
Help w/ Trojan variant.Hiloti


  • This topic is locked
56 replies to this topic

#1 ((Vibe))

((Vibe))

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 04 January 2011 - 06:26 PM

Hello,

I believe my computer is infected with the above mentioned malware. I ran bit defender through firefox and the report is in this link http://www.bleepingcomputer.com/forums/topic354877.html

I also ran Malwarebyte's AntiMalware several times; it was able to find and recognize the malware, but apparently cannot remove it upon restarting the computer.

Any help would be so gratefully appreciated...thank you in advance for fighting the good fight on the net!

I read the Preparation guide and have put up 2 of the 3 logs (DDS.txt is below and Attach.txt is attached) but was not able to run GMER to get the log for it (the following error messages appeared when opening GMER:)

Error Messages for GMER: (two screenshots were posted here; not reproduced)

--------------------------
Here is the DDS.txt log:
--------------------------


DDS (Ver_10-12-12.02) - NTFSx86
Run by name removed at 12:28:25.40 on Tue 01/04/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.553 [GMT -6:00]


============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\name removed\Local Settings\Application Data\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\name removed\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe,c:\windows\system\svchost.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Mnutur] rundll32.exe "c:\documents and settings\name removed\local settings\application data\csginbd.dll",Startup
uRun: [Jqajewomewomewom] rundll32.exe "c:\documents and settings\name removed\local settings\application data\olukaqojo.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\name removed\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\name removed\applic~1\mozilla\firefox\profiles\dz3gik1t.default\
FF - component: c:\documents and settings\name removed\application data\mozilla\firefox\profiles\dz3gik1t.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\name removed\application data\mozilla\firefox\profiles\dz3gik1t.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\name removed\application data\mozilla\firefox\profiles\dz3gik1t.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\name removed\local settings\application data\mozilla firefox\plugins\npnul32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Gmail Watcher: gmailwatcher@sonthakit - %profile%\extensions\gmailwatcher@sonthakit
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
FF - Ext: Myibay Firefox extension: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Karma Blocker: kabl@trac.arantius.com - %profile%\extensions\kabl@trac.arantius.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - %profile%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Ext: OptimizeGoogle: optimizegoogle@optimizegoogle.com - %profile%\extensions\optimizegoogle@optimizegoogle.com
FF - Ext: XULRunner: {7B3E7CBB-427B-462E-B362-F0DEB21C031F} - c:\documents and settings\name removed\local settings\application data\{7B3E7CBB-427B-462E-B362-F0DEB21C031F}

============= SERVICES / DRIVERS ===============

R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2009-2-19 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2009-2-19 52224]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-2-19 13696]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2007-7-11 714240]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-19 1684736]

=============== Created Last 30 ================


==================== Find3M ====================

2010-07-17 22:03:10 106496 --sha-r- c:\windows\system\svchost.exe
2010-07-17 22:03:10 106496 --sha-r- c:\windows\system\_sv_cmd_\_U_.exe

============= FINISH: 12:28:43.68 ===============


Thanks again!

~James



Edited by Orange Blossom, 17 January 2011 - 05:31 PM.
Remove sensitive info. ~ OB
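A defender's triage pass over the DDS log above, written here as an added example (it is not code from this thread, from BleepingComputer, or from the DDS tool). It assumes nothing beyond the log format shown: the Userinit value that loads c:\windows\system\svchost.exe alongside userinit.exe, the rundll32.exe entries loading DLLs from Local Settings\Application Data, and the svchost.exe copy outside system32 are the lines a responder would flag first; the sample log is constructed from the thread's log with the user name replaced by the placeholder "user".

```python
"""Triage DDS 'Pseudo HJT Report' and 'Find3M' lines for Hiloti-style persistence.

Added example for this thread; not code from the original post, from
BleepingComputer, or from the DDS tool. It flags three indicators that the
DDS log above exhibits:
  1. a Winlogon Userinit value that loads more than the normal userinit.exe,
  2. uRun/mRun entries that launch rundll32.exe on a DLL stored under a
     profile's 'Local Settings\\Application Data' folder,
  3. Find3M entries for an executable named like a core system binary but
     stored outside %SystemRoot%\\system32 (e.g. c:\\windows\\system\\svchost.exe).
"""
import re

# Constructed sample: lines copied from the DDS log in this thread, with the
# user name replaced by the placeholder 'user'.
SAMPLE_LOG = r"""
mWinlogon: Userinit=userinit.exe,c:\windows\system\svchost.exe
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Mnutur] rundll32.exe "c:\documents and settings\user\local settings\application data\csginbd.dll",Startup
uRun: [Jqajewomewomewom] rundll32.exe "c:\documents and settings\user\local settings\application data\olukaqojo.dll",Startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
2010-07-17 22:03:10 106496 --sha-r- c:\windows\system\svchost.exe
2010-07-17 22:03:10 106496 --sha-r- c:\windows\system\_sv_cmd_\_U_.exe
"""

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
RUN_RE = re.compile(r"^([um]Run):\s*\[([^\]]*)\]\s*(.*)$", re.I)
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.*)$")

# Names that legitimately live only in %SystemRoot%\system32 on Windows XP.
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "winlogon.exe",
                   "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
PROFILE_APPDATA = "\\local settings\\application data\\"


def check_userinit(value):
    """Userinit is a comma-separated list; anything beyond userinit.exe is suspect."""
    findings = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        if entry.lower() in ("userinit.exe", SYSTEM32 + "userinit.exe"):
            continue
        findings.append(("userinit-extra", entry))
    return findings


def check_run(kind, name, command):
    """Flag rundll32 loading a DLL out of a user's Local Settings\\Application Data."""
    low = command.lower()
    if "rundll32" in low and PROFILE_APPDATA in low:
        return [("rundll32-profile-dll", f"{kind} [{name}] {command}")]
    return []


def check_find3m(path):
    """Flag a system-binary file name stored anywhere other than system32."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARIES and not low.startswith(SYSTEM32):
        return [("system-binary-outside-system32", path)]
    return []


def triage(text):
    """Return (indicator, detail) pairs for every suspicious line in a DDS log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := USERINIT_RE.match(line):
            findings += check_userinit(m.group(1))
        elif m := RUN_RE.match(line):
            findings += check_run(m.group(1), m.group(2), m.group(3))
        elif m := FIND3M_RE.match(line):
            findings += check_find3m(m.group(1))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:32} {detail}")
```

On the sample it reports four findings: the extra Userinit entry, both rundll32 entries, and the svchost.exe copy in c:\windows\system; the legitimate ctfmon.exe and Adobe entries pass.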




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:37 AM

Posted 09 January 2011 - 06:38 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



IMPORTANT NOTE: :exclame:

If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.txt & attach.txt logs.



Regards,
Georgi :hello:



#3 ((Vibe))

((Vibe))
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 13 January 2011 - 07:34 AM

To be more specific about the problems I'm having, sometimes when I'm using the internet and click on a link it will redirect to an obvious "Spam website page" that is not what I wanted (will click a link to office depot website for instance and it will redirect me to advertisement page). Clicking the back button and clicking the same link again will usually take me to the proper destination.

I can produce GMER logs for the reason stated above (hope y'all can still help me)
Also DeFogger generates an error message saying that the program ran to completion, but that one or more errors occurred.

As for DDS and Attach logs...
Fresh logs as requested:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Name removed at 6:15:36.01 on Thu 01/13/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.448 [GMT -6:00]


============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
\\server removed\employee\AA - Company removed SCOTLAND YARD\scotland.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Name removed\Local Settings\Application Data\Mozilla Firefoxes\firefox.exe
\\server removed\employee\AA - Company removed SCOTLAND YARD\scotland.exe
C:\Documents and Settings\Name removed\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe,c:\windows\system\svchost.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Mnutur] rundll32.exe "c:\documents and settings\Name removed\local settings\application data\csginbd.dll",Startup
uRun: [Jqajewomewomewom] rundll32.exe "c:\documents and settings\Name removed\local settings\application data\olukaqojo.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\Name removed\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Name removed\applic~1\mozilla\firefox\profiles\dz3gik1t.default\
FF - component: c:\documents and settings\Name removed\application data\mozilla\firefox\profiles\dz3gik1t.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Name removed\application data\mozilla\firefox\profiles\dz3gik1t.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\Name removed\application data\mozilla\firefox\profiles\dz3gik1t.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Name removed\local settings\application data\mozilla firefoxes\plugins\npnul32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Gmail Watcher: gmailwatcher@sonthakit - %profile%\extensions\gmailwatcher@sonthakit
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: InvisibleHand: canitbecheaper@trafficbroker.co.uk - %profile%\extensions\canitbecheaper@trafficbroker.co.uk
FF - Ext: FaceBook AntiFilter: facebookantifilter@ce.sharif.edu - %profile%\extensions\facebookantifilter@ce.sharif.edu
FF - Ext: Myibay Firefox extension: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Karma Blocker: kabl@trac.arantius.com - %profile%\extensions\kabl@trac.arantius.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: BugMeNot: {987311C6-B504-4aa2-90BF-60CC49808D42} - %profile%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
FF - Ext: OptimizeGoogle: optimizegoogle@optimizegoogle.com - %profile%\extensions\optimizegoogle@optimizegoogle.com
FF - Ext: ThinkfreeFox: thinkfreefox@thinkfree.com - %profile%\extensions\thinkfreefox@thinkfree.com
FF - Ext: XULRunner: {7B3E7CBB-427B-462E-B362-F0DEB21C031F} - c:\documents and settings\Name removed\local settings\application data\{7B3E7CBB-427B-462E-B362-F0DEB21C031F}

============= SERVICES / DRIVERS ===============

R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2009-2-19 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2009-2-19 52224]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-2-19 13696]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2007-7-11 714240]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-19 1684736]

=============== Created Last 30 ================


==================== Find3M ====================

2010-07-17 22:03:10 106496 --sha-r- c:\windows\system\svchost.exe
2010-07-17 22:03:10 106496 --sha-r- c:\windows\system\_sv_cmd_\_U_.exe

============= FINISH: 6:16:15.54 ===============



Edited by Orange Blossom, 17 January 2011 - 05:52 PM.
Remove sensitive info. ~ OB


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:37 AM

Posted 13 January 2011 - 11:17 AM

Hi ((Vibe)) and :welcome:


I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.



Regards,
Georgi :hello:



#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:37 AM

Posted 14 January 2011 - 03:10 PM

Hi ((Vibe)), :)


Sorry for the delay.


I take it this is a business computer?


If so, I strongly recommend that you ask your IT support/network administrator to fix this. After all they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.


Regards,
Georgi



#6 ((Vibe))

((Vibe))
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 17 January 2011 - 05:32 PM

Hey Georgi,

Sorry for the delayed response. We are a very small company and do not have a full time designated IT person. Our data is backed up daily, but I understand if you would rather not proceed. But if you see it fit to continue, great.

Many thanks.

#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:37 AM

Posted 19 January 2011 - 10:28 AM

Hello ((Vibe)) ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



STEP 1



We need to run an OTL Custom Scan


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 60
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized





STEP 2



Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".





STEP 3


Do you know what this file is used for ?

\\server removed\employee\AA - Company removed SCOTLAND YARD\scotland.exe




Regards,
Georgi



#8 ((Vibe))

((Vibe))
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 21 January 2011 - 12:42 PM

Hey Georgi!

I was able to run OTL, would you like me to copy&paste the results or attach and send them to you or other?

Unfortunately I was unable to run the Rootkit unhooker. I got two error messages, one of them says "Failed to enable debug privilege, not critical issue" the next one says "Error, load driver privilege not adjusted."

And yes, that file refers to the program that we use to track our time, clock in and out.

Thanks again so much for helping. =)

#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:37 AM

Posted 24 January 2011 - 06:06 AM

Hi ((Vibe)), :)



Sorry for the delay.
I have some nasty flu, so there may be some delay due to it.
Thanks for your patience and understanding.


It would be extremely helpful if you could please post the logs instead of attaching them. If I ask for a specific log to be attached then that's fine, but it's a lot easier to work with the logs when they are posted to this thread instead of being attached.


Is there any way to get an account with admin rights? Otherwise we will be unable to help you effectively.
It will be extremely difficult to do a rootkit scan without admin rights...However we can not consider your system clean without having you run a scan for rootkits.
Thanks for your understanding.



Regards,
Georgi



#10 ((Vibe))

((Vibe))
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:37 PM

Posted 24 January 2011 - 10:11 AM

Oh man, hope you get to feeling better soon. Here are the logs. I will see if I can talk someone into letting me get an account with admin rights.



--------------------------------------------------

OTL Extras logfile created on: 1/21/2011 11:24:49 AM - Run 1
OTL by OldTimer - Version 3.2.20.3 Folder = C:\Documents and Settings\jremoved\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 333.00 Mb Available Physical Memory | 35.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2400 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.01 Gb Total Space | 9.74 Gb Free Space | 51.24% Space Free | Partition Type: NTFS
Drive D: | 5.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: Eremoved | User Name: jremoved | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 60 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-2495183507-3996975793-4178747209-1120\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Documents and Settings\jremoved\Local Settings\Application Data\Mozilla Firefoxes\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{262C7F33-8251-432E-88C1-E9F42A53F8F0}" = PDFill PDF Editor with FREE PDF Writer and Tools
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}" = Easy CD & DVD Creator 6
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06
"{81A60A13-224D-4637-8203-3EAC03B121A4}" = Seagate DiscWizard
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{E39C74DF-58FD-4E52-9888-2CC59DFB0B34}" = PowerQuest PartitionMagic Pro 7.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FB8148DD-C575-4B0A-9F6C-0CFC46937930}" = Opera 10.10
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CutePDF Writer Installation" = CutePDF Writer 2.7
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"VIA Chrome9 HC IGP Family Display" = VIA Display Driver 6.14.10.0099
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast-Ethernet Adapter
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2495183507-3996975793-4178747209-1120\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Mozilla Firefox (3.5.16)" = Mozilla Firefox (3.5.16)
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >

------------------------------------------------------------------------------


OTL logfile created on: 1/21/2011 11:24:49 AM - Run 1
OTL by OldTimer - Version 3.2.20.3 Folder = C:\Documents and Settings\jremoved\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 333.00 Mb Available Physical Memory | 35.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2400 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.01 Gb Total Space | 9.74 Gb Free Space | 51.24% Space Free | Partition Type: NTFS
Drive D: | 5.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: Eremoved | User Name: jremoved | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 60 Days

========== Processes (SafeList) ==========

PRC - [2011/01/21 11:24:09 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jremoved\My Documents\Downloads\OTL.exe
PRC - [2011/01/17 09:20:00 | 000,910,808 | ---- | M] (Mozilla Corporation) -- C:\Documents and Settings\jremoved\Local Settings\Application Data\Mozilla Firefoxes\firefox.exe
PRC - [2009/12/22 00:57:30 | 000,349,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
PRC - [2008/05/29 22:43:38 | 002,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/05/29 22:43:36 | 002,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/08 13:07:26 | 002,604,544 | ---- | M] (Scotland Yard Software) -- \\removedserve\employee\AA - removed Engineering SCOTLAND YARD\scotland.exe
PRC - [2004/02/10 23:36:26 | 000,069,632 | ---- | M] (Corel Corporation) -- C:\Program Files\WordPerfect Office 12\Programs\wpwin12.exe
PRC - [2004/02/10 22:32:16 | 000,139,264 | ---- | M] (Corel Corporation) -- C:\Program Files\WordPerfect Office 12\Programs\QPW.exe


========== Modules (SafeList) ==========

MOD - [2011/01/21 11:24:09 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jmckee\My Documents\Downloads\OTL.exe
MOD - [2008/04/14 05:42:10 | 000,199,168 | ---- | M] () -- C:\Documents and Settings\jmckee\Local Settings\Application Data\olukaqojo.dll
MOD - [2008/04/14 05:42:04 | 000,713,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\opengl32.dll
MOD - [2008/04/14 05:42:04 | 000,245,760 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui1.dll
MOD - [2008/04/14 05:42:04 | 000,080,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netui0.dll
MOD - [2008/04/14 05:42:04 | 000,044,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntlanman.dll
MOD - [2008/04/14 05:42:02 | 000,011,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netrap.dll
MOD - [2008/04/14 05:41:56 | 000,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\glu32.dll
MOD - [2008/04/14 05:41:54 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drprov.dll
MOD - [2008/04/14 05:41:52 | 000,279,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ddraw.dll
MOD - [2008/04/14 05:41:52 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\davclnt.dll
MOD - [2008/04/14 05:41:52 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dciman32.dll


========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2495183507-3996975793-4178747209-1120\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: YoutubeDownloader@PeterOlayev.com:1.5
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.52
FF - prefs.js..extensions.enabledItems: {987311C6-B504-4aa2-90BF-60CC49808D42}:2.2
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:4.0
FF - prefs.js..extensions.enabledItems: facebookantifilter@ce.sharif.edu:1.3
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:2.22.2
FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.4.2
FF - prefs.js..extensions.enabledItems: gmailwatcher@sonthakit:1.30
FF - prefs.js..extensions.enabledItems: canitbecheaper@trafficbroker.co.uk:2.8
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: kabl@trac.arantius.com:0.4.2
FF - prefs.js..extensions.enabledItems: firefox1@myibay.com:1.1.8
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.7
FF - prefs.js..extensions.enabledItems: optimizegoogle@optimizegoogle.com:0.78.2
FF - prefs.js..extensions.enabledItems: thinkfreefox@thinkfree.com:0.5.5
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
FF - prefs.js..extensions.enabledItems: {7B3E7CBB-427B-462E-B362-F0DEB21C031F}:1.9.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/04 08:55:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/10 12:36:15 | 000,000,000 | ---D | M]

[2010/07/19 07:19:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Extensions
[2011/01/18 08:52:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions
[2010/11/29 10:33:55 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/10/21 06:07:05 | 000,000,000 | ---D | M] (BugMeNot) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}
[2010/09/24 07:39:42 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/01/14 08:57:14 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2010/12/14 16:08:08 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/11/19 09:32:53 | 000,000,000 | ---D | M] ("BitDefender QuickScan") -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2010/07/19 07:31:10 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/11/08 15:12:54 | 000,000,000 | ---D | M] (InvisibleHand) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\canitbecheaper@trafficbroker.co.uk
[2010/07/29 12:50:35 | 000,000,000 | ---D | M] (FaceBook AntiFilter) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\facebookantifilter@ce.sharif.edu
[2010/11/29 10:33:48 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\firefox@ghostery.com
[2010/08/24 10:25:18 | 000,000,000 | ---D | M] (Myibay Firefox extension) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\firefox1@myibay.com
[2010/12/14 16:08:22 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\foxyproxy@eric.h.jung
[2010/11/29 10:33:56 | 000,000,000 | ---D | M] (Gmail Watcher) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\gmailwatcher@sonthakit
[2010/10/21 05:35:37 | 000,000,000 | ---D | M] (Karma Blocker) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\kabl@trac.arantius.com
[2010/12/17 07:56:31 | 000,000,000 | ---D | M] (OpenXMLViewer) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\OpenXMLViewer@Codeplex.com
[2010/11/19 09:32:58 | 000,000,000 | ---D | M] (OptimizeGoogle) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\optimizegoogle@optimizegoogle.com
[2010/12/17 08:02:02 | 000,000,000 | ---D | M] (ThinkfreeFox) -- C:\Documents and Settings\jmckee\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\thinkfreefox@thinkfree.com
[2011/01/14 09:06:41 | 000,000,000 | ---D | M] (1-Click YouTube Video Downloader) -- C:\Documents and Settings\jremoved\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\YoutubeDownloader@PeterOlayev.com
[2010/02/04 08:53:53 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/08 09:02:30 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\Jremoved\LOCAL SETTINGS\APPLICATION DATA\{7B3E7CBB-427B-462E-B362-F0DEB21C031F}
[2009/02/19 17:33:59 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2001/08/23 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-2495183507-3996975793-4178747209-1120..\Run: [Jqajewomewomewom] C:\Documents and Settings\jremoved\Local Settings\Application Data\olukaqojo.dll ()
O4 - HKU\S-1-5-21-2495183507-3996975793-4178747209-1120..\Run: [Mnutur] C:\Documents and Settings\jremoved\Local Settings\Application Data\csginbd.dll (trbarry@trbarry.com)
O4 - Startup: C:\Documents and Settings\jmckee\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-21-2495183507-3996975793-4178747209-1120\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_06)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EntechEng.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system\svchost.exe) - C:\WINDOWS\system\svchost.exe ()
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/19 14:19:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{895074ac-8b69-11df-8893-00e04d8cac13}\Shell\AutoRun\command - "" = I:\
O33 - MountPoints2\{895074ac-8b69-11df-8893-00e04d8cac13}\Shell\explore\Command - "" = I:\RECYCLER\INFO.exe
O33 - MountPoints2\{895074ac-8b69-11df-8893-00e04d8cac13}\Shell\open\Command - "" = I:\RECYCLER\INFO.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 60 Days ==========

[2011/01/04 16:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jremoved\Desktop\gmer
[2011/01/04 16:56:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jremoved\My Documents\New Folder
[2010/12/17 19:05:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jremoved\My Documents\HTML
[2010/12/03 09:53:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jremoved\Local Settings\Application Data\Mozilla Firefoxes
[2010/12/02 07:56:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jremoved\Application Data\Malwarebytes
[2001/08/23 06:00:00 | 000,074,752 | ---- | C] (trbarry@trbarry.com) -- C:\Documents and Settings\jmckee\Local Settings\Application Data\csginbd.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 60 Days ==========

[2011/01/21 10:17:59 | 000,000,120 | ---- | M] () -- C:\Documents and Settings\jremoved\Local Settings\Application Data\Xzanoconisixejig.dat
[2011/01/21 10:17:59 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\jremoved\Local Settings\Application Data\Rxepiwumezim.bin
[2011/01/11 17:31:40 | 000,009,276 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\Expense CK Request for WP.wpd
[2011/01/07 16:16:03 | 000,802,998 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\SP.bmp
[2011/01/07 15:50:59 | 000,948,710 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\Curcumin -TF2.bmp
[2011/01/05 06:07:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/04 17:10:32 | 000,136,246 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\errormsg2.bmp
[2011/01/04 17:09:53 | 000,231,990 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\errormsg1.bmp
[2011/01/04 16:51:19 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\jremoved\defogger_reenable
[2011/01/04 10:11:51 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/17 09:45:38 | 001,517,094 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\TF.bmp
[2010/12/03 14:06:38 | 000,101,888 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\BR1247_8 JMCK~Contractor Gate Entry Form NEW 2009 Rev. 2.doc
[2010/12/03 14:04:58 | 000,099,328 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\BR1247_8 Mark ~Contractor Gate Entry Form NEW 2009 Rev. 2.doc
[2010/12/03 14:00:57 | 000,099,328 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\BR1247_8 Tim ~Contractor Gate Entry Form NEW 2009 Rev. 2.doc
[2010/12/03 13:58:37 | 000,099,328 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\BR1247_8 JOE~Contractor Gate Entry Form NEW 2009 Rev. 2.doc
[2010/12/03 09:54:00 | 000,002,100 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\Firefox II.lnk
[2010/12/01 16:45:28 | 000,015,488 | ---- | M] () -- C:\Documents and Settings\jremoved\Desktop\BOP - Data Table .qpw
[2010/11/29 14:20:59 | 000,000,181 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/11 17:31:40 | 000,009,276 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\Expense CK Request for WP.wpd
[2011/01/07 16:16:03 | 000,802,998 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\SP.bmp
[2011/01/07 15:50:59 | 000,948,710 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\Curcumin -TF2.bmp
[2011/01/04 17:10:32 | 000,136,246 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\errormsg2.bmp
[2011/01/04 17:09:53 | 000,231,990 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\errormsg1.bmp
[2011/01/04 16:51:19 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\jremoved\defogger_reenable
[2010/12/17 09:45:37 | 001,517,094 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\TF.bmp
[2010/12/03 13:55:38 | 000,099,328 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\BR1247_8 Tim ~Contractor Gate Entry Form NEW 2009 Rev. 2.doc
[2010/12/03 13:52:26 | 000,099,328 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\BR1247_8 Mark ~Contractor Gate Entry Form NEW 2009 Rev. 2.doc
[2010/12/03 09:54:00 | 000,002,100 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\Firefox II.lnk
[2010/12/01 15:42:51 | 000,015,488 | ---- | C] () -- C:\Documents and Settings\jremoved\Desktop\BOP - Data Table .qpw
[2010/09/08 09:02:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\jremoved\Local Settings\Application Data\Rxepiwumezim.bin
[2010/09/08 09:02:33 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\jremoved\Local Settings\Application Data\Xzanoconisixejig.dat
[2010/07/19 09:38:56 | 000,000,181 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2010/07/19 09:16:09 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\jremoved\Application Data\PFP120JPR.{PB
[2010/07/19 09:16:09 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\jremoved\Application Data\PFP120JCM.{PB
[2009/07/06 12:39:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\MSVolumeAP.dll
[2009/06/25 14:49:53 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2009/04/08 16:46:28 | 000,000,049 | ---- | C] () -- C:\WINDOWS\atomcl.ini
[2009/03/03 16:13:46 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/02/20 09:47:10 | 000,003,252 | ---- | C] () -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS
[2009/02/19 16:58:01 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/02/19 14:45:16 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2009/02/18 23:50:35 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001/08/23 06:00:00 | 000,199,168 | ---- | C] () -- C:\Documents and Settings\jremoved\Local Settings\Application Data\olukaqojo.dll

< End of report >
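As an added example (not from the original post and not OTL's own code), a small Python triage script that walks a few lines modelled on the O4/O20/O33/MOD entries of the OTL report above and flags the persistence items a responder would look at first: a Winlogon UserInit value that is not the stock %SystemRoot%\system32\userinit.exe, Run keys loading DLLs from the user's Application Data, lookalike svchost.exe copies outside system32, and MountPoints2 autorun commands that hand control to an executable on a removable drive. The heuristics, the sample lines and the "no company string in a profile directory" rule are my own assumptions; benign entries from the same report are included to show they pass.

```python
"""Triage heuristics for OTL-style log lines (added example, not OTL's own code).

The patterns below are my own assumptions about what a responder checks first in
an OTL report: the Winlogon UserInit value, Run keys that launch DLLs from a
user's Application Data, lookalike svchost.exe copies, and MountPoints2 autorun
commands on removable drives.
"""
import re

# Constructed sample, modelled on the O4/O20/O33/MOD lines of the report above.
SAMPLE_LOG = r"""
O4 - HKU\S-1-5-21-2495183507-3996975793-4178747209-1120..\Run: [Jqajewomewomewom] C:\Documents and Settings\jremoved\Local Settings\Application Data\olukaqojo.dll ()
O4 - HKU\S-1-5-21-2495183507-3996975793-4178747209-1120..\Run: [Mnutur] C:\Documents and Settings\jremoved\Local Settings\Application Data\csginbd.dll (trbarry@trbarry.com)
O4 - Startup: C:\Documents and Settings\jmckee\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system\svchost.exe) - C:\WINDOWS\system\svchost.exe ()
O33 - MountPoints2\{895074ac-8b69-11df-8893-00e04d8cac13}\Shell\open\Command - "" = I:\RECYCLER\INFO.exe
O33 - MountPoints2\{895074ac-8b69-11df-8893-00e04d8cac13}\Shell\AutoRun\command - "" = I:\
MOD - [2008/04/14 05:42:10 | 000,199,168 | ---- | M] () -- C:\Documents and Settings\jmckee\Local Settings\Application Data\olukaqojo.dll
MOD - [2008/04/14 05:42:04 | 000,713,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\opengl32.dll
"""

# Per-user profile data directories on XP: anything auto-started from here deserves a look.
PROFILE_DATA = re.compile(r"\\documents and settings\\[^\\]+\\(local settings\\)?application data\\")


def parse_company(line):
    """Company field OTL prints in parentheses: '' when empty, None when absent."""
    m = re.search(r"\(([^()]*)\)\s*$", line) or re.search(r"\]\s*\(([^()]*)\)\s+--", line)
    return m.group(1).strip() if m else None


def extract_target(line):
    """Last drive-letter path on the line, i.e. the file that actually gets launched."""
    body = re.sub(r"\s*\([^()]*\)\s*$", "", line)  # drop a trailing company field
    starts = [m.start() for m in re.finditer(r"[A-Za-z]:\\", body)]
    return body[starts[-1]:].strip() if starts else None


def triage_line(line):
    """Return a list of findings for one OTL line; an empty list means nothing stood out."""
    line = line.strip()
    if not line:
        return []
    tag = line.split(" ", 1)[0]  # O4, O20, O33, MOD, ...
    low = (extract_target(line) or "").lower()
    company = parse_company(line)
    findings = []
    # Winlogon UserInit must be the stock %SystemRoot%\system32\userinit.exe.
    if tag == "O20" and "userinit" in line.lower() and not low.endswith(r"\system32\userinit.exe"):
        findings.append("O20: UserInit hijacked; expected %SystemRoot%\\system32\\userinit.exe")
    # The real svchost.exe lives only in system32; the same name elsewhere is a lookalike.
    if low.endswith(r"\svchost.exe") and r"\system32\svchost.exe" not in low:
        findings.append("svchost.exe outside system32 (lookalike name)")
    # A Run key cannot execute a DLL directly, so this is a rundll32-style loader.
    if tag == "O4" and low.endswith(".dll"):
        findings.append("O4: Run entry loads a DLL from disk")
    # Binaries with no company string living in the user's profile.
    # The company string is a version resource the file's author controls, so
    # its presence proves nothing; its absence in a profile directory is a cue.
    if tag in ("O4", "MOD") and PROFILE_DATA.search(low) and not company:
        findings.append(f"{tag}: no-company binary in user Application Data")
    # MountPoints2 autorun handing control to an executable on a removable drive.
    if tag == "O33" and ("\\recycler\\" in low or low.endswith(".exe")):
        findings.append("O33: MountPoints2 autorun command launches a drive-local executable")
    return findings


def triage_log(text):
    """Apply triage_line to every line; return [(line, findings)] for flagged lines only."""
    hits = []
    for raw in text.splitlines():
        findings = triage_line(raw)
        if findings:
            hits.append((raw.strip(), findings))
    return hits


if __name__ == "__main__":
    for entry, findings in triage_log(SAMPLE_LOG):
        print(entry)
        for f in findings:
            print("   ->", f)
```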

#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:37 AM

Posted 26 January 2011 - 06:05 PM

Hi ((Vibe)),


Did you remove the account name in the logs manually, or ...?

OTL by OldTimer - Version 3.2.20.3 Folder = C:\Documents and Settings\jremoved\My Documents\Downloads



Any success in finding an account with admin rights?


If not please do this:



Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source: (path to Windows installation files)
      • Enter the path to the drive where your XP CD is located.
      • You can click on the "..." button on the right to navigate to the path as well.
    • Custom: (include files and folders from this directory)
      • No information is necessary, leave blank.
    • Output: (C:\ubcd4win\BartPE)
      • Keep the default BartPE
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD


Please note: If your XP install disc is SP1 then please .....

  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

    This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here
http://www.ubcd4win.com/faq.htm#dell
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit


4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.


Regards,
Georgi



#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:37 AM

Posted 30 January 2011 - 12:43 PM

Hi ((Vibe)),


It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 48 hours.
Thanks for your understanding on this.


Regards,
Georgi



#13 ((Vibe))

((Vibe))
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 01 February 2011 - 09:29 AM

Hey Georgi, I was out sick Friday and am out doing training today, won't be back until tomorrow afternoon... was hoping you could leave the thread open until I'm able to get back to the problem computer. Thanks again for the help! =)

#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:37 AM

Posted 01 February 2011 - 11:48 AM

Hi ((Vibe)), :)


Ahhh thanks for letting me know.
Don't worry I'll keep an eye on the topic.
Get well soon!


Regards,
Georgi



#15 ((Vibe))

((Vibe))
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 03 February 2011 - 11:01 AM

Hey Georgi, I downloaded and then tried to install the program to make the boot CD, but it would not let me because I do not have admin rights. I'm guessing there isn't much we can do without admin rights. He kind of pops in and out, but I will try to get a hold of our part-time "IT guy" if I can within the next few days... but I would understand if you need to close the thread.

Regards
~J



