Ad popups/Vundo Trojan Horse


  • This topic is locked
14 replies to this topic

#1 chadi


Posted 21 January 2009 - 03:34 AM

Well I am battling the Vundo virus and I need help in removing it. I have run Ad-Aware, AVG Free, and Combofix once (At the suggestion of another forum that did not warn me of how powerful it is. Fortunately my computer is fine.) Combofix seemed to have gotten rid of it but I am having more show up in regular virus scans. I do not have popups anymore. I'm just scared to check crucial info on the internet (i.e. bank accounts etc. I don't know how much info this thing can get.) Also Ad-Watch is not catching so many occurrences in the registry (I was having 90,000+ occurrences queuing up) Any help is much appreciated and thanks for being here guys!

Here is the DDS.txt:


DDS (Ver_09-01-18.01) - NTFSx86
Run by Administrator at 2:20:52.39 on Wed 01/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2497 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\U-ABIT\uGuru\uGuru.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft\Resource Kit\QUIKTRAY.EXE
C:\Utils\WinTools\PrintNow\printnow.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ABIT uGuruIII] c:\program files\u-abit\uguru\uGuru.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [EA Core] d:\program files\electronic arts\eadm\Core.exe -silent
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [BCWipeTM Startup] "d:\program files\jetico\bcwipe\BCWipeTM.exe" startup
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\Ad-Watch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - d:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quiktray.lnk - c:\program files\microsoft\resource kit\QUIKTRAY.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startu~1.lnk - c:\utils\wintools\printnow\printnow.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office11\REFIEBAR.DLL
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - d:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\qt9svh71.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\qt9svh71.default\extensions\{7e7165e2-0767-448c-852f-5fa8714f2c37}\components\PlainOldFavorites.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\qt9svh71.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: d:\program files\adobe\reader 8.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-21 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-21 26824]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-6-16 14592]
R3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
R3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;c:\windows\system32\drivers\Awrtpd.sys [2008-4-29 12960]
R3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;c:\windows\system32\drivers\Awrtrd.sys [2008-4-29 15648]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2009-1-13 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-21 76040]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2005-7-28 88080]

=============== Created Last 30 ================

2009-01-20 02:32 <DIR> --d----- C:\ComboFix
2009-01-19 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-01-19 16:46 <DIR> a-dshr-- C:\cmdcons
2009-01-19 16:41 161,792 a------- c:\windows\SWREG.exe
2009-01-19 16:41 98,816 a------- c:\windows\sed.exe
2009-01-15 10:27 40,960 a------- c:\windows\system32\mdswsknx.dll
2009-01-11 22:59 <DIR> --d----- C:\VundoFix Backups
2008-12-28 21:51 <DIR> --d----- c:\program files\common files\LogiShared
2008-12-28 21:51 127,034 -----r-- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2008-12-28 21:50 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-28 21:50 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-28 21:49 <DIR> --d----- c:\program files\common files\Logitech
2008-12-28 21:32 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2008-12-28 21:32 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2008-12-28 21:32 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2008-12-28 21:32 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2008-12-28 21:32 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2008-12-28 21:32 32,128 a------- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2009-01-21 00:06 137,688 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-21 00:06 202,040 a------- c:\windows\system32\PnkBstrB.exe
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-18 16:04 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-10 15:35 34,816 a------- c:\windows\system32\RtkCoInstXP.dll
2008-11-07 16:40 17,421,824 a------- c:\windows\RTHDCPL.EXE
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-07-19 16:36 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys

============= FINISH: 2:21:08.71 ===============


 


#2 extremeboy


Posted 31 January 2009 - 02:40 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTScanIt

Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Rootkit Scan setting from "No" to Yes.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Please post back with:
-OTScanIT log
-MBAM log
-What Problems do you still have?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 chadi


Posted 02 February 2009 - 10:46 AM

Hello and thanks for replying. I've been working all weekend so it's been a few days since I could get to my computer. I still have occurrences of the Trojan Horse Vundo being found on my computer by AVG Free and Ad-Aware. The occurrences are not as often and the pop-ups have altogether stopped. But I would still appreciate any help in getting this virus eradicated. Here is the MBAM log as requested. BTW Happy Groundhog Day!

Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 3

2/2/2009 9:44:07 AM
mbam-log-2009-02-02 (09-44-07).txt

Scan type: Quick Scan
Objects scanned: 53695
Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




#4 extremeboy


Posted 02 February 2009 - 05:04 PM

Hello again.

I still have occurrences of the Trojan Horse Vundo being found on my computer by AVG Free and Ad-Aware. The occurrences are not as often and the pop-ups have altogether stopped.

I'm glad everything is better now. Could you tell me the file name that AVG is detecting or registry key? It would be helpful if you could give me the file address and name.

Since you ran Combofix before I would like to see that log as well. It can be found at C:\Combofix.txt.

The OTScanIT log looks fine. Combofix and some of your other tools already took them out.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Combofix log
-AVG detecting Vundo Filename address
-Kaspersky log


With Regards,
Extremeboy

#5 chadi


Posted 03 February 2009 - 12:40 AM

The virus is showing up in multiple files. It seems this one is pretty tricky, so I am including a jpeg of my AVG virus vault. I have attached all the necessary files. Many thanks!




#6 extremeboy


Posted 03 February 2009 - 04:35 PM

Hello again.

The virus is showing up in multiple files. It seems this one is pretty tricky, so I am including a jpeg of my AVG virus vault. I have attached all the necessary files. Many thanks!

Most of what AVG detected actually isn't active. Most are from the quarantined items from Qoobox which is part of Combofix and some are system restore points. We will remove those once we are finished. There are just a few files that are infected which we will take care of.

There are some files that I don't know if it got removed but let's see.

Run ATFCleaner

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\windows\system32\mdswsknx.dll
    c:\windows\bwUnin-8.1.1.50-8876480SL.exe
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Kaspersky scan log looks fine. PsKill.exe is not a virus, it's a risk tool because it "kills" processes and sometimes it can be used for malicious purposes so that was why Kaspersky detected it as "not-a-virus risk tool". No need to worry about that.

Let AVG quarantine everything and delete them afterwards. Any other problems? Does AVG still detect a lot of things?

Post back with:
-Combofix log
-Problems you still have.


Attach back with:
-New OTScanIT Scan log

With Regards,
Extremeboy
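The triage described in the post above (detections that sit inside ComboFix's Qoobox quarantine or inside System Restore points are not active) written out as an added example; it is not part of the original thread or of any tool mentioned in it. The directory layouts are assumed Windows XP defaults, and the file names and detection lines are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed default layouts on Windows XP (not stated in the thread):
#   ComboFix quarantine: <drive>:\Qoobox\Quarantine\<drive letter>\<original path>.vir
#   System Restore:      <drive>:\System Volume Information\_restore{GUID}\RP<n>\...
RESTORE_DIR = re.compile(r"_restore\{[0-9a-f-]{36}\}")
RESTORE_POINT = re.compile(r"rp\d+")


def _qoobox_origin(parts):
    """Map a Qoobox quarantine path back to the file's original location."""
    if len(parts) < 4 or parts[1].lower() != "quarantine":
        return None
    letter = parts[2]
    if len(letter) != 1 or not letter.isalpha():
        return None
    name = parts[-1]
    if name.lower().endswith(".vir"):  # assumed quarantine suffix
        name = name[:-4]
    return str(PureWindowsPath(letter.upper() + ":\\", *parts[3:-1], name))


def classify(path_str):
    """Return (category, note) for one path reported by an AV scanner.

    Categories: 'combofix-quarantine' and 'system-restore' are inert copies,
    'live' is a file in a normal location, 'unparsed' has no drive letter.
    """
    p = PureWindowsPath(path_str.strip())
    parts = p.parts[1:] if p.drive else ()
    if not parts:
        return ("unparsed", None)
    low = [s.lower() for s in parts]  # Windows paths are case-insensitive
    if low[0] == "qoobox":
        return ("combofix-quarantine", _qoobox_origin(parts))
    if (len(low) >= 3 and low[0] == "system volume information"
            and RESTORE_DIR.fullmatch(low[1])
            and RESTORE_POINT.fullmatch(low[2])):
        return ("system-restore", parts[2])
    return ("live", None)


def triage(detections):
    """Group (path, threat_name) pairs by category."""
    report = {"live": [], "combofix-quarantine": [],
              "system-restore": [], "unparsed": []}
    for path, threat in detections:
        category, note = classify(path)
        report[category].append((path, threat, note))
    return report


# Constructed sample detections; none of these are taken from the thread.
SAMPLE = [
    (r"C:\Qoobox\Quarantine\C\WINDOWS\system32\example1.dll.vir",
     "Trojan horse (constructed)"),
    (r"C:\System Volume Information\_restore{01234567-89AB-CDEF-0123-456789ABCDEF}"
     r"\RP12\A0001234.dll", "Trojan horse (constructed)"),
    (r"c:\qoobox\quarantine\c\windows\example2.exe.vir",
     "Trojan horse (constructed)"),
    (r"c:\windows\system32\example3.dll", "Trojan horse (constructed)"),
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(f"{category}: {len(items)}")
        for path, threat, note in items:
            suffix = f"  [{note}]" if note else ""
            print(f"  {threat}: {path}{suffix}")
```

Only the entries under `live` point at files in a normal location; the other two groups go away when the quarantine folder and old restore points are cleared at the end of cleanup.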

#7 chadi


Posted 03 February 2009 - 06:47 PM

Ran Combofix and after turning AVG back on it scanned and found two more occurrences, jpeg is attached. I'm not seeing anything wrong on my computer (i.e. no pop-ups or slow computer). I'm mainly concerned about logging into certain sites. Is this virus associated with any key logging or anything like that? Anyways, to get back on subject, everything seems to be working fine. Thanks so much for your help! Combofix log is posted below and OTScan log is attached.

ComboFix 09-01-19.03 - Administrator 2009-02-03 16:21:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2532 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\bwUnin-8.1.1.50-8876480SL.exe
c:\windows\system32\mdswsknx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\bwUnin-8.1.1.50-8876480SL.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 12:42 . 2009-02-03 12:43 <DIR> d-------- c:\windows\LastGood
2009-02-03 12:42 . 2009-02-03 12:42 <DIR> d-------- c:\program files\Common Files\Logishrd
2009-02-03 12:42 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-02-03 02:38 . 2009-02-03 02:38 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-03 02:37 . 2009-02-03 02:37 <DIR> d-------- c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2009-02-02 21:16 . 2009-02-02 21:16 <DIR> d-------- c:\windows\Sun
2009-02-02 16:57 . 2009-02-02 16:57 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-02 16:57 . 2009-02-02 16:57 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-31 16:00 . 2009-01-31 16:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 16:00 . 2009-01-31 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 16:00 . 2009-01-31 16:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-31 16:00 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 16:00 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 21:28 . 2009-01-19 21:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-19 21:11 . 2009-01-19 21:11 <DIR> d-------- c:\program files\Electronic Arts
2009-01-13 18:22 . 2009-01-13 18:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2009-01-11 22:59 . 2009-01-11 22:59 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 18:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-03 18:42 --------- d-----w c:\program files\Common Files\Logitech
2009-02-03 08:38 --------- d-----w c:\program files\Lavasoft
2009-02-03 06:29 202,040 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-03 06:29 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-27 04:01 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-20 08:54 --------- d-----w c:\program files\SpeedFan
2008-12-29 03:57 --------- d-----w c:\documents and settings\Administrator\Application Data\Logitech
2008-12-29 03:51 --------- d-----w c:\program files\Common Files\LogiShared
2008-12-29 03:50 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-29 03:50 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-29 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-29 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 21:41 --------- d-----w c:\program files\iTunes
2008-12-08 21:41 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-08 21:40 --------- d-----w c:\program files\iPod
2008-12-08 21:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-10 21:35 34,816 ----a-w c:\windows\system32\RtkCoInstXP.dll
2008-11-07 22:40 17,421,824 ----a-w c:\windows\RTHDCPL.EXE
2008-07-19 22:36 22,328 ----a-w c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2006-02-23 13:16 34,048 ----a-w c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 13:16 45,056 ----a-w c:\program files\mozilla firefox\plugins\upd62int.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-19_17.02.19.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-20 11:48:03 138,496 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w c:\windows\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w c:\windows\$hf_mig$\KB951748\update\updspapi.dll
+ 2009-02-03 08:37:39 42,248 ----a-w c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustCall64.dll
+ 2009-02-03 08:37:39 27,912 ----a-w c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCall.dll
+ 2009-02-03 08:37:39 73,728 ----a-w c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla.dll
+ 2009-02-03 08:37:39 83,296 ----a-w c:\windows\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla1.dll
+ 2009-02-03 18:42:59 10,134 ----a-r c:\windows\Installer\{0C826C5B-B131-423A-A229-C71B3CACCD6A}\ARPPRODUCTICON.exe
- 2008-12-13 18:08:36 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-01-20 09:03:15 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-12-13 18:08:36 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-01-20 09:03:15 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-12-13 18:08:36 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2009-01-20 09:03:15 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-12-13 18:08:36 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-01-20 09:03:15 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-12-13 18:08:36 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-01-20 09:03:15 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-12-13 18:08:36 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-01-20 09:03:15 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-13 18:08:36 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-01-20 09:03:15 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-12-13 18:08:36 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-01-20 09:03:15 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-12-13 18:08:36 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-01-20 09:03:15 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-12-13 18:08:36 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-01-20 09:03:15 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-12-13 18:08:36 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-01-20 09:03:15 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-12-13 18:08:36 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-01-20 09:03:15 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-13 18:08:36 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-01-20 09:03:15 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-04-11 21:32:22 56,080 ----a-w c:\windows\KHALMNPR.Exe
+ 2008-02-29 09:12:38 76,304 ----a-w c:\windows\KHALMNPR.Exe
+ 2007-04-11 21:32:22 56,080 ----a-w c:\windows\LastGood\KHALMNPR.Exe
+ 2008-04-13 19:18:00 52,480 ----a-w c:\windows\LastGood\system32\DRIVERS\i8042prt.sys
+ 2008-04-13 18:39:48 24,576 ----a-w c:\windows\LastGood\system32\DRIVERS\kbdclass.sys
+ 2007-04-11 21:32:30 20,496 ----a-w c:\windows\LastGood\system32\DRIVERS\L8042Kbd.sys
+ 2007-04-11 21:32:38 63,248 ----a-w c:\windows\LastGood\system32\DRIVERS\L8042mou.Sys
+ 2007-04-11 21:32:52 34,832 ----a-w c:\windows\LastGood\system32\DRIVERS\LHidFilt.Sys
+ 2007-04-11 21:32:58 36,112 ----a-w c:\windows\LastGood\system32\DRIVERS\LMouFilt.Sys
+ 2007-04-11 21:33:06 79,376 ----a-w c:\windows\LastGood\system32\DRIVERS\LMouKE.Sys
+ 2008-04-13 18:39:48 23,040 ----a-w c:\windows\LastGood\system32\DRIVERS\mouclass.sys
+ 2001-08-17 19:48:00 12,160 ----a-w c:\windows\LastGood\system32\DRIVERS\mouhid.sys
+ 2007-04-11 21:33:20 1,419,024 ----a-w c:\windows\LastGood\system32\WdfCoInstaller01005.dll
+ 2009-01-20 03:02:04 344,064 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
+ 2008-06-20 17:46:57 147,968 -c----w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 -c----w c:\windows\system32\dllcache\mswsock.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-06-20 11:51:12 361,600 -c----w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 11:08:27 225,856 -c----w c:\windows\system32\dllcache\tcpip6.sys
- 2008-04-14 00:11:52 147,968 ----a-w c:\windows\system32\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 ----a-w c:\windows\system32\dnsapi.dll
- 2007-04-11 21:32:30 20,496 ----a-w c:\windows\system32\drivers\L8042Kbd.sys
+ 2008-02-29 09:12:48 20,240 ----a-w c:\windows\system32\drivers\L8042Kbd.sys
- 2007-04-11 21:32:38 63,248 ----a-w c:\windows\system32\drivers\L8042mou.Sys
+ 2008-02-29 09:12:56 63,120 ----a-w c:\windows\system32\drivers\L8042mou.Sys
- 2007-04-11 21:32:52 34,832 ----a-w c:\windows\system32\drivers\LHidFilt.Sys
+ 2008-02-29 09:13:16 35,344 ----a-w c:\windows\system32\drivers\LHidFilt.Sys
- 2007-04-11 21:32:58 36,112 ----a-w c:\windows\system32\drivers\LMouFilt.Sys
+ 2008-02-29 09:13:24 36,880 ----a-w c:\windows\system32\drivers\LMouFilt.Sys
- 2007-04-11 21:33:06 79,376 ----a-w c:\windows\system32\drivers\LMouKE.Sys
+ 2008-02-29 09:13:36 79,120 ----a-w c:\windows\system32\drivers\LMouKE.Sys
- 2008-04-13 19:20:16 361,344 ----a-w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 11:51:12 361,600 ----a-w c:\windows\system32\drivers\tcpip.sys
- 2008-04-13 19:00:02 225,664 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2009-02-02 22:57:48 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-02-02 22:57:48 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-02-02 22:57:48 148,888 ----a-w c:\windows\system32\javaws.exe
- 2007-04-23 10:00:00 163,840 ----a-w c:\windows\system32\kemutb.dll
+ 2008-05-02 08:39:50 170,512 ----a-w c:\windows\system32\kemutb.dll
- 2007-04-23 10:00:00 135,168 ----a-w c:\windows\system32\KemUtil.dll
+ 2008-05-02 08:39:54 145,936 ----a-w c:\windows\system32\KemUtil.dll
- 2007-04-23 10:00:00 110,592 ----a-w c:\windows\system32\KemWnd.dll
+ 2008-05-02 08:40:02 117,264 ----a-w c:\windows\system32\KemWnd.dll
- 2007-04-23 10:00:00 69,632 ----a-w c:\windows\system32\KemXML.dll
+ 2008-05-02 08:40:08 84,496 ----a-w c:\windows\system32\KemXML.dll
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-04-14 00:12:01 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:46:57 245,248 ----a-w c:\windows\system32\mswsock.dll
- 2008-11-25 23:59:08 59,440 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-24 21:37:46 59,440 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-25 23:59:08 395,200 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-24 21:37:46 395,200 ----a-w c:\windows\system32\perfh009.dat
+ 2008-04-13 19:18:00 52,480 ----a-w c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\i8042prt.sys
+ 2008-04-13 18:39:48 24,576 ----a-w c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\kbdclass.sys
+ 2007-04-11 21:32:30 20,496 ----a-w c:\windows\system32\ReinstallBackups\0017\DriverFiles\L8042Kbd.sys
+ 2008-04-13 18:39:48 23,040 ----a-w c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\mouclass.sys
+ 2008-02-29 09:12:38 76,304 ----a-w c:\windows\system32\ReinstallBackups\0019\DriverFiles\KHALMNPR.Exe
+ 2007-04-11 21:32:38 63,248 ----a-w c:\windows\system32\ReinstallBackups\0019\DriverFiles\L8042mou.Sys
+ 2007-04-11 21:33:06 79,376 ----a-w c:\windows\system32\ReinstallBackups\0019\DriverFiles\LMouKE.Sys
+ 2008-04-13 18:39:48 23,040 ----a-w c:\windows\system32\ReinstallBackups\0020\DriverFiles\i386\mouclass.sys
+ 2001-08-17 19:48:00 12,160 ----a-w c:\windows\system32\ReinstallBackups\0020\DriverFiles\i386\mouhid.sys
+ 2007-04-11 21:32:22 56,080 ----a-w c:\windows\system32\ReinstallBackups\0020\DriverFiles\KHALMNPR.Exe
+ 2007-04-11 21:32:52 34,832 ----a-w c:\windows\system32\ReinstallBackups\0020\DriverFiles\LHidFilt.Sys
+ 2007-04-11 21:32:58 36,112 ----a-w c:\windows\system32\ReinstallBackups\0020\DriverFiles\LMouFilt.Sys
+ 2007-04-11 21:33:20 1,419,024 ----a-w c:\windows\system32\ReinstallBackups\0020\DriverFiles\WdfCoInstaller01005.dll
+ 2009-01-20 08:55:24 73,416 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-02-03 08:40:47 16,384 ----atw c:\windows\temp\Perflib_Perfdata_8d4.dat
+ 2008-07-29 14:05:06 161,784 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-07-29 09:54:08 225,280 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 14:05:08 572,928 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 14:05:08 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 09:54:12 312,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
+ 2008-07-29 14:05:08 875,520 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
+ 2008-07-29 14:05:08 1,180,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
+ 2008-07-29 14:05:12 5,937,144 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
+ 2008-07-29 14:05:12 5,982,720 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
+ 2008-07-29 12:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
+ 2008-07-29 12:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
+ 2008-07-29 14:05:08 3,768,312 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 14:05:10 3,783,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 12:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 12:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 14:05:06 38,912 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 14:05:06 39,936 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 14:05:08 66,560 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 14:05:08 56,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 14:05:06 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 14:05:08 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 14:05:06 66,048 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 14:05:08 64,512 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 14:05:08 46,592 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 14:05:08 46,080 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 14:05:08 62,976 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ABIT uGuruIII"="c:\program files\U-ABIT\uGuru\uGuru.exe" [2007-04-11 425984]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"EA Core"="d:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2009-01-13 2468200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-07-07 282624]
Logitech Desktop Messenger.lnk - d:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-12-28 67128]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2009-02-03 805392]
QuikTray.lnk - c:\program files\Microsoft\Resource Kit\QUIKTRAY.EXE [2008-06-20 27136]
Startup printnow.lnk - c:\utils\WinTools\PrintNow\printnow.exe [2008-06-21 122880]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-21 97928]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-06-16 14592]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-04 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-21 76040]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2005-07-28 88080]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AD-WATCH_REAL-TIME_SCANNER
*NewlyCreated* - AD-WATCH_REGISTRY_FILTER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ff08384-aa20-11dd-9435-00508db57faa}]
\Shell\AutoRun\command - J:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4653a4f-3a9f-11dd-bf00-806d6172696f}]
\Shell\AutoRun\command - V:\Autorun.exe root.ini

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - d:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qt9svh71.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qt9svh71.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qt9svh71.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 16:21:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\License information*]
"datasecu"=hex:82,5f,4f,b2,b1,64,a3,dc,77,36,e2,3d,1f,ae,7b,02,7e,c8,ac,e4,ef,
91,2f,04,05,ac,20,f9,44,4e,cf,c1,98,10,d9,ba,9d,cb,7e,35,58,23,2b,23,56,56,\
"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-03 16:22:44
ComboFix-quarantined-files.txt 2009-02-03 22:22:42
ComboFix2.txt 2009-01-19 23:02:49

Pre-Run: 4,955,574,272 bytes free
Post-Run: 4,934,696,960 bytes free

315 --- E O F --- 2009-01-20 09:03:50

Edited by chadi, 03 February 2009 - 06:50 PM.


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:07 PM

Posted 03 February 2009 - 07:27 PM

Hello chadi.

Ran Combofix and after turning AVG back on it scanned and found two more occurrences, jpeg is attached. I'm not seeing anything wrong on my computer (ie no pop-ups or slow computer). I'm mainly concerned about logging into certain sites. Is this virus associated with any key logging or anything like that? Anyways, to get back on subject, everything seems to be working fine. Thanks so much for your help! Combofix log is posted below and OTScan log is attached.

No. I don't see any signs of keyloggers so it would be fine for you to use this computer after we are done. Best to change all passwords that are important, especially if you do banking, using another computer if you do not feel safe.

I do not see the OTScanIT log, please attach it for me.

The combofix log looks okay. AVG just found some TEMP folders, as long as it quarantined it, it's okay.

Let's run an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Kaspersky log

Attach back with:
-OTScanIT2 scan log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 chadi

chadi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 04 February 2009 - 05:02 PM

Sorry about the OTScanIt log. Here's what you requested. I had to compress the OTScanIt file because it is too large to attach. Thanks again!

KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, February 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, February 04, 2009 08:20:50
Records in database: 1743718
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
S:\
V:\
Scan statistics
Files scanned 134059
Threat name 2
Infected objects 4
Suspicious objects 0
Duration of the scan 01:51:01

File name Threat name Threats count
C:\Utils\WinTools\Pstools\psexec.exe Infected: not-a-virus:NetTool.Win32.RemoteStartProcess.a 1
C:\Utils\WinTools\Pstools\pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill.a 1
G:\Utils\WinTools\PsTools\psexec.exe Infected: not-a-virus:NetTool.Win32.RemoteStartProcess.a 1
G:\Utils\WinTools\PsTools\pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill.a 1


#10 extremeboy

Posted 04 February 2009 - 05:51 PM

Hello.

Log looks good. If you have no more problems/questions we can wrap up now :step5:

Please follow/read the steps below to remove the tools we used and for some more information. :)

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
This will remove files/folders associated with combofix and uninstall it.

Download and Run OTCleanIt

We will now remove the tools we used during this fix.
  • Download OTCleanIt by OldTimer to your desktop.
  • Double click OTCleanIt.exe to start the program.
  • Click the big CleanUp! button.
  • When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
You may delete the tool after use.


Congratulations! You now appear clean! :step1: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.


Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :step4:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
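The Autorun advice in the post above ties back to the ComboFix log earlier in this thread, which lists `\Shell\AutoRun\command` values stored under `MountPoints2` for two volumes. The following is an added example, not part of the original posts and not ComboFix's own code: a small parser that pulls those per-volume commands out of a pasted log so they can be reviewed. It also accepts shell verbs other than `AutoRun`; the `approved_commands` list and all function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt copied from the "Reg Loading Points" part of the ComboFix log in this thread.
LOG_EXCERPT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ff08384-aa20-11dd-9435-00508db57faa}]
\Shell\AutoRun\command - J:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4653a4f-3a9f-11dd-bf00-806d6172696f}]
\Shell\AutoRun\command - V:\Autorun.exe root.ini

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VOLUME_RE = re.compile(r"\\explorer\\mountpoints2\\(?P<volume>[^\\\]]+)$", re.IGNORECASE)
VERB_RE = re.compile(
    r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<command>.+)$", re.IGNORECASE
)
# Split "path.ext args" into program and arguments; the path may be quoted.
EXE_RE = re.compile(
    r'^"?(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|pif|vbs|js|dll))"?(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
DRIVE_RE = re.compile(r"^([A-Za-z]):\\")


@dataclass(frozen=True)
class AutoRunEntry:
    volume: str            # MountPoints2 subkey name (volume GUID or drive letter)
    verb: str              # shell verb, e.g. "AutoRun" or "open"
    command: str           # full command line as logged
    executable: str        # program part of the command
    args: str              # remaining arguments, "" if none
    drive: Optional[str]   # drive letter the program lives on, None if not a drive path


def parse_mountpoints2(log_text: str) -> List[AutoRunEntry]:
    """Return every shell command listed under a MountPoints2 volume key."""
    entries: List[AutoRunEntry] = []
    volume = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # A new registry key starts; remember it only if it is a MountPoints2 volume.
            found = VOLUME_RE.search(key.group("key"))
            volume = found.group("volume") if found else None
            continue
        verb = VERB_RE.match(line)
        if volume is None or verb is None:
            continue
        command = verb.group("command").strip()
        exe = EXE_RE.match(command)
        executable = exe.group("exe") if exe else command
        args = (exe.group("args") or "") if exe else ""
        drive = DRIVE_RE.match(executable)
        entries.append(
            AutoRunEntry(
                volume=volume,
                verb=verb.group("verb"),
                command=command,
                executable=executable,
                args=args,
                drive=drive.group(1).upper() if drive else None,
            )
        )
    return entries


def unreviewed(entries: List[AutoRunEntry], approved_commands) -> List[AutoRunEntry]:
    """Entries whose command is not on the owner's approved list (hypothetical list)."""
    approved = {c.lower() for c in approved_commands}
    return [e for e in entries if e.command.lower() not in approved]


if __name__ == "__main__":
    found = parse_mountpoints2(LOG_EXCERPT)
    # Assumption for the demo: the owner recognises only the V: entry.
    for entry in unreviewed(found, approved_commands=[r"V:\Autorun.exe root.ini"]):
        print(f"review: drive {entry.drive} volume {entry.volume} "
              f"verb {entry.verb} -> {entry.executable} {entry.args}".rstrip())
```
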

#11 chadi

Posted 05 February 2009 - 03:09 AM

:thumbup2: :step4: :) :step5: :step1:

Thank you so much!!!! I really appreciate all of your help, you guys are great!!!! Thanks again! :)

#12 extremeboy

Posted 05 February 2009 - 01:06 PM

You are very welcome :)

Happy surfing again and good luck :thumbup2:

With Regards,
Extremeboy

Edited by extremeboy, 05 February 2009 - 01:06 PM.


#13 chadi

Posted 05 February 2009 - 11:42 PM

Sorry but one last question. If I have any more occurrences with the virus should I just post back here? Or should I contact you directly? I figure I should start a new post but would it be helpful for someone to know about this thread?


Thanks again for all of your help!

#14 extremeboy

Posted 06 February 2009 - 01:01 PM

Hello again.

I forgot to close this thread.. Anyways I'll answer your question before closing it :thumbup2:

Sorry but one last question. If I have any more occurrences with the virus should I just post back here? Or should I contact you directly? I figure I should start a new post but would it be helpful for someone to know about this thread?


Thanks again for all of your help!

Yes, you should start another topic in this forum. You could link your other malware expert to this link if it's required. Normally, they can see just by viewing your profile. :)

Hope that helps.

With Regards,
Extremeboy

#15 extremeboy

Posted 07 February 2009 - 04:40 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
