Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win32.Trojan.Tdss


  • This topic is locked This topic is locked
12 replies to this topic

#1 wolvie

wolvie

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:03 AM

Posted 06 August 2009 - 03:49 PM

Hi all,

My PC has recently become infected with some form of virus. I use zonealarm Security Suite and followed various suggested fixes for this infection from Fax on the zonelabs website.

So I have tried the following so far:

Adaware detects a Win32.Trojan.Tdss virus and requires a restart to remove it but on restart the infection is till present after repeated attempts.
Zonealarms virus scan freezes when it reaches the file mlang.dll and wont close down.
MBAM would only install after renaming the installer but would never actually run after installation, it just freezes up.
DrWeb bootable cd ran for approximately 2 days and said it found various infection but on restarting the infection is still present.

Files with the extension tmp keep crashing on startup and requesting access to the internet which I deny via zonealarm. Internet Explorer (I use firefox myself) keeps starting itself up but not actually appearing as a window on the desktop.

Any Help is greatly appreciated.

Below is my DDS log file and attached is the zipped attach.txt file as requested:


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Wolvie at 21:24:27.39 on 06/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1505 [GMT 1:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Documents and Settings\Wolvie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [Steam] "c:\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [DVDTray] "c:\program files\hp dvd\umbrella\DVDTray.exe"
mRun: [DVDBitSet] "c:\program files\hp dvd\umbrella\DVDBitSet.exe" /NOUI
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Wolvie] c:\documents and settings\wolvie\Wolvie.exe /i
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15030/CTSUEng.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
TCP: {E6934435-291D-48DD-AF28-37406C4D0119} = 192.168.2.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wolvie\applic~1\mozilla\firefox\profiles\abrhmjdd.default\
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - component: c:\documents and settings\wolvie\application data\mozilla\firefox\profiles\abrhmjdd.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-2 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2005-9-11 77312]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-4 353672]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-3 150544]
S1 TRIXX;TRIXX;\??\c:\program files\trixx\trixxdriver.sys --> c:\program files\trixx\TRIXXDriver.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-10-6 3712]
S2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [2004-10-18 208851]
S2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [2004-10-18 10324]
S2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [2004-10-18 34789]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2005-9-16 16269]
S3 bcbthub;Belkin Bluetooth Composite Device Driver;c:\windows\system32\drivers\bcbthub.sys [2002-8-15 148794]
S3 cpuz130;cpuz130;\??\c:\docume~1\wolvie\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\wolvie\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 protect;protect;c:\windows\system32\drivers\protect.sys [2009-8-4 18944]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2009-4-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2009-4-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2009-4-23 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2009-4-23 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2009-4-23 98568]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2005-9-11 3968]
S3 WFIOCTL;WFIOCTL;c:\program files\winfast\wftvfm\WFIOCTL.sys [2005-9-17 9446]

=============== Created Last 30 ================

2009-08-06 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-08-06 21:02 812,344 a------- C:\Install.exe
2009-08-06 20:54 20,974 a------- c:\windows\system32\D.tmp
2009-08-06 20:54 35,328 a------- c:\windows\system32\C.tmp
2009-08-06 20:54 80 a------- c:\windows\system32\2.tmp
2009-08-06 20:33 20,974 a------- c:\windows\system32\B.tmp
2009-08-06 20:33 35,328 a------- c:\windows\system32\A.tmp
2009-08-06 20:33 80 a------- c:\windows\system32\9.tmp
2009-08-06 20:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-08-06 20:28 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-06 20:18 20,974 a------- c:\windows\system32\8.tmp
2009-08-06 20:18 35,328 a------- c:\windows\system32\7.tmp
2009-08-06 20:18 80 a------- c:\windows\system32\6.tmp
2009-08-06 20:10 20,974 a------- c:\windows\system32\5.tmp
2009-08-06 20:10 35,328 a------- c:\windows\system32\4.tmp
2009-08-06 20:10 80 a------- c:\windows\system32\3.tmp
2009-08-04 23:38 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-08-04 23:38 53,248 a------- c:\windows\system32\20.tmp
2009-08-04 23:38 0 a------- c:\windows\system32\1F.tmp
2009-08-04 23:38 120 a------- c:\windows\system32\1D.tmp
2009-08-04 01:13 17,200 a------- c:\windows\system32\drivers\mbam.sys
2009-08-04 01:13 38,528 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 01:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-04 01:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-03 23:27 41,456 ----h--- c:\documents and settings\wolvie\Wolvie.exe
2009-08-02 13:31 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-02 13:19 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-02 13:17 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-02 13:17 <DIR> --d----- c:\program files\Lavasoft
2009-07-26 00:33 <DIR> --d----- c:\program files\common files\DivX Shared
2009-07-25 17:12 66 a------- c:\windows\CLOCKT.INI
2009-07-25 16:13 <DIR> --d----- C:\doukutsu
2009-07-23 20:55 4,096 a------- c:\windows\system32\crash
2009-07-11 15:48 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-07-11 15:48 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-07-11 15:47 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-07-11 15:47 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-07-11 15:47 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-07-11 15:47 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-07-11 15:47 22,360 a------- c:\windows\system32\X3DAudio1_6.dll

