Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

UNKNOWN VIRUS


  • This topic is locked This topic is locked
12 replies to this topic

#1 ajayz2010

ajayz2010

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 20 September 2010 - 06:42 PM

Ok my problem started withe the security suit. Then being dumb I fell for the fake warnings then downloaded redcross. After that I started researching on google then found the postings about how to remove so I was prompted to download rkll and maleware bytes. This deleted security suit but redcross was still active.I then ran a combo fix then maleware bytes again all the sighns seem to have been gone in safe-mode then wen i started my pc normally it froze right after the loading screen so I restarted. Wen I restarted I chose to use the last known configs that worked option then it started. When it started it seemed fine until I tried to start up the internet browser and it worked for a few minutes until I tried to download something and it failed then security essentials poped up. I tried to run maleware bytes again and it opened and started the scan but it lasted for 24 hours and still was'nt finished yet so I quit the program and ran it in safe mode and it finished and removed 129 viruses then asked me to restart. I restarted, Now no mater how many times I run the virus scan and restart the same viruses come back soon as it restart. please help.

dds_LOG

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by admin at 14:21:15.10 on Mon 09/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.100 [GMT -7:00]

AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: StopSign Antivirus FREE TRIAL diagnostic version *On-access scanning disabled* (Updated) {3E1D4556-3240-40c8-BBED-64A8690A3FB4}
FW: StopSign Firewall FREE TRIAL version *disabled* {06936B90-CB61-4dcb-AABD-C0E25320F6C3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\win32.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\drweb.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\setup.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\win16.exe
C:\WINDOWS\gdi32.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\winamp.exe
C:\WINDOWS\iexplarer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hotmail.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uWinlogon: Shell=c:\documents and settings\admin\application data\antispy.exe
BHO: c:\windows\system32\g5bks.dll: {b1ba40a1-75f2-51bd-f313-04b03a2c8953} - c:\windows\system32\g5bks.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Bhakupujaxa] rundll32.exe "c:\windows\msvcocm.dll",Startup
uRun: [inetserver.exe] c:\inetserver.exe\inetserver.exe
uRun: [MKfre] c:\windows\wininst.exe
uRun: [MKZe] c:\windows\avp.exe
uRun: [MKeg] c:\windows\smss.exe
uRun: [HNUmZIXnqe] c:\docume~1\admin\locals~1\temp\login.exe
uRun: [MKeta] c:\windows\services.exe
uRun: [HNUmZIXneP] c:\docume~1\admin\locals~1\temp\avp32.exe
uRun: [MKaZ] c:\windows\cmd.exe
uRun: [MKasc] c:\windows\drweb.exe
uRun: [MKerb] c:\windows\taskmgr.exe
uRun: [MKaoc] c:\windows\debug.exe
uRun: [HNUmZIXnvZ] c:\docume~1\admin\locals~1\temp\install.exe
uRun: [HNUmZIXnusc] c:\docume~1\admin\locals~1\temp\winlogon.exe
uRun: [MKayc] c:\windows\csrss.exe
uRun: [MKevc] c:\windows\setup.exe
uRun: [HNUmZIXnZP] c:\docume~1\admin\locals~1\temp\gdi32.exe
uRun: [MKbMc] c:\windows\gdi32.exe
uRun: [HNUmZIXnb] c:\docume~1\admin\locals~1\temp\mdm.exe
uRun: [HNUmZIXnfQ] c:\docume~1\admin\locals~1\temp\win16.exe
uRun: [HNUmZIXnsb] c:\docume~1\admin\locals~1\temp\drweb.exe
uRun: [HNUmZIXn0Z] c:\docume~1\admin\locals~1\temp\system.exe
uRun: [HNUmZIXnwe] c:\docume~1\admin\locals~1\temp\setup.exe
uRun: [HNUmZIXnsf] c:\docume~1\admin\locals~1\temp\lsass.exe
uRun: [HNUmZIXnxc] c:\docume~1\admin\locals~1\temp\smss.exe
uRun: [MKeuf] c:\windows\spoolsv.exe
uRun: [HNUmZIXntg] c:\docume~1\admin\locals~1\temp\wininst.exe
uRun: [MKfpe] c:\windows\winamp.exe
uRun: [HNUmZIXnuf] c:\docume~1\admin\locals~1\temp\csrss.exe
uRun: [MKbtc] c:\windows\hexdump.exe
uRun: [HNUmZIXnz49\admin\LOCALS~1\Temp\4065986940.exe] c:\docume~1\admin\locals~1\temp\4065986940.exe
uRun: [HNUmZIXn11A\admin\LOCALS~1\Temp\3919882296.exe] c:\docume~1\admin\locals~1\temp\3919882296.exe
uRun: [MKexe] c:\windows\system.exe
uRun: [HNUmZIXnth] c:\docume~1\admin\locals~1\temp\svchost.exe
uRun: [HNUmZIXnxb] c:\docume~1\admin\locals~1\temp\sysedit.exe
uRun: [HNUmZIXn01+\admin\LOCALS~1\Temp\1872738416.exe] c:\docume~1\admin\locals~1\temp\1872738416.exe
uRun: [HNUmZIXn01O\admin\LOCALS~1\Temp\314958620.exe] c:\docume~1\admin\locals~1\temp\314958620.exe
uRun: [HNUmZIXn02Q\admin\LOCALS~1\Temp\245728976.exe] c:\docume~1\admin\locals~1\temp\245728976.exe
uRun: [HNUmZIXnd] c:\docume~1\admin\locals~1\temp\avp.exe
uRun: [HNUmZIXnrc] c:\docume~1\admin\locals~1\temp\winamp.exe
uRun: [MKfa] c:\windows\win.exe
uRun: [HNUmZIXnqg] c:\docume~1\admin\locals~1\temp\hexdump.exe
uRun: [MKcZ] c:\windows\mdm.exe
uRun: [MKese] c:\windows\svchost.exe
uRun: [MKZSc] c:\windows\avp32.exe
uRun: [HNUmZIXnwpc] c:\docume~1\admin\locals~1\temp\services.exe
uRun: [MKfPc] c:\windows\win32.exe
uRun: [MKdw+] c:\windows\nvsvc32.exe
uRun: [HNUmZIXnsd] c:\docume~1\admin\locals~1\temp\taskmgr.exe
uRun: [MKcuc] c:\windows\lsass.exe
uRun: [MKetc] c:\windows\sysedit.exe
uRun: [MKbta] c:\windows\install.exe
uRun: [HNUmZIXnwg] c:\docume~1\admin\locals~1\temp\spoolsv.exe
uRun: [HNUmZIXnz9] c:\docume~1\admin\locals~1\temp\nvsvc32.exe
