2007-07-03 09:08 --------- d-------- C:\Program Files\Common Files\supportsoft
2007-07-03 08:59 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit
2007-07-03 08:55 --------- d-------- C:\Program Files\Common Files\Intuit
2007-07-03 08:53 --------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-07-03 08:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\COMMON FILES
2007-07-03 08:49 --------- d-------- C:\Program Files\MSXML 4.0
2007-06-29 23:08 0 --a------ C:\Program Files\TTC.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-22 22:53 0 --a------ C:\WINDOWS\system32\nmdsregr.exe
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E9BF651-797D-491A-B145-4E2DB4C591B5}]
C:\WINDOWS\system32\wvusq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E972CFB-8F63-4703-B650-C06DCBF7B580}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90D0B11E-D590-4CAA-A298-CFBEFE3797A8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-29 13:17 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-16 18:10]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 16:42]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-10-31 14:46]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-10-31 14:46]
"vptray"="C:\PROGRA~1\NavNT\vptray.exe" [2001-09-24 04:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-25 18:20]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 10:00]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 10:28 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 16:20]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 08:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 00:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 09:00]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-27 00:00]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-04-14 02:28]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 04:51]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusq]
C:\WINDOWS\system32\wvusq.dll

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
R2 SQLBrowser;SQL Server Browser;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-08-25 09:00:00 C:\WINDOWS\Tasks\Brett John Golf 1183682629.job - C:\Program Files\Intuit\QuickBooks 2007\AutoBackupEXE.exe
2007-08-25 17:48:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2004-08-26 02:04:12 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 10:47:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-25 10:51:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-25 10:51

--- E O F ---

#4 Rawe

Posted 25 August 2007 - 01:21 PM

Open notepad and copy/paste the text in the quotebox into it

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E9BF651-797D-491A-B145-4E2DB4C591B5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E972CFB-8F63-4703-B650-C06DCBF7B580}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90D0B11E-D590-4CAA-A298-CFBEFE3797A8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusq]

File::
C:\WINDOWS\system32\egfii.bak1
C:\WINDOWS\system32\bddgh.bak1
C:\WINDOWS\system32\vvyxx.bak1
C:\WINDOWS\system32\gillm.bak1
C:\WINDOWS\system32\fhiii.bak1
C:\WINDOWS\system32\nmdsregr.exe
C:\WINDOWS\system32\wvusq.dll

Folder::
C:\WINDOWS\QnJldHQgSm9obg
C:\WINDOWS\system32\temps1
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\dllz1
C:\WINDOWS\system32\cofig32

Dirlook::
C:\46ce9fcaa5df97356880391b48f213


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. :thumbsup:

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!
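
An added example, not part of the thread and not ComboFix's own code: before a CFScript like the one in post #4 is run, each entry can be checked against the log it was written from, so a mistyped key or path is caught first. The log and script below are constructed excerpts of posts #3 and #4, the function names are this example's own, and the parsing covers only the line shapes shown in this thread.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix log in post #3 (not the full log).
LOG = r"""
2007-08-23 14:53 <DIR> d-------- C:\46ce9fcaa5df97356880391b48f213
2007-08-22 20:43 6,473 --ahs---- C:\WINDOWS\system32\egfii.bak1
2007-08-22 19:09 6,473 --ahs---- C:\WINDOWS\system32\bddgh.bak1
2007-08-22 08:59 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-22 08:59 <DIR> d-------- C:\WINDOWS\system32\cofig32
2007-06-22 22:53 0 --a------ C:\WINDOWS\system32\nmdsregr.exe
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E9BF651-797D-491A-B145-4E2DB4C591B5}]
C:\WINDOWS\system32\wvusq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusq]
C:\WINDOWS\system32\wvusq.dll
"""

# Constructed excerpt of the CFScript in post #4.
CFSCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E9BF651-797D-491A-B145-4E2DB4C591B5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusq]
File::
C:\WINDOWS\system32\egfii.bak1
C:\WINDOWS\system32\bddgh.bak1
C:\WINDOWS\system32\nmdsregr.exe
C:\WINDOWS\system32\wvusq.dll
Folder::
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\cofig32
Dirlook::
C:\46ce9fcaa5df97356880391b48f213
"""

PATH_RE = re.compile(r"[A-Za-z]:\\.*")
KEY_RE = re.compile(r"^\[-?(HKEY_[^\]]+)\]$")


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; section headers end in '::'."""
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2].lower()
        elif line and current:
            m = KEY_RE.match(line)  # strip the "[-...]" delete marker from keys
            sections[current].append(m.group(1) if m else line)
    return dict(sections)


def parse_log(text):
    """Return (paths, points): all paths seen, and registry key -> file it loads."""
    paths, points, key = set(), {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            points[key] = None  # key is listed; no file resolved for it yet
            continue
        p = PATH_RE.search(line)
        if p:
            path = p.group(0).lower()
            paths.add(path)
            if key and line.lower() == path:  # bare path directly under a key
                points[key] = path
        key = None
    return paths, points


def unsupported_entries(script, log):
    """CFScript entries that match nothing in the log: review before running."""
    paths, points = parse_log(log)
    missing = []
    for section, entries in parse_cfscript(script).items():
        known = points if section == "registry" else paths
        missing += [(section, e) for e in entries if e.lower() not in known]
    return missing


def shared_files(log):
    """Files that the log shows loaded from more than one registry key."""
    by_file = defaultdict(list)
    for key, path in parse_log(log)[1].items():
        if path:
            by_file[path].append(key)
    return {f: keys for f, keys in by_file.items() if len(keys) > 1}


if __name__ == "__main__":
    print("not in log:", unsupported_entries(CFSCRIPT, LOG))
    print("loaded from several keys:", shared_files(LOG))
```

On these excerpts every script entry is backed by a log line, and `wvusq.dll` is reported as loaded from both a Browser Helper Object key and the Winlogon Notify key.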

#5 b3john

Posted 25 August 2007 - 02:25 PM

Did as instructed. Thank you again.

ComboFix 07-08-25.2 - "Beaner" 2007-08-25 12:18:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.64 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Beaner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\egfii.bak1
C:\WINDOWS\system32\bddgh.bak1
C:\WINDOWS\system32\vvyxx.bak1
C:\WINDOWS\system32\gillm.bak1
C:\WINDOWS\system32\fhiii.bak1
C:\WINDOWS\system32\nmdsregr.exe
C:\WINDOWS\system32\wvusq.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\QnJldHQgSm9obg
C:\WINDOWS\system32\bddgh.bak1
C:\WINDOWS\system32\cofig32
C:\WINDOWS\system32\cofig32\r1w2821.exe
C:\WINDOWS\system32\dllz1
C:\WINDOWS\system32\egfii.bak1
C:\WINDOWS\system32\fhiii.bak1
C:\WINDOWS\system32\gillm.bak1
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\IBD4\rru22011.exe
C:\WINDOWS\system32\nmdsregr.exe
C:\WINDOWS\system32\temps1
C:\WINDOWS\system32\vvyxx.bak1


((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))


2007-08-25 10:25 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-24 19:24 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-24 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-23 16:48 <DIR> d-------- C:\Program Files\Microsoft Small Business
2007-08-23 15:54 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-08-23 14:53 <DIR> d-------- C:\46ce9fcaa5df97356880391b48f213
2007-08-22 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-18 06:00 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-07 13:30 163,840 --a------ C:\Program Files\TTX.exe
2007-08-04 13:48 <DIR> d-------- C:\DOCUME~1\Beaner\APPLIC~1\U3
2007-08-04 13:09 73,728 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll
2007-08-04 13:09 262,144 --a------ C:\WINDOWS\system32\TwcToolbarIe7.dll
2007-08-04 13:09 25,600 --a------ C:\WINDOWS\system32\TwcToolInstDll.dll
2007-08-04 13:09 <DIR> d-------- C:\Program Files\The Weather Channel Toolbar
2007-08-04 13:06 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-08-02 18:50 498 --a------ C:\WINDOWS\system32\xscan32.dat
2007-08-02 18:45 <DIR> d--h----- C:\BJPrinter
2007-08-02 18:44 98,304 --a------ C:\WINDOWS\system32\CNCFUT51.DLL
2007-08-02 18:44 90,112 --a------ C:\WINDOWS\system32\CNCAWS51.dll
2007-08-02 18:44 73,728 --a------ C:\WINDOWS\system32\CNCFCM51.DLL
2007-08-02 18:44 69,632 --a------ C:\WINDOWS\system32\CNCFIM51.DLL
2007-08-02 18:44 57,344 --a------ C:\WINDOWS\system32\CNCFSV51.DLL
2007-08-02 18:44 57,344 --a------ C:\WINDOWS\system32\CNCFDs51.exe
2007-08-02 18:44 40,960 --a------ C:\WINDOWS\system32\CNCAAb51.exe
2007-08-02 18:44 229,376 --a------ C:\WINDOWS\system32\CNCAAi51.dll
2007-08-02 18:44 217,088 --a------ C:\WINDOWS\system32\CNCFDl51.dll
2007-08-02 18:44 139,264 --a------ C:\WINDOWS\system32\CNCAMg51.dll
2007-08-02 18:44 126,976 --a------ C:\WINDOWS\system32\CNCAPf51.exe
2007-08-02 18:44 122,880 --a------ C:\WINDOWS\system32\CNCFDO51.DLL
2007-08-02 18:44 118,784 --a------ C:\WINDOWS\system32\CNCFTR51.DLL
2007-08-02 18:44 114,688 --a------ C:\WINDOWS\system32\CNCFIF51.DLL
2007-08-02 18:37 <DIR> d--h----- C:\CanonMP


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-24 07:35 --------- d-------- C:\Program Files\Microsoft Works
2007-08-24 07:33 --------- d-------- C:\Program Files\Full Tilt Poker
2007-08-23 16:05 --------- d-------- C:\Program Files\Microsoft.NET
2007-08-02 18:49 --------- d-------- C:\Program Files\Common Files\ScanSoft Shared
2007-08-02 18:46 --------- d-------- C:\Program Files\Canon
2007-08-02 18:39 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-03 09:09 --------- d-------- C:\DOCUME~1\Beaner\APPLIC~1\Intuit
2007-07-03 09:09 --------- d-------- C:\DOCUME~1\Beaner\APPLIC~1\Intuit
2007-07-03 09:08 --------- d-------- C:\Program Files\Intuit
2007-07-03 09:08 --------- d-------- C:\Program Files\Common Files\supportsoft
2007-07-03 08:59 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit
2007-07-03 08:55 --------- d-------- C:\Program Files\Common Files\Intuit
2007-07-03 08:53 --------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-07-03 08:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\COMMON FILES
2007-07-03 08:49 --------- d-------- C:\Program Files\MSXML 4.0
2007-06-29 23:08 0 --a------ C:\Program Files\TTC.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\46ce9fcaa5df97356880391b48f213 ----

2006-10-29 11:33 86856 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.interop.mapi.proptags.dll
2006-10-29 11:33 76616 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.interop.mapi.interfaces.dll
2006-10-29 11:33 64328 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\en-us\bcmhooks.resources.dll
2006-10-29 11:33 640840 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.interop.mapi.impl.dll
2006-10-29 11:33 53064 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.businesssolutions.ecrm.isvdeployment.mapiproperties.dll
2006-10-29 11:33 53064 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.businesssolutions.ecrm.isvdeployment.mapiproperties.dll
2006-10-29 11:33 494408 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.businesssolutions.ecrm.outlookaddin.importexportui.dll
2006-10-29 11:33 494408 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.businesssolutions.ecrm.outlookaddin.importexportui.dll
2006-10-29 11:33 379720 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.interop.ecrm.msforms.dll
2006-10-29 11:33 379720 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.interop.ecrm.msforms.dll
2006-10-29 11:33 359240 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\bcmmsidcrl.managed.dll
2006-10-29 11:33 359240 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\bcmmsidcrl.managed.dll
2006-10-29 11:33 300872 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\bcmcommon.dll
2006-10-29 11:33 300872 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\bcmcommon.dll
2006-10-29 11:33 281416 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\sbaiapiv2.dll
2006-10-29 11:33 280392 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\bcmhistoryaddin.dll
2006-10-29 11:33 2431816 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.businesssolutions.ecrm.outlookaddin.csutils.dll
2006-10-29 11:33 2431816 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.businesssolutions.ecrm.outlookaddin.csutils.dll
2006-10-29 11:33 240456 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.interop.ecrm.mscomctl.dll
2006-10-29 11:33 240456 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.interop.ecrm.mscomctl.dll
2006-10-29 11:33 1661768 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.businesssolutions.ecrm.reports2.dll
2006-10-29 11:33 1661768 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.businesssolutions.ecrm.reports2.dll
2006-10-29 11:33 142152 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.businesssolutions.ecrm.datasync.dll
2006-10-29 11:33 142152 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\iris.mapi.messagestore.dll
2006-10-29 11:33 142152 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.businesssolutions.ecrm.datasync.dll
2006-10-29 11:33 142152 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\iris.mapi.messagestore.dll
2006-10-29 11:33 1389056 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\mssmlbiz.msi
2006-10-29 11:33 138056 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.interop.ecrm.shdocvw.dll
2006-10-29 11:33 138056 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.interop.ecrm.shdocvw.dll
2006-10-29 11:33 129864 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.iris.importexport.dll
2006-10-29 11:33 121672 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.iris.importexportdataaccess.dll
2006-10-29 11:33 1121096 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\businesslayer.dll
2006-10-29 11:33 1121096 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\businesslayer.dll
2006-10-29 11:33 1063752 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\bcmres.dll
2006-10-29 11:33 1063752 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\bcmres.dll
2006-10-29 11:33 1022792 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.businesssolutions.ecrm.outlookaddin.dll
2006-10-29 11:33 1022792 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.businesssolutions.ecrm.outlookaddin.dll
2006-10-29 11:33 101192 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\bcmhooks.dll
2006-10-29 11:32 52040 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.ecrm.axshdocvw.dll
2006-10-29 11:32 52040 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.businesssolutions.ecrm.sbareportaddin.dll
2006-10-29 11:32 52040 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\sbaireporting.dll
2006-10-29 11:32 52040 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.ecrm.axshdocvw.dll
2006-10-29 11:32 52040 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.businesssolutions.ecrm.sbareportaddin.dll
2006-10-29 11:32 31560 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.interop.ecrm.netfw.dll
2006-10-29 11:32 31560 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.interop.ecrm.netfw.dll
2006-10-29 11:32 26952 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\microsoft.interop.ecrm.ole.dll
2006-10-29 11:32 26952 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\microsoft.interop.ecrm.ole.dll
2006-10-24 09:09 269136 --a------ C:\46ce9fcaa5df97356880391b48f213\wizard.exe
2006-10-24 09:06 43880 --a------ C:\46ce9fcaa5df97356880391b48f213\wizardresources.dll
2006-10-24 09:04 11112 --a------ C:\46ce9fcaa5df97356880391b48f213\iinstallhook.dll
2006-10-23 10:33 78530 --a------ C:\46ce9fcaa5df97356880391b48f213\readme.htm
2006-10-06 17:01 355060 --a------ C:\46ce9fcaa5df97356880391b48f213\adp\payapi.cab
2006-10-06 17:01 103936 --a------ C:\46ce9fcaa5df97356880391b48f213\adp\payapi.msi
2006-10-06 17:01 10124 --a------ C:\46ce9fcaa5df97356880391b48f213\wizard.exe.config
2006-10-04 20:01 117096 --a------ C:\46ce9fcaa5df97356880391b48f213\setup.exe
2006-10-03 23:01 301 --a------ C:\46ce9fcaa5df97356880391b48f213\setup.ini
2006-09-22 18:09 350 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\commonappdata\microsoft\business contact manager\registration.xml
2006-09-08 16:10 2585872 --a------ C:\46ce9fcaa5df97356880391b48f213\instmsi3.exe
2006-09-08 16:09 54738624 --a------ C:\46ce9fcaa5df97356880391b48f213\fxia64.exe
2006-09-08 16:09 47400128 --a------ C:\46ce9fcaa5df97356880391b48f213\fxamd64.exe
2006-09-08 16:09 23510720 --a------ C:\46ce9fcaa5df97356880391b48f213\dotnetfx.exe
2006-09-08 11:16 1162 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\readme.htm
2006-09-01 07:08 212992 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\xceed.zip.dll
2006-09-01 07:08 122880 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\xceed.filesystem.dll
2006-09-01 07:08 102400 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\xceed.compression.dll
2006-06-26 11:08 802816 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\xceed.grid.dll
2006-06-26 11:08 299008 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\xceed.grid.uistyle.dll
2006-05-17 13:34 282624 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\mailmerge.accdb
2006-01-17 10:39 5120 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\sbaiui.dll
2006-01-17 10:39 208896 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\sbaiapi.dll
2005-07-01 14:22 16384 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\stdole.dll
2005-02-16 11:17 47 --a------ C:\46ce9fcaa5df97356880391b48f213\autorun.inf
2004-05-17 11:54 4608 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\program files\microsoft small business\business contact manager\extensibility.dll
2004-05-17 11:54 4608 --a------ C:\46ce9fcaa5df97356880391b48f213\bcm\globalassemblycache\extensibility.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-29 13:17 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-16 18:10]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 16:42]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-10-31 14:46]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-10-31 14:46]
"vptray"="C:\PROGRA~1\NavNT\vptray.exe" [2001-09-24 04:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-25 18:20]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 10:00]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 10:28 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 16:20]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 08:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 00:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 09:00]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-27 00:00]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-04-14 02:28]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 04:51]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
R2 SQLBrowser;SQL Server Browser;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-08-25 09:00:00 C:\WINDOWS\Tasks\Brett John Golf 1183682629.job - C:\Program Files\Intuit\QuickBooks 2007\AutoBackupEXE.exe
2007-08-25 17:48:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2004-08-26 02:04:12 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 12:21:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-25 12:23:04
C:\ComboFix-quarantined-files.txt ... 2007-08-25 12:22
C:\ComboFix2.txt ... 2007-08-25 10:51

--- E O F ---

#6 Rawe

Posted 25 August 2007 - 02:30 PM

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a fresh HijackThis log.

Hi there, stranger!

#7 b3john

Posted 25 August 2007 - 08:41 PM

OK here is the report and hijack this log...first is the report second is the log. Thank you.

Incident Status Location

Adware:adware/seekmo Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Beaner\Application Data\Mozilla\Profiles\default\hkddnhkh.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Beaner\Application Data\Mozilla\Profiles\default\hkddnhkh.slt\cookies.txt[.centrport.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Beaner\Cookies\beaner@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Beaner\Cookies\beaner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Beaner\Cookies\beaner@atwola[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Beaner\Cookies\beaner@drivecleaner[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Beaner\Cookies\beaner@questionmarket[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Beaner\Cookies\beaner@tribalfusion[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Beaner\Desktop\ComboFix.exe[nircmd.exe]
Adware:Adware/TTC Not disinfected C:\Program Files\TTX.exe
Virus:Trj/Downloader.PUT Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\IBD4\rru22011.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2007-08-25_104721.27.zip[khfgeef.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
---------------------------------------------------------------------------------------------

HiJack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:49 PM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187379752763
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8713 bytes

#8 Rawe

Posted 26 August 2007 - 04:48 AM

Hi again. Looking SO much better.

Delete the following file & folder:

C:\Program Files\TTX.exe
C:\QooBox


You can also go ahead and delete ComboFix if you want.

--

Have you installed TitanPoker yourself? Is it something you play?

--

Run a scan with HijackThis and checkfix the following object (allow changes if Windows Defender asks):

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


----

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Each should have an icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
----

How is the system running now? Popups? Warnings?

#9 b3john

Posted 26 August 2007 - 10:05 AM

Thank you very much for your help. My computer is running better. I do not get the pop ups and it is quicker. I did download Titan Poker, it's just a site I play on. The only thing I've noticed is some of the ICONS in my internet explorer are not what they are supposed to be. When I go to CHASE website (bank) it has a bear or a boar (may have horns) as the icon. That is not what the icon used to look like. It used to be their own logo. I'm not sure what this means. I have not logged into my account because of the virus. There are a few other ones that come up too. I've seen a panda bear, and that boar or bear has shown up for YAHOO also. Any ideas? Thank you.

#10 Rawe

Posted 26 August 2007 - 11:44 AM

If it's the bookmark icons you are talking about, simply delete the bookmarks and add them back.

#11 Rawe

Posted 09 September 2007 - 11:21 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member.