Vundo Infection Or Possibly Something Else


10 replies to this topic

#1 fofomazuzu


  • Members
  • 6 posts

Posted 03 August 2008 - 09:40 PM

I have done many scans on many programs (Ad-Aware, AVG Free 8.0, ClamWin AntiVirus) and most have said that I have Vundo. I also did a scan on VundoFix but it did not find anything. I also did VirtumundoBeGone and it said that there was nothing either. I know that I still have an infection because I keep getting pop-ups about a Registry Cleaner etc. on IE even though I am on Mozilla Firefox (which is also my default browser).

Here are the requested logs:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-03 21:15:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-08-04 02:16:47 UTC - RP360 - Deckard's System Scanner Restore Point
11: 2008-08-03 19:54:42 UTC - RP359 - Installed iTunes
10: 2008-08-02 23:00:27 UTC - RP358 - Installed Ad-Aware
9: 2008-08-01 17:09:47 UTC - RP357 - Installed AVG Free 8.0
8: 2008-07-31 20:29:21 UTC - RP356 - Restore Operation


-- First Restore Point --
1: 2008-07-31 18:32:10 UTC - RP349 - Removed MapleStory.


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 128 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:19 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\filehippo.com\UpdateChecker.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Trillian\trillian.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0AEB0211-2E76-413C-ABE5-E629D10F99A5} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4B88A5A4-C390-4D37-87A3-784D570B5B4B} - (no file)
O2 - BHO: (no name) - {748D6EA8-CD59-4682-91E7-AF92F4F2D40E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [filehippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ddcbXoMC - ddcbXoMC.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6939 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080802-141112-273 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iesearch.com/

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 kss - c:\windows\system32\drivers\kss.sys (file missing)
R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
R2 SocketLock (Raw Socket Lock Driver) - c:\windows\system32\socketlock.sys

S3 dump_wmimmc - c:\nexon\maplestory\gameguard\dump_wmimmc.sys (file missing)
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Port Mouse (IntelliPoint)
Device ID: ACPI\PNP0F03\4&268D196D&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Port Mouse (IntelliPoint)
PNP Device ID: ACPI\PNP0F03\4&268D196D&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-07-28 10:18:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-03 and 2008-08-03 -----------------------------

2008-08-03 19:03:20 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-03 15:07:32 0 d-------- C:\Program Files\iPod
2008-08-03 15:05:34 0 d-------- C:\Program Files\iTunes
2008-08-02 18:00:48 0 d-------- C:\Program Files\Lavasoft
2008-08-02 17:57:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 14:02:50 0 d-------- C:\Program Files\Trend Micro
2008-08-02 11:41:59 0 d-------- C:\VundoFix Backups
2008-08-01 12:23:19 0 d--h----- C:\$AVG8.VAULT$
2008-08-01 12:10:35 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 12:09:54 0 d-------- C:\Program Files\AVG
2008-08-01 10:44:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-08-01 04:30:06 863329 --ahs---- C:\WINDOWS\system32\WHgPonnn.ini2
2008-07-31 13:31:55 1714 --ahs---- C:\WINDOWS\system32\WxGQYJjl.ini2
2008-07-31 13:25:12 0 d-------- C:\WINDOWS\system32\vn3
2008-07-31 13:25:12 0 d-------- C:\WINDOWS\system32\fonts
2008-07-31 13:25:12 0 d-------- C:\WINDOWS\system32\esr
2008-07-31 13:24:40 0 d-------- C:\WINDOWS\system32\kBin02
2008-07-31 13:24:36 0 d-------- C:\Temp
2008-07-31 13:24:02 77 --a------ C:\Documents and Settings\Administrator\8604.bat
2008-07-31 13:23:44 36352 --a------ C:\Documents and Settings\Administrator\services.exe
2008-07-31 12:55:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\.wyzo
2008-07-25 20:59:42 0 d--hs---- C:\found.000
2008-07-25 20:52:40 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-07-25 20:52:33 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-07-25 20:44:55 0 d-------- C:\Nexon
2008-07-22 18:52:08 0 d-------- C:\Program Files\Bonjour
2008-07-22 18:51:25 0 d-------- C:\Program Files\Apple Software Update
2008-07-22 18:49:58 0 d-------- C:\Program Files\Common Files\Apple
2008-07-22 18:49:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-13 19:34:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-07-10 22:56:03 0 d-------- C:\Program Files\Defraggler
2008-07-10 15:19:57 0 d-------- C:\Program Files\Google
2008-07-10 12:28:27 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-10 00:07:18 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-10 00:07:18 25244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-10 00:07:18 4672 --a------ C:\WINDOWS\system\wowpost.exe <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-10 00:07:18 5600 --a------ C:\WINDOWS\system\winaspi.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-10 00:07:14 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2008-07-06 17:07:34 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-07-06 17:07:07 0 d-------- C:\WINDOWS\Logs
2008-07-06 16:27:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
2008-07-06 15:42:25 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-07-06 15:40:51 0 d-------- C:\ProgramData
2008-07-06 15:40:44 1628 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-07-03 22:29:46 0 d-------- C:\WINDOWS\system32\bits


-- Find3M Report ---------------------------------------------------------------

2008-08-03 18:57:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-08-02 17:57:56 0 d-------- C:\Program Files\Common Files
2008-07-31 13:28:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\FrostWire
2008-07-28 19:09:17 0 d-------- C:\Program Files\SpywareBlaster
2008-07-28 18:13:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-07-24 21:07:31 0 d-------- C:\Program Files\FrostWire
2008-07-22 11:40:50 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-10 12:28:12 0 d-------- C:\Program Files\Common Files\Real
2008-07-10 00:01:32 0 d-------- C:\Program Files\Java
2008-07-09 23:46:48 0 d-------- C:\Program Files\Project64 1.6
2008-07-06 17:20:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-02 23:35:43 0 d-------- C:\Program Files\Foxit Software
2008-06-30 02:45:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Songbird2
2008-06-30 02:36:41 0 d-------- C:\Program Files\Resource Kit
2008-06-29 12:57:17 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-29 12:56:06 0 d-------- C:\Program Files\Intel
2008-06-29 12:37:52 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-06-29 12:34:39 0 d-------- C:\Program Files\Microsoft IntelliPoint 5.2
2008-06-27 15:44:10 0 d-------- C:\Program Files\LimeWire
2008-06-20 17:26:20 0 d-------- C:\Program Files\Trillian
2008-06-18 16:15:08 0 d-------- C:\Program Files\FLV Player
2008-06-16 15:23:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-15 17:47:39 0 d-------- C:\Program Files\VideoLAN
2008-06-15 16:00:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-06-10 16:47:35 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-10 16:32:19 0 d-------- C:\Program Files\QuickTime
2008-05-29 16:58:19 5811 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AEB0211-2E76-413C-ABE5-E629D10F99A5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B88A5A4-C390-4D37-87A3-784D570B5B4B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{748D6EA8-CD59-4682-91E7-AF92F4F2D40E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/01/2005 05:16 PM]
"NvMediaCenter"="NvMCTray.dll" [04/01/2005 05:16 PM C:\WINDOWS\system32\nvmctray.dll]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [10/18/2001 10:25 AM]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [06/14/2001 12:42 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [06/26/2002 10:47 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/10/2008 12:27 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/03/2008 02:23 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/01/2008 12:10 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/30/2008 10:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"filehippo.com"="C:\Program Files\filehippo.com\UpdateChecker.exe" [07/03/2008 12:08 PM]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [07/29/2008 08:41 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 4:41:28 PM]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [5/19/2008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbXoMC]
ddcbXoMC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnoPgHW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8032 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-03 21:27:23 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.60GHz
Percentage of Memory in Use: 85%
Physical Memory (total/avail): 127.3 MiB / 18.89 MiB
Pagefile Memory (total/avail): 883.05 MiB / 540.93 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.74 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.64 GiB total, 10.52 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST320410A - 18.65 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.64 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Grisoft\\AVG7\\avgw.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgw.exe:*:Enabled:AVG Test Center"
"C:\\Program Files\\Grisoft\\AVG7\\avgvv.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgvv.exe:*:Enabled:AVG Virus Vault"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Maxima-5.14.0\\wxMaxima\\wxMaxima.exe"="C:\\Program Files\\Maxima-5.14.0\\wxMaxima\\wxMaxima.exe:*:Enabled:wxMaxima"
"C:\\Program Files\\Maxima-5.14.0\\bin\\xmaxima.exe"="C:\\Program Files\\Maxima-5.14.0\\bin\\xmaxima.exe:*:Enabled:TclKit = Tcl + IncrTcl + Tk + MetaKit"
"C:\\Documents and Settings\\Administrator\\Desktop\\VisualBoy Advanced\\VisualBoyAdvance.exe"="C:\\Documents and Settings\\Administrator\\Desktop\\VisualBoy Advanced\\VisualBoyAdvance.exe:*:Enabled:VisualBoyAdvance emulator"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Wyzo\\wyzo.exe"="C:\\Program Files\\Wyzo\\wyzo.exe:*:Enabled:Wyzo"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=A2B8816
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LANG=C
LOGONSERVER=\\A2B8816
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Intel\DMIX
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=A2B8816
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Best of Card Games --> C:\PROGRA~1\ONHAND~1\BESTOF~1\UNWISE.EXE C:\PROGRA~1\ONHAND~1\BESTOF~1\INSTALL.LOG
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
C:\PROGRA~1\LEXMAR~1 --> C:\PROGRA~1\LEXMAR~1
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Defraggler (remove only) --> "C:\Program Files\Defraggler\uninst.exe"
filehippo.com Update Checker --> "C:\Program Files\filehippo.com\uninstall.exe"
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
FrostWire 4.17.0 --> C:\Program Files\FrostWire\Uninstall.exe
GIMP 2.4.1 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Graph 4.3 --> "C:\Program Files\Graph\unins000.exe"
GTK+ 2.8.18-1 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Network Connections 13.0.42.0 --> MsiExec.exe /i{2223FC2F-B862-4F83-BC9E-DDF2DADF2859} ARPREMOVE=1
iTunes --> MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Tool Web Package : EXCTRLST.EXE --> MsiExec.exe /X{B0650E3D-FDCA-4908-B74B-0CC1731BDB93}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org 2.4 --> MsiExec.exe /I{80851370-07CF-477B-837D-F2E488916CFE}
Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Super Collapse! --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A301896D-9F55-4492-B518-30EAC4C723E1}\setup.exe" -l0x9
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
VideoLAN VLC media player 0.8.6i --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6366 / Error
Event Submitted/Written: 07/18/2008 05:44:27 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18600 / Error
Event Submitted/Written: 08/03/2008 06:50:43 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Event Record #/Type18595 / Error
Event Submitted/Written: 08/03/2008 06:50:43 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AVG Free8 E-mail Scanner service failed to start due to the following error:
%%1053

Event Record #/Type18594 / Error
Event Submitted/Written: 08/03/2008 06:50:43 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the AVG Free8 E-mail Scanner service to connect.

Event Record #/Type18590 / Error
Event Submitted/Written: 08/03/2008 04:09:28 PM / 08/03/2008 04:09:29 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type18581 / Warning
Event Submitted/Written: 08/03/2008 06:35:49 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-08-03 21:27:23 ------------


#2 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 August 2008 - 11:34 PM

Hello fofomazuzu,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fofomazuzu

fofomazuzu
  • Topic Starter

  • Members
  • 6 posts

Posted 09 August 2008 - 11:52 AM

I did some housecleaning on some programs I was not using, so be aware of that when they don't appear in the logs.

Here are the logs:

Malwarebytes' Anti-Malware 1.24
Database version: 1035
Windows 5.1.2600 Service Pack 2

11:30:25 AM 8/9/2008
mbam-log-8-9-2008 (11-30-25).txt

Scan type: Quick Scan
Objects scanned: 40428
Time elapsed: 43 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\kBin02 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\esr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fonts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vn3 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7bad53c0.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7bad53c0.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-09 11:35:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 128 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 11:35:31
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\LexmarkX83\ACMonitor_X83.exe
C:\Program Files\LexmarkX83\AcBtnMgr_X83.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\filehippo.com\UpdateChecker.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.charter.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {0AEB0211-2E76-413C-ABE5-E629D10F99A5} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4B88A5A4-C390-4D37-87A3-784D570B5B4B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [filehippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} () - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} () - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} () - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} () - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} () - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcbXoMC - C:\WINDOWS\system32\ddcbXoMC.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


--
End of file - 7404 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 10:40:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-09 10:40:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 21:46:29 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-04 11:45:23 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-04 11:41:22 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-04 11:41:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-03 15:07:32 0 d-------- C:\Program Files\iPod
2008-08-03 15:05:34 0 d-------- C:\Program Files\iTunes
2008-08-02 17:57:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 14:02:50 0 d-------- C:\Program Files\Trend Micro
2008-08-02 11:41:59 0 d-------- C:\VundoFix Backups
2008-08-01 12:23:19 0 d--h----- C:\$AVG8.VAULT$
2008-08-01 12:10:35 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 12:09:54 0 d-------- C:\Program Files\AVG
2008-08-01 10:44:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-08-01 04:30:06 863329 --ahs---- C:\WINDOWS\system32\WHgPonnn.ini2
2008-07-31 13:31:55 1714 --ahs---- C:\WINDOWS\system32\WxGQYJjl.ini2
2008-07-31 13:24:36 0 d-------- C:\Temp
2008-07-31 13:24:02 77 --a------ C:\Documents and Settings\Administrator\8604.bat
2008-07-31 12:55:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\.wyzo
2008-07-25 20:59:42 0 d--hs---- C:\found.000
2008-07-25 20:52:40 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-07-25 20:52:33 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-07-25 20:44:55 0 d-------- C:\Nexon
2008-07-22 18:52:08 0 d-------- C:\Program Files\Bonjour
2008-07-22 18:51:25 0 d-------- C:\Program Files\Apple Software Update
2008-07-22 18:49:58 0 d-------- C:\Program Files\Common Files\Apple
2008-07-22 18:49:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-10 15:19:57 0 d-------- C:\Program Files\Google
2008-07-10 00:07:18 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-10 00:07:18 25244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-10 00:07:18 4672 --a------ C:\WINDOWS\system\wowpost.exe <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-10 00:07:18 5600 --a------ C:\WINDOWS\system\winaspi.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>


-- Find3M Report ---------------------------------------------------------------

2008-08-07 23:08:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-08-07 22:37:21 0 d-------- C:\Program Files\Real
2008-08-07 22:37:21 0 d-------- C:\Program Files\Common Files\Real
2008-08-07 22:37:16 0 d-------- C:\Program Files\VideoLAN
2008-08-07 22:37:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-08-07 22:36:41 0 d-------- C:\Program Files\Common Files
2008-08-07 22:28:09 0 d-------- C:\Program Files\Project64 1.6
2008-08-06 18:42:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-05 21:54:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-08-05 13:19:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\FrostWire
2008-07-28 18:13:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-07-24 21:07:31 0 d-------- C:\Program Files\FrostWire
2008-07-22 11:40:50 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-10 00:01:32 0 d-------- C:\Program Files\Java
2008-07-06 16:27:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
2008-07-06 15:42:25 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-07-06 15:40:44 1628 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-07-02 23:35:43 0 d-------- C:\Program Files\Foxit Software
2008-06-30 02:45:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Songbird2
2008-06-30 02:36:41 0 d-------- C:\Program Files\Resource Kit
2008-06-29 12:57:17 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-29 12:56:06 0 d-------- C:\Program Files\Intel
2008-06-29 12:37:52 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-06-29 12:34:39 0 d-------- C:\Program Files\Microsoft IntelliPoint 5.2
2008-06-27 15:44:10 0 d-------- C:\Program Files\LimeWire
2008-06-20 17:26:20 0 d-------- C:\Program Files\Trillian
2008-06-18 16:15:08 0 d-------- C:\Program Files\FLV Player
2008-06-16 15:23:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-10 16:47:35 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-10 16:32:19 0 d-------- C:\Program Files\QuickTime
2008-05-29 16:58:19 5811 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0AEB0211-2E76-413C-ABE5-E629D10F99A5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B88A5A4-C390-4D37-87A3-784D570B5B4B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/01/2005 05:16 PM]
"NvMediaCenter"="NvMCTray.dll" [04/01/2005 05:16 PM C:\WINDOWS\system32\nvmctray.dll]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [10/18/2001 10:25 AM]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [06/14/2001 12:42 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [06/26/2002 10:47 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/03/2008 02:23 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/01/2008 12:10 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/30/2008 10:47 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"filehippo.com"="C:\Program Files\filehippo.com\UpdateChecker.exe" [07/03/2008 12:08 PM]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [07/29/2008 08:41 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 4:41:28 PM]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [5/19/2008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcbXoMC]
ddcbXoMC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnoPgHW

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




-- End of Deckard's System Scanner: finished at 2008-08-09 11:39:58 ------------

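As an added example (not from this thread and not a BleepingComputer tool), the script below mechanically picks out the persistence entries the DSS log above still shows after the MBAM run: orphaned BHO/toolbar CLSIDs, Winlogon Notify and AppInit_DLLs entries that are not on an allow-list, and an LSA "Authentication Packages" value listing more than msv1_0. The sample input is built from lines in the log above; the KNOWN_GOOD allow-list is an assumption made for this example.

```python
"""Triage a HijackThis-style log for persistence entries (added example).

Not a BleepingComputer tool: it only shows how the entries left in the DSS
log above can be picked out mechanically.  Flagged categories:
  orphaned-bho               O2/O3 CLSID registered but its DLL is "(no file)"
  winlogon-notify[-missing]  O20 Winlogon Notify DLL not on the allow-list
  appinit-dll                O20 AppInit_DLLs entry not on the allow-list
  lsa-auth-package           "Authentication Packages" lists more than msv1_0
"""
import re
from typing import List, Tuple

# Allow-list of DLLs the thread identifies as legitimate security software
# (an assumption for this example, not a vetted reference list).
KNOWN_GOOD = {"avgrsstx.dll", "saswinlo.dll"}

# The only LSA authentication package a stock Windows XP install registers.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

Finding = Tuple[str, str]  # (category, offending log line)

# Constructed sample: the relevant lines copied from the DSS log in post #3.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0AEB0211-2E76-413C-ABE5-E629D10F99A5} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4B88A5A4-C390-4D37-87A3-784D570B5B4B} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcbXoMC - C:\WINDOWS\system32\ddcbXoMC.dll (file missing)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnoPgHW
"""


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def audit_hjt_log(log: str) -> List[Finding]:
    """Scan a HijackThis / DSS log and return (category, line) findings."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        # O2/O3: a BHO or toolbar CLSID still registered but pointing at
        # nothing.  Harmless by itself, but a sign of an incomplete clean-up.
        if re.match(r"O[23] - ", line) and "(no file)" in line:
            findings.append(("orphaned-bho", line))
            continue

        # O20 Winlogon Notify: the DLL is loaded by winlogon.exe at every
        # logon.  Anything not on the allow-list gets reported; a missing
        # file is a leftover registration that should still be cleaned.
        m = re.match(r"O20 - Winlogon Notify: \S+ - (.+?)(?: \(file missing\))?$", line)
        if m:
            if _basename(m.group(1)) not in KNOWN_GOOD:
                missing = line.endswith("(file missing)")
                category = "winlogon-notify-missing" if missing else "winlogon-notify"
                findings.append((category, line))
            continue

        # O20 AppInit_DLLs: injected into every process that loads user32.dll.
        m = re.match(r"O20 - AppInit_DLLs: (.+)$", line)
        if m:
            dlls = [d for d in re.split(r"[ ,]+", m.group(1)) if d]
            if any(_basename(d) not in KNOWN_GOOD for d in dlls):
                findings.append(("appinit-dll", line))
            continue

        # DSS registry dump: extra LSA authentication packages load into
        # lsass.exe at boot, outside the reach of most user-mode scanners.
        m = re.match(r'"Authentication Packages"=\s*(.+)$', line, re.IGNORECASE)
        if m:
            extras = [p for p in m.group(1).split() if p.lower() not in DEFAULT_AUTH_PACKAGES]
            if extras:
                findings.append(("lsa-auth-package", line))
    return findings


def categories(findings: List[Finding]) -> List[str]:
    """Just the category names, in log order (handy for summaries)."""
    return [category for category, _ in findings]


if __name__ == "__main__":
    for category, line in audit_hjt_log(SAMPLE_LOG):
        print(f"{category:24} {line}")
```

Run against the sample it reports the three orphaned CLSIDs, the missing ddcbXoMC Winlogon Notify DLL and the extra LSA authentication package, while the AVG and SUPERAntiSpyware entries pass the allow-list.
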
#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 01:35 PM

Hi fofomazuzu,

Since you are still infected, we will run ComboFix©.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions, install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

#5 fofomazuzu

fofomazuzu
  • Topic Starter

  • Members
  • 6 posts

Posted 09 August 2008 - 03:38 PM

ComboFix didn't reset my clock to normal as it said it would in the tutorial. Is that something to be worried about, or could I go and fix it manually?

Here's the log:

ComboFix 08-08-08.08 - Administrator 2008-08-09 14:47:54.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\drtmcwtv.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\tyyooitmgk\winlogon.ini
C:\WINDOWS\system32\uuokppvy.ini
C:\WINDOWS\system32\WHgPonnn.ini
C:\WINDOWS\system32\WHgPonnn.ini2
C:\WINDOWS\system32\WxGQYJjl.ini
C:\WINDOWS\system32\WxGQYJjl.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI
2008-08-09 10:40 . 2008-08-09 10:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 10:40 . 2008-08-09 10:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-09 10:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 10:40 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 11:45 . 2008-08-04 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-04 11:41 . 2008-08-04 11:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-04 11:41 . 2008-08-04 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-03 21:14 . 2008-08-03 21:14 <DIR> d-------- C:\Deckard
2008-08-03 15:07 . 2008-08-03 15:07 <DIR> d-------- C:\Program Files\iPod
2008-08-03 15:05 . 2008-08-03 15:08 <DIR> d-------- C:\Program Files\iTunes
2008-08-02 17:57 . 2008-08-04 16:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 14:02 . 2008-08-02 14:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-02 11:41 . 2008-08-02 11:41 <DIR> d-------- C:\VundoFix Backups
2008-08-01 12:23 . 2008-08-04 07:33 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-01 12:11 . 2008-08-01 12:11 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-01 12:11 . 2008-08-01 12:11 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-01 12:10 . 2008-08-09 15:04 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 12:10 . 2008-08-01 12:10 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-01 12:09 . 2008-08-01 12:09 <DIR> d-------- C:\Program Files\AVG
2008-08-01 10:44 . 2008-08-01 10:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-07-31 13:24 . 2008-07-31 13:25 <DIR> d-------- C:\Temp\epr1
2008-07-31 13:24 . 2008-08-09 14:49 <DIR> d-------- C:\Temp
2008-07-31 13:24 . 2008-07-31 13:24 77 --a------ C:\Documents and Settings\Administrator\8604.bat
2008-07-31 12:55 . 2008-07-31 12:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.wyzo
2008-07-25 20:59 . 2008-07-25 20:59 <DIR> d--hs---- C:\found.000
2008-07-25 20:52 . 2008-07-25 20:52 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-07-25 20:52 . 2003-07-20 13:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-07-25 20:52 . 2005-01-04 04:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-07-25 20:44 . 2008-07-25 20:44 <DIR> d-------- C:\Nexon
2008-07-22 18:52 . 2008-07-22 18:52 <DIR> d-------- C:\Program Files\Bonjour
2008-07-22 18:51 . 2008-07-22 18:51 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-22 18:49 . 2008-07-22 18:49 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-22 18:49 . 2008-07-22 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-10 15:19 . 2008-07-10 18:28 <DIR> d-------- C:\Program Files\Google
2008-07-10 00:07 . 1999-09-10 06:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-07-10 00:07 . 1999-09-10 06:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-07-10 00:07 . 1999-09-10 06:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2008-07-10 00:07 . 1999-09-10 06:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 18:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-08-08 03:37 --------- d-----w C:\Program Files\VideoLAN
2008-08-08 03:37 --------- d-----w C:\Program Files\Real
2008-08-08 03:37 --------- d-----w C:\Program Files\Common Files\Real
2008-08-08 03:28 --------- d-----w C:\Program Files\Project64 1.6
2008-08-06 23:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 02:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-08-05 18:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FrostWire
2008-08-04 16:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-28 23:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-07-25 02:07 --------- d-----w C:\Program Files\FrostWire
2008-07-22 16:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-10 17:27 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-10 17:27 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-10 05:01 --------- d-----w C:\Program Files\Java
2008-07-06 21:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
2008-07-06 20:42 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-06 20:42 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-07-06 20:40 1,628 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg
2008-07-03 04:35 --------- d-----w C:\Program Files\Foxit Software
2008-06-30 07:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\SongbirdVLC
2008-06-30 07:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Songbird2
2008-06-30 07:36 --------- d-----w C:\Program Files\Resource Kit
2008-06-29 17:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-29 17:56 --------- d-----w C:\Program Files\Intel
2008-06-29 17:37 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-06-29 17:34 --------- d-----w C:\Program Files\Microsoft IntelliPoint 5.2
2008-06-27 20:44 --------- d-----w C:\Program Files\LimeWire
2008-06-20 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-06-20 22:26 --------- d-----w C:\Program Files\Trillian
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 21:15 --------- d-----w C:\Program Files\FLV Player
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 21:47 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-06-10 21:32 --------- d-----w C:\Program Files\QuickTime
2008-05-30 19:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 19:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 19:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 19:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 19:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 19:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 19:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2007-09-26 20:51 38,992 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"filehippo.com"="C:\Program Files\filehippo.com\UpdateChecker.exe" [2008-07-03 12:08 137216]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2008-07-29 08:41 1213680]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 17:16 5562368]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25 40960]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-26 22:47 36864]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-03 02:23 116040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-01 12:10 1232152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"NvMediaCenter"="NvMCTray.dll" [2005-04-01 17:16 86016 C:\WINDOWS\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2008-05-19 1873280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5214:TCP"= 5214:TCP:Administrator's Limewire Tunes

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-01 12:10]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-01 12:11]
R2 SocketLock;Raw Socket Lock Driver;C:\WINDOWS\system32\socketlock.sys [2006-09-01 11:53]
S1 kss;kss;C:\WINDOWS\system32\drivers\kss.sys []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0AEB0211-2E76-413C-ABE5-E629D10F99A5} - (no file)
BHO-{4B88A5A4-C390-4D37-87A3-784D570B5B4B} - (no file)
Notify-ddcbXoMC - ddcbXoMC.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\satr52ti.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.charter.net/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.6\npctrl.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30109.0.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npvirtools.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 15:03:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-09 15:28:49 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-08-09 20:28:36

Pre-Run: 10,872,791,040 bytes free
Post-Run: 10,845,609,984 bytes free

216 --- E O F --- 2008-08-08 03:20:27

#6 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 04:13 PM

Hi fofomazuzu,

Quote:
    ComboFix didn't reset my clock to normal as it said it would in the tutorial. Is that something to be worried about, or could I go fix it manually?

Don't worry about it. :thumbsup: We will set it back to normal time when we have your computer clean.


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 fofomazuzu

  • Topic Starter
  • Members
  • 6 posts

Posted 09 August 2008 - 04:56 PM

ComboFix Log:

ComboFix 08-08-08.08 - Administrator 2008-08-09 16:27:31.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2100-02-24 14:15 . 2001-04-02 16:30 821 --a------ C:\WINDOWS\Lexmark_ICM.ini
2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXASUSCI.INI
2008-08-09 10:40 . 2008-08-09 10:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 10:40 . 2008-08-09 10:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-09 10:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 10:40 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-04 11:45 . 2008-08-04 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-04 11:41 . 2008-08-04 11:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-04 11:41 . 2008-08-04 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-03 21:14 . 2008-08-03 21:14 <DIR> d-------- C:\Deckard
2008-08-03 15:07 . 2008-08-03 15:07 <DIR> d-------- C:\Program Files\iPod
2008-08-03 15:05 . 2008-08-03 15:08 <DIR> d-------- C:\Program Files\iTunes
2008-08-02 17:57 . 2008-08-04 16:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-02 14:02 . 2008-08-02 14:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 12:23 . 2008-08-04 07:33 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-01 12:11 . 2008-08-01 12:11 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-01 12:11 . 2008-08-01 12:11 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-01 12:10 . 2008-08-09 15:04 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-01 12:10 . 2008-08-01 12:10 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-01 12:09 . 2008-08-01 12:09 <DIR> d-------- C:\Program Files\AVG
2008-08-01 10:44 . 2008-08-01 10:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-07-31 13:24 . 2008-07-31 13:25 <DIR> d-------- C:\Temp\epr1
2008-07-31 13:24 . 2008-08-09 14:49 <DIR> d-------- C:\Temp
2008-07-31 13:24 . 2008-07-31 13:24 77 --a------ C:\Documents and Settings\Administrator\8604.bat
2008-07-31 12:55 . 2008-07-31 12:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.wyzo
2008-07-25 20:59 . 2008-07-25 20:59 <DIR> d--hs---- C:\found.000
2008-07-25 20:52 . 2008-07-25 20:52 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-07-25 20:52 . 2003-07-20 13:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-07-25 20:52 . 2005-01-04 04:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-07-25 20:44 . 2008-07-25 20:44 <DIR> d-------- C:\Nexon
2008-07-22 18:52 . 2008-07-22 18:52 <DIR> d-------- C:\Program Files\Bonjour
2008-07-22 18:51 . 2008-07-22 18:51 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-22 18:49 . 2008-07-22 18:49 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-22 18:49 . 2008-07-22 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-10 15:19 . 2008-07-10 18:28 <DIR> d-------- C:\Program Files\Google
2008-07-10 00:07 . 1999-09-10 06:06 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2008-07-10 00:07 . 1999-09-10 06:06 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-07-10 00:07 . 1999-09-10 06:06 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2008-07-10 00:07 . 1999-09-10 06:06 4,672 --a------ C:\WINDOWS\system\wowpost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 20:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-08-08 03:37 --------- d-----w C:\Program Files\VideoLAN
2008-08-08 03:37 --------- d-----w C:\Program Files\Real
2008-08-08 03:37 --------- d-----w C:\Program Files\Common Files\Real
2008-08-08 03:28 --------- d-----w C:\Program Files\Project64 1.6
2008-08-06 23:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 02:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-08-05 18:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FrostWire
2008-08-04 16:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 17:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-28 23:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-07-25 02:07 --------- d-----w C:\Program Files\FrostWire
2008-07-22 16:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-10 05:01 --------- d-----w C:\Program Files\Java
2008-07-06 21:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
2008-07-06 20:42 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-07-03 04:35 --------- d-----w C:\Program Files\Foxit Software
2008-06-30 07:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\SongbirdVLC
2008-06-30 07:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Songbird2
2008-06-30 07:36 --------- d-----w C:\Program Files\Resource Kit
2008-06-29 17:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-29 17:56 --------- d-----w C:\Program Files\Intel
2008-06-29 17:37 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-06-29 17:34 --------- d-----w C:\Program Files\Microsoft IntelliPoint 5.2
2008-06-27 20:44 --------- d-----w C:\Program Files\LimeWire
2008-06-20 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-06-20 22:26 --------- d-----w C:\Program Files\Trillian
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 21:15 --------- d-----w C:\Program Files\FLV Player
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 21:47 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-06-10 21:32 --------- d-----w C:\Program Files\QuickTime
2007-09-26 20:51 38,992 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"filehippo.com"="C:\Program Files\filehippo.com\UpdateChecker.exe" [2008-07-03 12:08 137216]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2008-07-29 08:41 1213680]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 17:16 5562368]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25 40960]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-26 22:47 36864]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-03 02:23 116040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-01 12:10 1232152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"NvMediaCenter"="NvMCTray.dll" [2005-04-01 17:16 86016 C:\WINDOWS\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 16:41:28 393216]
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2008-05-19 1873280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5214:TCP"= 5214:TCP:Administrator's Limewire Tunes

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-01 12:10]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-01 12:11]
R2 SocketLock;Raw Socket Lock Driver;C:\WINDOWS\system32\socketlock.sys [2006-09-01 11:53]
S1 kss;kss;C:\WINDOWS\system32\drivers\kss.sys []
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 16:35:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-09 16:46:03
ComboFix-quarantined-files.txt 2008-08-09 21:45:51
ComboFix2.txt 2008-08-09 20:28:55

Pre-Run: 10,816,925,696 bytes free
Post-Run: 10,806,468,608 bytes free

166 --- E O F --- 2008-08-08 03:20:27

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:13 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\filehippo.com\UpdateChecker.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.charter.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [filehippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6707 bytes

#8 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 05:04 PM

fofomazuzu,

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your antivirus and/or firewall temporarily; just refrain from surfing around while the scan is running, and be sure to re-enable them when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept".
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
   NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install, and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow".
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready; click "Next".
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE.
   Scan Options:
     Scan Archives
     Scan Mail Bases
   then click "OK".
7. Select a target to scan: click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
   Now click on the Save Report As... button:

Posted Image

   Under "Save as type" select "Text file", write a name for the file and save it to your Desktop.
   Locate the file on the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results in your next reply.

#9 fofomazuzu

  • Topic Starter
  • Members
  • 6 posts

Posted 09 August 2008 - 10:08 PM

Kaspersky Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 10, 2008 00:13:50
Records in database: 1076600
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 35316
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 04:05:06

No malware has been detected. The scan area is clean.

The selected area was scanned.

#10 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 August 2008 - 10:29 PM

Hi fofomazuzu,

I think you are good to go. :thumbsup: Your log looks clean!


Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow "How did I get infected?, With steps so it does not happen again!"
as well as
"How to prevent Malware" by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

#11 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 August 2008 - 11:53 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.