
Internet redirects aol and ebay to phishing site


This topic is locked. 19 replies to this topic.

#1 rkrplus1 (Members, 13 posts)

Posted 16 March 2010 - 03:41 PM

My computer is being redirected when I try to log in to eBay or AOL email to a site that looks like AOL or eBay but wants my credit card number and ATM PIN. I have a copy of HijackThis I am uploading. Also my computer runs very slow, especially when I am on the net.
Thank you
Russell


Edited by boopme, 16 March 2010 - 04:09 PM.
moved to malware removal~~boopme



#2 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 19 March 2010 - 09:51 PM

Hello rkrplus1, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



In order to better assist you I will need the following:




Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt









  • If you have any CD emulation software such as Daemon or Alcohol please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it, let me know so we can re-enable it when we finish up.



    Disable:


    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.



    Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.



    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.




    If GMER does not want to run add the following to those that you unchecked and try it again:

    • Registry
    • Files












    Note: Please make only the Attach.txt from DDS an attachment, post the other logs directly into the reply window.



    Thanks,



    thewall



    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #3 rkrplus1 (Topic Starter, Members, 13 posts)

    Posted 20 March 2010 - 12:17 PM

    Here are the DDS and GMER. Also attached the Attach.txt.
    Thanks
    Russell


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by elizabeth at 8:39:01.82 on Sat 03/20/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.513 [GMT -5:00]

    AV: Total Protection for Small Business *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\3apps\Catapult\3listen.exe
    C:\3apps\Catapult\APPIPC.exe
    C:\WINDOWS\system32\P32HELP.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\elizabeth\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60076
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
    mRun: [MVS Splash] c:\program files\mcafee\managed virusscan\agent\Splash.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
    mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
    mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
    StartupFolder: c:\docume~1\elizab~1\startm~1\programs\startup\eaglel~1.lnk - c:\3apps\catapult\3listen.exe
    StartupFolder: c:\docume~1\elizab~1\startm~1\programs\startup\eagles~1.lnk - c:\3apps\catapult\Sched.exe
    IE: Crawler Search
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: //about.htm/
    Trusted Zone: //Exclude.htm/
    Trusted Zone: //LanguageSelection.htm/
    Trusted Zone: //Message.htm/
    Trusted Zone: //MyAgttryCmd.htm/
    Trusted Zone: //MyAgttryNag.htm/
    Trusted Zone: //MyNotification.htm/
    Trusted Zone: //NOCLessUpdate.htm/
    Trusted Zone: //quarantine.htm/
    Trusted Zone: //ScanNow.htm/
    Trusted Zone: //strings.vbs/
    Trusted Zone: //Template.htm/
    Trusted Zone: //Update.htm/
    Trusted Zone: //VirFound.htm/
    Trusted Zone: mcafee.com\*
    Trusted Zone: mcafeeasap.com\betavscan
    Trusted Zone: mcafeeasap.com\vs
    Trusted Zone: mcafeeasap.com\www
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - hxxp://virusscanasap.mcafeeasap.com/VS2/SonicWall/bin/myCioAgt.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229553875421
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    TCP: {C9F17E97-CB4C-4155-B1CD-91A7C627E762} = 66.76.2.130,66.76.2.137
    Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt4.7.0.777.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    Notify: TPSvc - TPSvc.dll
    AppInit_DLLs: c:\windows\system32\penepubi.dll,c:\windows\system32\rilalelu.dll,c:\windows\system32\wativuki.dll,c:\windows\system32\,c:\windows\system32\yopufuju.dll,c:\windows\system32\rahehuvo.dll,c:\windows\system32\wekoperi.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
    LSA: Notification Packages = scecli c:\windows\system32\rahehuvo.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    Hosts: 192.168.1.1 3USQLODBC # Eagle for Windows U/SQL ODBC Connection (11/10/05 10:16:41)

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-3-12 28552]
    R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
    R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2010-3-4 10872]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-5-25 213768]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
    R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
    R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-6-5 14144]
    R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2005-12-1 175704]
    R2 SWAGENT;SonicWALL Agent Service;c:\program files\mcafee\managed virusscan\agent\swAgent.exe [2005-12-1 103744]
    R3 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2005-12-1 144704]
    R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2006-5-25 79880]
    R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2006-5-25 35272]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
    S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-2-12 311568]
    S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-1-8 41288]
    S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-1-8 62280]
    S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-1-8 79688]
    S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-6-5 34216]
    S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-12-1 114400]
    S3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctndis.sys --> c:\windows\system32\drivers\pctNdis.sys [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2008-1-8 742216]
    S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\swdsvc.exe [2008-1-8 1415496]

    =============== Created Last 30 ================

    2010-03-12 23:10:29 584 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-03-12 21:34:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-03-12 21:18:08 16384 ---ha-w- C:\SZKGFS.dat
    2010-03-12 21:02:42 0 d-----w- c:\docume~1\elizab~1\applic~1\ConsumerSoft
    2010-03-12 21:02:37 0 d-----w- c:\program files\ConsumerSoft
    2010-03-12 20:46:04 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-03-12 20:45:44 0 d-----w- c:\program files\Panda Security
    2010-03-10 02:26:04 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-04 22:10:01 0 d-----w- c:\docume~1\elizab~1\applic~1\Grisoft
    2010-03-04 22:09:33 10872 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
    2010-03-04 22:09:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Grisoft

    ==================== Find3M ====================

    2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
    2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2008-09-29 09:06:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

    ============= FINISH: 8:40:06.40 ===============

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-20 11:55:35
    Windows 5.1.2600 Service Pack 3
    Running: y3f3jjdm.exe; Driver: C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\pwddapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7CE68AC]
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7CE6812]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEECDC4BE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEECDC46C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEECDC480]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEECDC4FE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEECDC458]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEECDC4D2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEECDC4AA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEECDC496]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEECDC514]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEECDC4E8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86F674F8
    Device \Driver\atapi \Device\Ide\IdePort0 86F674F8
    Device \Driver\atapi \Device\Ide\IdePort1 86F674F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 86F674F8

    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \FileSystem\Fastfat \Fat ED3ADD20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----

    Attached Files
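As an added triage helper for the "Pseudo HJT Report" section of the DDS log above (example code written for this thread, not part of DDS or of the helper's procedure), the script below parses the `Key: value` lines and flags three load points a reviewer checks first: AppInit_DLLs, LSA Notification Packages and hosts-file entries. The clean-system baselines it compares against (AppInit_DLLs empty, Notification Packages containing only scecli) are assumptions stated in the code, and the sample input is built from lines of the posted log plus one constructed hosts line that is labelled as such.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread, not part of DDS or of the helper's procedure.
It parses 'Key: value' lines and flags three load points that deserve a
human's attention: AppInit_DLLs, LSA Notification Packages and hosts entries.
"""
import ipaddress
import re

# Assumed clean-system baselines (Windows XP): AppInit_DLLs is empty and the
# LSA Notification Packages value contains only scecli.
DEFAULT_LSA_NOTIFICATION_PACKAGES = {"scecli"}

# Constructed sample: lines taken from the DDS log posted in this thread, plus
# one hosts line constructed for the demo that is not from the posted log.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.yahoo.com/
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\penepubi.dll,c:\windows\system32\rilalelu.dll,c:\windows\system32\,c:\windows\system32\rahehuvo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\rahehuvo.dll
Hosts: 192.168.1.1 3USQLODBC # Eagle for Windows U/SQL ODBC Connection
Hosts: 192.0.2.10 signin.example.com # constructed, not from the posted log
"""

# DDS writes one load point per line as "Key: value"; keys never contain spaces,
# so lines such as "uStart Page = ..." are left alone.
LINE_RE = re.compile(r"^([A-Za-z_]+): (.*)$")


def parse_pseudo_hjt(text):
    """Return (key, value) pairs for every 'Key: value' line in the report."""
    pairs = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            pairs.append((match.group(1), match.group(2).strip()))
    return pairs


def check_appinit(value):
    """AppInit_DLLs is empty on a clean system and every DLL listed is loaded
    into each process that maps user32.dll, so every entry is reported.
    A trailing backslash is a bare directory, i.e. a malformed entry."""
    findings = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.endswith("\\"):
            reason = "malformed entry (directory, no DLL name)"
        else:
            reason = "DLL injected into every user-mode process"
        findings.append(("AppInit_DLLs", item, reason))
    return findings


def check_lsa(value):
    """Notification Packages are loaded by lsass.exe; anything beyond the
    default set runs with LSA privileges and is reported."""
    name, _, packages = value.partition("=")
    if name.strip() != "Notification Packages":
        return []
    return [("LSA Notification Packages", pkg, "non-default package loaded by lsass.exe")
            for pkg in packages.split()
            if pkg.lower() not in DEFAULT_LSA_NOTIFICATION_PACKAGES]


def check_hosts(value):
    """A hosts entry that pins a dotted internet name to a non-loopback address
    bypasses DNS for that site, which is one way a browser ends up on a
    look-alike page. Short LAN names (no dot) are ignored."""
    fields = value.split("#", 1)[0].split()
    if len(fields) < 2:
        return []
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return []
    if addr.is_loopback or "." not in fields[1]:
        return []
    return [("Hosts", f"{fields[0]} {fields[1]}", "internet hostname pinned in the hosts file")]


CHECKS = {"AppInit_DLLs": check_appinit, "LSA": check_lsa, "Hosts": check_hosts}


def triage(text):
    """Run every check over the report; returns (load point, item, reason) tuples."""
    findings = []
    for key, value in parse_pseudo_hjt(text):
        if key in CHECKS:
            findings.extend(CHECKS[key](value))
    return findings


def shared_dlls(findings):
    """DLL basenames flagged under more than one load point; a DLL that sits in
    both AppInit_DLLs and LSA Notification Packages is the strongest lead."""
    seen = {}
    for load_point, item, _ in findings:
        base = item.rsplit("\\", 1)[-1].lower()
        if base.endswith(".dll"):
            seen.setdefault(base, set()).add(load_point)
    return {base: points for base, points in seen.items() if len(points) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for load_point, item, reason in results:
        print(f"{load_point:26} {item:45} {reason}")
    print("flagged at more than one load point:", shared_dlls(results))
```

Run against the sample, the script reports every AppInit_DLLs entry, the extra LSA package, the constructed hosts line, and rahehuvo.dll as the one DLL present at two load points.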



    #4 thewall (Malware Response Team, 6,425 posts, Florida)

    Posted 20 March 2010 - 01:22 PM

    Before we proceed I notice you have Total Protection for Small Business on your computer. Is this a company computer? The reason I need to ask is there is always the slight possibility of some software added by a company with information not easily available that can be misread as Malware.

    #5 rkrplus1 (Topic Starter, Members, 13 posts)

    Posted 20 March 2010 - 01:47 PM

    Yes, it is a company computer. We had an employee use it and apparently he went to a site or opened an email he should not have. We are a paint store with 3 employees. We run Eagle POS software.

    #6 thewall (Malware Response Team, 6,425 posts, Florida)

    Posted 20 March 2010 - 03:28 PM

    I want to run ComboFix next, and although I don't foresee any problem with it I would like you to know there is an outside chance it could mistake something in your software as malicious. It doesn't happen very often but the possibility is there. Of course, if it deleted one of your files we could restore it from the quarantine area of CF, which is called Qoobox. I don't want to sound pessimistic but I believe it is only fair to advise you going in.



    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






    #7 rkrplus1 (Topic Starter, Members, 13 posts)

    Posted 22 March 2010 - 01:00 PM

    I downloaded the ComboFix file, saved it to the desktop, and executed it. It acted as if it would start, then disappeared from the desktop. I tried to download it again but it said access denied. I did download it after I changed the extension from .exe to .scr. I executed it and it installed the Windows Recovery Console, then it restarted the computer and began the process until it got to #50, where it froze up (I let it run for two hours). I restarted the computer and tried to download it again but it would not let me (access denied), even with different extensions.
    Russell

    #8 thewall (Malware Response Team, 6,425 posts, Florida)

    Posted 22 March 2010 - 04:48 PM

    More than likely it is interference from some of your security programs. I would suggest disabling AVG and SUPERAntiSpyware as well as making sure McAfee is completely disabled. McAfee often interferes with ComboFix.

    I'll give you a link below to help you with disabling anything you have:

    http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

    #9 rkrplus1 (Topic Starter, Members, 13 posts)

    Posted 23 March 2010 - 09:22 AM

    There are no directions on how to stop McAfee Total Protection, so I ended all processes that appeared to be from McAfee. When I downloaded ComboFix it allowed me to run it. ComboFix said that Total Protection was still running but I could not find where it would be; even the icon at the bottom was gone. I ran ComboFix and have included the log below.
    Thanks
    Russell

    ComboFix 10-03-22.03 - elizabeth 03/23/2010 7:07.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.723 [GMT -5:00]
    Running from: c:\documents and settings\elizabeth\Desktop\ComboFix.exe
    AV: Total Protection for Small Business *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
    .

    2010-03-22 12:30 . 2010-03-22 12:30 -------- d-sh--w- c:\documents and settings\McAfeeMVSUser\IETldCache
    2010-03-12 21:34 . 2010-03-12 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-03-12 21:34 . 2010-03-12 21:34 -------- d-----w- c:\program files\Alwil Software
    2010-03-12 21:18 . 2010-03-12 21:18 16384 ---ha-w- C:\SZKGFS.dat
    2010-03-12 21:02 . 2010-03-12 21:02 -------- d-----w- c:\documents and settings\elizabeth\Application Data\ConsumerSoft
    2010-03-12 21:02 . 2010-03-12 21:07 -------- d-----w- c:\program files\ConsumerSoft
    2010-03-12 20:46 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-03-12 20:45 . 2010-03-12 20:45 -------- d-----w- c:\program files\Panda Security
    2010-03-10 02:26 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-04 22:09 . 2010-03-04 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
    2010-02-25 09:13 . 2010-03-18 00:18 -------- d-----w- c:\documents and settings\elizabeth\Local Settings\Application Data\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-16 22:17 . 2008-01-08 13:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-12 23:13 . 2008-12-06 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-03-12 23:11 . 2010-03-12 23:10 584 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-27 21:07 . 2010-02-02 22:22 117760 ----a-w- c:\documents and settings\elizabeth\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-27 19:14 . 2008-03-05 14:47 -------- d-----w- c:\program files\CCleaner
    2010-02-23 16:20 . 2010-02-12 22:24 -------- d-----w- c:\program files\Auslogics
    2010-02-12 22:49 . 2008-01-08 13:55 -------- d-----w- c:\program files\Spyware Doctor
    2010-02-12 22:36 . 2010-02-12 22:34 -------- d-----w- c:\program files\TweakNow PowerPack 2009
    2010-02-12 22:34 . 2010-02-12 22:34 -------- d-----w- c:\documents and settings\elizabeth\Application Data\TweakNow PowerPack 2009
    2010-02-12 22:25 . 2010-02-12 22:25 -------- d-----w- c:\documents and settings\elizabeth\Application Data\Auslogics
    2010-02-12 22:08 . 2006-07-25 15:22 -------- d-----w- c:\program files\Google
    2010-02-12 21:41 . 2008-03-05 20:12 -------- d-----w- c:\program files\Lavasoft
    2010-02-12 21:41 . 2008-03-05 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-02-12 21:40 . 2010-02-06 19:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-02-12 21:40 . 2008-02-18 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-12 21:31 . 2008-01-08 13:55 -------- d-----w- c:\documents and settings\elizabeth\Application Data\PC Tools
    2010-02-12 16:49 . 2010-02-12 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
    2010-02-12 16:49 . 2010-02-12 16:49 -------- d-----w- c:\program files\IObit
    2010-02-12 12:40 . 2010-02-11 20:57 -------- d-----w- c:\program files\PC Tools Firewall Plus
    2010-02-11 22:39 . 2007-12-18 22:23 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-11 20:24 . 2010-02-11 20:24 388096 ----a-r- c:\documents and settings\elizabeth\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-11 20:24 . 2010-02-11 20:24 -------- d-----w- c:\program files\TrendMicro
    2010-02-11 20:19 . 2010-02-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-02-11 20:17 . 2010-02-11 20:17 -------- d-----w- c:\program files\AVG
    2010-02-11 20:17 . 2007-12-18 22:23 -------- d-----w- c:\documents and settings\elizabeth\Application Data\SUPERAntiSpyware.com
    2010-02-11 20:17 . 2010-02-11 20:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-02-02 22:22 . 2010-02-02 22:22 52224 ----a-w- c:\documents and settings\elizabeth\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-25 10:17 . 2009-12-09 22:13 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-07 22:07 . 2010-01-16 14:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 22:07 . 2010-01-16 14:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-31 16:50 . 2005-10-20 13:42 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-27 14:48 . 2009-11-27 14:12 79488 ----a-w- c:\documents and settings\elizabeth\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
    "SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
    "IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-12-24 1280272]

    c:\documents and settings\elizabeth\Start Menu\Programs\Startup\
    Eagle Listener.lnk - c:\3apps\Catapult\3listen.exe [2005-11-10 552960]
    Eagle Scheduler.lnk - c:\3apps\Catapult\Sched.exe [2005-11-10 339968]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCTAVSvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Spyware Doctor\\svcntaux.exe"=
    "c:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"=
    "c:\\Program Files\\McAfee\\Managed VirusScan\\VScan\\McShield.exe"=
    "c:\\WINDOWS\\system32\\hkcmd.exe"=
    "c:\\Program Files\\McAfee\\Managed VirusScan\\VScan\\EngineServer.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "7566:TCP"= 7566:TCP:Services
    "4536:TCP"= 4536:TCP:Services

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/12/2010 3:46 PM 28552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 8:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 74480]
    R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [6/5/2008 1:55 AM 14144]
    R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [12/1/2005 3:06 PM 175704]
    R2 SWAGENT;SonicWALL Agent Service;c:\program files\McAfee\Managed VirusScan\Agent\swAgent.exe [12/1/2005 3:07 PM 103744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/12/2010 5:08 PM 135664]
    S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [2/12/2010 11:49 AM 311568]
    S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys --> c:\windows\system32\DRIVERS\pctNdis.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 7408]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [1/8/2008 8:55 AM 742216]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 22:08]

    2010-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 22:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: Crawler Search
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    Trusted Zone: //about.htm/
    Trusted Zone: //Exclude.htm/
    Trusted Zone: //LanguageSelection.htm/
    Trusted Zone: //Message.htm/
    Trusted Zone: //MyAgttryCmd.htm/
    Trusted Zone: //MyAgttryNag.htm/
    Trusted Zone: //MyNotification.htm/
    Trusted Zone: //NOCLessUpdate.htm/
    Trusted Zone: //quarantine.htm/
    Trusted Zone: //ScanNow.htm/
    Trusted Zone: //strings.vbs/
    Trusted Zone: //Template.htm/
    Trusted Zone: //Update.htm/
    Trusted Zone: //VirFound.htm/
    Trusted Zone: mcafee.com\*
    Trusted Zone: mcafeeasap.com\betavscan
    Trusted Zone: mcafeeasap.com\vs
    Trusted Zone: mcafeeasap.com\www
    TCP: {C9F17E97-CB4C-4155-B1CD-91A7C627E762} = 66.76.2.130,66.76.2.137
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-SITEguard - (no file)
    Notify-TPSvc - TPSvc.dll
    AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-23 07:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,65,f1,43,fb,7c,73,40,8e,91,b4,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c9,65,f1,43,fb,7c,73,40,8e,91,b4,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(472)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1544)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\3apps\Catapult\APPIPC.exe
    c:\windows\system32\P32HELP.EXE
    c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-23 07:23:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-23 12:23

    Pre-Run: 61,672,611,840 bytes free
    Post-Run: 61,672,595,456 bytes free

    - - End Of File - - A40989E0D0CB72CE88352DA422D00A2A


#10 thewall
Malware Response Team, 6,425 posts, Florida

Posted 23 March 2010 - 10:09 AM

    Good job. It can be aggravating at times to get CF to run when something is blocking it.

Your log shows you have Malwarebytes on your computer. If you haven't deleted it, open it up, do an update and then do a Full Scan with it and post the log if it finds anything.



    Do you intentionally have these ports open? If you do that's fine but if not we can close them.


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
    "59153:UDP"= 59153:UDP:SonicWALL Compliance 59153
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "7566:TCP"= 7566:TCP:Services
    "4536:TCP"= 4536:TCP:Services


    If I have helped you then please consider donating so I can continue the fight against malware Posted Image
    All donations go directly to the helper

    Posted Image

    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
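The port list thewall quotes is the Windows XP firewall's standard-profile exception list as ComboFix prints it. The example below is added here and is not part of the thread, of ComboFix or of any Microsoft tooling: it parses those registry lines, separates the ports the owner can vouch for from the ones carrying only the generic "Services" label or exposing Remote Desktop, and emits the XP-era `netsh firewall` commands that would remove the flagged rules. The sample log lines are re-typed from post #10; treating the two SonicWALL UDP ports as expected is an assumption taken from the user's reply that the office runs a SonicWALL box.

```python
"""Added example (not part of the BleepingComputer thread or of ComboFix):
parse the Windows Firewall 'GloballyOpenPorts' entries that ComboFix prints
and flag the ones an analyst should ask the machine's owner about."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the registry lines quoted in post #10, re-typed here.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59152:UDP"= 59152:UDP:SonicWALL Compliance 59152
"59153:UDP"= 59153:UDP:SonicWALL Compliance 59153
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7566:TCP"= 7566:TCP:Services
"4536:TCP"= 4536:TCP:Services
'''

# One value line looks like:  "port:proto"= port:proto:display name
ENTRY_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>.+)$')

# Ports the owner can vouch for. Assumption for this example: the two
# SonicWALL compliance ports, since the user says the office uses a SonicWALL.
EXPECTED = {(59152, "UDP"), (59153, "UDP")}


@dataclass
class OpenPort:
    port: int
    proto: str
    name: str
    reason: Optional[str]   # why it is flagged; None when it looks expected


def classify(port: int, proto: str, name: str) -> Optional[str]:
    """Decide whether an open port deserves a question. Heuristics only."""
    if (port, proto) in EXPECTED:
        return None
    if port == 3389 and proto == "TCP":
        return "Remote Desktop exposed to the network; confirm remote admin is intended"
    if name.strip().lower() in ("", "services"):
        # A bare 'Services' label names no product; installers normally write
        # their own product name, so treat these rules as unexplained.
        return "generic 'Services' label; no product claims this port"
    return "unrecognised port; confirm with the owner"


def parse_open_ports(log_text: str) -> List[OpenPort]:
    """Parse every GloballyOpenPorts value line in a ComboFix log excerpt."""
    found = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                        # key header, blank line, etc.
        port, proto = int(m.group("port")), m.group("proto")
        fields = m.group("value").split(":", 2)
        name = fields[2] if len(fields) == 3 else ""
        found.append(OpenPort(port, proto, name, classify(port, proto, name)))
    return found


def netsh_close_commands(ports: List[OpenPort]) -> List[str]:
    """Windows XP 'netsh firewall' commands that remove each flagged rule from
    the standard profile (the profile named in the registry path above).
    Vista and later use 'netsh advfirewall' instead; this syntax is XP's."""
    return [
        f"netsh firewall delete portopening protocol={p.proto} port={p.port} profile=STANDARD"
        for p in ports if p.reason
    ]


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_LOG)
    for p in ports:
        print(f"{p.port:>5}/{p.proto:<3} {p.name!r:32} {p.reason or 'expected'}")
    print("\n".join(netsh_close_commands(ports)))
```

Run it against the pasted excerpt and it separates the two SonicWALL entries from the seven TCP rules nobody has accounted for; the generated commands are only a starting point, since the right answer for 3389 depends on whether anyone actually administers the machine over RDP.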

#11 rkrplus1 (Topic Starter)
Members, 13 posts

Posted 23 March 2010 - 01:23 PM

Malwarebytes did not detect any malicious items. However, the computer seems to be moving much faster right now. The ports I am not sure what they do; I know that we do use the SonicWALL box, which I believe is like a firewall, but not sure. The TCP things listed I'm not sure what they are for. I can tell you that Windows Firewall started up and asked me if I wanted to allow Eagle for Windows Listener to be unblocked. I allowed it as it controls our terminals being able to access the printer. Also, Internet Explorer asked if I wanted to set my home page to www.yahoo.com. I thought that it was already since that is what pulls up when the browser is opened.
    Thanks
    Russell

#12 thewall
Malware Response Team, 6,425 posts, Florida

Posted 23 March 2010 - 01:45 PM

Sounds good. There are a couple of things I would like us to do before we finish up. We need to get a Kaspersky scan, and I would also like for you to post another DDS log. If it produces two when you run it, the only one I will need is the DDS.txt log. I want to see if some entries I saw in the last log are now gone.




It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

    If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
• Open the Kaspersky WebScanner page.
    • Click on the button on the main page.
    • The program will launch and fill in the Information section on the left.
    • Read the "Requirements and Limitations" then press the button.
    • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
    • Once the files have been downloaded, click on the ...button.
      In the scan settings make sure the following are selected:
      • Detect malicious programs of the following categories:
        Viruses, Worms, Trojan Horses, Rootkits
        Spyware, Adware, Dialers and other potentially dangerous programs
      • Scan compound files (doesn't apply to the File scan area):
        Archives
        Mail databases
        By default the above items should already be checked.
      • Click the button, if you made any changes.
    • Now under the Scan section on the left:

      Select My Computer
    • The program will now start and scan your system. This will run for a while, be patient and let it finish.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • In the drop down box labeled Files of type change the type to Text file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    You can refer to this animation by sundavis if needed.



#13 rkrplus1 (Topic Starter)
Members, 13 posts

Posted 23 March 2010 - 02:10 PM

Here is the second DDS.txt. I will begin Kaspersky in a moment. Do you know what the infection was?
    Thanks
    Russell

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by elizabeth at 14:05:44.50 on Tue 03/23/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.519 [GMT -5:00]

    AV: Total Protection for Small Business *On-access scanning enabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\3apps\Catapult\3listen.exe
    C:\3apps\Catapult\APPIPC.exe
    C:\WINDOWS\system32\P32HELP.EXE
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\elizabeth\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
    mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
    mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
    mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
    mRun: [MVS Splash] c:\program files\mcafee\managed virusscan\agent\Splash.exe
    StartupFolder: c:\docume~1\elizab~1\startm~1\programs\startup\eaglel~1.lnk - c:\3apps\catapult\3listen.exe
    StartupFolder: c:\docume~1\elizab~1\startm~1\programs\startup\eagles~1.lnk - c:\3apps\catapult\Sched.exe
    IE: Crawler Search
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: //about.htm/
    Trusted Zone: //Exclude.htm/
    Trusted Zone: //LanguageSelection.htm/
    Trusted Zone: //Message.htm/
    Trusted Zone: //MyAgttryCmd.htm/
    Trusted Zone: //MyAgttryNag.htm/
    Trusted Zone: //MyNotification.htm/
    Trusted Zone: //NOCLessUpdate.htm/
    Trusted Zone: //quarantine.htm/
    Trusted Zone: //ScanNow.htm/
    Trusted Zone: //strings.vbs/
    Trusted Zone: //Template.htm/
    Trusted Zone: //Update.htm/
    Trusted Zone: //VirFound.htm/
    Trusted Zone: mcafee.com\*
    Trusted Zone: mcafeeasap.com\betavscan
    Trusted Zone: mcafeeasap.com\vs
    Trusted Zone: mcafeeasap.com\www
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - hxxp://virusscanasap.mcafeeasap.com/VS2/SonicWall/bin/myCioAgt.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229553875421
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    TCP: {C9F17E97-CB4C-4155-B1CD-91A7C627E762} = 66.76.2.130,66.76.2.137
    Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt4.7.0.777.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-3-12 28552]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-5-25 213768]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
    R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-6-5 14144]
    R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2005-12-1 175704]
    R2 SWAGENT;SonicWALL Agent Service;c:\program files\mcafee\managed virusscan\agent\swAgent.exe [2005-12-1 103744]
    R3 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2005-12-1 144704]
    R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2006-5-25 79880]
    R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2006-5-25 35272]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-12 135664]
    S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-2-12 311568]
    S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-1-8 41288]
    S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-1-8 62280]
    S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-1-8 79688]
    S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-6-5 34216]
    S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-12-1 114400]
    S3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctndis.sys --> c:\windows\system32\drivers\pctNdis.sys [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2008-1-8 742216]
    S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\swdsvc.exe [2008-1-8 1415496]

    =============== Created Last 30 ================

    2010-03-22 13:04:38 0 d-sha-r- C:\cmdcons
    2010-03-22 13:03:26 98816 ----a-w- c:\windows\sed.exe
    2010-03-22 13:03:26 77312 ----a-w- c:\windows\MBR.exe
    2010-03-22 13:03:26 261632 ----a-w- c:\windows\PEV.exe
    2010-03-22 13:03:26 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-12 23:10:29 584 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-03-12 21:34:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-03-12 21:18:08 16384 ---ha-w- C:\SZKGFS.dat
    2010-03-12 21:02:42 0 d-----w- c:\docume~1\elizab~1\applic~1\ConsumerSoft
    2010-03-12 21:02:37 0 d-----w- c:\program files\ConsumerSoft
    2010-03-12 20:46:04 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-03-12 20:45:44 0 d-----w- c:\program files\Panda Security
    2010-03-10 02:26:04 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-04 22:09:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Grisoft

    ==================== Find3M ====================

    2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
    2008-09-29 09:06:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

    ============= FINISH: 14:06:21.57 ===============


#14 rkrplus1 (Topic Starter)
Members, 13 posts

Posted 24 March 2010 - 06:39 AM

Kaspersky finished and found no threats.
    Russell

#15 thewall
Malware Response Team, 6,425 posts, Florida

Posted 24 March 2010 - 12:05 PM

    Good that Kaspersky didn't find anything and your DDS log looked clean. You had a TDSS rootkit which also brought in some Vundo with it. The Vundo files were what I was looking for in the DDS log but they are gone now.

    Before we finish up you need to get some updates taken care of. The first is your Adobe Reader but the one we really need to take care of is all those old versions of Java which showed up in your Add/Remove log. Those are prime areas for Malware exploitation.


Please uninstall the older version of Adobe Reader before installing the latest version.

* Click Start
* Control Panel
* Double-click on Add/Remove Programs
* Locate the older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.






Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
    • Download the latest version of Java Runtime Environment (JRE) 18 and save it to your desktop.
    • Scroll down to where it says JDK 6 Update 18 (JDK or JRE)
    • Click the Download JRE button to the right
    • Select the Windows platform from the dropdown menu.
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
    • Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version.
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button.
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
          Applications and Applets
          Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.


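The old Java installers thewall refers to are visible in the second DDS log as DPF (Downloaded Program Files) entries: each `{CAFEEFAC-0016-0000-00UU-ABCDEFFEDCBA}` CLSID is Sun's dynamic-versioning identifier for JRE 1.6.0 update UU, and the `jinstall-1_6_0_UU` cab URL beside it names the same release. The example below is added here and is not part of the thread, of DDS or of Sun's tooling: it reads those DPF lines, recovers the version from the URL and independently from the CLSID, reports any disagreement between the two, and lists every entry older than the 6u18 release being installed. The sample lines are re-typed from the DDS log in post #13 (DDS writes `hxxp` in place of `http`); the CLSID decoding rule is the documented dynamic-versioning scheme, with the fields read as decimal digits.

```python
"""Added example (not part of the thread, DDS or Sun's tooling): read the DPF
lines that DDS prints, recover the Java version each one installs, and list
the ones older than the release being installed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]        # (1, 6, 0, 15) == JRE 6 Update 15

# Constructed sample: the Java-related DPF lines from the second DDS log.
SAMPLE_DPF = r'''
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
'''

DPF_RE = re.compile(r'^DPF:\s*\{(?P<clsid>[0-9A-Fa-f-]{36})\}(?:\s*-\s*(?P<url>\S+))?')
# Sun's dynamic-versioning CLSID: CAFEEFAC-00MN-0000-00UU-ABCDEFFEDCBA is
# JRE 1.M.N update UU, fields written as decimal digits ("0016" -> 1.6).
DYN_RE = re.compile(r'^CAFEEFAC-(\d{4})-(\d{4})-(\d{4})-ABCDEFFEDCBA$', re.I)
JINSTALL_RE = re.compile(r'jinstall-(\d+)_(\d+)_(\d+)_(\d+)-')


def decode_dynamic_clsid(clsid: str) -> Optional[Version]:
    """Version encoded in a dynamic-versioning CLSID, or None for the static
    plug-in CLSID, the FFFF 'latest' family CLSID, or unrelated controls."""
    m = DYN_RE.match(clsid.strip("{}"))
    if not m:
        return None
    family, micro, update = (int(x) for x in m.groups())
    return (family // 10, family % 10, micro, update)


@dataclass
class JavaDpf:
    clsid: str
    url: Optional[str]
    version: Optional[Version]   # best evidence: URL first, CLSID otherwise
    mismatch: bool               # CLSID and URL disagree about the version


def parse_java_dpf(text: str) -> List[JavaDpf]:
    """Keep only DPF entries that are demonstrably Java installers."""
    out = []
    for line in text.splitlines():
        m = DPF_RE.match(line.strip())
        if not m:
            continue
        clsid, url = m.group("clsid").upper(), m.group("url")
        from_clsid = decode_dynamic_clsid(clsid)
        jm = JINSTALL_RE.search(url or "")
        from_url = tuple(int(x) for x in jm.groups()) if jm else None
        if from_clsid is None and from_url is None:
            continue                 # QuickTime, Shockwave, unnamed controls...
        mismatch = bool(from_clsid and from_url and from_clsid != from_url)
        out.append(JavaDpf(clsid, url, from_url or from_clsid, mismatch))
    return out


def stale_entries(entries: List[JavaDpf], minimum: Version) -> List[JavaDpf]:
    """Entries that would load a JRE older than `minimum` (tuple comparison)."""
    return [e for e in entries if e.version is not None and e.version < minimum]


if __name__ == "__main__":
    entries = parse_java_dpf(SAMPLE_DPF)
    for e in stale_entries(entries, (1, 6, 0, 18)):
        tag = " (CLSID/URL disagree)" if e.mismatch else ""
        print(f"{e.clsid}  JRE {e.version[0]}.{e.version[1]}.{e.version[2]}_{e.version[3]:02d}{tag}")
```

Against the pasted log every Java entry comes back stale, including the static and "latest" CLSIDs, because all of them still point at the 6u15 installer; after the Add/Remove cleanup and the 6u18 install in the steps above, a fresh DDS log is where you confirm those entries are gone.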



