Trojan.Agent.AWDE or Bredolab.B Digeste.dll

This topic is locked
22 replies to this topic

#1 nigelt (Members, 12 posts)

Posted 03 February 2009 - 06:20 AM

Hi Guys,
I picked up this trojan a few days ago, I think from some freeware font files(?)

It all started with a stuttering mouse and video playback.

I've tried scanning and cleaning with AVG Internet Security and Spybot Search and Destroy. Both programmes picked up some stuff and removed it but obviously missed a bit.

Nothing weird is noticeable with the laptop but I've obviously still got the infection.

My net searches revealed that the digeste.dll I found in my /system32/ was linked to some Trojan called Bredolab.B

I've scanned today with the free Spyware Doctor and it has identified it as Trojan.Agent.AWDE

I really need help in removing and cleaning this up please. I'm not good at this stuff!

Log files pasted below as instructed:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Nigel T at 10:55:40.00 on 03/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.533 [GMT 0:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: AVG Firewall 7.5.500 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nigel T\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Nigel T] c:\documents and settings\nigel t\Nigel T.exe /i
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\avgfwafu.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
TCP: {EFE3E65E-4079-4FCF-B1A7-1681C8D7BA9C} = 195.92.195.94,195.92.195.95
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: avgwlntf - avgwlntf.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-3 40840]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-2-3 10760]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-2-3 26952]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-3 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-3 81288]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-2-3 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-2-3 49664]
R2 AvgCoreSvc;AVG7 Resident Shield Service;c:\progra~1\grisoft\avg7\avgrssvc.exe [2008-2-3 192512]
R2 AVGFwSrv;AVG Firewall;c:\progra~1\grisoft\avg7\avgfwsrv.exe [2008-2-3 838656]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-3 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-3 1079176]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2005-1-31 191092]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 DILUSBCamera;Agfa ePhoto CL18 Camera Stream Driver;c:\windows\system32\drivers\stream18.sys [2005-7-25 70708]
S2 i386si;i386si;\??\c:\windows\system32\drivers\i386si.sys --> c:\windows\system32\drivers\i386si.sys [?]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 systemntmi;systemntmi;\??\c:\windows\system32\drivers\systemntmi.sys --> c:\windows\system32\drivers\systemntmi.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 F5U103BD;Belkin F5U103 USB-RS232 Bus Driver;c:\windows\system32\drivers\F5U103BD.SYS [2001-8-9 16528]
S3 F5U103UD;Belkin F5U103 USB-RS232 Port Driver;c:\windows\system32\drivers\F5U103UD.SYS [2001-8-9 25569]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-8-31 24197]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\nigel t\desktop\hwioctl.sys --> c:\documents and settings\nigel t\desktop\HwIOctl.sys [?]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2005-1-31 6100]
S3 Memctl;Memctl;\??\c:\documents and settings\nigel t\desktop\memctl.sys --> c:\documents and settings\nigel t\desktop\Memctl.sys [?]

=============== Created Last 30 ================

2009-02-03 10:04 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-03 10:04 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-03 10:04 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-03 10:04 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-03 10:04 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-03 10:04 <DIR> --d----- c:\docume~1\nigelt~1\applic~1\PC Tools
2009-01-27 18:40 <DIR> --dsh--- c:\documents and settings\nigel t\UserData
2009-01-26 11:33 12 a------- c:\windows\system32\shell31.dll
2009-01-26 11:33 24,064 a------- c:\windows\system32\digeste.dll

==================== Find3M ====================

2009-01-26 18:49 92,744 ac------ c:\docume~1\nigelt~1\applic~1\GDIPFONTCACHEV1.DAT
2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-02 07:50 410,976 a------- c:\windows\system32\deploytk.dll
2006-12-20 14:47 278,528 a------- c:\program files\common files\FDEUnInstaller.exe
2006-03-20 16:20 6,373 ac------ c:\docume~1\nigelt~1\applic~1\unins000.dat
2006-03-20 16:18 673,546 ac------ c:\docume~1\nigelt~1\applic~1\unins000.exe
2005-06-13 19:02 25,236 ac--h--- c:\program files\NWB.GID
2005-05-13 16:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-10-07 18:14 308,224 a--shr-- c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
2008-09-06 18:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 10:57:23.79 ===============
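The DDS log above carries the three entries a responder would chase first: an extra DLL on the `SecurityProviders:` line (digeste.dll, loaded by LSASS at boot), a cluster of auto-start `S2` drivers whose binaries DDS could not stat (shown as `[?]`), and two files dropped straight into the system32 root on 2009-01-26. The script below is an added example, not part of the original post and not a DDS or BleepingComputer tool; it pulls those three indicator classes out of the log format. The sample lines are copied from the log above, and the Windows XP `SecurityProviders` baseline is an assumption of this example.

```python
"""Triage checks for a DDS "Pseudo HJT Report" log.

Added example, not part of the original post and not a DDS or BleepingComputer
tool. SAMPLE is copied from the log posted in the thread; the Windows XP
SecurityProviders baseline is an assumption of this example.
"""
import re

# Assumed stock value of HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
# on Windows XP. Any extra DLL named here is loaded by LSASS at boot, which is
# why a stray entry in this list matters more than a file in a temp folder.
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# R0-R2 are running boot/system/auto-start services; S2 is a stopped auto-start service.
AUTOSTART = {"R0", "R1", "R2", "S2"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$"
)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+)$"
)

# Lines copied from the DDS log posted above.
SAMPLE = r"""
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-3 40840]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 DILUSBCamera;Agfa ePhoto CL18 Camera Stream Driver;c:\windows\system32\drivers\stream18.sys [2005-7-25 70708]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\nigel t\desktop\hwioctl.sys --> c:\documents and settings\nigel t\desktop\HwIOctl.sys [?]
2009-02-03 10:04 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-03 10:04 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-26 11:33 12 a------- c:\windows\system32\shell31.dll
2009-01-26 11:33 24,064 a------- c:\windows\system32\digeste.dll
"""


def unexpected_security_providers(line):
    """DLLs on a 'SecurityProviders:' line that are not in the XP baseline."""
    _, _, value = line.partition(":")
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return [n for n in names if n not in XP_SECURITY_PROVIDERS]


def services_with_unreadable_binary(lines):
    """(state, name, resolved path) for auto-start services whose file DDS could not stat.

    DDS prints '[?]' instead of '[date size]' when the binary is missing or
    hidden from it; an auto-start driver in that state is a rootkit indicator.
    """
    hits = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m and m.group("meta") == "?" and m.group("state") in AUTOSTART:
            resolved = m.group("path").split(" --> ")[-1]
            hits.append((m.group("state"), m.group("name"), resolved))
    return hits


def new_files_in_system32_root(lines):
    """(date, size, filename) for files created directly in the system32 root.

    Legitimate installers mostly add drivers and subfolders; a bare DLL dropped
    into the system32 root within the window is worth a hash lookup.
    """
    hits = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        folder, _, name = m.group("path").lower().rpartition("\\")
        if folder == r"c:\windows\system32":
            hits.append((m.group("date"), int(m.group("size").replace(",", "")), name))
    return hits


def triage(log_text):
    """Run all three checks over a DDS log and return the findings by class."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    providers = []
    for line in lines:
        if line.startswith("SecurityProviders:"):
            providers += unexpected_security_providers(line)
    return {
        "security_providers": providers,
        "unreadable_services": services_with_unreadable_binary(lines),
        "system32_drops": new_files_in_system32_root(lines),
    }


if __name__ == "__main__":
    for key, findings in triage(SAMPLE).items():
        print(key)
        for finding in findings:
            print("   ", finding)
```

Run against the sample it reports digeste.dll as the foreign security provider, the three `S2` drivers with unreadable binaries (the `S3` entry on the user's desktop is demand-start and is not flagged), and the two files dropped into the system32 root. Fake driver names built from system DLL names (`ws2_32sik`, `port135sik`) are exactly what the missing-file check is meant to surface; the registered paths are resolved from the `-->` form DDS prints so the output can be fed to a hash or signature lookup.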


#2 mas_pogi (Carpal Tunnel of Love; Members, 1,473 posts; Tokyo, JP)

Posted 11 February 2009 - 08:51 AM

Hello ,

Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Attention!

Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread, do not start another.




You might want to bookmark this page, so you can find it again when you return.

Firefox: (screenshot) Then click on Done.

IExplorer: (screenshot) Then click on Add.

Stay calm.

Since it's been almost 7 days since your last log, I would ask for the latest log.

Delete DDS from your desktop;

Please download DDS and save it to your desktop.
Disable any script blocker then double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
Please post the content of DDS.txt in your next reply.
Please upload the file attach.txt using this: (screenshot)

With Regards,
mas_pogi

#3 nigelt (Topic Starter; Members, 12 posts)

Posted 11 February 2009 - 09:09 AM

Hi and thanks for helping.

Pasted the new DDS.txt below and attached the new attach.txt

One thing, I didn't understand your instruction "Click Yes at the next prompt for Optional Scan". I didn't get anything appear which gave me that option, just the resulting two .txt files from the DDS scan.

Thanks, here's the log...



DDS (Ver_09-02-01.01) - NTFSx86
Run by Nigel T at 14:02:22.65 on 11/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.687 [GMT 0:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: AVG Firewall 7.5.500 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nigel T\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Nigel T] c:\documents and settings\nigel t\Nigel T.exe /i
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\avgfwafu.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
TCP: {EFE3E65E-4079-4FCF-B1A7-1681C8D7BA9C} = 195.92.195.94,195.92.195.95
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: avgwlntf - avgwlntf.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-2-3 10760]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-2-3 26952]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-2-3 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-2-3 49664]
R2 AvgCoreSvc;AVG7 Resident Shield Service;c:\progra~1\grisoft\avg7\avgrssvc.exe [2008-2-3 192512]
R2 AVGFwSrv;AVG Firewall;c:\progra~1\grisoft\avg7\avgfwsrv.exe [2008-2-3 838656]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2005-1-31 191092]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 DILUSBCamera;Agfa ePhoto CL18 Camera Stream Driver;c:\windows\system32\drivers\stream18.sys [2005-7-25 70708]
S2 i386si;i386si;\??\c:\windows\system32\drivers\i386si.sys --> c:\windows\system32\drivers\i386si.sys [?]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 systemntmi;systemntmi;\??\c:\windows\system32\drivers\systemntmi.sys --> c:\windows\system32\drivers\systemntmi.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 F5U103BD;Belkin F5U103 USB-RS232 Bus Driver;c:\windows\system32\drivers\F5U103BD.SYS [2001-8-9 16528]
S3 F5U103UD;Belkin F5U103 USB-RS232 Port Driver;c:\windows\system32\drivers\F5U103UD.SYS [2001-8-9 25569]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-8-31 24197]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\nigel t\desktop\hwioctl.sys --> c:\documents and settings\nigel t\desktop\HwIOctl.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-3 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-3 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-3 81288]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2005-1-31 6100]
S3 Memctl;Memctl;\??\c:\documents and settings\nigel t\desktop\memctl.sys --> c:\documents and settings\nigel t\desktop\Memctl.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-3 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-3 1079176]

=============== Created Last 30 ================

2009-02-03 10:04 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-03 10:04 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-03 10:04 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-03 10:04 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-03 10:04 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-03 10:04 <DIR> --d----- c:\docume~1\nigelt~1\applic~1\PC Tools
2009-01-27 18:40 <DIR> --dsh--- c:\documents and settings\nigel t\UserData
2009-01-26 11:33 12 a------- c:\windows\system32\shell31.dll

==================== Find3M ====================

2009-01-26 18:49 92,744 ac------ c:\docume~1\nigelt~1\applic~1\GDIPFONTCACHEV1.DAT
2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-02 07:50 410,976 a------- c:\windows\system32\deploytk.dll
2006-12-20 14:47 278,528 a------- c:\program files\common files\FDEUnInstaller.exe
2006-03-20 16:20 6,373 ac------ c:\docume~1\nigelt~1\applic~1\unins000.dat
2006-03-20 16:18 673,546 ac------ c:\docume~1\nigelt~1\applic~1\unins000.exe
2005-06-13 19:02 25,236 ac--h--- c:\program files\NWB.GID
2005-05-13 16:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-10-07 18:14 308,224 a--shr-- c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
2008-09-06 18:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 14:03:53.37 ===============


#4 mas_pogi (Carpal Tunnel of Love; Members, 1,473 posts; Tokyo, JP)

Posted 11 February 2009 - 09:19 AM

hi.

One thing, I didn't understand your instruction "Click Yes at the next prompt for Optional Scan". I didn't get anything appear which gave me that option, just the resulting two .txt files from the DDS scan.

The one I am referring to is attach.txt. Anyway, you already attached it.

I will now analyze your log and then wait for approval. I will post the fix here as soon as possible.

Mark

#5 mas_pogi (Carpal Tunnel of Love; Members, 1,473 posts; Tokyo, JP)

Posted 11 February 2009 - 09:38 AM

hi nigelt.


Could I ask for an additional scan?

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Post it here when finished.

Mark

#6 nigelt (Topic Starter; Members, 12 posts)

Posted 11 February 2009 - 09:39 AM

Appreciate your help Mark.
Just for your info - nothing suspicious seems to be happening on the surface.
It's just 'what lurks beneath' that I worry about!

#7 nigelt (Topic Starter; Members, 12 posts)

Posted 11 February 2009 - 10:30 AM

Copied from GMER...
Thanks,
NigelT


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-11 15:29:56
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[216] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[216] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[216] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[216] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[216] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[216] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[216] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[216] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000f3d0d464e
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000f3d0d464e@00180f5911da 0xBA 0xD0 0x05 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000f3d0d464e
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000f3d0d464e@00180f5911da 0xBA 0xD0 0x05 0x1B ...

---- EOF - GMER 1.0.14 ----

#8 mas_pogi

Posted 12 February 2009 - 04:26 PM

hi.

Let's start cleaning your computer.

You have a rootkit installed on your computer.


A Rootkit is software that cloaks the presence of files and data to evade detection, while allowing an attacker to take control of the machine without the user's knowledge. Rootkits are typically used by malware including viruses, spyware, trojans, and backdoors, to conceal themselves from the user as well as from malware detection software such as anti-virus and anti-spyware applications. Rootkits are also used by some adware applications and DRM (Digital Rights Management) programs to thwart the removal of that unwanted software by users.

Rootkits are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


  • The following refers to Registry Mechanic.

    Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
    • Registry tools can cause irreparable damage to your Operating System
    • Registry tools can, as a result of the above, render your PC inoperable.
    This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.

    You should only use them if you have a basic knowledge about the registry and know if a certain key/value is safe to be removed or not.

    Cleaning the registry won't really improve system performance, even though there are a lot of orphaned keys.
    IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry tools at your own risk. After all, a corrupted registry is a corrupted Windows.

    Should I Use a Registry Cleaner?

    Mark Russinovich wrote:
    No, even if the registry was massively bloated there would be little impact on the performance of anything other than exhaustive searches (ed. of the registry itself).

    On Win2K Terminal Server systems, however, there is a limit on the total amount of Registry data that can be loaded and so large profile hives can limit the number of users that can be logged on simultaneously.

    I haven't and never will implement a Registry cleaner since it's of little practical use on anything other than Win2K terminal servers and developing one that's both safe and effective requires a huge amount of application-specific knowledge.


  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Virustotal

    When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

    c:\windows\system32\shell31.dll


    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Jotti: http://virusscan.jotti.org/

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
In your reply, please post

C:\combofix.txt
C:\QooBox\Add-Remove Programs.txt
Virustotal result


Mark

#9 nigelt

Posted 13 February 2009 - 07:04 AM

Thanks Mark.

Pasted below the stuff you requested...

Ran Combofix.exe but it didn't give me the option to install "Microsoft Windows Recovery Console" although I notice from the log it says it is not installed!!

If you want me to try running it again please let me know.

Thanks,
NigelT

File shell31.dll received on 02.13.2009 10:38:36 (CET)
Current status: finished

Result: 0/39 (0.00%)
Additional information
File size: 12 bytes
MD5...: dd7cae2c853ecf5ef0bc6ceb7c238359
SHA1..: e89eba06f0c751581f20138a85dd1bf46d8811c6
SHA256: 26984d5d37f3d18100bade7556a9a25cdab393efa1d7bc6664ab73821149c2aa
SHA512: a441730e2591b51a0b5c2d347544b89d63a22d77c4de90346a8152e6018ac10b9eb134080aca153de07356aca5c494628be7e9cf51529ec2d3ffce835502182f

ssdeep: 3:CihVSn:CcVSn

PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -



COMBOFIX.TXT below:

ComboFix 09-02-12.03 - Nigel T 2009-02-13 11:31:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.748 [GMT 0:00]
Running from: c:\documents and settings\Nigel T\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: AVG Firewall 7.5.500 *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nigel T\Application Data\unins000.exe
c:\windows\jestertb.dll
c:\windows\system32\Cache
c:\windows\system32\shell31.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-11 14:43 . 2009-02-11 14:43 250 --a------ c:\windows\gmer.ini
2009-02-03 10:04 . 2009-02-03 10:06 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-03 10:04 . 2009-02-03 10:04 <DIR> d-------- c:\documents and settings\Nigel T\Application Data\PC Tools
2009-02-03 10:04 . 2009-02-13 09:28 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 10:04 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-03 10:04 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-03 10:04 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-03 10:04 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-27 18:40 . 2009-01-27 18:40 <DIR> d--hs---- c:\documents and settings\Nigel T\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-02-06 19:03 --------- d-----w c:\documents and settings\Nigel T\Application Data\AVG7
2009-01-26 18:49 92,744 -c--a-w c:\documents and settings\Nigel T\Application Data\GDIPFONTCACHEV1.DAT
2009-01-16 21:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-06 17:09 --------- d-----w c:\program files\FlashGet
2008-12-29 09:43 --------- d-----w c:\documents and settings\Nigel T\Application Data\uTorrent
2008-12-23 15:49 --------- d-----w c:\program files\ACT
2008-12-23 10:57 --------- d-----w c:\program files\iTunes
2008-12-23 10:57 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 10:56 --------- d-----w c:\program files\iPod
2008-12-23 10:56 --------- d-----w c:\program files\Bonjour
2008-12-23 10:55 --------- d-----w c:\program files\QuickTime
2008-12-23 10:55 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-23 10:54 --------- d-----w c:\program files\Apple Software Update
2008-12-23 10:53 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 10:53 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-22 18:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-19 09:10 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-02 07:50 410,976 ----a-w c:\windows\system32\deploytk.dll
2006-12-20 14:47 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2006-03-20 16:20 6,373 -c--a-w c:\documents and settings\Nigel T\Application Data\unins000.dat
2005-06-13 19:02 25,236 -c-ha-w c:\program files\NWB.GID
2005-05-13 16:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 10:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 --sha-r c:\windows\x2.64.exe
2005-10-07 18:14 308,224 --sha-r c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 --sha-r c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
2008-09-06 18:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]
"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2004-05-26 71680]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-01 180269]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-03 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-06-13 49254]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-02-03 13:17 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Submit Equalizer]
c:\program files\Submit Equalizer\se_service [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2007-01-16 20:22 1003520 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCDEmuApp.exe]
--a------ 2005-10-16 01:15 167936 c:\program files\PowerISO\SCDEmuApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-01 12:04 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 16:52 3770024 c:\program files\TomTom HOME\TomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"DTSRVC"=2 (0x2)
"KService"=2 (0x2)
"Fax"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2005-01-31 191092]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 DILUSBCamera;Agfa ePhoto CL18 Camera Stream Driver;c:\windows\system32\drivers\stream18.sys [2005-07-25 70708]
S2 i386si;i386si;\??\c:\windows\system32\drivers\i386si.sys --> c:\windows\system32\drivers\i386si.sys [?]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 systemntmi;systemntmi;\??\c:\windows\system32\drivers\systemntmi.sys --> c:\windows\system32\drivers\systemntmi.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 F5U103BD;Belkin F5U103 USB-RS232 Bus Driver;c:\windows\system32\drivers\F5U103BD.SYS [2001-08-09 16528]
S3 F5U103UD;Belkin F5U103 USB-RS232 Port Driver;c:\windows\system32\drivers\F5U103UD.SYS [2001-08-09 25569]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-08-31 24197]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\Nigel T\Desktop\HwIOctl.sys --> c:\documents and settings\Nigel T\Desktop\HwIOctl.sys [?]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2005-01-31 6100]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-03 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fab2ea2-9602-11db-9719-00030d1afa59}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9625436-ef84-11dc-99c1-000e35b95592}]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Nigel T - c:\documents and settings\Nigel T\Nigel T.exe
HKLM-Run-DXDllRegExe - dxdllreg.exe
MSConfigStartUp-4oD - c:\program files\Kontiki\KHost.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-kdx - c:\program files\Kontiki\KHost.exe
MSConfigStartUp-LanguageShortcut - c:\program files\CyberLink\PowerDVD\Language\Language.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
LSP: c:\windows\system32\avgfwafu.dll
TCP: {EFE3E65E-4079-4FCF-B1A7-1681C8D7BA9C} = 195.92.195.94,195.92.195.95
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 11:37:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\avgwlntf.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\avgfwafu.dll
.
Completion time: 2009-02-13 11:41:31
ComboFix-quarantined-files.txt 2009-02-13 11:40:49

Pre-Run: 25,465,487,360 bytes free
Post-Run: 25,823,232,000 bytes free

214 --- E O F --- 2009-02-12 19:02:58



C:\QooBox\Add-Remove Programs.txt....

µTorrent
1300
1300_Help
1300Tour
1300Trb
ACT!
ACT! Link 2.0
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player 11
Agfa ePhoto CL18 Digital Camera Driver
AiO_Scan
AIOMinimal
AiOSoftware
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AVG 7.5
Avi2Dvd 0.4.4 beta
Bonjour
BT Openzone QuickTour
CinePlayer Editor 1.4.5
Compatibility Pack for the 2007 Office system
CorelDRAW 10
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EOL Universal Printer Client
Fax
ffdshow [rev 610] [2006-12-01]
Golden Phrases
Google Earth
Google Toolbar for Internet Explorer
GroupMail :: Free Edition
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Display Assistant
HP PSC & OfficeJet 3.0
HP Software Update
Intel® Extreme Graphics 2 Driver
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java™ 6 Update 10
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
LimeWire 4.9.37
Memories Disc Creator 2.0
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft XML Parser
MPEG Converter 2.0
MPEG Video Wizard DVD
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NatWest Book-Keeper
Notebook Interactive Viewer
Orange Search Toolbar
OS Mapbuilder - British Isles Edition 2.0
Palm Desktop
PoiEdit
PowerISO
Press Equalizer 1.0.21
PrintScreen
QuickTime
Readme
RealPlayer
Registry Mechanic 8.0
RoadAngel 2 - UK
RoadAngel II USB Drivers
Scan
SDK
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Smart Link 56K Modem
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Doctor 6.0
SUPER © Version 2006.19 (FIX)
Synaptics Pointing Device Driver
TaxCalc 2007
TomTom HOME
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VideoLAN VLC media player 0.8.6a
VIGOS Gsitemap 0.97a
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile® Device Handbook
Windows XP Service Pack 3
WinZip
WMV to AVI MPEG DVD WMV Converter 1.5.4
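
A small triage pass over lines in the ComboFix log format shown in the post above, as an added example (not a ComboFix or BleepingComputer tool): it flags drivers whose binary is missing on disk (the '[?]' marker ComboFix prints), a disabled firewall profile, and AutoRun commands recorded for removable drives. The sample lines are constructed to match that format, reusing driver names from the log above; the regexes and the Finding type are this example's own.

```python
"""Triage of ComboFix-style log lines (added example, not ComboFix's own code).

Flags: auto/demand-start drivers whose file is missing ('[?]'), the Windows
Firewall profile being disabled, and AutoRun commands recorded for drives.
"""
import re
from dataclasses import dataclass

# Service line: state (R=running, S=stopped), start-type digit, then
# name;description;path.  A missing binary is printed as
# 'path --> path [?]', a present one as 'path [date size]'.
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
# Firewall policy value as printed: "EnableFirewall"= 0 (0x0)
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')
# Explorer MountPoints2 entry: \Shell\AutoRun\command - E:\setup.exe
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$")

# Constructed sample in the same format as the log above (names taken from it).
SAMPLE_LOG = r"""
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2005-01-31 191092]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\Nigel T\Desktop\HwIOctl.sys --> c:\documents and settings\Nigel T\Desktop\HwIOctl.sys [?]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2005-01-31 6100]
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - E:\setup.exe
"""


@dataclass
class Finding:
    kind: str
    detail: str


def parse_service(line):
    """Split one service line into (state, start_type, name, path, missing)."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, _desc, rest = m.groups()
    missing = rest.rstrip().endswith("[?]")
    # Keep the first path only: drop ' --> resolved path' and '[date size]'.
    path = rest.split(" --> ")[0].split(" [")[0].strip()
    if path.startswith("\\??\\"):  # NT object-manager prefix
        path = path[4:]
    return state, int(start), name, path, missing


def triage(log_text):
    """Return the findings a responder would want to look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc:
            _state, start, name, path, missing = svc
            if missing:
                # A registered driver with no file on disk: either leftover
                # registration or something hiding/removed; worth a closer look.
                findings.append(Finding("missing-driver-file",
                                        f"{name} (start type {start}): {path}"))
            continue
        m = FIREWALL_RE.match(line)
        if m and int(m.group(1)) == 0:
            findings.append(Finding("firewall-disabled", line))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("autorun-command", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```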

#10 mas_pogi

Posted 13 February 2009 - 06:40 PM

hi.

We will try other methods to install it. We need to install it just in case the situation turns out to be undesirable. :thumbup2:


With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System
Download the file & save it as it is originally named.


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'No'.
  • When the tool is finished, a log named CF_RC.txt will open.
You can also find it in C:\CF_RC.txt .
Please post it in your next reply.

#11 nigelt

Posted 15 February 2009 - 08:16 AM

Did exactly as you said.
Combofix ran the Recovery Console as it should etc etc.

At the end of the combofix scan it opened up log.txt and not CF_RC.txt as you said.
There isn't a CF_RC.txt file in C:\ either!

The log.txt file is pasted below.

Don't understand what the problem / issue is here and appreciate your help to solve it.

Thanks!!!


ComboFix 09-02-14.01 - Nigel T 2009-02-15 13:05:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.746 [GMT 0:00]
Running from: c:\documents and settings\Nigel T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nigel T\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
FW: AVG Firewall 7.5.500 *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-11 14:43 . 2009-02-11 14:43 250 --a------ c:\windows\gmer.ini
2009-02-03 10:04 . 2009-02-03 10:06 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-03 10:04 . 2009-02-03 10:04 <DIR> d-------- c:\documents and settings\Nigel T\Application Data\PC Tools
2009-02-03 10:04 . 2009-02-15 12:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 10:04 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-03 10:04 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-03 10:04 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-03 10:04 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-27 18:40 . 2009-01-27 18:40 <DIR> d--hs---- c:\documents and settings\Nigel T\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 18:10 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-06 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-02-06 19:03 --------- d-----w c:\documents and settings\Nigel T\Application Data\AVG7
2009-01-26 18:49 92,744 -c--a-w c:\documents and settings\Nigel T\Application Data\GDIPFONTCACHEV1.DAT
2009-01-16 21:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-06 17:09 --------- d-----w c:\program files\FlashGet
2008-12-29 09:43 --------- d-----w c:\documents and settings\Nigel T\Application Data\uTorrent
2008-12-23 15:49 --------- d-----w c:\program files\ACT
2008-12-23 10:57 --------- d-----w c:\program files\iTunes
2008-12-23 10:57 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 10:56 --------- d-----w c:\program files\iPod
2008-12-23 10:56 --------- d-----w c:\program files\Bonjour
2008-12-23 10:55 --------- d-----w c:\program files\QuickTime
2008-12-23 10:55 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-23 10:54 --------- d-----w c:\program files\Apple Software Update
2008-12-23 10:53 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 10:53 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-22 18:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-19 09:10 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-02 07:50 410,976 ----a-w c:\windows\system32\deploytk.dll
2006-12-20 14:47 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2006-03-20 16:20 6,373 -c--a-w c:\documents and settings\Nigel T\Application Data\unins000.dat
2005-06-13 19:02 25,236 -c-ha-w c:\program files\NWB.GID
2005-05-13 16:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 10:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 --sha-r c:\windows\x2.64.exe
2005-10-07 18:14 308,224 --sha-r c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 --sha-r c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
2008-09-06 18:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-13_11.38.58.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-04 16:03:47 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\ARPPRODUCTICON.exe
+ 2009-02-13 18:10:09 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\ARPPRODUCTICON.exe
- 2008-02-04 16:03:47 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\WCESMgrIcon.exe
+ 2009-02-13 18:10:09 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\WCESMgrIcon.exe
- 2009-02-13 09:12:52 229,183 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-15 12:27:27 229,186 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-15 12:27:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]
"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2004-05-26 71680]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-01 180269]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-03 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-06-13 49254]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-02-03 13:17 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Submit Equalizer]
c:\program files\Submit Equalizer\se_service [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2007-01-16 20:22 1003520 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCDEmuApp.exe]
--a------ 2005-10-16 01:15 167936 c:\program files\PowerISO\SCDEmuApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-01 12:04 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 16:52 3770024 c:\program files\TomTom HOME\TomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"DTSRVC"=2 (0x2)
"KService"=2 (0x2)
"Fax"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2005-01-31 191092]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 DILUSBCamera;Agfa ePhoto CL18 Camera Stream Driver;c:\windows\system32\drivers\stream18.sys [2005-07-25 70708]
S2 i386si;i386si;\??\c:\windows\system32\drivers\i386si.sys --> c:\windows\system32\drivers\i386si.sys [?]
S2 port135sik;port135sik;\??\c:\windows\system32\drivers\port135sik.sys --> c:\windows\system32\drivers\port135sik.sys [?]
S2 systemntmi;systemntmi;\??\c:\windows\system32\drivers\systemntmi.sys --> c:\windows\system32\drivers\systemntmi.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 F5U103BD;Belkin F5U103 USB-RS232 Bus Driver;c:\windows\system32\drivers\F5U103BD.SYS [2001-08-09 16528]
S3 F5U103UD;Belkin F5U103 USB-RS232 Port Driver;c:\windows\system32\drivers\F5U103UD.SYS [2001-08-09 25569]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-08-31 24197]
S3 HwIOctl;HwIOctl;\??\c:\documents and settings\Nigel T\Desktop\HwIOctl.sys --> c:\documents and settings\Nigel T\Desktop\HwIOctl.sys [?]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2005-01-31 6100]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-03 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fab2ea2-9602-11db-9719-00030d1afa59}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9625436-ef84-11dc-99c1-000e35b95592}]
\Shell\AutoRun\command - E:\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
LSP: c:\windows\system32\avgfwafu.dll
TCP: {EFE3E65E-4079-4FCF-B1A7-1681C8D7BA9C} = 195.92.195.94,195.92.195.95
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 13:06:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\avgwlntf.dll

- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\avgfwafu.dll
.
Completion time: 2009-02-15 13:09:44
ComboFix-quarantined-files.txt 2009-02-15 13:09:03
ComboFix2.txt 2009-02-15 12:58:49
ComboFix3.txt 2009-02-13 11:41:32

Pre-Run: 25,635,135,488 bytes free
Post-Run: 25,615,806,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

219 --- E O F --- 2009-02-13 15:30:32

#12 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP

Posted 15 February 2009 - 09:13 AM

hi.


Did exactly as you said.
Combofix ran the Recovery Console as it should etc etc.

At the end of the combofix scan it opened up log.txt and not CF_RC.txt as you said.
There isn't a CF_RC.txt file in C:\ either!

The log.txt file is pasted below.

Don't understand what the problem / issue is here and appreciate your help to solve it.

NP :thumbup2:. Recovery console was installed. Rootkit is still there.

Before I forget, about p2p software

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case µTorrent). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus best used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Let's continue.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

ROOTKIT::
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\drivers\ati64si.sys
c:\windows\system32\drivers\i386si.sys
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\drivers\systemntmi.sys
c:\windows\system32\drivers\ws2_32sik.sys
c:\documents and settings\Nigel T\Desktop\HwIOctl.sys

REGISTRY::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-

DRIVER::
acpi32
ati64si
i386si
port135sik
systemntmi
ws2_32sik
HwIOctl


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


How's your computer now?


In your reply, please post

C:\combofix.txt
Answer to my questions

Mark

#13 nigelt

nigelt
  • Topic Starter

  • Members
  • 12 posts

Posted 15 February 2009 - 12:02 PM

Hi Mark, Thanks again :thumbup2:

Pasted below is the Combofix.txt

Answer to your question: Computer seems to be running fine, no visible performance issues or strange happenings - but I don't know whether there's still any spyware / rootkit infection?

ComboFix 09-02-14.01 - Nigel T 2009-02-15 16:46:09.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.708 [GMT 0:00]
Running from: c:\documents and settings\Nigel T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nigel T\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
FW: AVG Firewall 7.5.500 *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPI32
-------\Legacy_ATI64SI
-------\Legacy_HWIOCTL
-------\Legacy_I386SI
-------\Legacy_PORT135SIK
-------\Legacy_SYSTEMNTMI
-------\Legacy_WS2_32SIK
-------\Service_acpi32
-------\Service_ati64si
-------\Service_HwIOctl
-------\Service_i386si
-------\Service_port135sik
-------\Service_systemntmi
-------\Service_ws2_32sik


((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-11 14:43 . 2009-02-11 14:43 250 --a------ c:\windows\gmer.ini
2009-02-03 10:04 . 2009-02-03 10:06 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-03 10:04 . 2009-02-03 10:04 <DIR> d-------- c:\documents and settings\Nigel T\Application Data\PC Tools
2009-02-03 10:04 . 2009-02-15 16:52 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 10:04 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-03 10:04 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-03 10:04 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-03 10:04 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-27 18:40 . 2009-01-27 18:40 <DIR> d--hs---- c:\documents and settings\Nigel T\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 18:10 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-06 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-02-06 19:03 --------- d-----w c:\documents and settings\Nigel T\Application Data\AVG7
2009-01-26 18:49 92,744 -c--a-w c:\documents and settings\Nigel T\Application Data\GDIPFONTCACHEV1.DAT
2009-01-06 17:09 --------- d-----w c:\program files\FlashGet
2008-12-29 09:43 --------- d-----w c:\documents and settings\Nigel T\Application Data\uTorrent
2008-12-23 15:49 --------- d-----w c:\program files\ACT
2008-12-23 10:57 --------- d-----w c:\program files\iTunes
2008-12-23 10:57 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 10:56 --------- d-----w c:\program files\iPod
2008-12-23 10:56 --------- d-----w c:\program files\Bonjour
2008-12-23 10:55 --------- d-----w c:\program files\QuickTime
2008-12-23 10:55 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-23 10:54 --------- d-----w c:\program files\Apple Software Update
2008-12-23 10:53 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 10:53 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-22 18:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-12-20 14:47 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2006-03-20 16:20 6,373 -c--a-w c:\documents and settings\Nigel T\Application Data\unins000.dat
2005-06-13 19:02 25,236 -c-ha-w c:\program files\NWB.GID
2005-05-13 16:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 10:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 --sha-r c:\windows\x2.64.exe
2005-10-07 18:14 308,224 --sha-r c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2006-04-27 09:24 2,945,024 --sha-r c:\windows\system32\Smab.dll
2005-02-28 12:16 240,128 --sha-r c:\windows\system32\x.264.exe
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
2008-09-06 18:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090620080907\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-13_11.38.58.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-02-04 16:03:47 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\ARPPRODUCTICON.exe
+ 2009-02-13 18:10:09 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\ARPPRODUCTICON.exe
- 2008-02-04 16:03:47 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\WCESMgrIcon.exe
+ 2009-02-13 18:10:09 22,486 ----a-r c:\windows\Installer\{99052DB7-9592-4522-A558-5417BBAD48EE}\WCESMgrIcon.exe
- 2009-02-13 09:12:52 229,183 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-02-15 16:50:23 229,184 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-15 16:50:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_488.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]
"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2004-05-26 71680]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-01 180269]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-03 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-06-13 49254]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-02-03 13:17 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=c:\windows\pss\SideACT!.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Submit Equalizer]
c:\program files\Submit Equalizer\se_service [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2007-01-16 20:22 1003520 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCDEmuApp.exe]
--a------ 2005-10-16 01:15 167936 c:\program files\PowerISO\SCDEmuApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-01 12:04 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 16:52 3770024 c:\program files\TomTom HOME\TomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"DTSRVC"=2 (0x2)
"KService"=2 (0x2)
"Fax"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2005-01-31 191092]
S2 DILUSBCamera;Agfa ePhoto CL18 Camera Stream Driver;c:\windows\system32\drivers\stream18.sys [2005-07-25 70708]
S3 F5U103BD;Belkin F5U103 USB-RS232 Bus Driver;c:\windows\system32\drivers\F5U103BD.SYS [2001-08-09 16528]
S3 F5U103UD;Belkin F5U103 USB-RS232 Port Driver;c:\windows\system32\drivers\F5U103UD.SYS [2001-08-09 25569]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-08-31 24197]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2005-01-31 6100]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-03 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fab2ea2-9602-11db-9719-00030d1afa59}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9625436-ef84-11dc-99c1-000e35b95592}]
\Shell\AutoRun\command - E:\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
LSP: c:\windows\system32\avgfwafu.dll
TCP: {EFE3E65E-4079-4FCF-B1A7-1681C8D7BA9C} = 195.92.195.94,195.92.195.95
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 16:50:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\avgwlntf.dll

- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\avgfwafu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\Grisoft\AVG7\avgfwsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Grisoft\AVG7\avgcc.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-15 16:57:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-15 16:57:10
ComboFix2.txt 2009-02-15 13:09:45
ComboFix3.txt 2009-02-15 12:58:49
ComboFix4.txt 2009-02-13 11:41:32

Pre-Run: 25,603,735,552 bytes free
Post-Run: 25,497,018,368 bytes free

237 --- E O F --- 2009-02-13 15:30:32

#14 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP

Posted 15 February 2009 - 04:48 PM

hi.

Any other issues you want to address?


Mark

#15 nigelt

nigelt
  • Topic Starter

  • Members
  • 12 posts

Posted 15 February 2009 - 06:02 PM

Sorry if I missed something here Mark.
Is that it then? Am I all clear?

Nigel.
