
Infected With Malware/spyware, Possibly Virtumonde


18 replies to this topic

#1 Quad X

  • Members
  • 32 posts

Posted 23 June 2008 - 02:47 PM

I am having trouble with my computer and it seems to be a spyware/malware infection, possibly the Virtumonde virus. When I first turn the computer on, the background of my desktop is blue, and in yellow writing it reads: "Warning: Spyware threat has been detected on your PC. Your computer has several fatal errors due to spyware activity. It is strongly recommended to install an antispyware software to close all security vulnerabilities. Antispyware software helps protect your PC against spyware and other security threats. Click here to scan your PC for spyware..." I have not clicked on that message due to fear of it actually making things worse. I have also noticed several other unusual things that I suspect may be related to a virus. One, there is now a shortcut link on the desktop for "Internet Security Suite", which I do not know what it is, nor did I intentionally download it. Secondly, there are two other programs that appear when I select "Start" and "All Programs" that I am not familiar with - "Internet Speed Monitor" and "Outerinfo". Finally, when using the internet typically with Mozilla Firefox, I frequently am bombarded with random pop-ups as well as dialog boxes in the lower right corner of the screen that typically say there is a spyware threat and to click on the box to fix the issue. I have never clicked on any of those boxes.

I read the Preparation Guide For Use Before Posting about your Potential Malware Problem, and I followed all of the steps with a few issues. I attempted to scan my computer with the Kaspersky Online Scanner, however whenever it got to the "updates" part, it said that the updates failed to install and that the program needed to be restarted. I tried this several times with the same result, so I moved on without performing that scan. I then proceeded to use Deckard's System Scanner after I manually downloaded and installed HijackThis. The problem I ran into here is that, per your instructions, there should have been two Notepad windows opened with two different reports. I only received one report "main.txt", which I posted per your instructions below. Any help you can offer in aiding me in getting my computer back and functioning properly will be greatly appreciated. Thanks so much for your time!!!

Mike




Deckard's System Scanner v20071014.68
Run by Mikey on 2008-06-23 15:02:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Mikey.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:33 PM, on 6/23/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mikey\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mikey.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {B1F9B61C-2FBA-44AC-AA71-303165832F83} - C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Eeot] "C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Brxri] "C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe"
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/081a80b6ec84b9e54704/netzip/RdxIE2.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/amazingtens.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABDABD8A-9881-4CE8-B1AE-B77E9764A5B2}: NameServer = 151.197.0.38,151.197.0.39
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Mikey/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

--
End of file - 5381 bytes

-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 15:03:51 0 d-------- C:\Program Files\Trend Micro
2008-06-23 11:31:25 0 d-------- C:\Documents and Settings\Mikey\.housecall6.6
2008-06-23 11:30:22 0 d-------- C:\WINDOWS\Sun
2008-06-23 11:30:20 0 d-------- C:\Documents and Settings\Mikey\Application Data\Sun
2008-06-23 11:23:33 0 d-------- C:\Program Files\Java
2008-06-23 11:23:03 0 d-------- C:\Program Files\Common Files\Java
2008-06-23 11:02:32 0 d-------- C:\Program Files\Panda Security
2008-06-23 10:54:15 0 d-------- C:\Program Files\GetPack
2008-06-23 10:54:15 0 d-------- C:\Program Files\GetModule
2008-06-23 10:54:14 0 d-------- C:\Program Files\iCheck
2008-06-22 22:03:32 16384 --a------ C:\WINDOWS\stcloader.exe
2008-06-22 22:03:32 0 d-------- C:\Program Files\stc
2008-06-22 22:03:30 8960 --a------ C:\WINDOWS\voiceip.dll
2008-06-22 22:03:28 21760 --a------ C:\WINDOWS\swin32.dll
2008-06-22 22:03:25 14336 --a------ C:\WINDOWS\cdsm32.dll
2008-06-22 22:03:24 28672 --a------ C:\WINDOWS\bokja.exe
2008-06-22 22:03:16 15616 --a------ C:\WINDOWS\mssvr.exe
2008-06-22 22:03:13 19456 --a------ C:\WINDOWS\mspphe.dll
2008-06-22 22:03:10 26112 --a------ C:\WINDOWS\bjam.dll
2008-06-22 22:03:04 15360 --a------ C:\WINDOWS\2020search2.dll
2008-06-22 22:03:02 8448 --a------ C:\WINDOWS\2020search.dll


-- Find3M Report ---------------------------------------------------------------

2008-06-23 11:23:03 0 d-------- C:\Program Files\Common Files
2008-06-23 11:14:10 0 d-------- C:\Program Files\QdrDrive
2008-06-23 10:54:38 0 d-------- C:\Program Files\Common Files\M?crosoft.NET
2008-06-23 10:54:13 0 d-------- C:\Program Files\QdrPack
2008-06-23 10:54:12 0 d-------- C:\Program Files\QdrModule


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
03/07/2008 10:15 PM 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1F9B61C-2FBA-44AC-AA71-303165832F83}]
C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [05/16/2002 08:07 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/02/2001 08:14 AM]
"ESPN BottomLine"="C:\Program Files\ESPN\BottomLine\bline.exe" []
"Eeot"="C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" [03/16/2008 12:03 PM]
"Brxri"="C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe" [05/29/2008 02:35 PM]
"GetModule18"="C:\Program Files\GetModule\GetModule18.exe" [06/09/2008 05:40 PM]
"GetPack18"="C:\Program Files\GetPack\GetPack18.exe" [06/10/2008 05:08 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe -p

C:\Documents and Settings\Mikey\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [3/16/2008 12:04:37 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [7/14/2002 8:22:02 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 7:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,"

*Newly Created Service* - TMCOMM



-- End of Deckard's System Scanner: finished at 2008-06-23 15:05:25 ------------
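Added example (not part of this thread, and not code from HijackThis, DSS or ComboFix): a small Python script that applies the checks a log reader makes by eye on the HijackThis entries in the post above. It flags (1) anything other than the default userinit.exe in the Userinit value shown on the F2 line, (2) O2 BHO entries whose file is gone, and (3) O4 autostart entries whose binary carries a Windows system-process name (csrss.exe, taskmgr.exe, ...) but lives outside C:\WINDOWS or its System32 folder. HijackThis prints a character it cannot render as "?", so the script treats "?" in a file name as a wildcard and matches t?skmgr.exe against taskmgr.exe. The SAMPLE_LOG lines are constructed after the posted log rather than copied from it, and SYSTEM_DIRS and DEFAULT_USERINIT assume Windows installed at C:\WINDOWS.

```python
"""
Heuristic triage of HijackThis-style log lines.

Added example for this thread; it is not HijackThis, DSS or ComboFix code, and
SAMPLE_LOG below is constructed after the entries in the posted log rather than
copied from it.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample modelled on the posted log (not a verbatim copy).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Eeot] "C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Brxri] "C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe"
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
"""

# Names that only belong in the Windows directory or System32 (assumption: the
# usual XP layout on C:\WINDOWS).
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "taskmgr.exe", "spoolsv.exe", "userinit.exe",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

_RUN_KEY = re.compile(r"O4 - .*?\[[^\]]*\] (?P<cmd>.+)$")
_STARTUP_LNK = re.compile(r"O4 - (?:Global )?Startup: .+?\.lnk = (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def _run_command(line):
    """Return the command of an O4 Run-key or Startup-folder entry, or None."""
    for pattern in (_RUN_KEY, _STARTUP_LNK):
        m = pattern.match(line)
        if m:
            return m.group("cmd").strip()
    return None


def _image_path(command):
    """First token of a command line, honouring quotes and unquoted paths with spaces."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def _masquerades_as_system_binary(basename):
    """HijackThis prints an unrenderable character as '?'; treat it as a wildcard."""
    pattern = re.escape(basename.lower()).replace(r"\?", ".")
    return any(re.fullmatch(pattern, name) for name in SYSTEM_PROCESS_NAMES)


def triage(log_text):
    """Apply the three heuristics to every line and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            # winlogon runs every comma-separated entry at logon; only the default belongs here.
            value = line.split("=", 1)[1]
            for entry in filter(None, (e.strip() for e in value.split(","))):
                if entry.lower() != DEFAULT_USERINIT:
                    findings.append(Finding("userinit-extra", entry, line))
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            # Registration left behind after the DLL was removed: harmless now, but clean it up.
            clsid = re.search(r"\{[0-9a-fA-F-]+\}", line)
            findings.append(Finding("orphan-bho", clsid.group(0) if clsid else "?", line))
        elif line.startswith("O4 - "):
            command = _run_command(line)
            if command is None:
                continue
            path = _image_path(command)
            if "?" in path:
                findings.append(Finding("non-ascii-path", path, line))
            base, directory = ntpath.basename(path), ntpath.dirname(path).lower()
            if _masquerades_as_system_binary(base) and directory not in SYSTEM_DIRS:
                findings.append(Finding("system-name-outside-system32", path, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.detail}")
```

A hit from these rules is a starting point for manual review, not proof of infection: legitimate software also uses 8.3 short paths, as the avast entry shows, and the Userinit check compares against the default value rather than testing whether the listed files still exist, because winlogon consults the value itself at every logon.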



#2 rookie147

  • Members
  • 5,321 posts

Posted 23 June 2008 - 03:07 PM

Hello there Mike and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Quad X
  • Topic Starter

  • Members
  • 32 posts

Posted 23 June 2008 - 07:26 PM

Hi Charles, thanks so much for replying to my post. Below is the Combofix log, followed by a new HijackThis log. Thanks again.

Mike

ComboFix 08-06-20.4 - Mikey 2008-06-23 19:59:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.58 [GMT -4:00]
Running from: C:\Documents and Settings\Mikey\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Mikey\My Documents\SEMBLY~1
C:\Documents and Settings\Mikey\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Mikey\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Mikey\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Mikey\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Mikey\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Mikey\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\W?nSxS\
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\azvaroupd.exe
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule13.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack14.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QdrPack\webzsoloupd.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\FLEOK
C:\WINDOWS\FLEOK\180ax.exe
C:\WINDOWS\Installer\id53.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\MSNSA32.dll
C:\WINDOWS\system32\ntnut32.exe
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\SIPSPI32.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\telefonos.txt
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\textos.txt
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\Program Files\Common Files\mcroso~1.net\t?skmgr.exe . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-23 15:03 . 2008-06-23 15:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 14:33 . 2008-06-23 14:33 <DIR> d-------- C:\Deckard
2008-06-23 13:44 . 2008-06-23 13:44 63 --a------ C:\WINDOWS\mdm.ini
2008-06-23 11:32 . 2008-06-23 11:31 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-23 11:31 . 2008-06-23 11:42 <DIR> d-------- C:\Documents and Settings\Mikey\.housecall6.6
2008-06-23 11:30 . 2008-06-23 11:30 <DIR> d-------- C:\WINDOWS\Sun
2008-06-23 11:28 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-23 11:23 . 2008-06-23 11:28 <DIR> d-------- C:\Program Files\Java
2008-06-23 11:23 . 2008-06-23 11:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-23 11:06 . 2008-06-23 11:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-23 11:02 . 2008-06-23 11:02 <DIR> d-------- C:\Program Files\Panda Security
2008-06-23 10:54 . 2008-06-23 10:54 <DIR> d-------- C:\Program Files\iCheck
2008-06-23 10:54 . 2008-06-23 10:54 <DIR> d-------- C:\Program Files\GetPack
2008-06-23 10:54 . 2008-06-23 11:14 <DIR> d-------- C:\Program Files\GetModule
2008-06-22 22:03 . 2001-08-17 14:00 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-22 22:03 . 2001-08-17 14:00 24,832 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 23:57 --------- d-----w C:\Program Files\Bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 22:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1F9B61C-2FBA-44AC-AA71-303165832F83}]
C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESPN BottomLine"="C:\Program Files\ESPN\BottomLine\bline.exe" [ ]
"Eeot"="C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" [ ]
"Brxri"="C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe" [ ]
"GetModule18"="C:\Program Files\GetModule\GetModule18.exe" [2008-06-09 17:40 351744]
"GetPack18"="C:\Program Files\GetPack\GetPack18.exe" [2008-06-10 05:08 350208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2002-05-16 20:07 28672]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\Mikey\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [2008-03-16 12:04:37 178419]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-07-14 20:22:02 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\mgmrwmrv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-08-17 08:11]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\System32\DRIVERS\LSIPNDS.sys []
S3 NeroCd2k;NeroCd2k;C:\WINDOWS\System32\drivers\NeroCd2k.sys [2002-03-21 00:39]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;C:\WINDOWS\System32\DRIVERS\NETR33X.SYS [2003-11-11 18:20]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\System32\DRIVERS\PRISMNDS.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 20:07:29
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-06-23 20:13:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-24 00:13:31

Pre-Run: 1,944,961,024 bytes free
Post-Run: 2,029,953,024 bytes free

213 --- E O F --- 2008-03-12 09:02:43




HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:19 PM, on 6/23/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\GetModule\GetModule18.exe
C:\Program Files\GetPack\GetPack18.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B1F9B61C-2FBA-44AC-AA71-303165832F83} - C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Eeot] "C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Brxri] "C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe"
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/081a80b6ec84b9e54704/netzip/RdxIE2.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/amazingtens.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABDABD8A-9881-4CE8-B1AE-B77E9764A5B2}: NameServer = 151.197.0.38,151.197.0.39
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Mikey/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

--
End of file - 4587 bytes

#4 Quad X
  • Topic Starter

  • Members
  • 32 posts

Posted 23 June 2008 - 07:30 PM

Here is another HijackThis scan that I just ran using Deckard's System Scanner. The last one I ran was using HijackThis without DSS. I'm not sure if it makes a difference, but in case it does, here it is:


Deckard's System Scanner v20071014.68
Run by Mikey on 2008-06-23 20:27:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Mikey.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:46 PM, on 6/23/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\GetModule\GetModule18.exe
C:\Program Files\GetPack\GetPack18.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mikey\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mikey.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B1F9B61C-2FBA-44AC-AA71-303165832F83} - C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Eeot] "C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Brxri] "C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe"
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/081a80b6ec84b9e54704/netzip/RdxIE2.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/amazingtens.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABDABD8A-9881-4CE8-B1AE-B77E9764A5B2}: NameServer = 151.197.0.38,151.197.0.39
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Mikey/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

--
End of file - 4555 bytes

-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 20:18:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-06-23 19:57:49 68096 --a------ C:\WINDOWS\zip.exe
2008-06-23 19:57:49 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 19:57:49 98816 --a------ C:\WINDOWS\sed.exe
2008-06-23 19:57:49 80412 --a------ C:\WINDOWS\grep.exe
2008-06-23 19:57:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 19:57:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-23 19:57:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 19:57:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 15:03:51 0 d-------- C:\Program Files\Trend Micro
2008-06-23 11:31:25 0 d-------- C:\Documents and Settings\Mikey\.housecall6.6
2008-06-23 11:30:22 0 d-------- C:\WINDOWS\Sun
2008-06-23 11:30:20 0 d-------- C:\Documents and Settings\Mikey\Application Data\Sun
2008-06-23 11:23:33 0 d-------- C:\Program Files\Java
2008-06-23 11:23:03 0 d-------- C:\Program Files\Common Files\Java
2008-06-23 11:02:32 0 d-------- C:\Program Files\Panda Security
2008-06-23 10:54:15 0 d-------- C:\Program Files\GetPack
2008-06-23 10:54:15 0 d-------- C:\Program Files\GetModule
2008-06-23 10:54:14 0 d-------- C:\Program Files\iCheck


-- Find3M Report ---------------------------------------------------------------

2008-06-23 20:06:35 0 d-------- C:\Program Files\Common Files
2008-06-23 19:57:36 0 d-------- C:\Program Files\Bat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
03/07/2008 10:15 PM 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1F9B61C-2FBA-44AC-AA71-303165832F83}]
C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [05/16/2002 08:07 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESPN BottomLine"="C:\Program Files\ESPN\BottomLine\bline.exe" []
"Eeot"="C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" []
"Brxri"="C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe" []
"GetModule18"="C:\Program Files\GetModule\GetModule18.exe" [06/09/2008 05:40 PM]
"GetPack18"="C:\Program Files\GetPack\GetPack18.exe" [06/10/2008 05:08 AM]

C:\Documents and Settings\Mikey\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [3/16/2008 12:04:37 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [7/14/2002 8:22:02 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 7:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)




-- End of Deckard's System Scanner: finished at 2008-06-23 20:28:42 ------------

#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:08:23 AM

Posted 24 June 2008 - 01:43 AM

Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with ComboFix and post back the new log, along with a HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#6 Quad X

Quad X
  • Topic Starter

  • Members
  • 32 posts
  • Local time:03:23 AM

Posted 24 June 2008 - 08:22 AM

Okay, below are the updated Combofix and HijackThis logs you requested. Hopefully I got it right this time!

Thanks,
Mike


ComboFix 08-06-20.4 - Mikey 2008-06-24 9:11:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.40 [GMT -4:00]
Running from: C:\Documents and Settings\Mikey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mikey\Desktop\WinXP_EN_PRO_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-24 08:51 . 2008-06-24 08:51 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-23 15:03 . 2008-06-23 15:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 14:33 . 2008-06-23 14:33 <DIR> d-------- C:\Deckard
2008-06-23 13:44 . 2008-06-23 13:44 63 --a------ C:\WINDOWS\mdm.ini
2008-06-23 11:32 . 2008-06-23 11:31 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-23 11:31 . 2008-06-23 11:42 <DIR> d-------- C:\Documents and Settings\Mikey\.housecall6.6
2008-06-23 11:30 . 2008-06-23 11:30 <DIR> d-------- C:\WINDOWS\Sun
2008-06-23 11:28 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-23 11:23 . 2008-06-23 11:28 <DIR> d-------- C:\Program Files\Java
2008-06-23 11:23 . 2008-06-23 11:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-23 11:06 . 2008-06-23 11:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-23 11:02 . 2008-06-23 11:02 <DIR> d-------- C:\Program Files\Panda Security
2008-06-23 10:54 . 2008-06-23 10:54 <DIR> d-------- C:\Program Files\iCheck
2008-06-23 10:54 . 2008-06-23 10:54 <DIR> d-------- C:\Program Files\GetPack
2008-06-23 10:54 . 2008-06-24 08:54 <DIR> d-------- C:\Program Files\GetModule
2008-06-22 22:03 . 2001-08-17 14:00 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-22 22:03 . 2001-08-17 14:00 24,832 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 13:07 --------- d-----w C:\Program Files\Bat
.

((((((((((((((((((((((((((((( snapshot@2008-06-23_20.12.51.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-24 00:05:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-24 12:48:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2003-01-13 19:57:58 589,881 ----a-w C:\WINDOWS\LastGood\System32\dllcache\jscript.dll
+ 2003-01-13 19:57:58 589,881 ----a-w C:\WINDOWS\LastGood\System32\jscript.dll
- 2003-01-13 19:57:58 589,881 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2003-01-13 18:57:58 589,881 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2003-01-13 19:57:58 589,881 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2003-01-13 18:57:58 589,881 ----a-w C:\WINDOWS\system32\jscript.dll
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 20:35:12 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-24 12:49:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_450.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 22:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1F9B61C-2FBA-44AC-AA71-303165832F83}]
C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESPN BottomLine"="C:\Program Files\ESPN\BottomLine\bline.exe" [ ]
"Eeot"="C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" [ ]
"Brxri"="C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe" [ ]
"GetModule18"="C:\Program Files\GetModule\GetModule18.exe" [2008-06-09 17:40 351744]
"GetPack18"="C:\Program Files\GetPack\GetPack18.exe" [2008-06-10 05:08 350208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2002-05-16 20:07 28672]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\Mikey\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [2008-03-16 12:04:37 178419]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-07-14 20:22:02 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-08-17 08:11]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\System32\DRIVERS\LSIPNDS.sys []
S3 NeroCd2k;NeroCd2k;C:\WINDOWS\System32\drivers\NeroCd2k.sys [2002-03-21 00:39]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;C:\WINDOWS\System32\DRIVERS\NETR33X.SYS [2003-11-11 18:20]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\System32\DRIVERS\PRISMNDS.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 09:15:03
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-24 9:18:08
ComboFix-quarantined-files.txt 2008-06-24 13:17:49
ComboFix2.txt 2008-06-24 00:13:53

Pre-Run: 1,832,742,912 bytes free
Post-Run: 1,816,477,696 bytes free

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

105 --- E O F --- 2008-06-24 12:58:33




HIJACKTHIS LOG


Deckard's System Scanner v20071014.68
Run by Mikey on 2008-06-24 09:18:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Mikey.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:06 AM, on 6/24/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\GetModule\GetModule18.exe
C:\Program Files\GetPack\GetPack18.exe
C:\Program Files\Bat\X_Bat.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Mikey\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mikey.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B1F9B61C-2FBA-44AC-AA71-303165832F83} - C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Eeot] "C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Brxri] "C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe"
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/081a80b6ec84b9e54704/netzip/RdxIE2.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/amazingtens.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABDABD8A-9881-4CE8-B1AE-B77E9764A5B2}: NameServer = 151.197.0.38,151.197.0.39
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Mikey/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

--
End of file - 4607 bytes

-- Files created between 2008-05-24 and 2008-06-24 -----------------------------

2008-06-24 09:19:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-06-24 09:08:43 0 d-------- C:\cmdcons
2008-06-24 08:51:46 0 d-------- C:\WINDOWS\LastGood
2008-06-23 19:57:49 68096 --a------ C:\WINDOWS\zip.exe
2008-06-23 19:57:49 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 19:57:49 98816 --a------ C:\WINDOWS\sed.exe
2008-06-23 19:57:49 80412 --a------ C:\WINDOWS\grep.exe
2008-06-23 19:57:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 19:57:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-23 19:57:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 19:57:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 15:03:51 0 d-------- C:\Program Files\Trend Micro
2008-06-23 11:31:25 0 d-------- C:\Documents and Settings\Mikey\.housecall6.6
2008-06-23 11:30:22 0 d-------- C:\WINDOWS\Sun
2008-06-23 11:30:20 0 d-------- C:\Documents and Settings\Mikey\Application Data\Sun
2008-06-23 11:23:33 0 d-------- C:\Program Files\Java
2008-06-23 11:23:03 0 d-------- C:\Program Files\Common Files\Java
2008-06-23 11:02:32 0 d-------- C:\Program Files\Panda Security
2008-06-23 10:54:15 0 d-------- C:\Program Files\GetPack
2008-06-23 10:54:15 0 d-------- C:\Program Files\GetModule
2008-06-23 10:54:14 0 d-------- C:\Program Files\iCheck


-- Find3M Report ---------------------------------------------------------------

2008-06-24 09:07:16 0 d-------- C:\Program Files\Bat
2008-06-23 20:06:35 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
03/07/2008 10:15 PM 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1F9B61C-2FBA-44AC-AA71-303165832F83}]
C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [05/16/2002 08:07 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESPN BottomLine"="C:\Program Files\ESPN\BottomLine\bline.exe" []
"Eeot"="C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" []
"Brxri"="C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe" []
"GetModule18"="C:\Program Files\GetModule\GetModule18.exe" [06/09/2008 05:40 PM]
"GetPack18"="C:\Program Files\GetPack\GetPack18.exe" [06/10/2008 05:08 AM]

C:\Documents and Settings\Mikey\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [3/16/2008 12:04:37 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [7/14/2002 8:22:02 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 7:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)




-- End of Deckard's System Scanner: finished at 2008-06-24 09:20:08 ------------

#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:08:23 AM

Posted 24 June 2008 - 03:27 PM

Hello again Mike,
Please print off a copy of these instructions, and also save them to a Notepad file on your Desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll
O2 - BHO: (no name) - {B1F9B61C-2FBA-44AC-AA71-303165832F83} - C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O4 - HKCU\..\Run: [Eeot] "C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Brxri] "C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/081a80b6ec84b9e54704/netzip/RdxIE2.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/amazingtens.cab


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Find and delete the following folders (if present):

C:\Program Files\Common Files\M?crosoft.NET <--will look like Microsoft.net and contain a file that looks like taskmgr.exe
C:\Program Files\Bat
C:\Program Files\Common Files\WNSXS <-begins with this, probably contains a few more letters

Let's clean out your temporary internet files:
Close all open windows before we start.
Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Now we'll clean other temporary files and your Recycle Bin:
Go to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Reboot into Normal Mode again.

Please run a scan with Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Select a target to scan; click on My Computer.
The scan will take a while so be patient and let it run.
Once the scan is complete choose the option to Save as Text.

In your reply I'd like the Kaspersky report and a brand new HJT log.
Thanks,
Charles

Edited by rookie147, 24 June 2008 - 03:28 PM.


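What the helper's choice of entries above turns on, as an added example (not HijackThis code and not part of rookie147's instructions): Python heuristics run over constructed lines shaped like this thread's O2/O4/O16 entries, flagging the lookalike path (the `?` in `M?crosoft.NET`), the csrss.exe started from outside System32, the BHO value with two drive roots run together, and the ActiveX download served from a bare IP. The pattern names, reason strings and sample log are the example's own.

```python
"""Triage heuristics for HijackThis O2 (BHO), O4 (Run) and O16 (DPF) entries.

Added example for this thread, not HijackThis code: it encodes the tells a
removal helper looks for when deciding which entries to "Fix checked".
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample, shaped like the entries posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B1F9B61C-2FBA-44AC-AA71-303165832F83} - C:\Program Files\Windows NT\hokepoqC:\DOCUME~1\Mikey\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Eeot] "C:\PROGRA~1\COMMON~1\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Brxri] "C:\Program Files\Common Files\M?crosoft.NET\t?skmgr.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/081a80b6ec84b9e54704/netzip/RdxIE2.cab
"""

# Core Windows processes that legitimately run only from %SystemRoot%\System32.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe",
                  "services.exe", "svchost.exe", "taskmgr.exe"}
SYSTEM32_RE = re.compile(r"^[a-z]:\\(?:windows|winnt)\\system32$")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}"
                    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# First executable image in a Run command line, quoted or not, before any arguments.
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)',
                      re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def lookalike_chars(path: str) -> bool:
    """'?' is not a legal file-name character; in this log format it stands in
    for a character the tool could not render, i.e. a non-ASCII lookalike
    planted where an ASCII letter belongs ("M?crosoft.NET")."""
    return "?" in path or any(ord(c) > 127 for c in path)


def core_process_outside_system32(path: str) -> bool:
    """A csrss.exe (etc.) started from anywhere but System32 is a borrowed name
    meant to blend into Task Manager, not the real process."""
    directory, _, name = path.rpartition("\\")
    return name.lower() in CORE_PROCESSES and not SYSTEM32_RE.match(directory.lower())


def two_drive_roots(path: str) -> bool:
    """A registered path with a second 'C:' in the middle ('hokepoqC:' above) is
    two paths run together: a corrupted or deliberately mangled autostart value."""
    return len(re.findall(r"[A-Za-z]:\\", path)) > 1


def ip_literal_host(url: str) -> bool:
    """Vendors serve ActiveX controls from named hosts; a bare IP address is a
    strong tell for a drive-by installer."""
    host = urlparse(url).hostname or ""
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per heuristic hit; benign entries produce none."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if two_drive_roots(m["path"]):
                findings.append(Finding("O2", "path contains two drive roots", line))
            if m["missing"] and m["name"] == "(no name)":
                findings.append(Finding("O2", "unnamed BHO whose DLL is missing", line))
            if lookalike_chars(m["path"]):
                findings.append(Finding("O2", "lookalike character in path", line))
        elif m := O4_RE.match(line):
            image = IMAGE_RE.match(m["cmd"])
            path = image["path"] if image else m["cmd"]
            if lookalike_chars(path):
                findings.append(Finding("O4", "lookalike character in path", line))
            if core_process_outside_system32(path):
                findings.append(Finding("O4", "core process name outside System32", line))
        elif m := O16_RE.match(line):
            if ip_literal_host(m["url"]):
                findings.append(Finding("O16", "ActiveX download from a bare IP address", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Entries that trip none of the heuristics (the Java BHO, avast!, the ESPN ticker, the Microsoft-hosted DPF) are left for the manual read-through the helper still does.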

#8 Quad X

Quad X
  • Topic Starter

  • Members
  • 32 posts
  • Local time:03:23 AM

Posted 25 June 2008 - 07:14 PM

Okay, finally able to get the Kaspersky Scan to run! Below is the Kaspersky report, followed by a new HijackThis as requested.

Thanks,
Mike


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 25, 2008
Operating System: Microsoft Windows XP Professional (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 25, 2008 10:29:33
Records in database: 881944
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\

Scan statistics:
Files scanned: 29835
Threat name: 21
Infected objects: 33
Suspicious objects: 0
Duration of the scan: 04:43:05


File name / Threat name / Threats count
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\ADL99.tmp Infected: not-a-virus:AdWare.Win32.AdBand.p 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\BAK8D.tmp Infected: not-a-virus:AdWare.Win32.AdBand.p 3
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\BatSetup.exe Infected: not-a-virus:AdWare.Win32.Rabio.m 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\bblatest.exe Infected: not-virus:Hoax.Win32.Renos.bee 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\ismupd24.exe Infected: not-a-virus:AdWare.Win32.AdBand.n 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\syswcc32.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\syswcc32.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 3
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\xpre.exe Infected: Trojan-Downloader.Win32.VB.axa 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\xrun.exe Infected: Trojan-Downloader.Win32.Agent.brq 1
C:\Deckard\System Scanner\20080623144433\backup\WINDOWS\temp\Altnet\admdloader.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 1
C:\Deckard\System Scanner\20080623144433\backup\WINDOWS\temp\Altnet\admfdi.dll Infected: not-a-virus:AdWare.Win32.Altnet.j 1
C:\Deckard\System Scanner\20080623144433\backup\WINDOWS\temp\Altnet\admprog.dll Infected: not-a-virus:AdWare.Win32.Altnet.i 1
C:\Deckard\System Scanner\20080623144433\backup\WINDOWS\temp\Altnet\dmfiles.cab Infected: not-a-virus:AdWare.Win32.Altnet.b 1
C:\Program Files\Network Essentials\v11\NE.exe Infected: not-a-virus:AdWare.Win32.SmartPops.b 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080624-222754-325.dll Infected: not-a-virus:AdWare.Win32.Rabio.m 1
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.p 1
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule13.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.p 1
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack14.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.n 1
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mgmrwmrv.exe.vir Infected: not-virus:Hoax.Win32.Renos.bee 1
C:\WINDOWS\system32\000070.exe Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\WINDOWS\system32\000090.exe Infected: Trojan-Downloader.Win32.Small.tod 1
C:\WINDOWS\system32\AlxRes.dll.bak Infected: not-a-virus:AdWare.Win32.AlexaBar.a 1
C:\WINDOWS\system32\bdeinsta3.dll Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\WINDOWS\system32\bdeinstallman3.exe Infected: not-a-virus:AdWare.Win32.Altnet.i 1
C:\WINDOWS\system32\bdeinstallprogress3.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e 1

The selected area was scanned.



HIJACK THIS LOG


Deckard's System Scanner v20071014.68
Run by Mikey on 2008-06-25 20:12:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Mikey.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:17 PM, on 6/25/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\GetPack\GetPack19.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mikey\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mikey.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Helper Class - {3670A914-63C2-4E67-8C9B-370AE1922143} - C:\Program Files\BChanger\bchanger.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABDABD8A-9881-4CE8-B1AE-B77E9764A5B2}: NameServer = 151.197.0.38,151.197.0.39
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Mikey/LOCALS~1/Temp/msoclip1/01/clip_image001.jpg

--
End of file - 3962 bytes

-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-06-24 22:48:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-24 22:43:41 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-24 22:43:41 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-24 22:43:41 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-24 22:43:41 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-24 22:43:40 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-24 22:43:40 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-24 22:43:40 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-24 22:43:40 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-24 22:43:40 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-24 22:43:40 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-24 22:43:40 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-24 22:43:40 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-24 22:43:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-24 22:43:40 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-24 22:41:48 0 d-------- C:\WINDOWS\pss
2008-06-24 22:16:04 90112 --a------ C:\WINDOWS\System32\CNMCP75.exe <Not Verified; CANON INC.; Canon BJ Raster Printer Driver Installer>
2008-06-24 22:15:58 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-24 17:20:24 0 d-------- C:\Program Files\BChanger
2008-06-24 09:19:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-06-24 09:08:43 0 d-------- C:\cmdcons
2008-06-23 19:57:49 68096 --a------ C:\WINDOWS\zip.exe
2008-06-23 19:57:49 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 19:57:49 98816 --a------ C:\WINDOWS\sed.exe
2008-06-23 19:57:49 80412 --a------ C:\WINDOWS\grep.exe
2008-06-23 19:57:49 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 19:57:48 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-23 19:57:48 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 19:57:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 15:03:51 0 d-------- C:\Program Files\Trend Micro
2008-06-23 11:31:25 0 d-------- C:\Documents and Settings\Mikey\.housecall6.6
2008-06-23 11:30:22 0 d-------- C:\WINDOWS\Sun
2008-06-23 11:30:20 0 d-------- C:\Documents and Settings\Mikey\Application Data\Sun
2008-06-23 11:23:33 0 d-------- C:\Program Files\Java
2008-06-23 11:23:03 0 d-------- C:\Program Files\Common Files\Java
2008-06-23 11:02:32 0 d-------- C:\Program Files\Panda Security
2008-06-23 10:54:15 0 d-------- C:\Program Files\GetPack
2008-06-23 10:54:15 0 d-------- C:\Program Files\GetModule
2008-06-23 10:54:14 0 d-------- C:\Program Files\iCheck


-- Find3M Report ---------------------------------------------------------------

2008-06-23 20:06:35 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3670A914-63C2-4E67-8C9B-370AE1922143}]
06/19/2008 10:21 AM 36864 --a------ C:\Program Files\BChanger\bchanger.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [05/16/2002 08:07 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 09:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESPN BottomLine"="C:\Program Files\ESPN\BottomLine\bline.exe" []
"GetModule19"="C:\Program Files\GetModule\GetModule19.exe" [06/17/2008 05:58 AM]
"GetPack19"="C:\Program Files\GetPack\GetPack19.exe" [06/17/2008 05:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)




-- End of Deckard's System Scanner: finished at 2008-06-25 20:13:31 ------------

#9 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:08:23 AM

Posted 26 June 2008 - 03:01 PM

Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quote box below into the document:

File::
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\AlxRes.dll.bak
C:\WINDOWS\system32\bdeinsta3.dll
C:\WINDOWS\system32\bdeinstallman3.exe
C:\WINDOWS\system32\bdeinstallprogress3.dll


Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:

[Screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.
A new log will be created, which I would like to see in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#10 Quad X

Quad X
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 27 June 2008 - 06:42 AM

Below is the latest Combofix log as requested:


ComboFix 08-06-20.4 - Mikey 2008-06-27 7:32:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.44 [GMT -4:00]
Running from: C:\Documents and Settings\Mikey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mikey\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\AlxRes.dll.bak
C:\WINDOWS\system32\bdeinsta3.dll
C:\WINDOWS\system32\bdeinstallman3.exe
C:\WINDOWS\system32\bdeinstallprogress3.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\AlxRes.dll.bak
C:\WINDOWS\system32\bdeinsta3.dll
C:\WINDOWS\system32\bdeinstallman3.exe
C:\WINDOWS\system32\bdeinstallprogress3.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-24 22:43 . 2008-06-24 22:43 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-24 22:16 . 2006-07-11 05:00 139,776 --a------ C:\WINDOWS\system32\CNMLM75.DLL
2008-06-24 22:16 . 2005-03-08 18:17 90,112 --a------ C:\WINDOWS\system32\CNMCP75.exe
2008-06-24 22:16 . 2006-07-11 05:00 8,704 --a------ C:\WINDOWS\system32\CNMVS75.DLL
2008-06-24 22:15 . 2008-06-24 22:15 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-24 17:20 . 2008-06-24 17:20 <DIR> d-------- C:\Program Files\BChanger
2008-06-23 15:03 . 2008-06-23 15:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 14:33 . 2008-06-23 14:33 <DIR> d-------- C:\Deckard
2008-06-23 13:44 . 2008-06-23 13:44 63 --a------ C:\WINDOWS\mdm.ini
2008-06-23 11:32 . 2008-06-23 11:31 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-23 11:31 . 2008-06-23 11:42 <DIR> d-------- C:\Documents and Settings\Mikey\.housecall6.6
2008-06-23 11:30 . 2008-06-23 11:30 <DIR> d-------- C:\WINDOWS\Sun
2008-06-23 11:28 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-23 11:23 . 2008-06-23 11:28 <DIR> d-------- C:\Program Files\Java
2008-06-23 11:23 . 2008-06-23 11:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-23 11:06 . 2008-06-23 11:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-23 11:02 . 2008-06-23 11:02 <DIR> d-------- C:\Program Files\Panda Security
2008-06-23 10:54 . 2008-06-23 10:54 <DIR> d-------- C:\Program Files\iCheck
2008-06-23 10:54 . 2008-06-24 17:20 <DIR> d-------- C:\Program Files\GetPack
2008-06-23 10:54 . 2008-06-27 07:17 <DIR> d-------- C:\Program Files\GetModule
2008-06-22 22:03 . 2001-08-17 14:00 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-22 22:03 . 2001-08-17 14:00 24,832 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( snapshot@2008-06-23_20.12.51.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-24 00:05:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 11:05:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2003-01-13 19:57:58 589,881 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2003-01-13 18:57:58 589,881 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2003-01-13 19:57:58 589,881 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2003-01-13 18:57:58 589,881 ----a-w C:\WINDOWS\system32\jscript.dll
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 20:35:12 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2006-07-11 09:00:00 274,944 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCB75.DLL
+ 2006-07-11 09:00:00 101,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP75.DLL
+ 2006-07-11 09:00:00 151,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD575.DLL
+ 2006-07-11 09:00:00 397,312 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR75.DLL
+ 2006-07-11 09:00:00 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU75.DLL
+ 2006-07-11 09:00:00 90,624 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMLR75.DLL
+ 2006-07-11 09:10:00 176,640 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP75.DLL
+ 2006-07-11 09:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP075.DAT
+ 2006-07-11 09:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP175.DAT
+ 2006-07-11 09:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP275.DAT
+ 2006-07-11 09:00:00 7,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI75.DLL
+ 2006-07-11 09:00:00 89,088 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV75.DLL
+ 2006-07-11 09:00:00 145,408 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB75.DLL
+ 2006-07-11 09:00:00 39,936 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD75.DLL
+ 2006-07-11 09:00:00 193,536 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM75.DLL
+ 2006-07-11 09:00:00 39,424 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ75.DLL
+ 2006-07-11 09:00:00 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR75.DLL
+ 2006-07-11 09:00:00 666,112 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB75.DLL
+ 2006-07-11 09:00:00 1,635,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI75.DLL
+ 2006-07-11 09:00:00 1,724,928 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUM75.DLL
+ 2006-07-11 09:00:00 254,464 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR75.DLL
+ 2006-07-11 09:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMW375.DLL
+ 2006-07-11 09:00:00 274,944 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMCB75.DLL
+ 2006-07-11 09:00:00 101,888 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMCP75.DLL
+ 2006-07-11 09:00:00 151,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMD575.DLL
+ 2006-07-11 09:00:00 397,312 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMDR75.DLL
+ 2006-07-11 09:00:00 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMFU75.DLL
+ 2006-07-11 09:00:00 90,624 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMLR75.DLL
+ 2006-07-11 09:10:00 176,640 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMOP75.DLL
+ 2006-07-11 09:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMP075.DAT
+ 2006-07-11 09:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMP175.DAT
+ 2006-07-11 09:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMP275.DAT
+ 2006-07-11 09:00:00 7,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMPI75.DLL
+ 2006-07-11 09:00:00 89,088 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMPV75.DLL
+ 2006-07-11 09:00:00 145,408 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMSB75.DLL
+ 2006-07-11 09:00:00 39,936 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMSD75.DLL
+ 2006-07-11 09:00:00 193,536 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMSM75.DLL
+ 2006-07-11 09:00:00 39,424 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMSQ75.DLL
+ 2006-07-11 09:00:00 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMSR75.DLL
+ 2006-07-11 09:00:00 666,112 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMUB75.DLL
+ 2006-07-11 09:00:00 1,635,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMUI75.DLL
+ 2006-07-11 09:00:00 1,724,928 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMUM75.DLL
+ 2006-07-11 09:00:00 254,464 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMUR75.DLL
+ 2006-07-11 09:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonip16003916\CNMW375.DLL
+ 2006-07-11 09:00:00 20,992 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD75.DLL
+ 2006-07-11 09:00:00 59,392 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP75.DLL
+ 2008-06-27 11:06:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_504.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3670A914-63C2-4E67-8C9B-370AE1922143}]
2008-06-19 10:21 36864 --a------ C:\Program Files\BChanger\bchanger.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESPN BottomLine"="C:\Program Files\ESPN\BottomLine\bline.exe" [ ]
"GetModule19"="C:\Program Files\GetModule\GetModule19.exe" [2008-06-17 05:58 351744]
"GetPack19"="C:\Program Files\GetPack\GetPack19.exe" [2008-06-17 05:56 350208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2002-05-16 20:07 28672]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 09:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-07-14 20:22:02 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-08-17 08:11]
S3 IPN2120;Instant Wireless-B PCI Adapter Driver;C:\WINDOWS\System32\DRIVERS\LSIPNDS.sys []
S3 NeroCd2k;NeroCd2k;C:\WINDOWS\System32\drivers\NeroCd2k.sys [2002-03-21 00:39]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;C:\WINDOWS\System32\DRIVERS\NETR33X.SYS [2003-11-11 18:20]
S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;C:\WINDOWS\System32\DRIVERS\PRISMNDS.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 07:36:27
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-27 7:39:48
ComboFix-quarantined-files.txt 2008-06-27 11:39:40
ComboFix2.txt 2008-06-24 13:18:10
ComboFix3.txt 2008-06-24 00:13:53

Pre-Run: 1,758,765,056 bytes free
Post-Run: 1,799,086,080 bytes free

155 --- E O F --- 2008-06-26 11:42:48

#11 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:08:23 AM

Posted 30 June 2008 - 03:48 PM

Please run a scan with Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Select a target to scan; click on My Computer.
The scan will take a while so be patient and let it run.
Once the scan is complete choose the option to Save as Text.



#12 Quad X

Quad X
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 01 July 2008 - 07:39 AM

Latest Kaspersky Scan Report as requested:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 1, 2008
Operating System: Microsoft Windows XP Professional (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 01, 2008 02:53:25
Records in database: 900976
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\

Scan statistics:
Files scanned: 29466
Threat name: 20
Infected objects: 32
Suspicious objects: 0
Duration of the scan: 04:46:26


File name / Threat name / Threats count
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\ADL99.tmp Infected: not-a-virus:AdWare.Win32.AdBand.p 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\BAK8D.tmp Infected: not-a-virus:AdWare.Win32.AdBand.p 3
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\BatSetup.exe Infected: not-a-virus:AdWare.Win32.Rabio.m 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\bblatest.exe Infected: not-virus:Hoax.Win32.Renos.bee 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\ismupd24.exe Infected: not-a-virus:AdWare.Win32.AdBand.n 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\syswcc32.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\syswcc32.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 3
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\xpre.exe Infected: Trojan-Downloader.Win32.VB.axa 1
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\xrun.exe Infected: Trojan-Downloader.Win32.Agent.brq 1
C:\Deckard\System Scanner\20080623144433\backup\WINDOWS\temp\Altnet\admdloader.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 1
C:\Deckard\System Scanner\20080623144433\backup\WINDOWS\temp\Altnet\admfdi.dll Infected: not-a-virus:AdWare.Win32.Altnet.j 1
C:\Deckard\System Scanner\20080623144433\backup\WINDOWS\temp\Altnet\admprog.dll Infected: not-a-virus:AdWare.Win32.Altnet.i 1
C:\Deckard\System Scanner\20080623144433\backup\WINDOWS\temp\Altnet\dmfiles.cab Infected: not-a-virus:AdWare.Win32.Altnet.b 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080624-222754-325.dll Infected: not-a-virus:AdWare.Win32.Rabio.m 1
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gp 1
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.p 1
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule13.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.p 1
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack14.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.n 1
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\000070.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir Infected: Trojan-Downloader.Win32.Small.tod 1
C:\QooBox\Quarantine\C\WINDOWS\system32\AlxRes.dll.bak.vir Infected: not-a-virus:AdWare.Win32.AlexaBar.a 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bdeinsta3.dll.vir Infected: not-a-virus:AdWare.Win32.Altnet.a 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bdeinstallman3.exe.vir Infected: not-a-virus:AdWare.Win32.Altnet.i 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bdeinstallprogress3.dll.vir Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mgmrwmrv.exe.vir Infected: not-virus:Hoax.Win32.Renos.bee 1

The selected area was scanned.
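Post #9 above shows the triage step a helper performs on a report like this one: of all the Kaspersky hits, only the files still sitting in live system paths (here C:\WINDOWS\system32) went into the ComboFix `File::` script, while hits inside C:\QooBox\Quarantine, the Deckard backup folder and the HijackThis backups folder were ignored because they are already neutralised copies. The following Python script is an added example, not part of the thread and not a tool from BleepingComputer, Kaspersky or ComboFix; it parses the "File name / Threat name / Threats count" lines, separates live detections from quarantined or backed-up ones, tallies detections by threat family, and emits a `File::` block in the shape rookie147 posted. The sample report lines are copied from the report above; the quarantine-folder patterns are an assumption based on the paths seen in this thread.

```python
import re
from collections import Counter

# Constructed sample input, copied from the Kaspersky report lines in this thread.
SAMPLE_REPORT = r"""
C:\Deckard\System Scanner\20080623144433\backup\DOCUME~1\Mikey\LOCALS~1\Temp\xpre.exe Infected: Trojan-Downloader.Win32.VB.axa 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080624-222754-325.dll Infected: not-a-virus:AdWare.Win32.Rabio.m 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mgmrwmrv.exe.vir Infected: not-virus:Hoax.Win32.Renos.bee 1
C:\WINDOWS\system32\000070.exe Infected: Trojan-Downloader.Win32.PurityScan.gb 1
C:\WINDOWS\system32\000090.exe Infected: Trojan-Downloader.Win32.Small.tod 1
C:\WINDOWS\system32\AlxRes.dll.bak Infected: not-a-virus:AdWare.Win32.AlexaBar.a 1
"""

# One report line: <path with spaces> Infected: <threat name> <count>
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed quarantine/backup locations, taken from the paths seen in this thread:
# ComboFix's QooBox quarantine, Deckard's System Scanner backup, HijackThis backups.
QUARANTINE_RE = re.compile(
    r"\\(?:qoobox\\quarantine|deckard\\system scanner\\[^\\]+\\backup|hijackthis\\backups)\\",
    re.IGNORECASE,
)


def parse_report(text):
    """Return a list of {path, threat, count} dicts for every detection line."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def is_quarantined(path):
    """True when the detection lives in a quarantine or backup folder, not a live location."""
    return QUARANTINE_RE.search(path) is not None


def triage(text):
    """Split detections into (live, quarantined) lists; only live ones need action."""
    hits = parse_report(text)
    live = [h for h in hits if not is_quarantined(h["path"])]
    quarantined = [h for h in hits if is_quarantined(h["path"])]
    return live, quarantined


def family(threat):
    """Map a Kaspersky name to its family, e.g. 'not-a-virus:AdWare.Win32.Rabio.m' -> 'AdWare'."""
    name = re.sub(r"^not-(?:a-)?virus:", "", threat)
    return name.split(".", 1)[0]


def summarize(hits):
    """Count detections per family across the given hits."""
    tally = Counter()
    for h in hits:
        tally[family(h["threat"])] += h["count"]
    return tally


def build_cfscript(live_hits):
    """Render the live detections as a ComboFix 'File::' block, as posted in this thread."""
    return "File::\n" + "\n".join(h["path"] for h in live_hits) + "\n"


if __name__ == "__main__":
    live, quarantined = triage(SAMPLE_REPORT)
    print(f"{len(live)} live detection(s), {len(quarantined)} already quarantined/backed up")
    print("by family:", dict(summarize(live + quarantined)))
    print(build_cfscript(live))
```

Run stand-alone, the script prints the family tally and a `File::` block listing only the three C:\WINDOWS\system32 files, which is the same selection rookie147 made by hand in post #9.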

#13 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:08:23 AM

Posted 02 July 2008 - 04:19 PM

Now please navigate to: Start | Run...
  • Type: Combofix /u and hit Enter
  • This will delete:
    • \Qoobox
    • \VundoFix Backups
    • \Deckard
    • \_OTMoveIt
    • %systemroot%\erdnt\subs
  • Also resets System Restore, re-hides system & hidden files, resets system clock and last but not least, hides the file extensions of known filetypes
Please then let me know how things are running now.
Thanks,
Charles

Edited by rookie147, 02 July 2008 - 04:19 PM.



#14 Quad X

Quad X
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 02 July 2008 - 08:49 PM

Charles,

I tried what you said and it came back with a message stating that the version of Combofix I have has expired.

I then downloaded it again and followed your instructions, and now all it does is bring up a window that has an icon called nircmd.com, MS-DOS Application.

Is this good or bad?

On the positive side, the computer does seem to be running better. The pop-ups have stopped and the messages about having spyware are gone as well.

Thanks,
Mike

#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  •  
  • Local time:08:23 AM

Posted 04 July 2008 - 02:56 PM

Navigate to your C:\ drive, do you see a folder called Qoobox?