uRun: [MKee] c:\windows\user.exe
uRun: [MKbuqc] c:\windows\iexplarer.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [webscan] "c:\program files\acceleration software\anti-virus\stopsignav.exe" -k
mRun: [SoftwareStation] "c:\program files\eacceleration\station\station.exe" /b Startup
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [OnAccess] "c:\program files\stopsign\onaccess\onaccess.exe" -erk
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [Sjute] rundll32.exe "c:\windows\ucihehat.dll",Startup
mRun: [MKfre] c:\windows\wininst.exe
mRun: [MKZe] c:\windows\avp.exe
mRun: [MKeg] c:\windows\smss.exe
mRun: [HNUmZIXnqe] c:\docume~1\admin\locals~1\temp\login.exe
mRun: [MKeta] c:\windows\services.exe
mRun: [HNUmZIXneP] c:\docume~1\admin\locals~1\temp\avp32.exe
mRun: [MKaZ] c:\windows\cmd.exe
mRun: [MKasc] c:\windows\drweb.exe
mRun: [MKerb] c:\windows\taskmgr.exe
mRun: [MKaoc] c:\windows\debug.exe
mRun: [HNUmZIXnvZ] c:\docume~1\admin\locals~1\temp\install.exe
mRun: [HNUmZIXnusc] c:\docume~1\admin\locals~1\temp\winlogon.exe
mRun: [MKayc] c:\windows\csrss.exe
mRun: [MKevc] c:\windows\setup.exe
mRun: [HNUmZIXnZP] c:\docume~1\admin\locals~1\temp\gdi32.exe
mRun: [MKbMc] c:\windows\gdi32.exe
mRun: [HNUmZIXnb] c:\docume~1\admin\locals~1\temp\mdm.exe
mRun: [HNUmZIXnfQ] c:\docume~1\admin\locals~1\temp\win16.exe
mRun: [HNUmZIXnsb] c:\docume~1\admin\locals~1\temp\drweb.exe
mRun: [HNUmZIXn0Z] c:\docume~1\admin\locals~1\temp\system.exe
mRun: [HNUmZIXnwe] c:\docume~1\admin\locals~1\temp\setup.exe
mRun: [HNUmZIXnsf] c:\docume~1\admin\locals~1\temp\lsass.exe
mRun: [HNUmZIXnxc] c:\docume~1\admin\locals~1\temp\smss.exe
mRun: [MKeuf] c:\windows\spoolsv.exe
mRun: [HNUmZIXntg] c:\docume~1\admin\locals~1\temp\wininst.exe
mRun: [MKfpe] c:\windows\winamp.exe
mRun: [HNUmZIXnuf] c:\docume~1\admin\locals~1\temp\csrss.exe
mRun: [MKbtc] c:\windows\hexdump.exe
mRun: [HNUmZIXnz49\admin\LOCALS~1\Temp\4065986940.exe] c:\docume~1\admin\locals~1\temp\4065986940.exe
mRun: [HNUmZIXn11A\admin\LOCALS~1\Temp\3919882296.exe] c:\docume~1\admin\locals~1\temp\3919882296.exe
mRun: [MKexe] c:\windows\system.exe
mRun: [HNUmZIXnth] c:\docume~1\admin\locals~1\temp\svchost.exe
mRun: [HNUmZIXnxb] c:\docume~1\admin\locals~1\temp\sysedit.exe
mRun: [HNUmZIXn01+\admin\LOCALS~1\Temp\1872738416.exe] c:\docume~1\admin\locals~1\temp\1872738416.exe
mRun: [HNUmZIXn01O\admin\LOCALS~1\Temp\314958620.exe] c:\docume~1\admin\locals~1\temp\314958620.exe
mRun: [HNUmZIXn02Q\admin\LOCALS~1\Temp\245728976.exe] c:\docume~1\admin\locals~1\temp\245728976.exe
mRun: [HNUmZIXnd] c:\docume~1\admin\locals~1\temp\avp.exe
mRun: [HNUmZIXnrc] c:\docume~1\admin\locals~1\temp\winamp.exe
mRun: [MKfa] c:\windows\win.exe
mRun: [HNUmZIXnqg] c:\docume~1\admin\locals~1\temp\hexdump.exe
mRun: [MKcZ] c:\windows\mdm.exe
mRun: [MKese] c:\windows\svchost.exe
mRun: [HNUmZIXnwpc] c:\docume~1\admin\locals~1\temp\services.exe
mRun: [MKZSc] c:\windows\avp32.exe
mRun: [HNUmZIXnsd] c:\docume~1\admin\locals~1\temp\taskmgr.exe
mRun: [MKfPc] c:\windows\win32.exe
mRun: [MKdw+] c:\windows\nvsvc32.exe
mRun: [MKcuc] c:\windows\lsass.exe
mRun: [MKetc] c:\windows\sysedit.exe
mRun: [MKbta] c:\windows\install.exe
mRun: [HNUmZIXnwg] c:\docume~1\admin\locals~1\temp\spoolsv.exe
mRun: [HNUmZIXnz9] c:\docume~1\admin\locals~1\temp\nvsvc32.exe
mRun: [MKee] c:\windows\user.exe
mRun: [MKbuqc] c:\windows\iexplarer.exe
dRun: [inetserver.exe] c:\inetserver.exe\inetserver.exe
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230586529390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230586594593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {B1BA40A2-75F2-51BD-F413-04B13A2C8953} - No File
STS: c:\windows\system32\g5bks.dll: {b1ba40a1-75f2-51bd-f313-04b03a2c8953} - c:\windows\system32\g5bks.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: ExecuteMonitorShellHook Class: {42dd0873-5fa9-465d-90de-0826020416a5} - c:\program files\stopsign\onaccess\onaccess_hk32.dll
LSA: Notification Packages = msv1_0 scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\25zqgi1k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://hotmail.com/
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6092
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {FCAFF0A7-115F-4837-8BB0-5CD6DC54B36B} - c:\documents and settings\admin\local settings\application data\{FCAFF0A7-115F-4837-8BB0-5CD6DC54B36B}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 fwcore;Fwcore Filter;c:\windows\system32\drivers\fwcore.sys [2009-4-29 109664]
S1 aesqbii32;aesqbii32;\??\c:\windows\system32\drivers\aesqbii32.sys --> c:\windows\system32\drivers\aesqbii32.sys [?]
S1 akwhsti;akwhsti;\??\c:\windows\system32\drivers\akwhsti.sys --> c:\windows\system32\drivers\akwhsti.sys [?]
S1 amgqubq;amgqubq;\??\c:\windows\system32\drivers\amgqubq.sys --> c:\windows\system32\drivers\amgqubq.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-29 97928]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-29 26824]
S1 bwlrfcc;bwlrfcc;\??\c:\windows\system32\drivers\bwlrfcc.sys --> c:\windows\system32\drivers\bwlrfcc.sys [?]
S1 cnpkfxy32;cnpkfxy32;\??\c:\windows\system32\drivers\cnpkfxy32.sys --> c:\windows\system32\drivers\cnpkfxy32.sys [?]
S1 dyluxfm32;dyluxfm32;\??\c:\windows\system32\drivers\dyluxfm32.sys --> c:\windows\system32\drivers\dyluxfm32.sys [?]
S1 evmyqdf32;evmyqdf32;\??\c:\windows\system32\drivers\evmyqdf32.sys --> c:\windows\system32\drivers\evmyqdf32.sys [?]
S1 fblrvfe32;fblrvfe32;\??\c:\windows\system32\drivers\fblrvfe32.sys --> c:\windows\system32\drivers\fblrvfe32.sys [?]
S1 fkbhuob;fkbhuob;\??\c:\windows\system32\drivers\fkbhuob.sys --> c:\windows\system32\drivers\fkbhuob.sys [?]
S1 furnwpo;furnwpo;\??\c:\windows\system32\drivers\furnwpo.sys --> c:\windows\system32\drivers\furnwpo.sys [?]
S1 heavtot32;heavtot32;\??\c:\windows\system32\drivers\heavtot32.sys --> c:\windows\system32\drivers\heavtot32.sys [?]
S1 hskpype;hskpype;\??\c:\windows\system32\drivers\hskpype.sys --> c:\windows\system32\drivers\hskpype.sys [?]
S1 jfkfhhs;jfkfhhs;\??\c:\windows\system32\drivers\jfkfhhs.sys --> c:\windows\system32\drivers\jfkfhhs.sys [?]
S1 jkcopuv;jkcopuv;\??\c:\windows\system32\drivers\jkcopuv.sys --> c:\windows\system32\drivers\jkcopuv.sys [?]
S1 jxmpyen;jxmpyen;\??\c:\windows\system32\drivers\jxmpyen.sys --> c:\windows\system32\drivers\jxmpyen.sys [?]
S1 kbdukgi;kbdukgi;\??\c:\windows\system32\drivers\kbdukgi.sys --> c:\windows\system32\drivers\kbdukgi.sys [?]
S1 kvbacrv32;kvbacrv32;\??\c:\windows\system32\drivers\kvbacrv32.sys --> c:\windows\system32\drivers\kvbacrv32.sys [?]
S1 lbfsvja32;lbfsvja32;\??\c:\windows\system32\drivers\lbfsvja32.sys --> c:\windows\system32\drivers\lbfsvja32.sys [?]
S1 lnywajn;lnywajn;\??\c:\windows\system32\drivers\lnywajn.sys --> c:\windows\system32\drivers\lnywajn.sys [?]
S1 mfftcso;mfftcso;\??\c:\windows\system32\drivers\mfftcso.sys --> c:\windows\system32\drivers\mfftcso.sys [?]
S1 mjovspi;mjovspi;\??\c:\windows\system32\drivers\mjovspi.sys --> c:\windows\system32\drivers\mjovspi.sys [?]
S1 mmxnlcj;mmxnlcj;\??\c:\windows\system32\drivers\mmxnlcj.sys --> c:\windows\system32\drivers\mmxnlcj.sys [?]
S1 mpqslrk;mpqslrk;\??\c:\windows\system32\drivers\mpqslrk.sys --> c:\windows\system32\drivers\mpqslrk.sys [?]
S1 olatolv;olatolv;\??\c:\windows\system32\drivers\olatolv.sys --> c:\windows\system32\drivers\olatolv.sys [?]
S1 pgmncri32;pgmncri32;\??\c:\windows\system32\drivers\pgmncri32.sys --> c:\windows\system32\drivers\pgmncri32.sys [?]
S1 pxojohm32;pxojohm32;\??\c:\windows\system32\drivers\pxojohm32.sys --> c:\windows\system32\drivers\pxojohm32.sys [?]
S1 qjoypws32;qjoypws32;\??\c:\windows\system32\drivers\qjoypws32.sys --> c:\windows\system32\drivers\qjoypws32.sys [?]
S1 qoeqqqq32;qoeqqqq32;\??\c:\windows\system32\drivers\qoeqqqq32.sys --> c:\windows\system32\drivers\qoeqqqq32.sys [?]
S1 qwvjakb32;qwvjakb32;\??\c:\windows\system32\drivers\qwvjakb32.sys --> c:\windows\system32\drivers\qwvjakb32.sys [?]
S1 rllsuqx32;rllsuqx32;\??\c:\windows\system32\drivers\rllsuqx32.sys --> c:\windows\system32\drivers\rllsuqx32.sys [?]
S1 sxmwrjs32;sxmwrjs32;\??\c:\windows\system32\drivers\sxmwrjs32.sys --> c:\windows\system32\drivers\sxmwrjs32.sys [?]
S1 tdmytuv32;tdmytuv32;\??\c:\windows\system32\drivers\tdmytuv32.sys --> c:\windows\system32\drivers\tdmytuv32.sys [?]
S1 tdumvrg;tdumvrg;\??\c:\windows\system32\drivers\tdumvrg.sys --> c:\windows\system32\drivers\tdumvrg.sys [?]
S1 tewcofq32;tewcofq32;\??\c:\windows\system32\drivers\tewcofq32.sys --> c:\windows\system32\drivers\tewcofq32.sys [?]
S1 tojgbat32;tojgbat32;\??\c:\windows\system32\drivers\tojgbat32.sys --> c:\windows\system32\drivers\tojgbat32.sys [?]
S1 tqthqiu;tqthqiu;\??\c:\windows\system32\drivers\tqthqiu.sys --> c:\windows\system32\drivers\tqthqiu.sys [?]
S1 tteiilv;tteiilv;\??\c:\windows\system32\drivers\tteiilv.sys --> c:\windows\system32\drivers\tteiilv.sys [?]
S1 udnjrno32;udnjrno32;\??\c:\windows\system32\drivers\udnjrno32.sys --> c:\windows\system32\drivers\udnjrno32.sys [?]
S1 uqgkeqw32;uqgkeqw32;c:\windows\system32\drivers\uqgkeqw32.sys [2004-8-12 302528]
S1 wcesceq;wcesceq;\??\c:\windows\system32\drivers\wcesceq.sys --> c:\windows\system32\drivers\wcesceq.sys [?]
S1 wkmeuhr32;wkmeuhr32;\??\c:\windows\system32\drivers\wkmeuhr32.sys --> c:\windows\system32\drivers\wkmeuhr32.sys [?]
S2 AMPingService;AMPingService;c:\docume~1\admin\locals~1\temp\amping.exe --> c:\docume~1\admin\locals~1\temp\AMPing.exe [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-29 875288]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-29 231704]
S2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-29 76040]
S2 eac_notifysvc;eAcceleration Notification Service;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2009-4-29 111672]
S2 eac_productsvc;eAcceleration Product Manager Service;c:\progra~1\eaccel~1\framew~1\eac_productsvc.exe [2009-4-29 263504]
S2 FWService;FWService;c:\program files\stopsign\firewall\fwservice.exe -service --> c:\program files\stopsign\firewall\FWService.exe -Service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 135664]
S2 ldr7x;ldr7x;c:\windows\system32\drivers\ldr7x.sys [2010-9-1 26496]
S2 ssfwmonsvc;StopSign Firewall Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2009-4-29 111672]
S2 sstsmonsvc;StopSign Antivirus Security Center Provider;c:\progra~1\eaccel~1\framew~1\eac_svc.exe [2009-4-29 111672]
S2 tcpip7x;tcpip7x;c:\windows\system32\drivers\tcpip7x.sys [2010-9-1 256256]
S3 cpuz132;cpuz132;\??\c:\docume~1\admin\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\admin\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 zgchsdiag;ZTE CDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgchsdiag.sys [2009-2-24 105216]
S3 zgchsmdm;ZTE CDMA Handset USB Modem Proprietary;c:\windows\system32\drivers\zgchsmdm.sys [2009-2-24 105216]

=============== Created Last 30 ================

2010-09-20 21:17:48 0 ----a-w- c:\documents and settings\admin\defogger_reenable
2010-09-20 21:03:36 21636 ---h--w- c:\windows\iexplarer.exe
2010-09-20 18:53:02 21636 ---h--w- c:\windows\user.exe
2010-09-20 18:52:35 21636 ---h--w- c:\windows\install.exe
2010-09-20 18:51:50 21636 ---h--w- c:\windows\sysedit.exe
2010-09-20 18:47:40 21636 ---h--w- c:\windows\win.exe
2010-09-20 18:47:40 21636 ---h--w- c:\windows\lsass.exe
2010-09-20 18:47:29 21636 ---h--w- c:\windows\win32.exe
2010-09-20 18:47:27 21636 ---h--w- c:\windows\mdm.exe
2010-09-20 18:47:09 21636 ---h--w- c:\windows\nvsvc32.exe
2010-09-20 18:47:08 21636 ---h--w- c:\windows\avp32.exe
2010-09-20 18:47:07 21636 ---h--w- c:\windows\svchost.exe
2010-09-20 13:21:22 21636 ---h--w- c:\windows\system.exe
2010-09-20 11:31:16 21636 ---h--w- c:\windows\hexdump.exe
2010-09-20 09:45:37 21636 ---h--w- c:\windows\winamp.exe
2010-09-20 08:00:59 21636 ---h--w- c:\windows\win16.exe
2010-09-20 08:00:59 21636 ---h--w- c:\windows\spoolsv.exe
2010-09-20 02:50:40 21636 ---h--w- c:\windows\gdi32.exe
2010-09-20 01:06:25 21636 ---h--w- c:\windows\setup.exe
2010-09-20 01:00:33 21636 ---h--w- c:\windows\csrss.exe
2010-09-19 23:13:58 21636 ---h--w- c:\windows\taskmgr.exe
2010-09-19 23:13:57 21636 ---h--w- c:\windows\debug.exe
2010-09-19 23:13:57 21636 ---h--w- c:\windows\cmd.exe
2010-09-19 23:13:56 21636 ---h--w- c:\windows\drweb.exe
2010-09-19 21:40:21 21636 ---h--w- c:\windows\services.exe
2010-09-19 21:30:21 21636 ---h--w- c:\windows\smss.exe
2010-09-19 21:30:19 21636 ---h--w- c:\windows\avp.exe
2010-09-19 21:30:18 21636 ---h--w- c:\windows\wininst.exe
2010-09-18 18:07:31 30000 ----a-w- c:\windows\system32\c55ninda.dll
2010-09-18 03:55:10 30000 ----a-w- c:\windows\system32\g5bks.dll
2010-09-18 00:56:44 30000 ----a-w- c:\windows\system32\fmbk2p0ph.dll
2010-09-17 23:45:15 384879 ----a-w- c:\windows\system32\msjvkmul.dll
2010-09-17 23:45:12 30000 ----a-w- c:\windows\system32\l8yu9.dll
2010-09-17 01:27:28 0 ----a-w- c:\windows\system32\drivers\vmvlcg.sys
2010-09-17 01:26:38 0 d-----w- c:\docume~1\admin\applic~1\C7E7E282F0A2D9226FFD2296CB708F5D
2010-09-17 01:03:42 0 d-----w- c:\docume~1\alluse~1\applic~1\OnlineArmor
2010-09-17 01:03:42 0 d-----w- c:\docume~1\admin\applic~1\OnlineArmor
2010-09-17 01:03:25 38856 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2010-09-17 01:03:25 29272 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-09-17 01:03:25 25000 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-09-17 01:03:25 201168 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-09-17 01:03:21 0 d-----w- c:\program files\Online Armor
2010-09-16 23:59:04 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-09-16 20:23:22 0 d-----w- c:\program files\Trend Micro
2010-09-16 20:10:09 0 d-----w- C:\_OTM
2010-09-14 01:51:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-09-14 01:00:22 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-09-14 01:00:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 01:00:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-14 01:00:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 01:00:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-13 20:57:56 212480 ----a-w- c:\windows\Djefid.exe
2010-09-10 15:30:29 777728 ----a-w- c:\windows\system32\drivers\bxpcsxh.sys
2010-09-10 15:29:13 2838 ----a-w- C:\zrpt.xml
2010-09-10 15:20:25 186368 ----a-w- c:\windows\Djefic.exe
2010-09-03 14:59:51 75776 --sha-r- c:\windows\system32\syskey9.dll
2010-09-02 02:19:00 0 ----a-w- c:\windows\Yteyuji.bin
2010-09-02 02:18:58 120 ----a-w- c:\windows\Gdupi.dat
2010-09-02 02:15:27 256256 ----a-w- c:\windows\system32\drivers\tcpip7x.sys
2010-09-02 02:14:58 26496 ----a-w- c:\windows\system32\drivers\ldr7x.sys
2010-08-28 16:11:43 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-28 16:09:56 0 d-----w- c:\windows\system32\drivers\Avg
2010-08-28 16:09:15 0 d-----w- c:\program files\common files\eAcceleration
2010-08-28 16:09:14 0 d-----w- c:\program files\Acceleration Software
2010-08-28 15:44:57 0 d-----w- c:\program files\Acceleration Software(2)
2010-08-23 00:52:53 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-23 00:52:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-22 16:44:10 0 d-----w- C:\$AVG8.VAULT$
2010-08-22 07:36:52 0 d-----w- c:\docume~1\admin\applic~1\Odip

==================== Find3M ====================

2008-12-30 02:18:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122220081229\index.dat
2008-12-30 02:18:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat

============= FINISH: 14:21:48.96 ===============



Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:37 PM

Posted 20 September 2010 - 07:22 PM

Hello ajayz2010,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 ajayz2010

ajayz2010
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 21 September 2010 - 12:13 AM

ok I understand and I am ready to start

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:37 PM

Posted 21 September 2010 - 06:19 PM

Hello,

We are now ready to begin.

1.
Ask Toolbar is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know as stated in the following Articles:

http://www.benedelman.org/spyware/ask-toolbars/
http://vil.nai.com/vil/content/v_185490.htm


I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Ask Toolbar.

2.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

StopSign Internet Security

This program is known for downloading Adware to your machine and producing false positives.

Additional instructions can be found here if needed.

3.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply::
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 ajayz2010

ajayz2010
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 21 September 2010 - 10:46 PM

ok I did what you asked. I did not see the ask toolbar but I erased stop sighn. Everything ran smooth and my computer is runnin nice here is my log. tell me if it looks good to you...


ComboFix 10-09-21.01 - admin 09/21/2010 17:55:53.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.149 [GMT -7:00]
Running from: c:\documents and settings\admin\My Documents\Downloads\ComboFix.exe
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
PEV Error: TemplatesFile

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\Application Data\wiaservg.log
c:\documents and settings\admin\Local Settings\Application Data\{FCAFF0A7-115F-4837-8BB0-5CD6DC54B36B}
c:\documents and settings\admin\Local Settings\Application Data\{FCAFF0A7-115F-4837-8BB0-5CD6DC54B36B}\chrome.manifest
c:\documents and settings\admin\Local Settings\Application Data\{FCAFF0A7-115F-4837-8BB0-5CD6DC54B36B}\chrome\content\_cfg.js
c:\documents and settings\admin\Local Settings\Application Data\{FCAFF0A7-115F-4837-8BB0-5CD6DC54B36B}\chrome\content\overlay.xul
c:\documents and settings\admin\Local Settings\Application Data\{FCAFF0A7-115F-4837-8BB0-5CD6DC54B36B}\install.rdf
c:\documents and settings\All Users\Application Data\Update\seupd.exe
C:\inetserver.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\system32\drivers\ldr7x.sys
c:\windows\system32\driVERs\vmvlcg.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LDR7X
-------\Service_ldr7x
-------\Legacy_vmvlcg
-------\Service_vmvlcg


((((((((((((((((((((((((( Files Created from 2010-08-22 to 2010-09-22 )))))))))))))))))))))))))))))))
.

2010-09-21 04:09 . 2010-09-21 04:09 -------- d-----w- c:\program files\ESET
2010-09-21 00:43 . 2010-09-21 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-17 23:45 . 2010-09-18 00:57 384879 ----a-w- c:\windows\system32\msjvkmul.dll
2010-09-17 01:26 . 2010-09-17 01:26 -------- d-----w- c:\documents and settings\admin\Application Data\C7E7E282F0A2D9226FFD2296CB708F5D
2010-09-17 01:04 . 2010-09-17 01:04 0 ----a-w- c:\windows\nsreg.dat
2010-09-17 01:04 . 2010-09-17 01:04 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Mozilla
2010-09-16 23:59 . 2004-08-12 12:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-09-16 20:23 . 2010-09-16 20:23 -------- d-----w- c:\program files\Trend Micro
2010-09-16 20:10 . 2010-09-16 20:10 -------- d-----w- C:\_OTM
2010-09-14 01:51 . 2010-09-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-14 01:00 . 2010-09-14 01:00 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2010-09-14 01:00 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 01:00 . 2010-09-14 01:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 01:00 . 2010-09-14 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-14 01:00 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-13 22:32 . 2010-09-14 04:19 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\pasnlqlra
2010-09-13 18:58 . 2010-09-14 04:19 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\xbilfbvfj
2010-09-08 20:00 . 2010-09-14 04:19 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\ampnnoiiv
2010-09-04 00:47 . 2010-09-14 04:19 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\qjmuxbmfg
2010-09-03 14:59 . 2010-09-03 14:59 75776 --sha-r- c:\windows\system32\syskey9.dll
2010-09-02 02:19 . 2010-09-19 07:08 0 ----a-w- c:\windows\Yteyuji.bin
2010-09-02 02:18 . 2010-09-19 16:24 120 ----a-w- c:\windows\Gdupi.dat
2010-09-02 02:15 . 2010-09-08 20:32 256256 ----a-w- c:\windows\system32\drivers\tcpip7x.sys
2010-08-28 16:11 . 2010-08-28 16:11 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-28 16:09 . 2010-08-28 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2010-08-28 15:44 . 2010-08-28 16:09 -------- d-----w- c:\program files\Acceleration Software(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-21 23:58 . 2010-07-25 18:01 -------- d-----w- c:\program files\Microsoft
2010-09-21 20:29 . 2010-04-22 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-09-21 20:27 . 2010-04-22 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-21 17:09 . 2010-05-31 17:33 -------- d-----w- c:\documents and settings\admin\Application Data\LimeWire
2010-09-21 01:56 . 2010-06-23 15:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-20 19:03 . 2010-05-31 16:56 -------- d-----w- c:\program files\LimeWire
2010-09-15 03:11 . 2010-08-22 07:36 -------- d-----w- c:\documents and settings\admin\Application Data\Odip
2010-09-14 04:30 . 2010-04-22 18:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-03 23:23 . 2010-04-25 22:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-28 16:09 . 2010-08-23 00:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-28 16:09 . 2010-08-23 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-25 19:29 . 2008-12-30 20:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-25 19:28 . 2010-07-25 18:50 -------- d-----w- c:\program files\dvd43
2010-07-25 18:21 . 2010-07-25 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Mender
2010-07-25 17:59 . 2010-07-25 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Medic
2010-07-02 03:50 . 2008-12-29 03:19 45280 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-11 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-11 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-29 16010752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ msv1_0 scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 05:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-12 22:10 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 tcpip7x;tcpip7x;c:\windows\system32\drivers\tcpip7x.sys [9/1/2010 7:15 PM 256256]
S1 aesqbii32;aesqbii32;\??\c:\windows\system32\drivers\aesqbii32.sys --> c:\windows\system32\drivers\aesqbii32.sys [?]
S1 akwhsti;akwhsti;\??\c:\windows\system32\drivers\akwhsti.sys --> c:\windows\system32\drivers\akwhsti.sys [?]
S1 amgqubq;amgqubq;\??\c:\windows\system32\drivers\amgqubq.sys --> c:\windows\system32\drivers\amgqubq.sys [?]
S1 bwlrfcc;bwlrfcc;\??\c:\windows\system32\drivers\bwlrfcc.sys --> c:\windows\system32\drivers\bwlrfcc.sys [?]
S1 cnpkfxy32;cnpkfxy32;\??\c:\windows\system32\drivers\cnpkfxy32.sys --> c:\windows\system32\drivers\cnpkfxy32.sys [?]
S1 dyluxfm32;dyluxfm32;\??\c:\windows\system32\drivers\dyluxfm32.sys --> c:\windows\system32\drivers\dyluxfm32.sys [?]
S1 evmyqdf32;evmyqdf32;\??\c:\windows\system32\drivers\evmyqdf32.sys --> c:\windows\system32\drivers\evmyqdf32.sys [?]
S1 fblrvfe32;fblrvfe32;\??\c:\windows\system32\drivers\fblrvfe32.sys --> c:\windows\system32\drivers\fblrvfe32.sys [?]
S1 fkbhuob;fkbhuob;\??\c:\windows\system32\drivers\fkbhuob.sys --> c:\windows\system32\drivers\fkbhuob.sys [?]
S1 furnwpo;furnwpo;\??\c:\windows\system32\drivers\furnwpo.sys --> c:\windows\system32\drivers\furnwpo.sys [?]
S1 heavtot32;heavtot32;\??\c:\windows\system32\drivers\heavtot32.sys --> c:\windows\system32\drivers\heavtot32.sys [?]
S1 hskpype;hskpype;\??\c:\windows\system32\drivers\hskpype.sys --> c:\windows\system32\drivers\hskpype.sys [?]
S1 jfkfhhs;jfkfhhs;\??\c:\windows\system32\drivers\jfkfhhs.sys --> c:\windows\system32\drivers\jfkfhhs.sys [?]
S1 jkcopuv;jkcopuv;\??\c:\windows\system32\drivers\jkcopuv.sys --> c:\windows\system32\drivers\jkcopuv.sys [?]
S1 jxmpyen;jxmpyen;\??\c:\windows\system32\drivers\jxmpyen.sys --> c:\windows\system32\drivers\jxmpyen.sys [?]
S1 kbdukgi;kbdukgi;\??\c:\windows\system32\drivers\kbdukgi.sys --> c:\windows\system32\drivers\kbdukgi.sys [?]
S1 kvbacrv32;kvbacrv32;\??\c:\windows\system32\drivers\kvbacrv32.sys --> c:\windows\system32\drivers\kvbacrv32.sys [?]
S1 lbfsvja32;lbfsvja32;\??\c:\windows\system32\drivers\lbfsvja32.sys --> c:\windows\system32\drivers\lbfsvja32.sys [?]
S1 lnywajn;lnywajn;\??\c:\windows\system32\drivers\lnywajn.sys --> c:\windows\system32\drivers\lnywajn.sys [?]
S1 mfftcso;mfftcso;\??\c:\windows\system32\drivers\mfftcso.sys --> c:\windows\system32\drivers\mfftcso.sys [?]
S1 mjovspi;mjovspi;\??\c:\windows\system32\drivers\mjovspi.sys --> c:\windows\system32\drivers\mjovspi.sys [?]
S1 mmxnlcj;mmxnlcj;\??\c:\windows\system32\drivers\mmxnlcj.sys --> c:\windows\system32\drivers\mmxnlcj.sys [?]
S1 mpqslrk;mpqslrk;\??\c:\windows\system32\drivers\mpqslrk.sys --> c:\windows\system32\drivers\mpqslrk.sys [?]
S1 olatolv;olatolv;\??\c:\windows\system32\drivers\olatolv.sys --> c:\windows\system32\drivers\olatolv.sys [?]
S1 pgmncri32;pgmncri32;\??\c:\windows\system32\drivers\pgmncri32.sys --> c:\windows\system32\drivers\pgmncri32.sys [?]
S1 pxojohm32;pxojohm32;\??\c:\windows\system32\drivers\pxojohm32.sys --> c:\windows\system32\drivers\pxojohm32.sys [?]
S1 qjoypws32;qjoypws32;\??\c:\windows\system32\drivers\qjoypws32.sys --> c:\windows\system32\drivers\qjoypws32.sys [?]
S1 qoeqqqq32;qoeqqqq32;\??\c:\windows\system32\drivers\qoeqqqq32.sys --> c:\windows\system32\drivers\qoeqqqq32.sys [?]
S1 qwvjakb32;qwvjakb32;\??\c:\windows\system32\drivers\qwvjakb32.sys --> c:\windows\system32\drivers\qwvjakb32.sys [?]
S1 rllsuqx32;rllsuqx32;\??\c:\windows\system32\drivers\rllsuqx32.sys --> c:\windows\system32\drivers\rllsuqx32.sys [?]
S1 sxmwrjs32;sxmwrjs32;\??\c:\windows\system32\drivers\sxmwrjs32.sys --> c:\windows\system32\drivers\sxmwrjs32.sys [?]
S1 tdmytuv32;tdmytuv32;\??\c:\windows\system32\drivers\tdmytuv32.sys --> c:\windows\system32\drivers\tdmytuv32.sys [?]
S1 tdumvrg;tdumvrg;\??\c:\windows\system32\drivers\tdumvrg.sys --> c:\windows\system32\drivers\tdumvrg.sys [?]
S1 tewcofq32;tewcofq32;\??\c:\windows\system32\drivers\tewcofq32.sys --> c:\windows\system32\drivers\tewcofq32.sys [?]
S1 tojgbat32;tojgbat32;\??\c:\windows\system32\drivers\tojgbat32.sys --> c:\windows\system32\drivers\tojgbat32.sys [?]
S1 tqthqiu;tqthqiu;\??\c:\windows\system32\drivers\tqthqiu.sys --> c:\windows\system32\drivers\tqthqiu.sys [?]
S1 tteiilv;tteiilv;\??\c:\windows\system32\drivers\tteiilv.sys --> c:\windows\system32\drivers\tteiilv.sys [?]
S1 udnjrno32;udnjrno32;\??\c:\windows\system32\drivers\udnjrno32.sys --> c:\windows\system32\drivers\udnjrno32.sys [?]
S1 uqgkeqw32;uqgkeqw32;c:\windows\system32\drivers\uqgkeqw32.sys --> c:\windows\system32\drivers\uqgkeqw32.sys [?]
S1 wcesceq;wcesceq;\??\c:\windows\system32\drivers\wcesceq.sys --> c:\windows\system32\drivers\wcesceq.sys [?]
S1 wkmeuhr32;wkmeuhr32;\??\c:\windows\system32\drivers\wkmeuhr32.sys --> c:\windows\system32\drivers\wkmeuhr32.sys [?]
S2 AMPingService;AMPingService;c:\docume~1\admin\LOCALS~1\Temp\AMPing.exe --> c:\docume~1\admin\LOCALS~1\Temp\AMPing.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2010 12:57 PM 135664]
S3 zgchsdiag;ZTE CDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgchsdiag.sys [2/24/2009 1:06 AM 105216]
S3 zgchsmdm;ZTE CDMA Handset USB Modem Proprietary;c:\windows\system32\drivers\zgchsmdm.sys [2/24/2009 1:06 AM 105216]
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-11 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hotmail.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\25zqgi1k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://hotmail.com/
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 6092
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-inetserver.exe - c:\inetserver.exe\inetserver.exe
HKU-Default-Run-inetserver.exe - c:\inetserver.exe\inetserver.exe
MSConfigStartUp-@OnlineArmor GUI - c:\program files\Online Armor\oaui.exe
MSConfigStartUp-AvgRemover - c:\documents and settings\admin\Desktop\avgremover.exe
MSConfigStartUp-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-MSN Toolbar - c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
MSConfigStartUp-OnAccess - c:\program files\StopSign\OnAccess\onaccess.exe
MSConfigStartUp-SoftwareStation - c:\program files\eAcceleration\Station\station.exe
MSConfigStartUp-webscan - c:\program files\Acceleration Software\Anti-Virus\stopsignav.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-21 18:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):d4,8f,38,35,82,2d,75,3c,19,a7,a7,bf,4b,48,27,bd,a1,1a,d6,3a,70,
af,97,2f,e6,cc,d7,14,3a,88,a9,ad,89,01,1f,41,03,30,eb,3a,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a2603c77-9fbc-489d-8385-6f1a20971cc6}]
@Denied: (Full) (Everyone)
"Model"=dword:00000066
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Synaptics\SynTP\SynToshiba.exe
.
**************************************************************************
.
Completion time: 2010-09-21 18:24:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-22 01:24
ComboFix2.txt 2010-09-17 17:56
ComboFix3.txt 2010-09-17 00:21
ComboFix4.txt 2010-07-06 00:12
ComboFix5.txt 2010-09-22 00:54

Pre-Run: 20,757,024,768 bytes free
Post-Run: 20,865,757,184 bytes free

- - End Of File - - 4255C53B30E64BC724151903CD4AD204


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:37 PM

Posted 22 September 2010 - 03:27 PM

Hello,

We are making some progress but have work to do.


1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

Domains::

File::
c:\windows\system32\drivers\tcpip7x.sys
c:\windows\Yteyuji.bin
c:\windows\Gdupi.dat
c:\windows\system32\msjvkmul.dll

Folder::
c:\program files\Ask.com
c:\documents and settings\admin\Local Settings\Application Data\pasnlqlra
c:\documents and settings\admin\Local Settings\Application Data\xbilfbvfj
c:\documents and settings\admin\Local Settings\Application Data\ampnnoiiv
c:\documents and settings\admin\Local Settings\Application Data\qjmuxbmfg
c:\program files\Acceleration Software(2)

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092

Firefox::
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\25zqgi1k.default\
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=
FF - prefs.js: network.proxy.http_port - 6092

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-

Driver::
AMPingService
wkmeuhr32
wcesceq
uqgkeqw32
udnjrno32
tteiilv
tqthqiu
tojgbat32
tewcofq32
tdumvrg
tdmytuv32
sxmwrjs32
rllsuqx32
qwvjakb32
qoeqqqq32
qjoypws32
pxojohm32
aesqbii32
akwhsti
amgqubq
bwlrfcc
cnpkfxy32
dyluxfm32
evmyqdf32
fblrvfe32
fkbhuob
furnwpo
heavtot32
hskpype
jfkfhhs
jkcopuv
jxmpyen
kbdukgi
kvbacrv32
lbfsvja32
lnywajn
mfftcso
mjovspi
mmxnlcj
mpqslrk
olatolv
pgmncri32
tcpip7x

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a2603c77-9fbc-489d-8385-6f1a20971cc6}]


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Things to include in your next reply::
Combofix.txt
MBAM log
A new DDS log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 ajayz2010

ajayz2010
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 22 September 2010 - 05:11 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by admin at 15:05:16.42 on Wed 09/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.58 [GMT -7:00]

AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hotmail.com/
uInternet Settings,ProxyOverride = <local>
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230586529390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230586594593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = msv1_0 scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\25zqgi1k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://hotmail.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S3 cpuz132;cpuz132;\??\c:\docume~1\admin\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\admin\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 135664]
S3 zgchsdiag;ZTE CDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgchsdiag.sys [2009-2-24 105216]
S3 zgchsmdm;ZTE CDMA Handset USB Modem Proprietary;c:\windows\system32\drivers\zgchsmdm.sys [2009-2-24 105216]

=============== Created Last 30 ================

2010-09-21 04:09:10 0 d-----w- c:\program files\ESET
2010-09-20 21:17:48 0 ----a-w- c:\documents and settings\admin\defogger_reenable
2010-09-17 01:26:38 0 d-----w- c:\docume~1\admin\applic~1\C7E7E282F0A2D9226FFD2296CB708F5D
2010-09-16 23:59:04 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-09-16 20:23:22 0 d-----w- c:\program files\Trend Micro
2010-09-16 20:10:09 0 d-----w- C:\_OTM
2010-09-14 01:51:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-09-14 01:00:22 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-09-14 01:00:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 01:00:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-14 01:00:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 01:00:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-10 15:29:13 2838 ----a-w- C:\zrpt.xml
2010-09-03 14:59:51 75776 --sha-r- c:\windows\system32\syskey9.dll
2010-08-28 16:11:43 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2008-12-30 02:18:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122220081229\index.dat
2008-12-30 02:18:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat

============= FINISH: 15:05:34.56 ===============





combo fix log

ComboFix 10-09-22.02 - admin 09/22/2010 14:42:00.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.200 [GMT -7:00]
Running from: c:\documents and settings\admin\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Gdupi.dat"
"c:\windows\system32\drivers\tcpip7x.sys"
"c:\windows\system32\msjvkmul.dll"
"c:\windows\Yteyuji.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\Local Settings\Application Data\ampnnoiiv
c:\documents and settings\admin\Local Settings\Application Data\pasnlqlra
c:\documents and settings\admin\Local Settings\Application Data\qjmuxbmfg
c:\documents and settings\admin\Local Settings\Application Data\xbilfbvfj
c:\program files\Acceleration Software(2)
c:\program files\Acceleration Software(2)\Anti-Virus(2)\customcleaner(2)\ajayz2006CustomCure.cnr
c:\program files\Acceleration Software(2)\Anti-Virus(2)\customcleaner(2)\eac_install00.dat
c:\program files\Acceleration Software(2)\Anti-Virus(2)\customcleaner(2)\stops_dlg_header_tl.gif
c:\program files\Acceleration Software(2)\Anti-Virus(2)\customcleaner(2)\stops_dlg_header_tm.gif
c:\program files\Ask.com
c:\program files\Ask.com\btn_search.png
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\GenericAskToolbar.dll
c:\program files\Ask.com\limewire_logo.png
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe
c:\windows\Gdupi.dat
c:\windows\system32\drivers\tcpip7x.sys
c:\windows\system32\msjvkmul.dll
c:\windows\Yteyuji.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AESQBII32
-------\Legacy_AKWHSTI
-------\Legacy_AMGQUBQ
-------\Legacy_AMPINGSERVICE
-------\Legacy_BWLRFCC
-------\Legacy_CNPKFXY32
-------\Legacy_DYLUXFM32
-------\Legacy_EVMYQDF32
-------\Legacy_FBLRVFE32
-------\Legacy_FKBHUOB
-------\Legacy_FURNWPO
-------\Legacy_HEAVTOT32
-------\Legacy_HSKPYPE
-------\Legacy_JFKFHHS
-------\Legacy_JKCOPUV
-------\Legacy_JXMPYEN
-------\Legacy_KBDUKGI
-------\Legacy_KVBACRV32
-------\Legacy_LBFSVJA32
-------\Legacy_LNYWAJN
-------\Legacy_MFFTCSO
-------\Legacy_MJOVSPI
-------\Legacy_MMXNLCJ
-------\Legacy_MPQSLRK
-------\Legacy_OLATOLV
-------\Legacy_PGMNCRI32
-------\Legacy_PXOJOHM32
-------\Legacy_QJOYPWS32
-------\Legacy_QOEQQQQ32
-------\Legacy_QWVJAKB32
-------\Legacy_RLLSUQX32
-------\Legacy_SXMWRJS32
-------\Legacy_TCPIP7X
-------\Legacy_TDMYTUV32
-------\Legacy_TDUMVRG
-------\Legacy_TEWCOFQ32
-------\Legacy_TOJGBAT32
-------\Legacy_TQTHQIU
-------\Legacy_TTEIILV
-------\Legacy_UDNJRNO32
-------\Legacy_WCESCEQ
-------\Legacy_WKMEUHR32
-------\Service_aesqbii32
-------\Service_akwhsti
-------\Service_amgqubq
-------\Service_AMPingService
-------\Service_bwlrfcc
-------\Service_cnpkfxy32
-------\Service_dyluxfm32
-------\Service_evmyqdf32
-------\Service_fblrvfe32
-------\Service_fkbhuob
-------\Service_furnwpo
-------\Service_heavtot32
-------\Service_hskpype
-------\Service_jfkfhhs
-------\Service_jkcopuv
-------\Service_jxmpyen
-------\Service_kbdukgi
-------\Service_kvbacrv32
-------\Service_lbfsvja32
-------\Service_lnywajn
-------\Service_mfftcso
-------\Service_mjovspi
-------\Service_mmxnlcj
-------\Service_mpqslrk
-------\Service_olatolv
-------\Service_pgmncri32
-------\Service_pxojohm32
-------\Service_qjoypws32
-------\Service_qoeqqqq32
-------\Service_qwvjakb32
-------\Service_rllsuqx32
-------\Service_sxmwrjs32
-------\Service_tcpip7x
-------\Service_tdmytuv32
-------\Service_tdumvrg
-------\Service_tewcofq32
-------\Service_tojgbat32
-------\Service_tqthqiu
-------\Service_tteiilv
-------\Service_udnjrno32
-------\Service_uqgkeqw32
-------\Service_wcesceq
-------\Service_wkmeuhr32


((((((((((((((((((((((((( Files Created from 2010-08-22 to 2010-09-22 )))))))))))))))))))))))))))))))
.

2010-09-21 04:09 . 2010-09-21 04:09 -------- d-----w- c:\program files\ESET
2010-09-21 00:43 . 2010-09-21 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-17 01:26 . 2010-09-17 01:26 -------- d-----w- c:\documents and settings\admin\Application Data\C7E7E282F0A2D9226FFD2296CB708F5D
2010-09-17 01:04 . 2010-09-17 01:04 0 ----a-w- c:\windows\nsreg.dat
2010-09-17 01:04 . 2010-09-17 01:04 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Mozilla
2010-09-16 23:59 . 2004-08-12 12:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-09-16 20:23 . 2010-09-16 20:23 -------- d-----w- c:\program files\Trend Micro
2010-09-16 20:10 . 2010-09-16 20:10 -------- d-----w- C:\_OTM
2010-09-14 01:51 . 2010-09-22 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-14 01:00 . 2010-09-14 01:00 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2010-09-14 01:00 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 01:00 . 2010-09-14 01:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 01:00 . 2010-09-14 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-14 01:00 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-03 14:59 . 2010-09-03 14:59 75776 --sha-r- c:\windows\system32\syskey9.dll
2010-08-28 16:11 . 2010-08-28 16:11 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-28 16:09 . 2010-08-28 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-21 23:58 . 2010-07-25 18:01 -------- d-----w- c:\program files\Microsoft
2010-09-21 20:29 . 2010-04-22 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-09-21 20:27 . 2010-04-22 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-21 17:09 . 2010-05-31 17:33 -------- d-----w- c:\documents and settings\admin\Application Data\LimeWire
2010-09-21 01:56 . 2010-06-23 15:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-20 19:03 . 2010-05-31 16:56 -------- d-----w- c:\program files\LimeWire
2010-09-15 03:11 . 2010-08-22 07:36 -------- d-----w- c:\documents and settings\admin\Application Data\Odip
2010-09-14 04:30 . 2010-04-22 18:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-03 23:23 . 2010-04-25 22:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-28 16:09 . 2010-08-23 00:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-28 16:09 . 2010-08-23 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-25 19:29 . 2008-12-30 20:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-25 19:28 . 2010-07-25 18:50 -------- d-----w- c:\program files\dvd43
2010-07-25 18:21 . 2010-07-25 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Mender
2010-07-25 17:59 . 2010-07-25 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Medic
2010-07-02 03:50 . 2008-12-29 03:19 45280 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-29 16010752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"RequireSignedAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ msv1_0 scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-08-06 05:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-12 22:10 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/5/2010 12:57 PM 135664]
S3 zgchsdiag;ZTE CDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgchsdiag.sys [2/24/2009 1:06 AM 105216]
S3 zgchsmdm;ZTE CDMA Handset USB Modem Proprietary;c:\windows\system32\drivers\zgchsmdm.sys [2/24/2009 1:06 AM 105216]
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-11 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hotmail.com/
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\25zqgi1k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://hotmail.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-22 14:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3836)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-22 14:53:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-22 21:52
ComboFix2.txt 2010-09-22 01:24
ComboFix3.txt 2010-09-17 17:56
ComboFix4.txt 2010-09-17 00:21
ComboFix5.txt 2010-09-22 21:38

Pre-Run: 20,633,751,552 bytes free
Post-Run: 20,668,735,488 bytes free

- - End Of File - - 59FB6F40AE40E979CFD8A2CA8693667C

It seems to be running great I appreciate that man it was a major help. I have uploaded my logs for you, how does it look to you

Attached Files



#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:37 PM

Posted 22 September 2010 - 06:02 PM

Hello,


Things are looking alot better now thumbup2.gif We still have some work to do and final checking.


1.
Please follow my instructions for running Malwarebytes in my previous post. Then post that log.

2.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

3.
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version 9.3. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, go here: Adobe Update Page and scroll down to UPDATES/PROGRAMS. From there download: Adobe Reader 9.3.2 update - multiple languages and save it to your desktop.
  • Double-click the file AdbeRdrUpd932_all_incr.msp on your desktop to start installing the update and follow the prompts.
  • Once the update is done click Exit.
Your Adobe Reader is now up to date!

4.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.


Things to include in your next reply::
MBAM log
Eset log
A new DDS log
Don't need the Attach.txt this time
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 ajayz2010

ajayz2010
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 22 September 2010 - 08:57 PM

ok I did everything you asked. I had no threats on iether scanner. here is my dds log




DDS (Ver_10-03-17.01) - NTFSx86
Run by admin at 18:54:48.01 on Wed 09/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.131 [GMT -7:00]

AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hotmail.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230586529390
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230586594593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = msv1_0 scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\25zqgi1k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://hotmail.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S3 cpuz132;cpuz132;\??\c:\docume~1\admin\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\admin\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 135664]
S3 zgchsdiag;ZTE CDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgchsdiag.sys [2009-2-24 105216]
S3 zgchsmdm;ZTE CDMA Handset USB Modem Proprietary;c:\windows\system32\drivers\zgchsmdm.sys [2009-2-24 105216]

=============== Created Last 30 ================

2010-09-23 00:09:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-23 00:09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-21 04:09:10 0 d-----w- c:\program files\ESET
2010-09-20 21:17:48 0 ----a-w- c:\documents and settings\admin\defogger_reenable
2010-09-17 01:26:38 0 d-----w- c:\docume~1\admin\applic~1\C7E7E282F0A2D9226FFD2296CB708F5D
2010-09-16 23:59:04 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-09-16 20:23:22 0 d-----w- c:\program files\Trend Micro
2010-09-16 20:10:09 0 d-----w- C:\_OTM
2010-09-14 01:51:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-09-14 01:00:22 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-09-14 01:00:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 01:00:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-14 01:00:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 01:00:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-10 15:29:13 2838 ----a-w- C:\zrpt.xml
2010-09-03 14:59:51 75776 --sha-r- c:\windows\system32\syskey9.dll
2010-08-28 16:11:43 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2008-12-30 02:18:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122220081229\index.dat
2008-12-30 02:18:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122920081230\index.dat

============= FINISH: 18:55:30.18 ===============




mbam log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/22/2010 6:48:42 PM
mbam-log-2010-09-22 (18-48-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 153115
Time elapsed: 23 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 ajayz2010

ajayz2010
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 23 September 2010 - 02:50 AM

everything looks good

Edited by ajayz2010, 23 September 2010 - 01:12 PM.


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:37 PM

Posted 23 September 2010 - 08:43 PM

Hello, ajayz2010.
Congratulations! You now appear clean! specool.gif


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.



Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 ajayz2010

ajayz2010
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 23 September 2010 - 10:51 PM

hey thanx man everything was a big help but those updates take alot of mb's but I guess it's worth it.

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:37 PM

Posted 24 September 2010 - 08:51 AM

Hello,

QUOTE
hey thanx man everything was a big help but those updates take alot of mb's but I guess it's worth it.


Keeping your programs and windows up to date is essential and will leave you less vulnerable for infection. thumbup2.gif



This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team member or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.



" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users