==================== Find3M ====================

2009-08-01 22:27 445,070,112 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-08-01 04:50 5,940,476 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-23 12:29 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-16 04:39 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-05-16 04:38 335,872 a------- c:\windows\system32\ati2dvag.dll
2009-05-16 04:18 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-05-16 04:17 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-05-16 04:17 46,592 a------- c:\windows\system32\Ati2mdxx.exe
2009-05-16 04:17 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-05-16 04:17 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-05-16 04:14 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-05-16 04:07 2,987,136 a------- c:\windows\system32\ati3duag.dll
2009-05-16 03:55 11,423,744 a------- c:\windows\system32\atioglxx.dll
2009-05-16 03:54 2,122,624 a------- c:\windows\system32\ativvaxx.dll
2009-05-16 03:54 887,724 a------- c:\windows\system32\ativva6x.dat
2009-05-16 03:51 311,296 a------- c:\windows\system32\atiiiexx.dll
2009-05-16 03:38 49,664 a------- c:\windows\system32\atimpc32.dll
2009-05-16 03:38 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-05-16 03:33 479,232 a------- c:\windows\system32\atikvmag.dll
2009-05-16 03:31 139,264 a------- c:\windows\system32\atiadlxx.dll
2009-05-16 03:31 17,408 a------- c:\windows\system32\atitvo32.dll
2009-05-16 03:26 376,832 a------- c:\windows\system32\atiok3x2.dll
2009-05-16 03:24 651,264 a------- c:\windows\system32\ati2cqag.dll
2009-05-16 02:35 45,056 a------- c:\windows\system32\aticalrt.dll
2009-05-16 02:34 45,056 a------- c:\windows\system32\aticalcl.dll
2009-05-16 02:33 3,158,016 a------- c:\windows\system32\aticaldd.dll
2009-05-15 21:05 614,400 -------- c:\windows\system32\ati2sgag.exe
2009-03-14 22:55 22,328 a------- c:\docume~1\wolvie\applic~1\PnkBstrK.sys
2007-06-16 13:31 87,608 a------- c:\docume~1\wolvie\applic~1\inst.exe
2007-06-16 13:31 47,360 a------- c:\docume~1\wolvie\applic~1\pcouffin.sys
2008-04-28 23:54 88 ---shr-- c:\windows\system32\24D266CB15.sys
2006-09-17 16:33 88 ---shr-- c:\windows\system32\AB4C4EE74B.sys
2008-04-29 00:28 4,130 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-05-12 01:30 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 21:26:10.95 ===============

Attached Files


Edited by wolvie, 06 August 2009 - 03:51 PM.


BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:03 AM

Posted 06 August 2009 - 10:55 PM

Hello wolvie my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. Forum have been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


Your log will be analyzed and you will be instructed on what to do next as soon as possible.



~Semp :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 wolvie

wolvie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:03 AM

Posted 07 August 2009 - 09:55 AM

Hi Sempai,

Thank you for getting back to me and thanks for the help on this. Take all the time you need.

Regards,

Wolvie

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:03 AM

Posted 08 August 2009 - 09:54 AM

Hello wolvie,

Sorry for the delay. Forum have been really busy.


