Persistent Virus, Possibly 'Your Protection'


  • This topic is locked
13 replies to this topic

#1 Nick Ollivere


Posted 26 April 2010 - 06:43 AM

Dear all, I hope you can help. I've had persistent problems with my laptop recently, which I first identified as 'Your Protection' (fake Windows Security Center warnings etc, exactly as detailed in the guide on this website). rkill stopped most of the processes, but there are still problems. I have scanned the computer multiple times with Malwarebytes' Anti-Malware, Dr Web's CureIt, SpyBot Search & Destroy, Avira Antivirus, until they find nothing, both in and out of safe mode, but then the problems keep reappearing.

Every time I start up I get the warning 'Spooler SubSystem App has encountered a problem and needs to close' (which then reappears every few minutes). My usual wireless connection (from a built-in Intel wireless card) can't detect networks. I seemed to be able to connect with a Wireless USB adapter, but Chrome was unresponsive, and Internet Explorer doesn't open (a command prompt appears for a second, then goes). After a while, I began getting new warnings to close Windows Explorer, and programs wouldn't open, so I ran rkill again and closed the connection.

I have the two DDS logs, but when I try to run GMER, my computer crashes/restarts. It opens fine, but as soon as I start to scan, it goes black.

I'm running Windows XP Home Service Pack 3, on a Fujitsu Siemens Amilo Pro.

Many thanks in advance for your help, Nick.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Nick at 12:10:42.78 on 26/04/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.205 [GMT 1:00]

AV: Your Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Nick\LOCALS~1\Temp\qlrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
C:\Program Files\Belkin\F6D4050\v1\BelkinWCUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
uWinlogon: Userinit=,c:\windows\system32\rxjddnvj.exe,
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [scop] c:\docume~1\nick\locals~1\temp\qlrl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f6d4050\v1\BelkinWCUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2008-2-27 10872]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
S3 AtmElan;ATM Emulated LAN;c:\windows\system32\drivers\atmlane.sys [2005-2-2 55808]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [2005-2-2 55808]
S3 BTUsbrXP®;BT Voyager 1010 USB Adapter;c:\windows\system32\drivers\btusbrxp.sys --> c:\windows\system32\drivers\btusbrxp.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-2-27 30946]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-7 637952]
S3 TIAU5CO;Actiontec Home DSL Modem(WAN) Service;c:\windows\system32\drivers\tiau5co.sys --> c:\windows\system32\drivers\TIAU5CO.sys [?]

=============== Created Last 30 ================

2010-04-26 11:09:35 0 ----a-w- c:\documents and settings\nick\defogger_reenable
2010-04-26 10:20:12 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-26 09:20:14 36865 ----a-w- c:\windows\system32\msmxlxxq.dll
2010-04-26 09:20:05 42496 ----a-w- c:\windows\system32\so.bin
2010-04-09 14:49:41 169563 ----a-w- c:\windows\system32\3211786.exe
2010-04-09 14:47:44 169563 ----a-w- c:\windows\system32\1988031.exe
2010-04-09 14:29:23 169563 ----a-w- c:\windows\system32\2631189.exe
2010-04-09 13:31:00 167535 ----a-w- c:\windows\system32\1949274.exe
2010-04-09 13:13:19 167535 ----a-w- c:\windows\system32\5146143.exe
2010-04-09 12:15:06 167535 ----a-w- c:\windows\system32\4422724.exe
2010-04-09 11:49:42 167535 ----a-w- c:\windows\system32\1105768.exe
2010-04-08 11:04:30 0 d-----w- c:\program files\CCleaner
2010-04-07 18:04:06 168786 ----a-w- c:\windows\system32\1419489.exe
2010-04-07 18:01:05 637952 ----a-w- c:\windows\system32\drivers\rt2870.sys
2010-04-07 18:01:03 0 d-----w- c:\program files\Belkin
2010-04-07 17:18:49 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 17:18:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-07 13:33:25 0 d-----w- c:\documents and settings\nick\DoctorWeb
2010-04-07 09:58:24 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-07 06:54:56 168410 ----a-w- c:\windows\system32\6737787.exe
2010-04-07 06:54:32 0 ----a-w- c:\windows\SC.INS
2010-04-06 20:19:11 413696 ----a-w- c:\windows\system32\OLD15D.tmp
2010-04-06 20:19:10 413696 ----a-w- c:\windows\system32\cmd.exe
2010-04-06 20:17:32 167554 ----a-w- c:\windows\system32\9867212.exe
2010-04-06 20:17:22 0 d-----w- c:\docume~1\nick\applic~1\4326C424FEE0F49AB3918A4AE86F67B3
2010-04-06 20:17:10 204800 ----a-w- c:\windows\system32\OLD14D.tmp
2010-04-06 20:17:10 204800 ----a-w- c:\windows\system32\dwwin.exe
2010-03-31 11:47:47 0 d-----w- c:\program files\FireTrust
2010-03-31 11:47:47 0 d-----w- c:\docume~1\nick\applic~1\MailWasherFree

==================== Find3M ====================

2010-04-26 09:32:01 870912 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-09 12:43:52 21504 ----a-w- c:\windows\system32\wscntfy.exe
2010-04-08 14:56:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-07 13:37:55 35840 ----a-w- c:\windows\system32\verclsid.exe
2010-04-07 13:36:48 428032 ----a-w- c:\windows\system32\ntvdm.exe
2010-04-07 13:35:50 521728 ----a-w- c:\windows\system32\logonui.exe
2010-04-07 13:34:42 143360 ----a-w- c:\windows\system32\cscript.exe
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-02-27 22:06:01 2 --shatr- c:\windows\winstart.bat

============= FINISH: 12:11:38.53 ===============


 


#2 schrauber



  • Malware Response Team

Posted 30 April 2010 - 11:21 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 Nick Ollivere


Posted 01 May 2010 - 01:06 PM

I haven't touched my computer since I posted this, so the DDS log should still be valid. GMER didn't work, but I will try it again when I get back to my computer on Monday. Many thanks, Nick.

#4 schrauber


Posted 01 May 2010 - 04:40 PM

Yep, please try it again and we will go from there
regards,
schrauber


#5 Nick Ollivere


Posted 04 May 2010 - 04:41 AM

I still can't run GMER in normal mode (screen either goes blank and computer restarts, or screen goes blue with white writing which I don't have time to read before it switches off). I tried in safe mode, and the scan seemed to work, but after several minutes of scanning the computer restarted again.

Many thanks for your time,
Nick.

#6 schrauber


Posted 04 May 2010 - 12:47 PM

Hello, Nick Ollivere
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#7 Nick Ollivere


Posted 05 May 2010 - 02:49 AM

Hi Tom,
I've completed the steps successfully and have attached as well as pasted below the Combofix log. A couple of things to mention: I had to uninstall Microsoft Security Essentials, as it wouldn't let me turn off its resident protection without updating it. Combofix rebooted my computer twice, and installed the recovery console, as indicated.
Thanks again for speedy replies.
Nick.

ComboFix 10-05-03.06 - Nick 04/05/2010 19:18:32.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.297 [GMT 1:00]
Running from: c:\documents and settings\Nick\Desktop\schrauber.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nick\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Nick\wuaucldt.exe
c:\program files\Internet Explorer\OLD166.tmp
c:\program files\WindowsUpdate
c:\recycler\S-1-5-21-3430659511-3627420953-3776851645-1003
c:\windows\Fonts\mlog
c:\windows\Fonts\services.exe
c:\windows\irc.txt
c:\windows\jestertb.dll
c:\windows\SC.INS
c:\windows\system32\1105768.exe
c:\windows\system32\1419489.exe
c:\windows\system32\1949274.exe
c:\windows\system32\1988031.exe
c:\windows\system32\2631189.exe
c:\windows\system32\3211786.exe
c:\windows\system32\4422724.exe
c:\windows\system32\5146143.exe
c:\windows\system32\5147.exe
c:\windows\system32\6737787.exe
c:\windows\system32\9867212.exe
c:\windows\system32\BtwSvc.dll
c:\windows\system32\d.bin
c:\windows\system32\drivers\FSC__PI__AMILO Pro V2040__FUJITSU SIEMENS_AMILO Pro V2040__PhoenixBIOS 4.0 Release 6.1 _PTLTD - 6040000_R01-A1B .MRK
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\ms.bin
c:\windows\system32\msmxlxxq.dll
c:\windows\system32\mswacsbm.dll
c:\windows\system32\opear.exe
c:\windows\system32\PereSvc.exe
c:\windows\system32\so.bin
c:\windows\system32\w.exe
c:\windows\system32\winstartup.log
c:\windows\system32\wuaucldt.exe
c:\windows\TEMP\mta13187.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\clipsrv.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSVC
-------\Legacy_NEW_DRV
-------\Service_BtwSvc
-------\Legacy_peresvc
-------\Service_peresvc


((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-04-26 11:04 . 2010-04-26 11:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-04-26 10:20 . 2010-04-26 10:20 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\PCHealth
2010-04-26 10:20 . 2010-04-26 10:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-04-08 11:04 . 2010-04-08 11:04 -------- d-----w- c:\program files\CCleaner
2010-04-07 18:09 . 2010-04-07 18:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 18:01 . 2008-10-01 10:24 637952 ----a-w- c:\windows\system32\drivers\rt2870.sys
2010-04-07 18:01 . 2010-04-07 18:01 -------- d-----w- c:\program files\Belkin
2010-04-07 17:18 . 2010-04-26 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-07 17:18 . 2010-04-07 18:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-07 14:36 . 2010-04-07 14:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
2010-04-07 13:33 . 2010-04-07 13:33 -------- d-----w- c:\documents and settings\Nick\DoctorWeb
2010-04-07 09:58 . 2009-07-28 14:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-06 20:19 . 2008-04-14 00:12 413696 ----a-w- c:\windows\system32\cmd.exe
2010-04-06 20:17 . 2010-04-09 13:59 -------- d-----w- c:\documents and settings\Nick\Application Data\4326C424FEE0F49AB3918A4AE86F67B3
2010-04-06 20:17 . 2008-04-14 00:12 204800 ----a-w- c:\windows\system32\dwwin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 09:32 . 2005-02-02 20:38 870912 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-09 12:43 . 2005-02-02 20:37 21504 ----a-w- c:\windows\system32\wscntfy.exe
2010-04-08 14:56 . 2005-02-02 20:38 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-07 18:01 . 2005-12-27 15:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-07 13:37 . 2008-08-07 18:36 35840 ----a-w- c:\windows\system32\verclsid.exe
2010-04-07 13:36 . 2005-02-02 20:36 428032 ----a-w- c:\windows\system32\ntvdm.exe
2010-04-07 13:35 . 2005-02-02 20:36 521728 ----a-w- c:\windows\system32\logonui.exe
2010-04-07 13:34 . 2005-02-02 20:36 143360 ----a-w- c:\windows\system32\cscript.exe
2010-04-07 10:47 . 2008-12-25 13:24 -------- d-----w- c:\program files\QuickTime
2010-04-07 08:46 . 2010-02-24 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 13:42 . 2010-03-31 11:47 -------- d-----w- c:\documents and settings\Nick\Application Data\MailWasherFree
2010-03-31 11:47 . 2010-03-31 11:47 -------- d-----w- c:\program files\FireTrust
2010-03-29 23:46 . 2010-02-24 22:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45 . 2010-02-24 22:23 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 11:29 . 2009-04-08 16:11 -------- d-----w- c:\program files\VCW VicMan's Photo Editor
2010-03-17 16:25 . 2009-11-16 19:11 79488 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-24 22:27 . 2010-02-24 22:27 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2008-02-27 22:06 . 2008-02-27 22:06 2 --shatr- c:\windows\winstart.bat
.
--a------ 21/10/2005 04:39 658432 c:\windows\system32\oldwn.tmp
--a------ 04/08/2004 13:00 82944 c:\windows\system32\oldws.tmp
--a------ 21/10/2005 04:39 658432 c:\windows\system32\winrc.tmp
--a------ 04/08/2004 13:00 82944 c:\windows\system32\wsrec.tmp


------- Sigcheck -------

[-] 2008-04-14 . EE7341FF490DA05C7F8D365E2739AFD6 . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . 2420851666234DE3D6AABBE041BB3B08 . 82432 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-11 . 4DF55879D4E7000F236D9C88B967F49D . 82432 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . 58EC48B4429AB172AFAA25DC5A713954 . 82944 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-04 . DBDF40A1222620898079171C868B12E2 . 82432 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . 690B888EC791A4E9965C911CBCC7161C . 50688 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 . F760C1B6BE553722B0DDEF7D10DBADB5 . 50688 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . DC198D305D6E17934C16A5B2FB31747B . 49152 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 . D4050930105B0DB5B8A7D5F09EEE04B6 . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 96F92323401BA77D05D3A6E93213ADCF . 1058304 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2004-08-04 . 03C9FA37F8C0A181936A8AAD88509321 . 1056768 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2010-04-09 . C2205482F66DF901747E082D137019DD . 21504 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2008-04-14 . B3B16A96739DA92E20349CE3EBFF75F1 . 38400 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2004-08-04 . F0A789DCC5DC5B7E3F0955E742DBC0C5 . 38400 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . 9A9B5576D28633A5DEAFF985213C8D39 . 39936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . 436C550264370DEA3FBFF46B256C0135 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . 6549EF8314FB2ACA924C85D96AFE04B5 . 39936 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2285056]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 122880]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-03-09 163840]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 52736]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 39936]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F6D4050\v1\BelkinWCUI.exe [2010-4-7 1101824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0I\0\0 \0 \00):\0):\0):\0):\0(*:\0):\0P*:\0p*:\0*:\0=c:\0\0\0\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk
backup=c:\windows\pss\Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Voyager Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Voyager Wireless Utility.lnk
backup=c:\windows\pss\BT Voyager Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-02-26 00:01 437160 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-22 11:36 133104 ----atw- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-03-22 12:53 151552 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-03-22 12:57 180224 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-03-10 13:01 52736 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2005-04-26 10:15 569344 ----a-w- c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
2005-12-30 19:29 100056 ----a-w- c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-10-05 15:24 712704 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S3 AtmElan;ATM Emulated LAN;c:\windows\system32\drivers\atmlane.sys [02/02/2005 21:38 55808]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [02/02/2005 21:38 55808]
S3 BTUsbrXP®;BT Voyager 1010 USB Adapter;c:\windows\system32\DRIVERS\btusbrxp.sys --> c:\windows\system32\DRIVERS\btusbrxp.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [27/02/2008 23:06 30946]
S3 TIAU5CO;Actiontec Home DSL Modem(WAN) Service;c:\windows\system32\DRIVERS\TIAU5CO.sys --> c:\windows\system32\DRIVERS\TIAU5CO.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3605485236-762764250-2582422503-1006Core.job
- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-22 11:36]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3605485236-762764250-2582422503-1006UA.job
- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-22 11:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-syncman - c:\windows\system32\wuaucldt.exe
HKLM-Run-xdrdtg - c:\windows\system32\mswacsbm.dll
HKU-Default-Run-syncman - c:\documents and settings\nick\wuaucldt.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-klmdb.sys
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DSLAGENTEXE - c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe
MSConfigStartUp-DSLSTATEXE - c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe
MSConfigStartUp-kvbrck - c:\windows\system32\msmxlxxq.dll
MSConfigStartUp-Motive SmartBridge - c:\progra~1\BROADB~1\SMARTB~1\BTHelpNotifier.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_02\bin\jusched.exe
MSConfigStartUp-Systweak AntiSpyware 2008 - c:\program files\Systweak AntiSpyware\AntiSpyware.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 19:26
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-05-04 19:30:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 18:30

Pre-Run: 51,655,204,864 bytes free
Post-Run: 51,508,707,328 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - EFE40697E56DBCDD7D2B21445259FE7B




#8 schrauber

  • Malware Response Team

Posted 06 May 2010 - 01:19 PM

Hi,


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\userinit.exe

c:\windows\system32\spoolsv.exe

c:\windows\explorer.exe

c:\windows\system32\clipsrv.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 Nick Ollivere


Posted 06 May 2010 - 02:46 PM

Hi,
My infected computer won't let me access those sites (I can access this one and others - Google, twitter etc..). So I have a feeling it is the virus doing this, rather than any connection problems. How do I navigate around it? Or are there other sites I can use?

Nick.

#10 schrauber


Posted 07 May 2010 - 03:39 PM

Can you zip copies of the files? If yes, please upload it here and let me know when you did that

http://www.bleepingcomputer.com/submit-mal....php?channel=93
regards,
schrauber


#11 Nick Ollivere


Posted 09 May 2010 - 04:42 AM

Hi,
I've uploaded the file successfully. I put all four files in one zip called 'explorer.zip', I hope this is what you wanted, rather than them all in different zips.
Nick.

#12 schrauber


Posted 11 May 2010 - 11:42 AM

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

QUOTE
The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.
CA Virus detail of W32/Virut

QUOTE
The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.
McAfee Risk Assessment and Overview of W32/Virut

QUOTE
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.
AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

QUOTE
...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...
Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Virut is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
regards,
schrauber
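
The post above notes that some Virut variants alter the HOSTS file to block security-related sites, which matches the symptom reported in post #9. The following is an added example, not part of the original thread: a Python check that parses HOSTS-format text and flags entries that redirect watched scanner domains. The watchlist, the sample file contents and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watchlist: the two scanning services named in this thread.
WATCHLIST = ("virustotal.com", "jotti.org")

# Constructed sample HOSTS content, not taken from the infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.virustotal.com   # constructed entry
0.0.0.0 virusscan.jotti.org jotti.org
203.0.113.5     VirusTotal.com
192.0.2.10      intranet.example
not-an-ip       www.virustotal.com
"""

def parse_hosts(text):
    """Yield (line number, address, hostnames) for each well-formed entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an IP address
        if len(fields) > 1:
            yield lineno, addr, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(host, watchlist=WATCHLIST):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line, host, address, verdict) for every watched hostname."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            if is_watched(name, watchlist):
                # Loopback or 0.0.0.0 blocks the site; any other address remaps it.
                blocked = addr.is_loopback or addr.is_unspecified
                findings.append((lineno, name, str(addr),
                                 "sinkholed" if blocked else "remapped"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

An empty result only means the HOSTS file is not the blocking mechanism; it does not show that the system is clean.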


#13 Nick Ollivere


Posted 12 May 2010 - 04:23 AM

Hi,

I have reformatted and reinstalled windows and all seems to be working fine again. Luckily it was not such a great problem as I have another computer, and there was not a great deal on my laptop to begin with. I saved all important personal files easily. I believe an attempt may have been made to take money from my bank account, but my bank blocked it.
Many thanks again for your hard work. All the best,
Nick.

#14 schrauber


Posted 13 May 2010 - 09:18 AM

You're welcome :)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber




