
Infected and (mostly?) cleaned SHeur2.TVJ, frmwrk.exe, and other trojans


  • This topic is locked
10 replies to this topic

#1 Azeroth717


Posted 04 March 2009 - 04:08 PM

Hello and thanks in advance for your help. I have followed several threads in this forum, and have used several programs to check and re-check my pc for viruses/malware/trojans... and it is looking clean at this point. I have a feeling (according to Thunder, HJT Team, in a post I read to another user) that I may have to wipe and reinstall. Steps I've used so far (Let me catch you up):

see: <http://www.threatexpert.com/report.aspx?md5=bd87166569cc7542f89b58b1d3111e19>

1) Had issues logging in to XP as admin... It would auto logout.
a) Fixed running Windows Repair Console and XP disk with command:
expand d:/i386/userinit.ex_ system32
b) Also had to adjust registry policies post-userinit.exe reinstall
2) Had issues with task manager unable to load (reason: Administrator disabled)
a) researched and adjusted registry policies to resolve. Working.
3) Had issues with background flashing "Warning trojan virus..." etc and Firefox showing a link to <http://antivirus-xp-pro2009.com/cgi-bin/download.pl?code=> at the top -
a) the issue with the website link was fixed eventually using multiple malware removal tools independently.
b) the background issue was a permissions issue in the registry. I manually repaired that.
4) The main issue is that I had occasionally (not within the last 4 hrs) been picking up a SHeur2.TVJ issue from AVG Resident Shield which has located and healed the infection each time it attempts to send information.
5) Can you see anything else in my logs I need to be concerned with, as my PC is running well now, and it has not presented any other issues recently.

I have run:
AVG Free 8.5
Cleared Java applets and cache
Uninstalled Java and reinstalled latest version
Uninstalled ccleaner, reinstalled, cleared temp files, firefox cache, reg errors (after malwarebytes fixes)
Panda online ActiveScan (have first log)
AVG Free 8.5 caught several (5-6 times) now no new infections
Malwarebytes caught quite a few and cleaned - ran full system scan - 0 malware
Hijack This showed nothing unusual to me (the second time). (Not a pro as I'm sure you know)
Ad-aware AE installed and run - caught several cookies and cleaned.
Kaspersky online scanner (critical scan only) found 0 infections
Now Running Zonealarm - not seeing any packet requests being sent/received
Ran "sfc /scannow" to repair critical files

Most recent issue was AVG Resident Shield found SHeur2.TVJ in a restore point as a random .exe - was cleaned (4-5 hrs ago)

Zonealarm was installed afterward... AVG is running... no issues now.

None of these programs (aforementioned) are turning anything up currently.

1) I'm sure you can recommend additional measures
2) I still need to create a solid backup - but don't want to transfer any trojans / malware onto another install..
3) I realize XP Pro is not up to date - I was until recently wary of SP3 (as others have caused issues before)

Help!

Posting Logs as instructed:

*** First LOG is Panda Active Scan Log BEFORE several measures taken to clean... then HiJack This Initial log... then the Malwarebytes logs.... DDS LOG following is latest....

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-03-04 01:04:46
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.5 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{0878B424-1F95-4e26-B5AB-F0D349D89650}
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\rdfa
00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms track system
;===================================================================================================================================================================================
SUSPECTS
Sent Location J
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description J
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 J
184379 MEDIUM MS08-001 J
182048 HIGH MS07-069 J
182046 HIGH MS07-067 J
182043 HIGH MS07-064 J
179553 HIGH MS07-061 J
176382 HIGH MS07-057 J
176383 HIGH MS07-058 J
;===================================================================================================================================================================================


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:45 AM, on 3/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\X3watch\x3watch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.praktikos.com/mail5a/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {046a4003-5b87-47be-9d5f-6812bb1dc3b6} - C:\WINDOWS\system32\jogejopi.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: {d9d74052-5560-7c8b-9b74-6c77875aeaaa} - {aaaea578-77c6-47b9-b8c7-065525047d9d} - C:\WINDOWS\system32\bcuuzw.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [rivadeweru] Rundll32.exe "C:\WINDOWS\system32\defanuvo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rivadeweru] Rundll32.exe "C:\WINDOWS\system32\defanuvo.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: http://www.fileplanet.com
O15 - Trusted Zone: http://www.liberty.edu
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download...MARKETING14.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187315083875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v42/paint/paint.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\zakulapa.dll bcuuzw.dll c:\windows\system32\tuyizizu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tuyizizu.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tuyizizu.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7395 bytes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 2

3/4/2009 3:33:36 AM
mbam-log-2009-03-04 (03-33-36).txt

Scan type: Quick Scan
Objects scanned: 62623
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aaaea578-77c6-47b9-b8c7-065525047d9d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aaaea578-77c6-47b9-b8c7-065525047d9d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{046a4003-5b87-47be-9d5f-6812bb1dc3b6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{046a4003-5b87-47be-9d5f-6812bb1dc3b6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bcuuzw.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekabmhqhbqv.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaoodupksi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekarfviqmla.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekarwbigior.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaswdoscdq.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekajkylkyab.sys (Trojan.Agent) -> Quarantined and deleted successfully.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=

Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 2

3/4/2009 3:42:44 AM
mbam-log-2009-03-04 (03-42-44).txt

Scan type: Quick Scan
Objects scanned: 62672
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 2

3/4/2009 9:01:59 AM
mbam-log-2009-03-04 (09-01-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136631
Time elapsed: 33 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 2

3/4/2009 11:32:23 AM
mbam-log-2009-03-04 (11-32-23).txt

Scan type: Quick Scan
Objects scanned: 61308
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Malwarebytes' Anti-Malware 1.34
Database version: 1817
Windows 5.1.2600 Service Pack 2

3/4/2009 2:01:38 PM
mbam-log-2009-03-04 (14-01-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140314
Time elapsed: 30 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++






DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 14:54:40.26 on Wed 03/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1523 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\X3watch\x3watch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.praktikos.com/mail5a/index.php
uWindow Title =
mWindow Title =
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
mSearchAssistant = hxxp://ie.search.msn.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [SoundMax] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: fileplanet.com\www
Trusted Zone: liberty.edu\www
DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} - hxxp://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187315083875
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v42/paint/paint.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} - hxxp://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli c:\windows\system32\zakulapa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\urhdggey.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cingo.com/index.php?go=member.show_homepage
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-4 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-4 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-18 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-18 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-3 107912]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-4 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-4 394952]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-3 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2005-11-28 36224]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951120]

=============== Created Last 30 ================

2009-03-04 14:48 55,328 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-04 14:48 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-04 14:42 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-03-04 14:42 75,248 a------- c:\windows\zllsputility.exe
2009-03-04 14:39 1,086,952 a------- c:\windows\system32\zpeng24.dll
2009-03-04 14:39 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-03-04 14:39 <DIR> --d----- c:\program files\Zone Labs
2009-03-04 14:38 352,918 a------- c:\windows\system32\vsconfig.xml
2009-03-04 14:38 <DIR> --d----- c:\windows\Internet Logs
2009-03-04 10:10 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-04 10:10 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-03-04 10:10 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-04 10:10 17,408 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-03-04 10:10 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-03-04 10:10 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-03-04 10:10 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-03-04 10:10 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-03-04 10:10 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-03-04 10:10 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-03-04 10:10 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-03-04 10:08 11,520 ac------ c:\windows\system32\dllcache\twotrack.sys
2009-03-04 10:07 252,032 ac------ c:\windows\system32\dllcache\sis300iv.dll
2009-03-04 10:06 259,328 ac------ c:\windows\system32\dllcache\perm3dd.dll
2009-03-04 10:05 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-03-04 10:04 26,624 ac------ c:\windows\system32\dllcache\irstusb.sys
2009-03-04 10:03 324,608 ac------ c:\windows\system32\dllcache\hpojwia.dll
2009-03-04 10:02 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-03-04 10:01 49,182 ac------ c:\windows\system32\dllcache\cem56n5.sys
2009-03-04 10:00 24,576 ac------ c:\windows\system32\dllcache\agcgauge.ax
2009-03-04 09:28 <DIR> --d----- c:\program files\Defraggler
2009-03-04 09:25 <DIR> --d----- c:\program files\CCleaner
2009-03-04 03:29 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-03-04 03:29 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-04 03:29 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-04 03:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-04 03:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-04 03:26 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-04 03:18 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-04 03:16 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-04 03:16 <DIR> --d----- c:\program files\Lavasoft
2009-03-04 01:35 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-04 01:34 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-03-04 01:19 <DIR> --d----- c:\program files\Trend Micro
2009-03-04 00:56 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-03-04 00:56 <DIR> --d----- c:\program files\Panda Security
2009-03-04 00:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 00:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-04 00:36 0 a------- c:\windows\system32\REN18.tmp
2009-03-04 00:36 0 a------- c:\windows\system32\REN17.tmp
2009-03-03 18:09 24,576 ac------ c:\windows\system32\dllcache\userinit.exe
2009-03-03 18:09 24,576 a------- c:\windows\system32\userinit.exe
2009-03-03 13:52 439 a------- c:\windows\system32\win32hlp.cnf
2009-03-03 12:41 1,629,068 ---sh--- c:\windows\system32\ejedufev.ini
2009-03-03 01:15 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-03 01:15 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-03 00:41 1,629,035 ---sh--- c:\windows\system32\ubolafoh.ini
2009-03-02 23:44 321 a------- c:\windows\WPE PRO.INI

==================== Find3M ====================

2009-03-03 01:15 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2008-10-19 21:33 1,682 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-10-19 00:57 88 ---shr-- c:\docume~1\alluse~1\applic~1\96928EDE19.sys
2008-06-11 21:41 60,968 a------- c:\documents and settings\administrator\GoToAssistDownloadHelper.exe
2007-05-01 20:19 630,784 a------- c:\documents and settings\administrator\GoToAssist_chat2way__317_en.exe

============= FINISH: 14:55:37.95 ===============



++++++++++++++++++++++++++++++++++++++++++++++++++++++

Edited by Orange Blossom, 04 March 2009 - 05:28 PM.
Deactivate links. ~ OB



#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:55 PM

Posted 18 March 2009 - 11:06 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Azeroth717

Posted 19 March 2009 - 12:33 AM

The only subsequent recent issue I have noticed is being redirected when clicking on a link listed after a Google search, and after clicking on most links. If a web address is entered, or copied and pasted into the address bar, there is no issue with arriving at the correct site.

I am listing:

1) Current Hijack This log
2) DDS Log (Just in case it helps / You need it)

I have not done anything further on the PC since I last posted to this forum -

THANKS for getting back to me! I appreciate it!

**************************************************************

1)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:26 AM, on 3/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.praktikos.com/mail5a/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [rivadeweru] Rundll32.exe "C:\WINDOWS\system32\defanuvo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rivadeweru] Rundll32.exe "C:\WINDOWS\system32\defanuvo.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fileplanet.com
O15 - Trusted Zone: http://www.liberty.edu
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187315083875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v42/paint/paint.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 6884 bytes


************************************************************************************

2)

DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 1:28:31.76 on Thu 03/19/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1220 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.praktikos.com/mail5a/index.php
uWindow Title =
mWindow Title =
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
mSearchAssistant = hxxp://ie.search.msn.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
mRun: [SoundMax] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: fileplanet.com\www
Trusted Zone: liberty.edu\www
DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} - hxxp://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187315083875
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v42/paint/paint.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} - hxxp://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli c:\windows\system32\zakulapa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\urhdggey.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cingo.com/index.php?go=member.show_homepage
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-4 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-4 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-19 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-19 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-3 107912]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-3-4 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-4 394952]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-3 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2005-11-28 36224]

=============== Created Last 30 ================

2009-03-04 15:48 11,110,432 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-04 15:48 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-04 15:42 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-03-04 15:42 75,248 a------- c:\windows\zllsputility.exe
2009-03-04 15:39 1,086,952 a------- c:\windows\system32\zpeng24.dll
2009-03-04 15:39 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-03-04 15:39 <DIR> --d----- c:\program files\Zone Labs
2009-03-04 15:38 352,918 a------- c:\windows\system32\vsconfig.xml
2009-03-04 15:38 <DIR> --d----- c:\windows\Internet Logs
2009-03-04 11:10 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-03-04 11:10 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-03-04 11:10 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-03-04 11:10 17,408 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-03-04 11:10 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-03-04 11:10 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-03-04 11:10 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-03-04 11:10 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-03-04 11:10 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-03-04 11:10 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-03-04 11:10 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-03-04 11:08 11,520 ac------ c:\windows\system32\dllcache\twotrack.sys
2009-03-04 11:07 252,032 ac------ c:\windows\system32\dllcache\sis300iv.dll
2009-03-04 11:06 259,328 ac------ c:\windows\system32\dllcache\perm3dd.dll
2009-03-04 11:05 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-03-04 11:04 26,624 ac------ c:\windows\system32\dllcache\irstusb.sys
2009-03-04 11:03 324,608 ac------ c:\windows\system32\dllcache\hpojwia.dll
2009-03-04 11:02 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-03-04 11:01 49,182 ac------ c:\windows\system32\dllcache\cem56n5.sys
2009-03-04 11:00 24,576 ac------ c:\windows\system32\dllcache\agcgauge.ax
2009-03-04 10:28 <DIR> --d----- c:\program files\Defraggler
2009-03-04 10:25 <DIR> --d----- c:\program files\CCleaner
2009-03-04 04:29 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-03-04 04:29 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-04 04:29 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-04 04:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-04 04:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-04 04:26 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-04 04:18 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-04 04:16 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-04 04:16 <DIR> --d----- c:\program files\Lavasoft
2009-03-04 02:35 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-04 02:34 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-03-04 02:19 <DIR> --d----- c:\program files\Trend Micro
2009-03-04 01:56 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-03-04 01:56 <DIR> --d----- c:\program files\Panda Security
2009-03-04 01:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 01:47 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-04 01:36 0 a------- c:\windows\system32\REN18.tmp
2009-03-04 01:36 0 a------- c:\windows\system32\REN17.tmp
2009-03-03 19:09 24,576 ac------ c:\windows\system32\dllcache\userinit.exe
2009-03-03 19:09 24,576 a------- c:\windows\system32\userinit.exe
2009-03-03 14:52 439 a------- c:\windows\system32\win32hlp.cnf
2009-03-03 13:41 1,629,068 ---sh--- c:\windows\system32\ejedufev.ini
2009-03-03 02:15 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-03 02:15 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-03 01:41 1,629,035 ---sh--- c:\windows\system32\ubolafoh.ini
2009-03-03 00:44 321 a------- c:\windows\WPE PRO.INI

==================== Find3M ====================

2009-03-03 02:15 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2008-10-19 22:33 1,682 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-10-19 01:57 88 ---shr-- c:\docume~1\alluse~1\applic~1\96928EDE19.sys
2008-06-11 22:41 60,968 a------- c:\documents and settings\administrator\GoToAssistDownloadHelper.exe
2007-05-01 21:19 630,784 a------- c:\documents and settings\administrator\GoToAssist_chat2way__317_en.exe

============= FINISH: 1:29:22.59 ===============

#4 suebaby41

Posted 19 March 2009 - 09:21 AM

Step 1
  • Please download VundoFix by Atribune to your desktop.
  • Double-click VundoFix.exe to run it.
    You want to run the fix until you see all Vundo files say: "Has been deleted".
  • Click the Scan for Vundo button.
  • When VundoFix opens, click the Scan for Vundo button.
  • After scanning is completed, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • After you click Yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Step 2
  • Please download GooredFix, making sure that you save this file to your Desktop.
  • Double-click GooredFix.exe on your Desktop (Note: If you are using Vista, right-click GooredFix and select Run As Administrator...).
  • Select Option#1 - Find Goored (no fix), by typing 1 and pressing Enter.
  • A logfile should popup shortly. Please post the log in your next reply.

Edited by suebaby41, 19 March 2009 - 09:22 AM.


#5 Azeroth717

Posted 24 March 2009 - 07:48 PM

Sue,

Thank you so much for your help. I am following your directions right now. I have been meaning to do this the last several days, but have been dealing with my insurance concerning water damage in my kitchen. I should have the results in less than 2 hours, and I will post them here.

VundoFix is currently scanning windows\system32\ and no infections have been found as of yet...

I wanted you to know that I have not ignored your post, and I am working with it currently.

I will follow your directions word for word, and I have not / do not intend to post or seek help elsewhere.

Again, thank you for your continued assistance, and I look forward to resolving this problem shortly!



Best Regards,

Azeroth

Edited by Azeroth717, 24 March 2009 - 07:54 PM.


#6 Azeroth717

Posted 24 March 2009 - 08:17 PM

I am posting the following, as requested:

1) VundoFix Log
2) HijackThis Log
3) GooredLog


Thanks again for all your help!!! I look forward to your response. I will be checking regularly (and my email as well for notifications) for your updates !!

:thumbup2:

1)


VundoFix V7.0.6

Scan started at 8:44:59 PM 3/24/2009

Listing files found while scanning....

No infected files were found.

Edited by Azeroth717, 24 March 2009 - 09:00 PM.


#7 Azeroth717

Posted 24 March 2009 - 08:58 PM

UPDATE:

Checked AVG log - it had run a scheduled scan today, no infections found.

Ran Malwarebytes' Anti-Malware; it found several infections, and it looks as though it was unable to clean them:

Reposting new logs:

1) Malwarebytes
2) Goored
3) HijackThis


++++++++++++++++++++++++++++++++++++++++++++++++++++++++

1)

Malwarebytes' Anti-Malware 1.34
Database version: 1893
Windows 5.1.2600 Service Pack 2

3/24/2009 9:47:12 PM
mbam-log-2009-03-24 (21-46-47).txt

Scan type: Quick Scan
Objects scanned: 67030
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.

++++++++++++++++++++++++++++++++++++++++++++

2)


GooredFix v1.92 by jpshortstuff
Log created at 21:54 on 24/03/2009 running Option #1 (Administrator)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{5A943888-15CA-439A-9E5A-7D66D25E92C0}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

++++++++++++++++++++++++++++++++++++++++

3)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:50 PM, on 3/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\X3watch\x3watch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.praktikos.com/mail5a/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [rivadeweru] Rundll32.exe "C:\WINDOWS\system32\defanuvo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rivadeweru] Rundll32.exe "C:\WINDOWS\system32\defanuvo.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fileplanet.com
O15 - Trusted Zone: http://www.liberty.edu
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/C...22/ComCtl32.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187315083875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v42/paint/paint.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 6830 bytes

#8 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:55 PM

Posted 25 March 2009 - 10:18 AM

I have some bad news for you.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.


The entries above indicate your computer may be infected with backdoor trojans. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information which they send back to the hacker. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs. Backdoor trojans send your identity information to a third party who may use that information for their own purposes such as identity theft, stolen bank funds, stealing credit card information etc.

Before deciding whether your computer needs cleaning or reformatting, you need to ask yourself some very serious questions.

Do you use your computer for any of the following?
  • Online banking/Business purposes
  • Storing sensitive or very personal information
If you answered yes to any of those questions, you should disconnect your computer from the Internet and do a complete format and reinstall. If you use online banking, then you should contact your bank and arrange to have your password changed immediately. You should change any other passwords you use as these may have been compromised.

David Bach's Six Ways to Avoid Identity Theft

Here are six things you need to know to fight back against identity theft:

1. Keep your private information private.

Half of all identity theft in which the thief is identified is committed by a friend, coworker, neighbor, in-home employee, or relative of the victim. So make it a habit not to leave things lying around at home or in the office -- specifically your wallet, checkbook, or anything else containing private or financial information, including your mail.

Also, before you toss anything in the trash containing your private information, be sure to shred it. This isn't new advice, but I'd be remiss not to mention it.

2. Get a copy of your credit reports.

Often, victims of identity theft have no idea their credit is being used or destroyed until they apply for a loan and pull their credit score. So pull your credit report now, and make a plan to check it regularly.

By law, you're entitled to a free credit report from each of the three major credit bureaus -- Equifax, Experian, and TransUnion -- once every year. Go to AnnualCreditReport.com and stagger your requests so that you'll receive one report from each credit bureau every four months. Put the dates on your calendar so you don't forget. Keep in mind that this is for your free credit report only, not your credit score.

For your credit score, you'll need to go to myFICO. While you're there, you may want to check out their Identity Theft Security Deluxe product, which monitors your credit score and credit report automatically for $49.95 a year.

3. Find out if your state has a credit freeze law.

Here's a virtually foolproof way to prevent a thief from stealing your identity and using your personal data to get approved for credit. With this new law you're able to block ("freeze") all access to your credit report and credit score.

It's not necessarily the most convenient solution to protect yourself from fraud. Anytime you need to have your credit checked -- for instance, if you're buying a car or cell phone or even interviewing for a job -- you'll need to lift the block ("thaw" your record), which takes about three days. But if you have real concerns about identity theft or perhaps are already a victim, this is an option you may want to consider.

Some states will only grant a credit freeze if you're already a victim of identity theft. Find out if your state has a credit freeze law, including what it costs, by visiting FinancialPrivacyNow.org.

4. Check your bank statements weekly.

One of the great things about online banking is that you can log on and check your account at any time. Make a point of checking your bank statement weekly to be sure there aren't any red flags.

The same goes for your credit card statements. In fact, you may want to consider canceling your paper statements altogether and opting for online statements. After all, you're more likely to have personal information stolen from your mail than from the Internet.

That said, be sure to always use a secure computer. Using a public computer, like one at your local library, is risky due to tracking software that thieves can use to steal your passwords.

5. Be computer savvy.

Even though a relatively small percentage of identity theft occurs online, you should still take necessary precautions.

In addition to being careful about surfing the web on public computers, you should also be aware of the risks involved when using a wireless connection. Wi-Fi and Bluetooth are becoming increasingly popular, and as a result, there is bound to be an increase in wireless hacking.

Wireless connectivity is the perfect platform for thieves to get your personal data. If you have a wireless network at home or work, make sure you are incorporating password-protection and encryption. When accessing public hotspots, use a personal firewall.

Also, keep your computer safe by updating your antivirus and anti-spyware programs regularly. Use passwords so that others can't log on to your computer, laptop, or even your PDA, and be sure to change your passwords often.

Be smart about phishing scams, too. That's when you're sent an email that requests your personal or financial information, or that prompts you to click a link to provide your personal or financial information. If you're unsure of the legitimacy of such a request, call the company that it was supposedly sent from. If an email seems suspicious, it usually is.

6. Be aware of "deleted" data.

The Washington Post recently ran an article on mobile phones -- specifically "smartphones" like the Palm Treo and BlackBerry -- that was quite an eye-opener.

According to the story, resetting your phone to wipe out personal data doesn't exactly delete information. It turns out that your phone's operating system never actually deletes data, only the pointers to where the data is located. Anyone with the right software can recover information that was stored on your phone once you sell or discard it.

What you need to do is contact the device manufacturer for complete instructions on what to do to wipe your data clean. You can also visit WirelessRecycling.com for instructions. And think twice about what information you store on your device in case it's ever lost or stolen.

If Your Identity Is Stolen

Take the above steps and -- should you ever find yourself in the unfortunate position of having had your identity stolen -- you'll commend yourself for being proactive enough to identify a problem before too much damage was done.

Don't waste a minute once you've discovered suspicious activity -- go directly to the website of the Federal Trade Commission to file a complaint and access their comprehensive guide on the steps you'll need to follow to resolve the situation.

I recommend backing up your important files and reinstalling everything from scratch.

There are so many changes that could have been done if that backdoor was used. Even if we cleaned the infections, it would not help to recover the information that has been compromised and there is no guarantee that your computer would be safe to use. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted.

If you only use your computer for music/games etc, your better option would be to clean it of infections rather than do a reformat. The decision must be made by you.

Here are some informative links to use to help you make a decision:

Danger: Remote Access Trojans

Consumers – Identity Theft

When should I re-format? How should I reinstall?

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Rootkits: The Obscure Hacker Attack

Help: I Got Hacked. Now What Do I Do?

Microsoft Says Recovery from Malware Becoming Impossible

How to report ID theft, fraud, drive-by installs, hijacking and malware? (#10451)

However, if you do not have the resources to reformat your computer and reinstall your operating system and programs, I will be happy to attempt to clean it.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#9 Azeroth717

Azeroth717
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 25 March 2009 - 02:02 PM

Sue,

Thanks again for your help. While I do have the resources and experience to reinstall, I would like the experience and chance to clean out any rootkits before taking that measure. I have already flagged my credit for 90 days with all 3 bureaus - so I am protected in that sense.

How likely is it that any future fixes will cause serious system instability? It seems sometimes these rootkits are hard to remove completely, and they cause system instability, and you end up having to reformat after losing data.

If it is possible to fix without a reinstall (saving 8 hours of my life) and without causing serious system instabilities and data loss, I would like to try.

Let me know your opinion, and also the next steps I should take to proceed.


UPDATE:
I just read the article...

Help: I Got Hacked. Now What Do I Do?

Which confirms exactly my concern - once compromised - you never know that it is clean because there are undetectable backdoors.

SO, instead of helping clean,

1) Can you help by recommending some freeware / software to prevent any issues like this in the future (I'm running ZoneAlarm, and you can see the other software I'm running from HijackThis).

1a) If there is an article that plainly and quickly describes the software I should use for security against these malware and rootkit attacks?

3) ALSO, how can I ensure that the data I back up does not have hidden data within it (that I cannot see because of the rootkit) that will compromise my new system after reinstall... do you have any suggestions for this?

4) There are executables I am interested in keeping - how can I know if these .rar .zip and .exe files are not compromised? I heard there is a site to upload them to for testing, or there is some software possibly?

THANKS so much for all your help!


Thanks again,

Azeroth

Edited by Azeroth717, 25 March 2009 - 02:12 PM.


#10 suebaby41


Posted 26 March 2009 - 11:45 AM

1) Can you help by recommending some freeware / software to prevent any issues like this in the future (I'm running ZoneAlarm, and you can see the other software I'm running from HijackThis). 1a) If there is an article that plainly and quickly describes the software I should use for security against these malware and rootkit attacks?

The Best Free Security and Spyware Software

15 Great, Free Security Programs

Ten free security utilities you should already be using

3) ALSO, how can I ensure that the data I back up does not have hidden data within it (that I cannot see because of the rootkit) that will compromise my new system after reinstall... do you have any suggestions for this?

Before doing a reformat, back up any data to flash drives and scan them with an antivirus program and Malwarebytes from a clean computer. Anything that is suspect should be deleted.

4) There are executables I am interested in keeping - how can I know if these .rar .zip and .exe files are not compromised? I heard there is a site to upload them to for testing, or there is some software possibly?

Please upload the file to Jotti or VirusTotal or Virscan.

Note: Internet Explorer is the browser to use for best results.

Please upload suspicious file(s) to Jotti.
  • Click the white box beside the Browse box.
  • Copy and paste the following file path into the white box.



  • Press Submit. The file will be submitted for testing.
  • Please wait for all the scanners to finish, then post the results in your next response.
Alternatively, if Jotti is busy or inaccessible, you may try VirusTotal.
  • Click the white box beside the Browse box.
  • Copy and paste the following file path into the white box.



  • Click Send File.
or
  • Please go to VirSCAN.org free on-line scan service.
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page on the VirScan web site:



  • Click on the Upload button
  • After the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply. (Ctrl & V)

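For questions 3 and 4 above, one way to prepare a backup for scanning from the clean computer, as an added example that is not part of the original thread: it finds executables and archives by their content rather than their file name, flags any whose extension does not fit, and records a SHA-256 for each so there is an exact list of what was scanned or uploaded. The function names, extension lists and sample files are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile
import zipfile

# Leading bytes of the file types named in the thread (.exe, .zip, .rar).
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}
# Extensions under which each kind of content is normally stored.
EXPECTED_EXT = {
    "exe": {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
    "rar": {".rar"},
}


def sniff(path):
    """Classify a file by its first bytes rather than by its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def sha256_of(path):
    """Hash in 1 MiB chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_backup(root):
    """List every executable or archive in a backup tree.

    Returns sorted rows of (relative path, kind, sha256, mismatch); mismatch
    is True when the extension does not fit the content.
    """
    rows = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            kind = sniff(path)
            if kind is None:
                continue  # not exe/zip/rar content; left to the antivirus scan
            ext = os.path.splitext(name)[1].lower()
            rows.append((os.path.relpath(path, root), kind, sha256_of(path),
                         ext not in EXPECTED_EXT[kind]))
    return sorted(rows)


def build_sample_backup():
    """Constructed sample data: a small fake backup, not files from the thread."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    samples = {"notes.txt": b"shopping list", "tool.exe": b"MZ" + b"\x00" * 62,
               "holiday.jpg": b"MZ" + b"\x90" * 62}  # program header under a picture name
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "docs.zip"), "w") as zf:
        zf.writestr("readme.txt", "hello")
    return root


if __name__ == "__main__":
    for rel, kind, digest, mismatch in triage_backup(build_sample_backup()):
        print(f"{'REVIEW' if mismatch else 'ok':6} {kind:3} {digest}  {rel}")
```

Run it on the clean computer against the flash drive; rows marked REVIEW are the first candidates for deletion or upload to one of the scanning sites named above.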

#11 suebaby41


Posted 03 April 2009 - 06:23 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