We need to settle some issues before we go to the cleaning process:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Please follow the next instructions if you decided that we do the cleaning process:



1. We need to download and run ComboFix (by sUBs)

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2

  • Temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**:

*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.


Warning!

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper, *** If your are not the topic starter DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


2. Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


3. Lastly, create a fresh DDS log. Post the following when you reply:

1. Combofix.text
2. GMER log
3. DDS.text and attach the attach.text



Regards,
~Semp :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 wolvie

wolvie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:03 AM

Posted 08 August 2009 - 07:12 PM

Hi Sempai,

Thank you for the response, I am hoping to do both, i.e. first of all remove the current issue and after retreiving some information format and reinstall the os, obviously there is a slight risk of reinfection. I have altered passwords for my bank accounts, etc. thank you for the advice and the information on risk assesment.

Unfortunately combofix after downloading on a clean machine and transferring across on usb stick is failing to run. I have disabled both adaware and zonealarm and no longer see them in the process view in task manager but when I run combofix.exe it freezes with 0% cpu time. I have also tried this in Safemode as my account and as administrator and get the same results, I have also tried renaming the combofix.exe and this also fails to work. Is there anything else I can use?

Regards,

wolvie

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:03 AM

Posted 09 August 2009 - 08:49 AM

Hello wolvie,

Your log show some signs of VIRUT. In order to verify this, we need to send some files to Jotti.

Please make sure that you can view all hidden files.  Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit.  You will only be able to have one file scanned at a time.  

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotalhttp://www.virustotal.com/




~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 wolvie

wolvie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:03 AM

Posted 09 August 2009 - 10:18 AM

Hi Sempai,

Unfortunately I can't navigate to either of the virus scan websites, I just get an "address not found" in Firefox and and in Internet Explorer I get a "Internet explorer cannot display the webpage" message. Any thing else I can try?

Thanks,

wolvie

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:03 AM

Posted 10 August 2009 - 06:59 AM

Can you access other web pages?

Let's try different On-line scanner. Please click here --> VirSCAN.org

Please make sure that you can view all hidden files.  Instructions on how to do this can be found here:

How to see hidden files in Windows

Click the browse button and navigate to the files listed below in bold, then click Upload.  You will only be able to have one file scanned at a time.  

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe

Please post back the results of the scan in your next post.


~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 wolvie

wolvie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:03 AM

Posted 10 August 2009 - 07:05 PM

Hi Sempai,

Thank you for the new site, this worked. Please excuse the poor layout, but the "copy to clipboard" button did not copy anything to the clipboard so I had to manually copy the text.

Only c:\windows\explorer.exe and c:\windows\system32\svchost.exe came back with any positive results, I have the output for the other 3 files if you need them but below are the results for the 2 that came back with the positive results.

Scan of c:\windows\explorer.exe:

File information
File Name : explorer.exe
File Size : 1054208 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 43276b60c14fed0db2c03b0aaa17dd4b
SHA1 : 930009e96d6e7ec48d94f5043d89f8e2efea2405

