
Google redirects; multiple browser windows


  • This topic is locked
11 replies to this topic

#1 harrisnyc

  • Members
  • 23 posts

Posted 08 December 2009 - 05:55 AM

Hi,

I ran a bunch of scans as directed by boopme in the Am I Infected? forum, and he asked me to follow up by creating a post here. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/276630/please-help-browser-redirects-to-random-sites-plus-multiple-browser-windows/ ~ OB

Here's the latest log he asked me to post:


Running from: C:\Documents and Settings\Harris\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Harris\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


Thank you very much for all your help.
Harris

Editing in rootkit scan from other topic. ~ OB

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 12/7/2009 at 6:31:26 AM
User "Harris" on computer "HARRIS-SYSTEM76"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-21-602162358-1229272821-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc;JSESSIONID=G1TDVbRhB2yc5WKVpvCsDh3zLF9JpQPyPjcT9YYrmBGySzVzxYgK!347125987!2045904670!1191170947318?fileContentID=273879611
Info: Starting disk scan of C: (NTFS).
Stopped logging on 12/7/2009 at 6:58:29 AM

Edited by Orange Blossom, 08 December 2009 - 11:13 PM.




#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 20 December 2009 - 05:30 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum to request help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 harrisnyc
  • Topic Starter

  • Members
  • 23 posts

Posted 20 December 2009 - 07:59 PM

Hi EB,

Thanks for helping. I'm doing what you asked -- posting the DDS text log, attaching the zipped DDS Attach, and posting the RootRepeal log. I'm still having the same problem whereby when I do a google search, then click one of the results links, I'm taken to some garbage page instead of the page I wanted to go to.

Here are the logs:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Harris at 19:33:17.04 on Sun 12/20/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.937 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Hcontrol.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\ATKOSD.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Harris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm486YYUS&fl=0&ptb=urB4HkBGDN7ZwkexUkGt8w&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [Hcontrol] c:\windows\Hcontrol.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
Trusted Zone: capella.edu
Trusted Zone: nist.gov\time
Trusted Zone: windows.com\time
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193822933296
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://site02.remoteoffice.citigroup.com/dana-cached/setup/JuniperSetupSP1.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\harris\applic~1\mozilla\firefox\profiles\aipwqbj1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\harris\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-29 207792]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-29 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-11-29 1141712]

=============== Created Last 30 ================

2009-12-12 01:19:16 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-12 01:18:15 0 d-----w- c:\program files\iPod
2009-12-12 01:18:10 0 d-----w- c:\program files\iTunes
2009-12-12 01:17:45 0 d-----w- c:\program files\Bonjour
2009-12-07 02:02:52 0 d-----w- c:\program files\Sophos
2009-12-04 16:01:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-04 15:59:53 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-03 17:35:10 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 17:35:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-03 14:40:55 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2009-12-03 14:40:55 203976 ----a-w- c:\windows\system32\richtx32.ocx
2009-12-03 14:40:55 140096 ----a-w- c:\windows\system32\COMDLG32.OCX
2009-12-03 14:40:55 132880 ----a-w- c:\windows\system32\MSINET.OCX
2009-12-03 03:13:18 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-03 02:54:27 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-03 02:54:15 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-03 02:54:15 0 d-----w- c:\docume~1\harris\applic~1\SUPERAntiSpyware.com
2009-12-03 02:53:36 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-29 19:32:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-29 19:32:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 19:32:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 18:16:30 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-29 18:16:30 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-29 18:16:26 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-29 18:16:26 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-29 18:16:26 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-29 18:16:26 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-29 18:16:17 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-29 18:16:17 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-29 18:16:09 0 d-----w- c:\program files\Spyware Doctor
2009-11-29 18:16:09 0 d-----w- c:\docume~1\harris\applic~1\PC Tools
2009-11-29 18:16:09 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-29 18:15:39 0 d-----w- c:\program files\common files\PC Tools
2009-11-29 14:09:29 94 ----a-w- c:\windows\family.ini
2009-11-28 17:55:49 0 d-----w- c:\windows\pss
2009-11-28 14:50:41 0 d-----w- c:\docume~1\harris\applic~1\Malwarebytes
2009-11-28 14:50:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-12-03 18:44:04 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 16:28:12 22888 ----a-w- c:\docume~1\harris\applic~1\GDIPFONTCACHEV1.DAT
2009-11-08 17:33:49 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-11-08 17:33:49 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-18 23:48:40 23520 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-16 08:36:30 81 ----a-w- C:\CTX.DAT
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 19:34:59.18 ===============



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/20 19:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9D402000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\all users\application data\microsoft\microsoft antimalware\support\mpwpptracing.bin
Status: Allocation size mismatch (API: 524288, Raw: 65536)

Path: C:\Documents and Settings\Harris\My Documents\My Music\Mary J. Blige\Growing Pains v2\14 - If You Love Me?.mp3
Status: Locked to the Windows API!

