
Infection? Task Manager Application Tab Blank Window


  • This topic is locked
15 replies to this topic

#1 markphx

markphx

  • Members
  • 72 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 19 September 2010 - 05:40 PM

The Windows Task Manager Application tab is blank, even when programs are open and running. The other tabs do display information. A quick review of the internet suggests that this might be related to an infection. The PC seems a bit slow, but otherwise there are no definite problems.

Here are the scan logs. I am not confident that GMER ran correctly.

Thanks in advance for your help.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark at 10:31:43.46 on Sun 09/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1381 [GMT -7:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\svcwinra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\resfilter32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [zdrinit] c:\windows\svcwinra.exe
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\micros~2\office\1033\phdintl.dll/phdContext.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: mayo.edu\mcalink
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://mcalink.mayo.edu/vdesk/cachecleaner.cab#version=6031,2010,0122,2102
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://mcalink.mayo.edu/vdesk/terminal/urxvpn.cab#version=6031,2010,125,2117
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5tunsrv.cab#version=6031,2009,1204,1610
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://mcalink.mayo.edu/vdesk/terminal/InstallerControl.cab#version=6031,2009,1204,1613
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5InspectionHost.cab#version=6031,2009,1204,1603
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240774615578
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://mcalink.mayo.edu/vdesk/terminal/urxshost.cab#version=6031,2009,1204,1608
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxp://vdi.mayo.edu/downloads/VMware-viewclient.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://mcalink.mayo.edu/vdesk/terminal/urxhost.cab#version=6031,2009,1204,1604
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - hxxps://mcalink.mayo.edu/policy/download_binary.php/win32/f5syschk.cab#Version=6031,2010,0125,2111
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
TCP: {00509DA1-03C9-4F27-8098-58219E5A87C8} = 192.168.2.1
TCP: {BF48B5B3-7998-4143-9647-0ED850A8DF01} = 192.168.2.1
TCP: {D3E36978-FD26-4776-891F-9839D96C5723} = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-4-26 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\ousbehci.sys [2009-5-7 39040]
R2 wsnm;VMware View Client Service;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2010-2-10 151552]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2009-5-7 54016]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-8-1 637952]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2009-10-9 33920]
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [2009-4-26 98432]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2010-3-16 10752]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-5-1 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2009-5-1 3768]

=============== Created Last 30 ================

2010-09-19 17:29:09 0 ----a-w- c:\documents and settings\mark\defogger_reenable
2010-09-15 01:27:53 0 ----a-w- c:\windows\sspra32wl.dll
2010-09-04 15:50:31 453632 ----a-w- c:\windows\system32\SetACL.ocx
2010-09-04 15:50:25 6512640 ----a-w- c:\windows\sspro.exe
2010-09-04 15:50:25 304128 ----a-w- c:\windows\msatools64.dll
2010-09-04 15:50:25 296448 ----a-w- c:\windows\perfsysdeam.dll
2010-09-04 15:50:24 566784 ----a-w- c:\windows\lsemanager.exe
2010-09-04 15:50:24 397824 ----a-w- c:\windows\resfilter32.exe
2010-09-04 15:50:23 605696 ----a-w- c:\windows\mdiwinsvr.exe
2010-09-04 15:50:22 800256 ----a-w- c:\windows\svcwinra.exe
2010-08-23 07:39:48 0 d-----w- C:\Nexon
2010-08-23 00:16:11 0 d-----w- c:\docume~1\alluse~1\applic~1\NexonUS
2010-08-22 22:52:23 0 d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2010-08-22 22:51:56 0 d-----w- c:\program files\Pando Networks

==================== Find3M ====================

2010-09-19 17:29:08 925728 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-09-19 17:29:06 5292 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-09-19 17:15:36 4365344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-09-19 17:15:36 36232 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-09-19 16:34:54 2324 ----a-w- c:\windows\swn32reg.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-09 02:54:25 32 ----a-w- c:\docume~1\mark\applic~1\data.dat
2010-07-29 17:03:30 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 17:03:30 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-29 04:56:49 99 ----a-w- c:\documents and settings\mark\jagex_runescape_preferences2.dat
2010-07-29 04:56:04 46 ----a-w- c:\documents and settings\mark\jagex_runescape_preferences.dat
2010-07-29 04:54:30 0 ----a-w- c:\documents and settings\mark\jagex__preferences3.dat
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 12:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2009-08-20 08:15:08 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13:26 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 08:31:00 336 ----a-w- c:\program files\setup.ini
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe

============= FINISH: 10:33:07.07 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-19 15:29:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Mark\LOCALS~1\Temp\fwldqpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAFD891DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xAFD897AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xAFD8B1EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xAFD8AB9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xAFD88950]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAFD8CB7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xAFD895AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xAFD88D92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xAFD88F92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xAFD8AEAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xAFD8D084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xAFD890A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xAFD89110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xAFD8AD5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xAFD8C620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xAFD8A9F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xAFD88AB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xAFD893B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xAFD8CBA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xAFD892FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xAFD89178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xAFD88E7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xAFD88C5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xAFD8C888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xAFD885D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xAFD8BA74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xAFD88734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xAFD8CF56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xAFD883D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xAFD8B08C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xAFD896AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xAFD8C71A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xAFD8CBD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xAFD88B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xAFD8CCB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xAFD8CDE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xAFD8C54C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xAFD8947E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xAFD894F0]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + C8 804E2734 4 Bytes JMP 06AFD8B1
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [B4, CC, D8, AF, E0, CD, D8, ...]
.text ntoskrnl.exe!IoIsOperationSynchronous 804E876A 3 Bytes JMP AFDA09E0 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntoskrnl.exe!IoIsOperationSynchronous + 4 804E876E 1 Byte [2F]
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512959 5 Bytes JMP AFDA0626 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1020] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2044] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[2044] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2356] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[3964] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[3964] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:24 AM

Posted 26 September 2010 - 07:01 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 markphx

markphx
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 27 September 2010 - 10:37 AM

I am ready and awaiting your instructions.

Mark

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:24 AM

Posted 27 September 2010 - 04:43 PM

It could be a permissions issue, but there are trojan entries in the log, so please run ComboFix and let's see what we can remove.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE
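The "trojan entries in the log" that m0le points at can be surfaced mechanically. As an added example (not a tool from this thread or from BleepingComputer), this Python script applies three triage heuristics to a constructed excerpt of the DDS log posted above: new files dropped directly into c:\windows rather than a subfolder, bursts of files created within the same minute, and new files that are autostarted via a Run entry or are currently running. The section names and line formats are those of the DDS log itself; the heuristics and thresholds are the example's own assumptions.

```python
"""Triage heuristics over a DDS log: correlate the "Created Last 30" section with
uRun/mRun autostart entries and the Running Processes list. Added example; not a
tool from the thread."""
import re
from collections import defaultdict

# Constructed excerpt of the DDS log posted above (a handful of its lines only).
DDS_EXCERPT = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svcwinra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\resfilter32.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [zdrinit] c:\windows\svcwinra.exe

=============== Created Last 30 ================

2010-09-15 01:27:53 0 ----a-w- c:\windows\sspra32wl.dll
2010-09-04 15:50:31 453632 ----a-w- c:\windows\system32\SetACL.ocx
2010-09-04 15:50:24 397824 ----a-w- c:\windows\resfilter32.exe
2010-09-04 15:50:22 800256 ----a-w- c:\windows\svcwinra.exe
2010-08-23 07:39:48 0 d-----w- C:\Nexon
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")           # "===== Name ====="
EXE_PATH_RE = re.compile(r"^([a-z]:\\.+?\.exe)\b", re.IGNORECASE)
RUN_RE = re.compile(r'^[um]Run: \[(.+?)\] "?([a-z]:\\.+?\.exe)"?', re.IGNORECASE)
# date time size attributes path; seconds are dropped so we can group by minute
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} (\d+) (\S+) (.+)$")


def parse_sections(text):
    """Split the log into {section name: [non-empty lines]} using the ===== headers."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current:
            sections[current].append(line)
    return sections


def triage(text):
    """Return {lowercased path: sorted reasons} for new files worth a closer look."""
    sections = parse_sections(text)
    reasons = defaultdict(set)

    created = {}                      # path -> minute of creation
    per_minute = defaultdict(list)    # minute -> paths created in that minute
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        minute, _size, attrs, path = m.groups()
        if attrs.startswith("d"):     # directories are not interesting here
            continue
        path = path.lower()
        created[path] = minute
        per_minute[minute].append(path)
        # Heuristic 1 (assumption): droppers often write straight into c:\windows.
        if path.rpartition("\\")[0] == r"c:\windows":
            reasons[path].add("new file dropped directly in c:\\windows")

    # Heuristic 2 (assumption): several new files in one minute look like one install.
    for paths in per_minute.values():
        if len(paths) > 1:
            for p in paths:
                reasons[p].add(f"created within the same minute as {len(paths) - 1} other new file(s)")

    # Heuristic 3: a brand-new file that already persists or runs is the strongest signal.
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if m and m.group(2).lower() in created:
            reasons[m.group(2).lower()].add(f"autostarts via Run entry [{m.group(1)}]")
    for line in sections.get("Running Processes", []):
        m = EXE_PATH_RE.match(line)
        if m and m.group(1).lower() in created:
            reasons[m.group(1).lower()].add("currently running")

    return {p: sorted(r) for p, r in reasons.items()}


if __name__ == "__main__":
    for path, why in sorted(triage(DDS_EXCERPT).items(), key=lambda kv: -len(kv[1])):
        print(f"{path}\n    " + "\n    ".join(why))
```

On the excerpt, svcwinra.exe trips all three heuristics (dropped in c:\windows, part of the 15:50 burst, autostarted by [zdrinit] and running), which is exactly the entry m0le's reply is pointing at; the same-minute rule also pulls in SetACL.ocx under system32, which a location-only check would miss.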

#5 markphx

markphx
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  • Local time:01:24 AM

Posted 27 September 2010 - 10:03 PM

Here is the ComboFix log. Thanks.




ComboFix 10-09-27.04 - Mark 09/27/2010 19:27:42.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1559 [GMT -7:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mark\Application Data\data.dat
c:\documents and settings\Mark\Recent\Thumbs.db
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\jestertb.dll
c:\windows\sp32snwl.dll
c:\windows\sspra32wl.dll
c:\windows\ssprb32wl.dll
E:\install.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-28 )))))))))))))))))))))))))))))))
.

2010-09-18 18:53 . 2010-06-04 04:24 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2010-09-18 18:52 . 2010-09-18 18:58 -------- d-----w- c:\documents and settings\Guest
2010-09-04 15:50 . 2010-06-11 03:28 6512640 ----a-w- c:\windows\sspro.exe
2010-09-04 15:50 . 2010-05-08 15:08 296448 ----a-w- c:\windows\perfsysdeam.dll
2010-09-04 15:50 . 2010-01-22 04:34 304128 ----a-w- c:\windows\msatools64.dll
2010-09-04 15:50 . 2010-01-22 05:09 566784 ----a-w- c:\windows\lsemanager.exe
2010-09-04 15:50 . 2010-01-18 19:59 397824 ----a-w- c:\windows\resfilter32.exe
2010-09-04 15:50 . 2010-01-22 05:08 605696 ----a-w- c:\windows\mdiwinsvr.exe
2010-09-04 15:50 . 2010-06-11 03:23 800256 ----a-w- c:\windows\svcwinra.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 02:41 . 2009-04-26 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-09-28 02:39 . 2009-04-26 22:10 933920 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-09-28 02:39 . 2009-04-26 22:10 5320 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-09-28 02:39 . 2009-04-26 22:10 4365344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-09-28 02:39 . 2009-04-26 22:10 36232 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-09-26 15:54 . 2009-05-10 16:55 2324 ----a-w- c:\windows\swn32reg.dll
2010-09-18 18:55 . 2010-09-18 18:55 71640 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-18 18:55 . 2010-09-18 18:55 128 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2010-09-18 18:55 . 2010-09-18 18:55 -------- d-----w- c:\documents and settings\Guest\Application Data\ATI
2010-09-17 02:12 . 2009-09-15 22:41 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent
2010-09-08 21:46 . 2009-12-12 18:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 06:06 . 2010-03-02 01:44 -------- d-----w- c:\documents and settings\Mark\Application Data\Skype
2010-09-03 02:02 . 2010-03-02 01:46 -------- d-----w- c:\documents and settings\Mark\Application Data\skypePM
2010-08-23 00:47 . 2010-08-23 00:16 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-08-23 00:47 . 2010-08-23 00:16 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-08-23 00:47 . 2010-08-23 00:16 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-08-23 00:16 . 2010-08-23 00:16 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-08-23 00:16 . 2010-08-23 00:16 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-08-23 00:16 . 2010-08-23 00:16 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-08-23 00:16 . 2010-08-23 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-08-22 22:53 . 2010-08-22 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-08-22 22:51 . 2010-08-22 22:51 -------- d-----w- c:\program files\Pando Networks
2010-08-22 16:56 . 2010-08-22 16:56 -------- d-----w- c:\program files\Common Files\Java
2010-08-22 16:55 . 2009-04-27 04:07 -------- d-----w- c:\program files\Java
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 20:23 . 2010-08-16 20:23 -------- d-----w- c:\documents and settings\Mark\Application Data\Datel
2010-08-16 20:23 . 2010-08-16 20:23 -------- d-----w- c:\program files\Datel
2010-08-14 15:41 . 2010-05-14 06:20 -------- d-----w- c:\documents and settings\Mark\Application Data\vlc
2010-08-06 08:01 . 2010-08-06 08:01 503808 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31bc4dd1-n\msvcp71.dll
2010-08-06 08:01 . 2010-08-06 08:01 499712 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31bc4dd1-n\jmc.dll
2010-08-06 08:01 . 2010-08-06 08:01 348160 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31bc4dd1-n\msvcr71.dll
2010-08-06 08:01 . 2010-08-06 08:01 12800 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-474a43f9-n\decora-d3d.dll
2010-08-06 08:01 . 2010-08-06 08:01 61440 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-474a43f9-n\decora-sse.dll
2010-08-06 06:08 . 2010-08-06 06:08 16286 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\cache\6.0\5\42c06805-37b316cc-n\ShoddyHelper.dll
2010-07-29 17:03 . 2009-04-26 22:11 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 17:03 . 2009-04-26 22:11 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-29 04:56 . 2010-07-29 04:54 99 ----a-w- c:\documents and settings\Mark\jagex_runescape_preferences2.dat
2010-07-29 04:56 . 2010-07-29 04:52 46 ----a-w- c:\documents and settings\Mark\jagex_runescape_preferences.dat
2010-07-29 04:54 . 2010-07-29 04:54 0 ----a-w- c:\documents and settings\Mark\jagex__preferences3.dat
2010-07-27 02:47 . 2010-07-27 02:47 134269 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CECE33DF-71BB-44A9-AFF5-CCD551136F8F}\_B77BE1305F92F386486173.exe
2010-07-27 02:47 . 2010-07-27 02:47 134269 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CECE33DF-71BB-44A9-AFF5-CCD551136F8F}\_6FEFF9B68218417F98F549.exe
2010-07-27 02:47 . 2010-07-27 02:47 134269 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CECE33DF-71BB-44A9-AFF5-CCD551136F8F}\_1BBC378961B3A26A491BC7.exe
2010-07-22 15:49 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-27 16:41 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 12:00 . 2010-07-24 17:32 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-13 18:44 . 2010-08-06 21:02 65536 ----a-w- c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\ydkp4ox2.default\extensions\{771f3037-9885-4423-b50f-a5ede4854e26}\components\Engine.dll
2010-06-30 12:31 . 2002-09-03 16:58 149504 ----a-w- c:\windows\system32\schannel.dll
2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-03-28 19:11 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"sprinit"="c:\windows\svcwinra.exe" [2010-06-11 800256]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"BCMSMMSG"=BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\Launcher.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"=
"e:\\Programs Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"e:\\Programs Files\\Steam\\SteamApps\\haku1343\\condition zero\\hl.exe"=
"e:\\Programs Files\\Steam\\SteamApps\\haku1343\\counter-strike\\hl.exe"=
"e:\\Programs Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.2.2.10257-enUS-ptr-downloader.exe"=
"e:\\My Documents\\Brandon\\Programs\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Programs Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"e:\\Programs Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Programs Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\vmware-remotemks.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"=
"e:\\My Documents\\Brandon\\Programs\\keyclone.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.3.0.10522-enUS-ptr-downloader.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.3.5.12045-to-0.3.5.12124-enUS-ptr-downloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
"58094:TCP"= 58094:TCP:Pando Media Booster
"58094:UDP"= 58094:UDP:Pando Media Booster

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\ousbehci.sys [5/7/2009 9:11 PM 39040]
R2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2/10/2010 12:54 PM 151552]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\system32\drivers\ousb2hub.sys [5/7/2009 9:11 PM 54016]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [10/9/2009 8:15 PM 33920]
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [4/26/2009 12:02 PM 98432]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [3/16/2010 4:27 PM 10752]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [5/1/2009 11:37 PM 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [5/1/2009 11:37 PM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-03-28 19:11]

2010-09-28 c:\windows\Tasks\User_Feed_Synchronization-{192002E2-FC6E-46CC-8E73-72B93EE3B624}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
Trusted Zone: mayo.edu\mcalink
TCP: {00509DA1-03C9-4F27-8098-58219E5A87C8} = 192.168.2.1
TCP: {BF48B5B3-7998-4143-9647-0ED850A8DF01} = 192.168.2.1
TCP: {D3E36978-FD26-4776-891F-9839D96C5723} = 192.168.2.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxp://vdi.mayo.edu/downloads/VMware-viewclient.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Power Sound Editor Free - e:\mydocu~1\Brandon\Programs\POWERS~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 19:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(300)
c:\windows\system32\WININET.dll
c:\windows\perfsysdeam.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\resfilter32.exe
.
**************************************************************************
.
Completion time: 2010-09-27 19:57:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-28 02:57

Pre-Run: 18,993,520,640 bytes free
Post-Run: 19,535,343,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - FEFEA57C3A684FC646BABF1CE3CC6CFD
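Added example, not part of this thread and not a ComboFix feature: a small Python triage helper that parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log like the one above and flags autorun values that deserve a second look during review, namely binaries placed directly in the Windows directory (as "sprinit"="c:\windows\svcwinra.exe" is here) and bare file names that Windows resolves through its search path. The sample lines are copied from the log above; the regexes and the two review heuristics are this example's own assumptions, and a flag means "look at this entry", not "this is malware".

```python
"""Triage helper for the Run-key section of a ComboFix log (added example).

Parses the REGEDIT4-style dump ComboFix emits under "Reg Loading Points" and
flags autorun values whose executable path is unusual enough to review.
Not part of ComboFix; the heuristics below are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: Run-key lines copied from the thread's ComboFix log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"sprinit"="c:\windows\svcwinra.exe" [2010-06-11 800256]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"BCMSMMSG"=BCMSMMSG.exe
"""

# [HKEY_...] section header
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="quoted path" ...   or   "name"=unquoted_token ...
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<qpath>[^"]*)"|(?P<upath>\S+))(?P<rest>.*)$')
# ComboFix appends [YYYY-MM-DD size] after the value when it found the file
STAMP_RE = re.compile(r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]")


@dataclass
class Autorun:
    key: str
    name: str
    path: str
    date: Optional[str]
    size: Optional[int]


def parse_autoruns(text: str) -> List[Autorun]:
    """Return every value found under a ...\\CurrentVersion\\Run* key."""
    entries: List[Autorun] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if "\\currentversion\\run" not in key.lower():
            continue  # ignore BHO/toolbar/firewall sections in this example
        m = VALUE_RE.match(line)
        if not m:
            continue
        path = m.group("qpath") if m.group("qpath") is not None else m.group("upath")
        stamp = STAMP_RE.search(m.group("rest"))
        entries.append(Autorun(
            key, m.group("name"), path,
            stamp.group("date") if stamp else None,
            int(stamp.group("size")) if stamp else None,
        ))
    return entries


def review_reason(entry: Autorun) -> Optional[str]:
    """Heuristic (assumption of this example): why an autorun merits review."""
    p = entry.path.lower()
    if "\\" not in p:
        return "bare file name, resolved through the search path"
    prefix = "c:\\windows\\"
    if p.startswith(prefix) and "\\" not in p[len(prefix):]:
        return "binary placed directly in the Windows directory"
    return None


def flag_for_review(text: str) -> List[Tuple[str, str, str]]:
    """(value name, path, reason) for each autorun the heuristics flag."""
    flagged = []
    for e in parse_autoruns(text):
        reason = review_reason(e)
        if reason:
            flagged.append((e.name, e.path, reason))
    return flagged


if __name__ == "__main__":
    for name, path, reason in flag_for_review(SAMPLE_LOG):
        print(f"{name:<16} {path:<45} {reason}")
```

Run it against a saved ComboFix.txt by reading the file into `flag_for_review`; the sample above yields three entries for review (nwiz, sprinit, BCMSMMSG), of which only the reviewer can say which are legitimate vendor software and which are not.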


#6 m0le
  • Malware Response Team

Posted 28 September 2010 - 03:55 PM

The Ask toolbar is not recommended. This toolbar enhances internet browsing and provides a direct link to the "ask.com" search engine. This program is not known to be bundled with spyware; the company strongly denies that the toolbar is malware.

Please read why it might be good to remove it here.

If you choose to remove it then follow the instructions below.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick (or right-click, if you are using Vista) the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Ask.com

Additional instructions can be found here if needed.


Then

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Finally run the ESET scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Edited by m0le, 28 September 2010 - 03:56 PM.

m0le is a proud member of UNITE

#7 markphx
  • Topic Starter

Posted 28 September 2010 - 10:29 PM

Here is the recent combofix log. ESET did not find any infections.


ComboFix 10-09-27.05 - Mark 09/28/2010 18:47:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1534 [GMT -7:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-18 18:53 . 2010-06-04 04:24 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2010-09-18 18:52 . 2010-09-18 18:58 -------- d-----w- c:\documents and settings\Guest
2010-09-04 15:50 . 2010-06-11 03:28 6512640 ----a-w- c:\windows\sspro.exe
2010-09-04 15:50 . 2010-05-08 15:08 296448 ----a-w- c:\windows\perfsysdeam.dll
2010-09-04 15:50 . 2010-01-22 04:34 304128 ----a-w- c:\windows\msatools64.dll
2010-09-04 15:50 . 2010-01-22 05:09 566784 ----a-w- c:\windows\lsemanager.exe
2010-09-04 15:50 . 2010-01-18 19:59 397824 ----a-w- c:\windows\resfilter32.exe
2010-09-04 15:50 . 2010-01-22 05:08 605696 ----a-w- c:\windows\mdiwinsvr.exe
2010-09-04 15:50 . 2010-06-11 03:23 800256 ----a-w- c:\windows\svcwinra.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 20:39 . 2009-04-26 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-09-28 07:02 . 2009-04-26 22:10 933920 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-09-28 07:02 . 2009-04-26 22:10 5320 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-09-28 07:02 . 2009-04-26 22:10 4365344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-09-28 07:02 . 2009-04-26 22:10 36232 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-09-26 15:54 . 2009-05-10 16:55 2324 ----a-w- c:\windows\swn32reg.dll
2010-09-18 18:55 . 2010-09-18 18:55 71640 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-18 18:55 . 2010-09-18 18:55 128 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2010-09-18 18:55 . 2010-09-18 18:55 -------- d-----w- c:\documents and settings\Guest\Application Data\ATI
2010-09-17 02:12 . 2009-09-15 22:41 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent
2010-09-08 21:46 . 2009-12-12 18:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-03 06:06 . 2010-03-02 01:44 -------- d-----w- c:\documents and settings\Mark\Application Data\Skype
2010-09-03 02:02 . 2010-03-02 01:46 -------- d-----w- c:\documents and settings\Mark\Application Data\skypePM
2010-08-23 00:47 . 2010-08-23 00:16 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-08-23 00:47 . 2010-08-23 00:16 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-08-23 00:47 . 2010-08-23 00:16 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-08-23 00:16 . 2010-08-23 00:16 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-08-23 00:16 . 2010-08-23 00:16 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-08-23 00:16 . 2010-08-23 00:16 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-08-23 00:16 . 2010-08-23 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-08-22 22:53 . 2010-08-22 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-08-22 22:51 . 2010-08-22 22:51 -------- d-----w- c:\program files\Pando Networks
2010-08-22 16:56 . 2010-08-22 16:56 -------- d-----w- c:\program files\Common Files\Java
2010-08-22 16:55 . 2009-04-27 04:07 -------- d-----w- c:\program files\Java
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 20:23 . 2010-08-16 20:23 -------- d-----w- c:\documents and settings\Mark\Application Data\Datel
2010-08-16 20:23 . 2010-08-16 20:23 -------- d-----w- c:\program files\Datel
2010-08-14 15:41 . 2010-05-14 06:20 -------- d-----w- c:\documents and settings\Mark\Application Data\vlc
2010-08-06 08:01 . 2010-08-06 08:01 503808 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31bc4dd1-n\msvcp71.dll
2010-08-06 08:01 . 2010-08-06 08:01 499712 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31bc4dd1-n\jmc.dll
2010-08-06 08:01 . 2010-08-06 08:01 348160 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-31bc4dd1-n\msvcr71.dll
2010-08-06 08:01 . 2010-08-06 08:01 12800 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-474a43f9-n\decora-d3d.dll
2010-08-06 08:01 . 2010-08-06 08:01 61440 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-474a43f9-n\decora-sse.dll
2010-08-06 06:08 . 2010-08-06 06:08 16286 ----a-w- c:\documents and settings\Mark\Application Data\Sun\Java\Deployment\cache\6.0\5\42c06805-37b316cc-n\ShoddyHelper.dll
2010-07-29 17:03 . 2009-04-26 22:11 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 17:03 . 2009-04-26 22:11 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-29 04:56 . 2010-07-29 04:54 99 ----a-w- c:\documents and settings\Mark\jagex_runescape_preferences2.dat
2010-07-29 04:56 . 2010-07-29 04:52 46 ----a-w- c:\documents and settings\Mark\jagex_runescape_preferences.dat
2010-07-29 04:54 . 2010-07-29 04:54 0 ----a-w- c:\documents and settings\Mark\jagex__preferences3.dat
2010-07-27 02:47 . 2010-07-27 02:47 134269 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CECE33DF-71BB-44A9-AFF5-CCD551136F8F}\_B77BE1305F92F386486173.exe
2010-07-27 02:47 . 2010-07-27 02:47 134269 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CECE33DF-71BB-44A9-AFF5-CCD551136F8F}\_6FEFF9B68218417F98F549.exe
2010-07-27 02:47 . 2010-07-27 02:47 134269 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{CECE33DF-71BB-44A9-AFF5-CCD551136F8F}\_1BBC378961B3A26A491BC7.exe
2010-07-22 15:49 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-27 16:41 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 12:00 . 2010-07-24 17:32 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-13 18:44 . 2010-08-06 21:02 65536 ----a-w- c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\ydkp4ox2.default\extensions\{771f3037-9885-4423-b50f-a5ede4854e26}\components\Engine.dll
2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-03-28 19:11 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"sprinit"="c:\windows\svcwinra.exe" [2010-06-11 800256]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"BCMSMMSG"=BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\Launcher.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"=
"e:\\Programs Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"e:\\Programs Files\\Steam\\SteamApps\\haku1343\\condition zero\\hl.exe"=
"e:\\Programs Files\\Steam\\SteamApps\\haku1343\\counter-strike\\hl.exe"=
"e:\\Programs Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.2.2.10257-enUS-ptr-downloader.exe"=
"e:\\My Documents\\Brandon\\Programs\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Programs Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"e:\\Programs Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Programs Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\vmware-remotemks.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"=
"e:\\My Documents\\Brandon\\Programs\\keyclone.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.3.0.10522-enUS-ptr-downloader.exe"=
"e:\\Programs Files\\World of Warcraft Public Test\\WoW-0.3.5.12045-to-0.3.5.12124-enUS-ptr-downloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
"58094:TCP"= 58094:TCP:Pando Media Booster
"58094:UDP"= 58094:UDP:Pando Media Booster

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\ousbehci.sys [5/7/2009 9:11 PM 39040]
R2 wsnm;VMware View Client Service;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2/10/2010 12:54 PM 151552]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\system32\drivers\ousb2hub.sys [5/7/2009 9:11 PM 54016]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [10/9/2009 8:15 PM 33920]
S3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [4/26/2009 12:02 PM 98432]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [3/16/2010 4:27 PM 10752]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [5/1/2009 11:37 PM 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [5/1/2009 11:37 PM 3768]
.
Contents of the 'Scheduled Tasks' folder

2010-09-29 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-03-28 19:11]

2010-09-29 c:\windows\Tasks\User_Feed_Synchronization-{192002E2-FC6E-46CC-8E73-72B93EE3B624}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
Trusted Zone: mayo.edu\mcalink
TCP: {00509DA1-03C9-4F27-8098-58219E5A87C8} = 192.168.2.1
TCP: {BF48B5B3-7998-4143-9647-0ED850A8DF01} = 192.168.2.1
TCP: {D3E36978-FD26-4776-891F-9839D96C5723} = 192.168.2.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxp://vdi.mayo.edu/downloads/VMware-viewclient.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - hxxps://mcalink.mayo.edu/vdesk/terminal/f5opswati.cab#Version=6500,2010,226,1307
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1752)
c:\windows\system32\WININET.dll
c:\windows\perfsysdeam.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-28 19:02:20
ComboFix-quarantined-files.txt 2010-09-29 02:02
ComboFix2.txt 2010-09-28 02:57

Pre-Run: 19,458,576,384 bytes free
Post-Run: 19,473,534,976 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 4155AD146FA07637078C40F85763CD3C


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:24 AM

Posted 29 September 2010 - 01:40 PM

Okay, you're clean of malware.

I think I know the answer to this but...are you still having the problem with Task Manager?
m0le is a proud member of UNITE

#9 markphx

markphx
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:01:24 AM

Posted 29 September 2010 - 04:23 PM

Thanks for helping to clean me up.

The answer is yes. I still have the same problem with Task Manager. It loads fine using ctrl-alt-delete. It also loads fine using Run>taskmgr.exe.

It just does not display any programs that are running under the Applications tab; the window is blank (even when several applications are open). The other tabs do seem to display appropriately.

Thanks.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:24 AM

Posted 29 September 2010 - 04:32 PM

Microsoft have a fix.

Link
m0le is a proud member of UNITE

#11 markphx

markphx
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:01:24 AM

Posted 29 September 2010 - 06:55 PM

This appears to be a "hotfix" for Windows 2000. Do you know if it can be applied to XP?

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:24 AM

Posted 29 September 2010 - 07:03 PM

No it can't. Sorry about that.

You could reset the Task Manager by doing this:



Click "Start." Type "gpedit.msc" into the "Run" box and hit "Enter."

Click "User Configuration." Select "Administrative Templates." Click "System" and choose "Ctrl+Alt+Delete Options."

Select "Remove Task Manager" and double-click.

Click "Disable." By disabling the remove task-manager option, you will be turning the task manager back on. Close out of the registry window.


If this doesn't work, replace "Disable" with "Not Configured", which will do a full reset.
m0le is a proud member of UNITE
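An added example, not part of m0le's reply or any tool used in this thread: the "Remove Task Manager" policy that gpedit.msc edits is stored as the REG_DWORD value DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, so the same three states (Enabled, Disabled, Not Configured) can be inspected and set with reg.exe on editions that ship without gpedit.msc. The script name taskmgr-policy.cmd is a placeholder.

```batch
@echo off
rem Added example, not from this thread. The gpedit.msc policy "Remove Task
rem Manager" (User Configuration) is the REG_DWORD value DisableTaskMgr under
rem HKCU\...\Policies\System:  Enabled = 1, Disabled = 0, Not Configured = value
rem absent.  Usage: taskmgr-policy.cmd [check|disable|reset]   (check is default)
setlocal
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "VAL=DisableTaskMgr"
set "MODE=%~1"
if "%MODE%"=="" set "MODE=check"

if /i "%MODE%"=="disable" (
    rem Same as clicking "Disable" in gpedit: policy present but switched off.
    reg add "%KEY%" /v %VAL% /t REG_DWORD /d 0 /f >nul
    echo %VAL% set to 0 - policy Disabled.
    goto :show
)
if /i "%MODE%"=="reset" (
    rem Same as "Not Configured": remove the value entirely.
    reg delete "%KEY%" /v %VAL% /f >nul 2>&1
    echo %VAL% removed - policy Not Configured.
    goto :show
)
if /i not "%MODE%"=="check" (
    echo Unknown mode "%MODE%". Use check, disable or reset.
    exit /b 2
)

:show
rem Report the current state so the result of any change can be confirmed.
reg query "%KEY%" /v %VAL% >nul 2>&1
if errorlevel 1 (
    echo %VAL%: not present - Not Configured. Task Manager is not blocked by policy.
    exit /b 0
)
rem reg query prints "DisableTaskMgr  REG_DWORD  0x1"; the third token is the data.
set "DATA="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VAL% ^| findstr /i "%VAL%"') do set "DATA=%%A"
if /i "%DATA%"=="0x1" (
    echo %VAL%=0x1 - policy Enabled: Task Manager is disabled for this user.
    echo Run this script with "disable" or "reset" to turn it back on.
    exit /b 1
)
echo %VAL%=%DATA% - policy Disabled: Task Manager is not blocked by it.
exit /b 0
```

A machine-wide copy of the same value under HKLM takes precedence over the per-user one, so if the check reports Not Configured and Task Manager is still blocked, query the HKLM path with the same reg.exe command.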

#13 markphx

markphx
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:01:24 AM

Posted 29 September 2010 - 08:58 PM

I get this message

"Windows cannot find gpedit.msc."

After a quick google it seems that this is a feature in XP Prof., not XP Home (I have Home).

Is there something analogous or another route for resetting Task Manager in XP Home?

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:24 AM

Posted 30 September 2010 - 05:49 PM

This is why I specialise in malware

Try this, on EHow

Failing that please post in the XP forum, they will be able to help there.


We can clear up here though...

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates for any programs that are flagged are carried out as soon as possible.

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le

m0le is a proud member of UNITE

#15 markphx

markphx
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  •  
  • Local time:01:24 AM

Posted 30 September 2010 - 11:35 PM

Thank you for the help. Glad to have those malware bits gone. I'll post a new topic in the XP forum.

Thank you again.