Scanner results
Scanner results : 62% Scanner(23/37) found malware!
Time : 2009/08/11 00:32:46 (BST)
Scanner ↓ Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.3 20090811000225 2009-08-11
Trojan.Win32.Patched!IK
0.375
AhnLab V3 2009.08.10.07 2009.08.10 2009-08-10
-
0.810
AntiVir 8.2.0.248 7.1.5.93 2009-08-10
W32/Virut.Gen
0.092
Antiy 2.0.18 20090810.2695746 2009-08-10
-
0.120
Arcavir 2009 200908101724 2009-08-10
-
0.054
Authentium 5.1.1 200908101914 2009-08-10
W32/Virut.AI!Generic (Heuristic)
1.301
AVAST! 4.7.4 090810-0 2009-08-10
Win32:Vitro
0.052
AVG 8.5.288 270.13.49/2295 2009-08-11
-
0.526
BitDefender 7.81008.3835536 7.27100 2009-08-11
Win32.Virtob.Gen.12
3.327
CA (VET) 9.0.0.143 31.6.6667 2009-08-10
Win32/Virut.17408 virus.
5.797
ClamAV 0.95.2 9673 2009-08-10
-
0.163
Comodo 3.10 1937 2009-08-10
-
0.976
CP Secure 1.1.0.715 2009.08.10 2009-08-10
-
11.963
Dr.Web 4.44.0.9170 2009.08.10 2009-08-10
Win32.Virut.56
5.080
F-Prot 4.4.4.56 20090810 2009-08-10
Possible W32/Virut.AI!Generic
1.159
F-Secure 7.02.73807 2009.08.10.11 2009-08-10
Virus.Win32.Virut.ce [AVP]
1.316
Fortinet 2.81-3.120 10.691 2009-08-07
-
0.266
GData 19.7017/19.435 20090811 2009-08-11
Virus.Win32.Virut.ce [Engine:A]
4.875
Ikarus T3.1.01.64 2009.08.10.73215 2009-08-10
Trojan.Win32.Patched
3.516
JiangMin 11.0.800 2009.08.10 2009-08-10
-
4.302
Kaspersky 5.5.10 2009.08.10 2009-08-10
Virus.Win32.Virut.ce
0.052
KingSoft 2009.2.5.15 2009.8.10.14 2009-08-10
Win32.Virut.cr.61440
0.499
McAfee 5.3.00 5705 2009-08-10
W32/Virut.n.gen
3.104
Microsoft 1.4903 2009.08.10 2009-08-10
Virus:Win32/Virut.BM
6.573
Norman 6.01.09 6.01.00 2009-08-10
-
2.007
nProtect 20090809.01 4982391 2009-08-09
-
6.202
Panda 9.05.01 2009.08.10 2009-08-10
Suspicious file
1.771
Quick Heal 10.00 2009.08.10 2009-08-10
W32.Virut.G
1.320
Rising 20.0 21.42.04.00 2009-08-10
Win32.Virut.ci
1.190
Sophos 2.89.1 4.44 2009-08-11
W32/Scribble-B
2.878
Sunbelt 5323 5323 2009-08-10
Virus.Win32.Virut.ce (v)
1.199
Symantec 1.3.0.24 20090810.003 2009-08-10
W32.Virut.CF
0.092
The Hacker 6.3.4.3 v00379 2009-08-10
-
0.715
Trend Micro 8.700-1004 6.354.06 2009-08-10
PE_VIRUX.J
0.036
VBA32 3.12.10.9 20090810.1232 2009-08-10
-
2.046
ViRobot 20090810 2009.08.10 2009-08-10
-
0.426
VirusBuster 4.5.11.10 10.112.1/1844782 2009-08-10
Win32.Virut.Y.Gen
2.855



Scan of c:\windows\system32\svchost.exe:

File information
File Name : svchost.exe
File Size : 34816 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 5801e13d23df0b403304df1139cf0f1f
SHA1 : efe8ebef0f9b4bde3b71a37bc7418d582b1387b4