Path: c:\documents and settings\harris\local settings\application data\microsoft\internet explorer\recovery\active\{f270ecc0-edc9-11de-a12d-0018de28b623}.dat
Status: Size mismatch (API: 48640, Raw: 3584)

Path: C:\Documents and Settings\Harris\Local Settings\Apps\2.0\CWEOWMZQ.B5B\4WEACT9K.Z6B\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Harris\Local Settings\Apps\2.0\CWEOWMZQ.B5B\4WEACT9K.Z6B\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xba6f0e52

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xba6d1cde

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xba6d1ed0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xba6f1640

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xba6f18f4

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xba6efb44

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xba6f1d60

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xba6f1112

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xba6d1984

==EOF==


Thanks very much!
Harris



#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 20 December 2009 - 10:06 PM

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

#5 harrisnyc
  • Topic Starter

  • Members
  • 23 posts

Posted 23 December 2009 - 08:27 PM

Okay EB, I've done this. Here's the ComboFix log:



ComboFix 09-12-22.09 - Harris 12/24/2009 1:08.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.1071 [GMT -5:00]
Running from: c:\documents and settings\Harris\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-21 00:51 . 2009-12-21 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-12-12 01:19 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-12 01:18 . 2009-12-12 01:18 -------- d-----w- c:\program files\iPod
2009-12-12 01:18 . 2009-12-12 01:19 -------- d-----w- c:\program files\iTunes
2009-12-12 01:17 . 2009-12-12 01:17 -------- d-----w- c:\program files\Bonjour
2009-12-12 01:16 . 2009-12-12 01:17 -------- d-----w- c:\program files\QuickTime
2009-12-12 01:15 . 2009-12-12 01:15 -------- d-----w- c:\program files\Apple Software Update
2009-12-12 01:13 . 2009-12-12 01:18 -------- d-----w- c:\program files\Common Files\Apple
2009-12-07 11:32 . 2009-12-07 11:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-12-07 02:02 . 2009-12-07 02:02 -------- d-----w- c:\program files\Sophos
2009-12-04 16:01 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-04 15:59 . 2009-12-04 16:00 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-04 13:18 . 2009-12-04 13:20 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-03 17:35 . 2009-12-04 17:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 17:35 . 2009-12-04 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-03 03:13 . 2009-12-03 03:13 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-03 02:54 . 2009-12-03 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-03 02:54 . 2009-12-06 11:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-03 02:54 . 2009-12-03 02:54 -------- d-----w- c:\documents and settings\Harris\Application Data\SUPERAntiSpyware.com
2009-12-03 02:53 . 2009-12-03 02:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-29 19:32 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-29 19:32 . 2009-12-06 12:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 19:32 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 18:16 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-29 18:16 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-29 18:16 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-29 18:16 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-29 18:16 . 2009-12-04 03:53 -------- d-----w- c:\program files\Spyware Doctor
2009-11-29 18:16 . 2009-11-29 18:16 -------- d-----w- c:\documents and settings\Harris\Application Data\PC Tools
2009-11-29 18:16 . 2009-11-29 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-29 18:15 . 2009-11-29 18:16 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-29 14:09 . 2009-11-29 14:09 -------- d-----w- c:\documents and settings\Harris\Application Data\HotSync
2009-11-28 15:16 . 2009-11-28 15:16 -------- d-----w- c:\documents and settings\Harris\Local Settings\Application Data\Threat Expert
2009-11-28 14:50 . 2009-11-28 14:50 -------- d-----w- c:\documents and settings\Harris\Application Data\Malwarebytes
2009-11-28 14:50 . 2009-11-28 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-28 14:39 . 2009-12-04 03:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-28 14:16 . 2009-11-28 14:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-28 13:47 . 2009-11-29 19:43 -------- d-----w- c:\documents and settings\Harris\Local Settings\Application Data\vjtryl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 01:47 . 2007-09-09 02:10 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-12-06 12:41 . 2009-12-06 12:41 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-06 11:54 . 2009-12-03 02:55 117760 ----a-w- c:\documents and settings\Harris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-04 17:16 . 2008-02-10 19:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-04 15:57 . 2007-09-09 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-03 18:44 . 2006-02-28 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 11:47 . 2007-09-22 12:56 -------- d-----w- c:\documents and settings\Harris\Application Data\Yahoo!
2009-12-03 11:47 . 2007-09-22 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-03 11:46 . 2008-04-13 19:31 -------- d-----w- c:\program files\Google
2009-11-30 03:01 . 2009-02-01 15:38 -------- d-----w- c:\documents and settings\Harris\Application Data\U3
2009-11-29 14:09 . 2008-05-11 22:29 -------- d-----w- c:\program files\Palm
2009-11-28 17:52 . 2008-02-26 05:55 -------- d-----w- c:\program files\MSN Messenger
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-08 17:34 . 2008-09-18 02:30 -------- d-----w- c:\program files\Common Files\Real
2009-11-08 17:34 . 2009-11-08 17:34 -------- d-----w- c:\program files\Common Files\xing shared
2009-11-08 17:33 . 2008-09-18 02:30 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-11-08 17:33 . 2008-09-18 02:30 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-11-08 17:33 . 2009-11-08 17:33 -------- d-----w- c:\program files\real
2009-10-29 07:45 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-02-28 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-02-28 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-02-28 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 23:48 . 2009-10-18 23:48 23520 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-16 08:36 . 2009-10-16 08:36 81 ----a-w- C:\CTX.DAT
2009-10-13 10:30 . 2006-02-28 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-02-28 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-02-28 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:21 . 2009-10-11 10:21 152576 ----a-w- c:\documents and settings\Harris\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\Hcontrol.exe" [2002-01-08 53248]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 544768]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-09-14 01:37 133104 ----atw- c:\documents and settings\Harris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 21:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-04-20 18:17 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-11-08 17:33 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/29/2009 1:16 PM 207792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/29/2009 1:16 PM 359624]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm486YYUS&fl=0&ptb=urB4HkBGDN7ZwkexUkGt8w&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: capella.edu
Trusted Zone: nist.gov\time
Trusted Zone: windows.com\time
FF - ProfilePath - c:\documents and settings\Harris\Application Data\Mozilla\Firefox\Profiles\aipwqbj1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Harris\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BHR - c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 01:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\2.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3836)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\sm56hlpr.exe
c:\windows\RTHDCPL.EXE
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\windows\ATKOSD.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-24 01:20:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-24 06:20

Pre-Run: 10,191,429,632 bytes free
Post-Run: 10,164,117,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 352266FE1339233A748122435E18D444



Thanks again EB!
Harris

#6 harrisnyc

harrisnyc
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 23 December 2009 - 08:31 PM

By the way, not sure if it matters, but my clock was incorrectly set to 1:08am on 12/24, which was incorrect by five hours.... I actually ran Combofix at 8:08pm on 12/23.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:16 PM

Posted 23 December 2009 - 09:08 PM

Sure, thanks for letting me know.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 harrisnyc

harrisnyc
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 24 December 2009 - 10:30 PM

Hi EB,

Okay, I ran Kaspersky and DDS. The problem seems to be gone -- I can't reproduce it. All seems fine, except for the several items flagged by Kaspersky, so I'm eagerly awaiting your thoughts on that!


