
Can't Run Cmd-taskmgr-regedit


This topic is locked
15 replies to this topic

#1 boudreaup
  • Members
  • 10 posts

Posted 28 February 2006 - 06:43 PM

Hi,

This is my first post, so bear with me. When I try to run cmd, taskmgr or regedit the message 'another program is currently using this file' pops up. I tried opening it from System32 folder and I'm still getting the same message. I have xp firewall. I cleaned the temp files. I already ran anti-virus (avast), anti-spyware (SD-Spybot+Ad-Aware) and Stinger. I still have the same issue. I'm running out of options here, so I ran HJT and here is the log. I am no expert with what those results mean, so any feedback would be appreciated. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 6:29:46 PM, on 28/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Netropa\OSD.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bw.myway.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: svchost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106359806694
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134220745157
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://collaborate.webex.com/client/v_mywe...bex/ieatgpc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


#2 John_McKenna
    World Class Hairy Chest
  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 01 March 2006 - 08:45 AM

Hi and welcome to Bleeping. :thumbsup:

I think you may have a new variant of the Alcan worm but need to get a sample of one of your files.

Please submit the file C:\WINDOWS\System32\csrrs.exe to

http://www.bleepingcomputer.com/submit-malware.php

You may need to configure Windows to Show all hidden files & folders to reveal the file.

I'd also like to see everything you have running as startup including the entries you currently have disabled in msconfig.

Click on Start > Run and type msconfig in the 'Run' box. When the System Configuration Utility opens, click on the 'Startup Tab' and make sure there is a checkmark beside each entry. Ensure the 'General Tab' has the "normal startup" option checked. Reboot when asked to by Windows to complete any change.

Then post a fresh log in this thread and I'll post further instructions once I've had a look at that file. :flowers:




Keeping Track of Your Topic
  • Please subscribe to this thread by clicking 'Track this topic' at the top of the thread.
  • Enable email notification to subscribed threads via the My Control Panel link above.
  • Keep ALL future replies in this thread please.

Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#3 boudreaup
  • Topic Starter
  • Members
  • 10 posts

Posted 01 March 2006 - 09:54 PM

Hi John,

Thanks for the reply. I submitted the file csrrs.exe as requested. I also did what you asked in msconfig, then ran HJT again and here's the fresh log:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:17 PM, on 01/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\winsysban12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bw.myway.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban12.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: svchost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106359806694
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134220745157
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://collaborate.webex.com/client/v_mywe...bex/ieatgpc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#4 John_McKenna
    World Class Hairy Chest
  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 02 March 2006 - 05:55 AM

Thanks for submitting the file, it was very helpful :thumbsup:

You may want to save these instructions to notepad.

Step # 1

Run HijackThis again and checkmark the boxes before the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bw.myway.com/

R3 - URLSearchHook: (no name) - <default> - (no file)

O4 - HKLM\..\Run: [csr] csrrs.exe

O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe

O4 - HKLM\..\Run: [winsysban] C:\\winsysban12.exe

O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe

O4 - HKLM\..\RunServices: [csr] csrrs.exe

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O4 - Global Startup: svchost.exe

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://collaborate.webex.com/client/v_mywe...bex/ieatgpc.cab

Close ALL OTHER OPEN WINDOWS and click "Fix Checked"


Step # 2

1. Please download The Avenger and unzip it to your Desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
%systemdrive%\winsysban12.exe
%systemdrive%\winsysupd12.exe
%systemdrive%\gimmygames12.exe
%windir%\system32\csrrs.exe

Folders to delete:
%ProgramFiles%\Common Files\VCClient

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V)
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically perform the following 3 tasks:
  • On reboot, briefly open a black command window on your desktop; this is normal.
  • After the restart, create a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • Back up everything you've asked it to delete, zip the backups and move the zip archive to C:\avenger\backup.zip.
Step # 3

Then run the following online virus scan with Internet Explorer (saving the scan report when complete):

Panda ActiveScan
  • Once on the Panda site click the Scan your PC button and then the Check Now button on the next screen.
  • Enter your details in the required fields.
  • Then click the big Scan Now button.
  • Allow the Active X component to install and download the necessary files. (Note: It may take a couple of minutes)
  • When the download is complete, click on Local Disks to start the scan.
  • Upon scan completion, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Step # 4

Then post the following in your next reply please:
  • New HijackThis log.
  • C:\avenger.txt.
  • Online scan results.
  • Any problems you encountered.


#5 boudreaup
  • Topic Starter
  • Members
  • 10 posts

Posted 02 March 2006 - 09:57 PM

Hi John,

Here it is.

Fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:00 PM, on 02/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\OSD.exe
C:\mousepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106359806694
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134220745157
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\arygheei

*******************

Script file located at: \??\C:\WINDOWS\mthbaukd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe not found!
Deletion of file C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe failed!

Could not process line:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
Status: 0xc0000034

File C:\winsysban12.exe deleted successfully.
File C:\winsysupd12.exe deleted successfully.
File C:\gimmygames12.exe deleted successfully.
File C:\WINDOWS\system32\csrrs.exe deleted successfully.


Folder C:\Program Files\Common Files\VCClient not found!
Deletion of folder C:\Program Files\Common Files\VCClient failed!

Could not process line:
C:\Program Files\Common Files\VCClient
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.



Panda Scan result:


Incident Status Location

Virus:W32/Gaobot.MJA.worm Disinfected C:\avenger\backup.zip[csrrs.exe]
Virus:Trj/Downloader.CKQ Disinfected C:\avenger\backup.zip[gimmygames12.exe]
Adware:Adware/DollarRevenue Not disinfected C:\avenger\backup.zip[winsysban12.exe]
Adware:Adware/XPlugin Not disinfected C:\avenger\backup.zip[winsysupd12.exe]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Pascal Boudreau\Application Data\Mozilla\Firefox\Profiles\xi7b8yw2.default\cookies.txt[]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Pascal Boudreau\Cookies\pascal boudreau@ad.yieldmanager[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Pascal Boudreau\Cookies\pascal boudreau@burstnet[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Pascal Boudreau\Cookies\pascal boudreau@com[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Pascal Boudreau\Cookies\pascal boudreau@go[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Pascal Boudreau\Cookies\pascal boudreau@rn11[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Pascal Boudreau\Cookies\pascal boudreau@www.burstbeacon[2].txt
Adware:Adware/BroadcastPC Not disinfected C:\DR21206.exe
Virus:W32/Gaobot.MJA.worm Disinfected C:\Program Files\HijackThis\backups\backup-20060302-204531-530-svchost.exe
Virus:W32/Gaobot.MJA.worm Disinfected C:\WINDOWS\b.exe
Adware:adware/superspider Not disinfected C:\WINDOWS\system32\a.exe
Adware:adware/eshopper Not disinfected C:\WINDOWS\system32\Eshop.xml
Adware:adware/iedriver Not disinfected C:\WINDOWS\system32\iedriver.exe
Adware:Adware/SaveNow Not disinfected C:\WINDOWS\system32\VVSN_SCNC0704Inst.exe

Again, thanks a bunch for the support!
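The Avenger log above shows the shape a cleanup run should have: back each file up, then delete it, and report a path that is already gone (status 0xc0000034, which is STATUS_OBJECT_NAME_NOT_FOUND) without aborting the rest of the script. The backup is not a formality: the Panda scan that followed identified csrrs.exe as W32/Gaobot.MJA inside C:\avenger\backup.zip, which is what confirmed John's initial suspicion. The following is an added example, not The Avenger's code and not from the thread, that implements that back-up-then-delete pattern in Python and exercises it in a temporary directory. The file names are borrowed from the thread; their contents are constructed placeholders, and the `Startup\svchost.exe` path is deliberately never created to reproduce the not-found case.

```python
import zipfile
from pathlib import Path

# NTSTATUS shown in the thread's avenger.txt for a file that was already gone.
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034


def quarantine_and_delete(paths, backup_zip):
    """Archive each file into backup_zip, then delete the original.

    Returns {path: status}. A missing file is reported and skipped rather than
    aborting the run, so one stale line does not stop the rest of the cleanup.
    """
    results = {}
    with zipfile.ZipFile(backup_zip, "a", zipfile.ZIP_DEFLATED) as zf:
        for p in map(Path, paths):
            if not p.is_file():
                results[str(p)] = f"not found (status 0x{STATUS_OBJECT_NAME_NOT_FOUND:08x})"
                continue
            zf.write(p, arcname=p.name)  # keep the sample: a later scan can still identify it
            p.unlink()
            results[str(p)] = "deleted (backed up)"
    return results


def demo() -> dict:
    """Constructed run in a temporary directory: two dropped files plus one path
    that no longer exists, mirroring the 'not found' line in the thread's log."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("winsysban12.exe", "gimmygames12.exe"):
            (root / name).write_bytes(b"constructed placeholder, not a real binary")
        missing = root / "Startup" / "svchost.exe"   # never created on purpose
        results = quarantine_and_delete(
            [root / "winsysban12.exe", root / "gimmygames12.exe", missing],
            root / "backup.zip",
        )
        with zipfile.ZipFile(root / "backup.zip") as zf:
            archived = sorted(zf.namelist())
        survivors = sorted(p.name for p in root.iterdir() if p.suffix == ".exe")
        return {
            "results": {Path(k).name: v for k, v in results.items()},
            "archived": archived,
            "survivors": survivors,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The archive is opened in append mode so a second script run adds to the same backup rather than overwriting the samples from the first, which is what lets a later scanner walk the whole collection as Panda did here.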

#6 John_McKenna
    World Class Hairy Chest
  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 03 March 2006 - 03:52 AM

Nice cleanup. :thumbsup:

Just a few remaining now.


Step # 1

Fix these entries in your HijackThis log:

O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)

O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Step # 2

Empty your Firefox cookie cache by clicking on Tools > Options > Privacy tab > Cookies. Retain any important login cookies if you like but clear the rest.


Step # 3

Then save this Avenger script as before and execute it to remove the remaining files.

Files to delete:
%systemdrive%\DR21206.exe
%windir%\system32\a.exe 
%windir%\system32\Eshop.xml
%windir%\system32\iedriver.exe 
%windir%\system32\VVSN_SCNC0704Inst.exe

Step # 4

Then post a fresh HJT log, Avenger.txt and let me know how the machine is performing please.

:flowers:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#7 boudreaup
Posted 03 March 2006 - 08:55 PM

Hi John,

As requested.

Fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:03 PM, on 03/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\mousepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106359806694
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134220745157
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hmlfntaf

*******************

Script file located at: \??\C:\Program Files\nensjlbi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\DR21206.exe deleted successfully.
File C:\WINDOWS\system32\a.exe deleted successfully.
File C:\WINDOWS\system32\Eshop.xml deleted successfully.
File C:\WINDOWS\system32\iedriver.exe deleted successfully.
File C:\WINDOWS\system32\VVSN_SCNC0704Inst.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Guess what! I can now run cmd-taskmgr-regedit! That was well worth it. I am still getting an error related to vcmain.exe and vcclient.exe when I restart. That leads me to believe that I might still have malware on the computer. Let me know if you see something else in the HJT log I should fix. Thanks.

#8 John_McKenna
Posted 04 March 2006 - 08:00 AM

It looks like you've been hijacked again though.

Silly me, I think I missed a few sneaky ones.

Go to Jotti's Malware Scan.

Paste the filepaths below into the box at the top and hit Submit to upload each of them for analysis:

C:\keyboard.exe
C:\mousepad.exe


Save the results to notepad and post them in your next reply please.


Then submit the files to:

http://www.bleepingcomputer.com/submit-malware.php

:thumbsup:

#9 boudreaup
Posted 04 March 2006 - 08:50 AM

I've submitted both files mousepad.exe and keyboard.exe. Here are the Jotti's scan results for both files:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
File: mousepad.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 719b8ac82a1bab354d5cf3d2a0f255b2
Packers detected: -
Scanner results
AntiVir Found Trojan/Click.VB.LI.5
ArcaVir Found Trojan.Clicker.Vb.Li
Avast Found nothing
AVG Antivirus Found Clicker.BRM
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Click.930
F-Prot Antivirus Found nothing
Fortinet Found Adware/VB
Kaspersky Anti-Virus Found Trojan-Clicker.Win32.VB.li
NOD32 Found Win32/TrojanClicker.VB.LI
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Clicker.Win32.VB.li


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
File: keyboard.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 751a8c76f3a18dc730c7b45f5d17fd84
Packers detected: -
Scanner results
AntiVir Found Trojan/Dldr.VB.XV
ArcaVir Found Trojan.Downloader.Vb.Xv
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Popuper
F-Prot Antivirus Found nothing
Fortinet Found W32/VB.XV!dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.VB.xv
NOD32 Found a variant of Win32/TrojanDownloader.VB.WG
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.VB.xv

#10 John_McKenna
Posted 04 March 2006 - 11:21 AM

Thank you for the files. :thumbsup:

You may wish to save these instructions to notepad or print them out for use while in Safe Mode.


Step # 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download ATF Cleaner to your desktop.

Download and install Ewido Anti-Malware.
  • When installing Ewido, under "Additional Options" uncheck "Install Background Guard" and "Install Scan Via Context Menu".
  • Launch Ewido by double-clicking the desktop icon and click 'OK' at the "Database could not be found!" warning.
  • Click "Update" on the left side of the main screen to update the definitions file.
  • Then click "Start Update".
  • When you receive the "Update successful" prompt, close the program for use later.
Step # 2

Reboot into Safe Mode now please.

Run HijackThis again and checkmark the boxes before the following:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe

O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe


Close ALL OTHER OPEN WINDOWS and click "Fix Checked"


Step # 3

Use Windows Explorer to locate & delete the following files/folders in bold:

C:\keyboard.exe
C:\mousepad.exe

C:\Program Files\TheSearchAccelerator\

Step # 4

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Step # 5

Launch Ewido Anti-Malware.
  • Click on Scanner.
  • Click on Complete System Scan and the scan will begin.
  • Warning: Do NOT open any other windows or your Control Panel while scanning as it may prevent scan completion!!
  • When prompted to clean the first infection, select "Remove" and checkmark the box beside "Perform action on all infections" in the left corner.
  • Upon scan completion, click the Save report button and save the report.txt to your desktop.
  • Then close Ewido and post the scan results please.
Step # 6

Then post the following in your next reply please:
  • New HijackThis log.
  • Ewido scan results.
  • Any problems you encountered.
* I'm off out for the night now so I'll look in tomorrow afternoon / evening.

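A small triage script for the kind of HijackThis log posted in this thread, added here as an example; it is not code from the thread, from the helper, or from HijackThis itself. It encodes three of the judgements made above: R0/R1 search and start-page URLs that point anywhere other than a vendor default are probable search hijacks, O4 Run entries whose target is an .exe sitting directly in the drive root (C:\\keyboard.exe, C:\\mousepad.exe) are almost never legitimate, and O2/O3 entries marked "(no file)" are orphaned and safe to remove. The list of vendor-default hosts is an assumption, and the sample log is a constructed subset of the lines posted in this thread.

```python
"""Triage a HijackThis-style log with heuristics drawn from this thread.

Added example, not part of the thread or of HijackThis. Three checks:
  * R0/R1 URLs whose host is not a known vendor default  -> search_hijack
  * O4 Run entries targeting an .exe in the drive root    -> root_autorun
  * O2/O3 entries ending in "(no file)"                   -> orphaned_entry
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: hosts an unmodified IE 6 / Windows XP install would point at.
DEFAULT_HOSTS = ("microsoft.com", "msn.com", "google.ca", "google.com")

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>.+?) = (?P<url>\S+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|scr|com)\b", re.IGNORECASE)
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str     # "search_hijack", "root_autorun" or "orphaned_entry"
    detail: str   # the host, the path, or the entry name
    line: str     # the raw log line the finding came from


def host_is_default(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DEFAULT_HOSTS)


def target_path(cmd: str):
    """First Windows path in a Run command, with doubled backslashes collapsed."""
    m = WIN_PATH.search(cmd)
    return re.sub(r"\\+", r"\\", m.group(0)) if m else None


def triage(log_text: str):
    """Return a list of Finding objects for the suspicious lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := R_LINE.match(line)):
            host = urlsplit(m.group("url")).hostname or ""
            if not host_is_default(host):
                findings.append(Finding("search_hijack", host, line))
        elif (m := O4_RUN.match(line)):
            path = target_path(m.group("cmd"))
            if path and ROOT_EXE.match(path):
                findings.append(Finding("root_autorun", path, line))
        elif line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            findings.append(Finding("orphaned_entry", line.split(" - ")[1], line))
    return findings


# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:15} {f.detail}")
```

The root-autorun check is deliberately narrow: it does not try to judge paths under Program Files (the VCClient entries the helper also flagged), because those need the kind of context a log alone does not carry, which is exactly why the thread sends the files to a multi-engine scanner instead.
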
#11 boudreaup
Posted 05 March 2006 - 11:09 AM

Here's the fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:30 AM, on 05/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106359806694
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134220745157
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Ewido Scan results in SAFE MODE:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:30:06 AM, 05/03/2006
+ Report-Checksum: DBCD48E1

+ Scan result:

C:\avenger\backup-03.03.2006-17.36.12.92.zip/avenger/winsysban12.exe -> Hijacker.VB.li : Cleaned with backup
C:\avenger\backup-03.03.2006-17.36.12.92.zip/avenger/winsysupd12.exe -> Hijacker.StartPage.aib : Cleaned with backup
C:\avenger\backup.zip/avenger/a.exe -> Downloader.VB.xr : Cleaned with backup
C:\avenger\backup.zip/avenger/iedriver.exe -> Hijacker.Iedriver : Cleaned with backup
C:\avenger\backup.zip/avenger/VVSN_SCNC0704Inst.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\avenger\backup.zip/avenger/VVSN_SCNC0704Inst.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Winenger\Cache\00000029_43e3f2c8_0007a120 -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000011.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000013.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000019.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000020.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000021.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000022.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000023.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000024.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000025.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000026.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000027.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000028.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000029.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000030.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000031.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000032.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000033.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000034.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000035.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000036.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000037.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000038.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000039.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000040.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000041.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000042.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000043.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000044.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000045.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000046.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000047.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000048.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000049.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000050.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000051.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000052.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000053.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000054.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000055.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000056.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000057.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000058.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000059.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000060.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000061.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000062.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000063.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000064.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000065.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000066.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000067.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000068.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000069.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000070.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000071.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000072.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000073.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000074.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000075.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000076.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000077.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000078.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000079.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000080.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000081.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000082.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000083.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000084.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000085.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000086.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000087.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000088.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000089.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000090.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000091.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000092.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000093.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000094.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000095.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000096.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000097.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000098.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000099.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000100.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000101.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000102.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000103.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000104.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000105.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000106.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000107.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000108.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP1\A0000109.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001131.exe -> Downloader.Adload.u : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001140.exe -> Downloader.VB.xr : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001142.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001144.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001159.exe -> Downloader.VB.xr : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001164.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001165.exe -> Downloader.VB.xr : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001204.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP2\A0001204.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP3\A0001208.exe -> Downloader.VB.nw : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP3\A0001209.exe -> Downloader.Adload.u : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP3\A0001216.exe -> Dropper.Agent.aie : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001244.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001258.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001259.exe -> Downloader.Adload.v : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001260.exe -> Hijacker.VB.li : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001261.exe -> Hijacker.StartPage.aib : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001267.exe -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001268.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001288.exe -> Downloader.VB.xr : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001291.exe -> Hijacker.Iedriver : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001292.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP5\A0001292.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP6\A0001309.dll -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP6\A0001310.dll -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP7\A0001377.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP7\A0001377.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP7\A0001379.exe -> Downloader.VB.xv : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP7\A0001380.exe -> Hijacker.VB.li : Cleaned with backup
C:\System Volume Information\_restore{987E070E-E358-41E6-B3D5-26F3116AEEDC}\RP7\A0001381.exe -> Downloader.VB.xu : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\system32\dr.exe -> Downloader.Adload.t : Cleaned with backup


::Report End


Some entries in HJT you wanted me to fix in the previous post did not appear in Safe Mode, so I fixed them in normal mode.

#12 John_McKenna


    World Class Hairy Chest


  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 05 March 2006 - 11:57 AM

Looking good. :thumbsup:

Were these the entries that were not visible in Safe Mode?

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

You may wish to run the Panda scan again to double check there's nothing left. Post back with the results if it detects anything. If it doesn't, run the machine for a few days and let me know how it's performing so we can finish up with some advice for the future. :flowers:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#13 boudreaup

  • Topic Starter

  • Members
  • 10 posts

Posted 05 March 2006 - 07:17 PM

Yes, it was those entries that were invisible in Safe Mode. According to Panda, I'm clean! :thumbsup: There's just one file that I think might be a variant:

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

Check this link: ctfmon.exe

I've also submitted it if you want to take a look at it.

As requested, I'll let you know in a few days if there are any problems. I'm looking forward to those tips for the future...

Thanks.

#14 John_McKenna


    World Class Hairy Chest


  • Members
  • 497 posts
  • Gender:Male
  • Location:Liverpool

Posted 05 March 2006 - 09:08 PM

There are a few O4 entries which look very similar to that and which are indeed nasty, but on this occasion that is a legitimate entry. I had the file scanned anyway, and these are the results, which will hopefully put your mind at rest.

From VirusTotal.com

AntiVir 6.33.1.53 03.05.2006 no virus found
Avast 4.6.695.0 03.03.2006 no virus found
AVG 718 03.03.2006 no virus found
Avira 6.33.1.53 03.05.2006 no virus found
BitDefender 7.2 03.06.2006 no virus found
CAT-QuickHeal 8.00 03.04.2006 no virus found
ClamAV devel-20060126 03.05.2006 no virus found
DrWeb 4.33 03.05.2006 no virus found
eTrust-InoculateIT 23.71.94 03.05.2006 no virus found
eTrust-Vet 12.4.2104 03.03.2006 no virus found
Ewido 3.5 03.05.2006 no virus found
Fortinet 2.71.0.0 03.06.2006 no virus found
F-Prot 3.16c 03.03.2006 no virus found
Ikarus 0.2.59.0 03.03.2006 no virus found
Kaspersky 4.0.2.24 03.06.2006 no virus found
McAfee 4710 03.03.2006 no virus found
NOD32v2 1.1431 03.05.2006 no virus found
Norman 5.70.10 03.03.2006 no virus found
Panda 9.0.0.4 03.06.2006 no virus found
Sophos 4.03.0 03.06.2006 no virus found
Symantec 8.0 03.06.2006 no virus found
TheHacker 5.9.5.107 03.06.2006 no virus found
UNA 1.83 03.02.2006 no virus found
VBA32 3.10.5 03.06.2006 no virus found


Jotti's gave the same results as well.


Everything appears to be in order so I guess we can wrap things up for the time being.

Let me know if the problems return.

Now that you're clean again, please follow these simple steps to keep yourself safe and secure in the future.


Re-enable Your Protection

If asked to reveal your hidden system files and folders during the course of the fix, please rehide those now by reversing the steps here.

Please also re-enable the real-time protection for any anti-spyware programs I asked you to disable before proceeding with the fix.


Disable and Re-enable System Restore to Flush Infected Restore Points

If you are using Windows ME or XP, you should disable and re-enable system restore to make sure there are no infected files found in your restore points.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

or

Managing Windows Millennium System Restore

Re-enable System Restore with instructions from the tutorial above and create a new Restore point.


Block Access to Untrustworthy Sites

You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.


Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet



Safe Surfing

JM :thumbsup:
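As an added illustration of the hosts-file approach John describes above (example code written here, not code from the thread or from the MVPS project): a small Python parser for the hosts file format that reports which hostnames are sinkholed and flags entries that instead redirect a hostname to a routable address, the kind of entry a hosts-file hijack leaves behind. The sample file, its hostnames and its addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the MVPS layout: a comment header, "0.0.0.0 <host>"
# lines, plus two entries of the kind a hijacker adds (redirect to a real IP).
SAMPLE_HOSTS = """\
# Example header line (constructed, not the real MVPS file)
127.0.0.1 localhost
0.0.0.0 ad.example-adserver.test   # blocked ad server
0.0.0.0 tracker.example.test stats.example.test
127.0.0.1 popup.example.test
203.0.113.9 www.avast.com          # security vendor redirected: suspicious
203.0.113.9 www.bleepingcomputer.com
"""

# Addresses that make a hostname unreachable rather than redirecting it.
SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address it is pinned to.
    '#' starts a comment; one line may list several hostnames."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line: skip it rather than guess
        for host in parts[1:]:
            mapping[host.lower()] = ip
    return mapping


def is_blocked(mapping: Dict[str, str], hostname: str) -> bool:
    """True when the hosts file sends this name to a sinkhole address."""
    host = hostname.lower()
    if host == "localhost":
        return False  # loopback for localhost is normal, not a block
    ip = mapping.get(host)
    return ip is not None and ipaddress.ip_address(ip) in SINKHOLES


def find_redirects(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Hostnames pinned to a routable address: review these by hand."""
    return sorted((h, ip) for h, ip in mapping.items()
                  if ipaddress.ip_address(ip) not in SINKHOLES)
```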

#15 boudreaup

  • Topic Starter

  • Members
  • 10 posts

Posted 06 March 2006 - 07:11 PM

Hi John,

I seem to be smooth sailing here. :thumbsup: I'm usually conscientious about keeping malware out of my machine and I can't explain how all this crap got into my computer. I learned a lot in the past week, and I am definitely using your tips to keep my computer as secure as possible.

Keep it up,


Pascal