Scanner results
Scanner results : 57% Scanner(21/37) found malware!
Time : 2009/08/11 00:55:47 (BST)
Scanner ↓ Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.3 20090811000225 2009-08-11
-
1.075
AhnLab V3 2009.08.10.07 2009.08.10 2009-08-10
-
0.979
AntiVir 8.2.0.248 7.1.5.93 2009-08-10
W32/Virut.Gen
0.420
Antiy 2.0.18 20090810.2695746 2009-08-10
-
0.121
Arcavir 2009 200908101724 2009-08-10
-
0.041
Authentium 5.1.1 200908101914 2009-08-10
W32/Virut.AI!Generic (Heuristic)
1.198
AVAST! 4.7.4 090810-0 2009-08-10
Win32:Vitro
0.006
AVG 8.5.288 270.13.49/2295 2009-08-11
-
0.579
BitDefender 7.81008.3835536 7.27100 2009-08-11
Win32.Virtob.Gen.12
3.335
CA (VET) 9.0.0.143 31.6.6667 2009-08-10
Win32/Virut.17408 virus.
5.643
ClamAV 0.95.2 9673 2009-08-10
-
0.014
Comodo 3.10 1937 2009-08-10
-
0.843
CP Secure 1.1.0.715 2009.08.10 2009-08-10
-
11.934
Dr.Web 4.44.0.9170 2009.08.10 2009-08-10
Win32.Virut.56
5.079
F-Prot 4.4.4.56 20090810 2009-08-10
Possible W32/Virut.AI!Generic
1.160
F-Secure 7.02.73807 2009.08.10.11 2009-08-10
Virus.Win32.Virut.ce [AVP]
0.151
Fortinet 2.81-3.120 10.691 2009-08-07
-
0.228
GData 19.7017/19.435 20090811 2009-08-11
Virus.Win32.Virut.ce [Engine:A]
6.542
Ikarus T3.1.01.64 2009.08.10.73215 2009-08-10
-
3.654
JiangMin 11.0.800 2009.08.10 2009-08-10
-
3.466
Kaspersky 5.5.10 2009.08.10 2009-08-10
Virus.Win32.Virut.ce
0.054
KingSoft 2009.2.5.15 2009.8.10.14 2009-08-10
Win32.Virut.cr.61440
0.471
McAfee 5.3.00 5705 2009-08-10
W32/Virut.n.gen
3.053
Microsoft 1.4903 2009.08.10 2009-08-10
Virus:Win32/Virut.BM
5.088
Norman 6.01.09 6.01.00 2009-08-10
-
4.007
nProtect 20090809.01 4982391 2009-08-09
-
7.058
Panda 9.05.01 2009.08.10 2009-08-10
Suspicious file
1.644
Quick Heal 10.00 2009.08.10 2009-08-10
W32.Virut.G
1.054
Rising 20.0 21.42.04.00 2009-08-10
Win32.Virut.ci
1.256
Sophos 2.89.1 4.44 2009-08-11
W32/Scribble-B
2.878
Sunbelt 5323 5323 2009-08-10
Virus.Win32.Virut.ce (v)
2.023
Symantec 1.3.0.24 20090810.003 2009-08-10
W32.Virut.CF
0.046
The Hacker 6.3.4.3 v00379 2009-08-10
-
0.872
Trend Micro 8.700-1004 6.354.06 2009-08-10
PE_VIRUX.J
0.037
VBA32 3.12.10.9 20090810.1232 2009-08-10
-
2.027
ViRobot 20090810 2009.08.10 2009-08-10
-
1.223
VirusBuster 4.5.11.10 10.112.1/1844782 2009-08-10
Win32.Virut.Y.Gen
2.491

Regards,

wolvie

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:03 AM

Posted 11 August 2009 - 05:04 AM

Hello wolvie,

I'm afraid I have very bad news. :thumbup2:

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutThis kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc.
Keep in mind, though, that with a Virut infection, there is always a chance of backed up data reinfecting your system! Do NOT backup any applications/installers and do NOT backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script (.php, .asp, .html, .htm, .xml) files. Also avoid backing up compressed files (.zip, .cab, .rar) that have .exe or .scr files inside them as Virut can penetrate and infect these files within compressed files too.
NOTE: If you have to backup files, do so only for MS Office documents & any non-executable files. Burn them to CD/DVD. Do NOT copy files from the infected machine to your flash drive or external hard drive as they may become compromised in the process. You risk infecting the other machine!

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use these websites and read for instructions how to format and reinstall Windows:Sorry to be the bearer of bad news, but this really is your only option at this point. :) Should you have any questions, please feel free to ask.


~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 wolvie

wolvie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:03 AM

Posted 13 August 2009 - 10:47 AM

Hi Sempai,

Thank you for all your help with this and to your coach, I am rebuilding my PC as we speak, it's given me an excuse to upgrade as well ( :thumbup2: ).

Any advice on antivirus software as the virus got past the zonealarm virus scanner (although I think the old version of Java I had on my system may have left me vulnerable)? I used to use Avast, is this recommended being a freeware package?

Thank you again,

wolvie

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:03 AM

Posted 13 August 2009 - 11:07 AM

Hi,

I am rebuilding my PC as we speak, it's given me an excuse to upgrade as well

Good choice.... :thumbup2:

Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


Use a Firewall
I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls



Please take the time to read below to secure your machine and take the necessary steps to keep it Clean :)


Microsoft has released the latest upgrades to the XP OS platform, which can be referenced HERE
It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems.
Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system.
I recommend that you visit the link above and apply the SP3 patch.

Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

How to prevent Malware: by miekiemoes



~Semp :)

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:03 AM

Posted 14 August 2009 - 09:25 AM

As the problem here seems to be resolved, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. If you should have a new issue, please start a new topic. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users