Here are the logs:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, December 24, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, December 25, 2009 01:51:01
Records in database: 3409850
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 65655
Threats found: 4
Infected objects found: 2
Suspicious objects found: 2
Scan duration: 01:20:45


File name / Threat / Threats count
C:\Documents and Settings\Harris\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Harris\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Email-Worm.Win32.Mydoom.m.log 1
C:\Documents and Settings\Harris\My Documents\Archive\From HP\Download - from HP\ipodder\i-podder.js Suspicious: Trojan-Downloader.JS.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Harris at 22:20:43.23 on Thu 12/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.832 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Hcontrol.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\ATKOSD.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Harris\Local Settings\temp\jkos-Harris\binaries\ScanningProcess.exe
C:\Documents and Settings\Harris\Local Settings\temp\jkos-Harris\binaries\ScanningProcess.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Harris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm486YYUS&fl=0&ptb=urB4HkBGDN7ZwkexUkGt8w&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Hcontrol] c:\windows\Hcontrol.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
Trusted Zone: capella.edu
Trusted Zone: nist.gov\time
Trusted Zone: windows.com\time
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193822933296
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://site02.remoteoffice.citigroup.com/dana-cached/setup/JuniperSetupSP1.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\harris\applic~1\mozilla\firefox\profiles\aipwqbj1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\harris\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-29 207792]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\2.tmp --> c:\windows\system32\2.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-29 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-11-29 1141712]

=============== Created Last 30 ================

2009-12-24 06:02:33 0 d-sha-r- C:\cmdcons
2009-12-24 06:00:48 98816 ----a-w- c:\windows\sed.exe
2009-12-24 06:00:48 77312 ----a-w- c:\windows\MBR.exe
2009-12-24 06:00:48 261632 ----a-w- c:\windows\PEV.exe
2009-12-24 06:00:48 161792 ----a-w- c:\windows\SWREG.exe
2009-12-12 01:19:16 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-12 01:18:15 0 d-----w- c:\program files\iPod
2009-12-12 01:18:10 0 d-----w- c:\program files\iTunes
2009-12-12 01:17:45 0 d-----w- c:\program files\Bonjour
2009-12-07 02:02:52 0 d-----w- c:\program files\Sophos
2009-12-04 16:01:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-04 15:59:53 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-03 17:35:10 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 17:35:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-03 14:40:55 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2009-12-03 14:40:55 203976 ----a-w- c:\windows\system32\richtx32.ocx
2009-12-03 14:40:55 140096 ----a-w- c:\windows\system32\COMDLG32.OCX
2009-12-03 14:40:55 132880 ----a-w- c:\windows\system32\MSINET.OCX
2009-12-03 03:13:18 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-03 02:54:27 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-03 02:54:15 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-03 02:54:15 0 d-----w- c:\docume~1\harris\applic~1\SUPERAntiSpyware.com
2009-12-03 02:53:36 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-29 19:32:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-29 19:32:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 19:32:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 18:16:30 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-29 18:16:30 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-29 18:16:26 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-29 18:16:26 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-29 18:16:26 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-29 18:16:26 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-29 18:16:17 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-29 18:16:17 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-29 18:16:09 0 d-----w- c:\program files\Spyware Doctor
2009-11-29 18:16:09 0 d-----w- c:\docume~1\harris\applic~1\PC Tools
2009-11-29 18:16:09 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-29 18:15:39 0 d-----w- c:\program files\common files\PC Tools
2009-11-29 14:09:29 94 ----a-w- c:\windows\family.ini
2009-11-28 17:55:49 0 d-----w- c:\windows\pss
2009-11-28 14:50:41 0 d-----w- c:\docume~1\harris\applic~1\Malwarebytes
2009-11-28 14:50:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-12-03 18:44:04 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-03 16:28:12 22888 ----a-w- c:\docume~1\harris\applic~1\GDIPFONTCACHEV1.DAT
2009-11-08 17:33:49 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-11-08 17:33:49 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-18 23:48:40 23520 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-16 08:36:30 81 ----a-w- C:\CTX.DAT
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 22:21:10.42 ===============



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:16 PM

Posted 25 December 2009 - 02:17 PM

Hello.

That looks good.

There are (some) infected mail(s) in your Outlook box. I can't delete that file since that would delete EVERYTHING. Therefore, you must do it yourself manually. Be careful with mail from people you don't know, and with attachments.

Looks good other than that.



Please follow/read the steps below to remove the tools we used and for some more information. :)


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System A bit Slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :) :(

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :(


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy


#10 harrisnyc

harrisnyc
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:16 PM

Posted 26 December 2009 - 10:22 AM

Thank you Extremeboy!! Everything is great now.

Harris

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:16 PM

Posted 26 December 2009 - 10:23 AM

You're very welcome :(

Good luck in the future.

~Extremeboy

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:16 PM

Posted 26 December 2009 - 10:28 AM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help :(
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy



