
Please Help Check My Hijackthis Log


  • This topic is locked
11 replies to this topic

#1 mings

mings

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:16 PM

Posted 07 August 2006 - 12:16 AM

Hi there,

I was recommended to this great forum.

I will deal with large amounts of online currency like Egold soon. Therefore I am really concerned with my PC security.

What I did before scanning with HijackThis:
1. Norton full scan
2. Kaspersky Internet Security scan (2 days ago) - adware/trojans deleted
3. Spybot Search and Destroy (today) - 3 adware/cookies deleted
4. Panda online scan, which found these:

Adware:adware/maxifiles Not disinfected c:\windows\system32\x.exe
Adware:adware/ncase Not disinfected c:\windows\msbb.exe.temp
Adware:adware/whenusearch Not disinfected \Star Menu\Programs\WhenU
Adware:adware/savenow Not disinfected c:\program files\Save
Adware:adware/searchrelevancy Not disinfected c:\program files\SearchRelevant
Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry




Here is my HijackThis log. I will really appreciate anyone here who can advise me what to do if there's harmful adware/trojans. I want to make sure my PC is perfectly safe before I do online transactions.
Thanks so much.

Logfile of HijackThis v1.99.1
Scan saved at 1:13:23 PM, on 8/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\ahsee\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [Start Upping] iexplorerupdt.exe
O4 - HKLM\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [Windows Frame Works] frmwrks32.exe
O4 - HKLM\..\Run: [tyzgd] C:\WINDOWS\tyzgd.exe
O4 - HKLM\..\Run: [Windows Security service] Winfix.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Windows AdService] C:\Program Files\Windows AdService\WinAdServ.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [Start Upping] iexplorerupdt.exe
O4 - HKLM\..\RunServices: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [Windows Frame Works] frmwrks32.exe
O4 - HKLM\..\RunServices: [Windows Security service] Winfix.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Start Upping] iexplorerupdt.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [Windows Frame Works] frmwrks32.exe
O4 - HKCU\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Finestra di stato di Canon LBP-800.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download using ReGet - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by Re&Get - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0742F7C-8DDF-4797-BF82-4327405C7A9A}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:16 AM

Posted 07 August 2006 - 07:47 AM

Hello,

I actually wonder if you ever scanned with an updated antispyware scanner and antivirus scanner, because I still see A LOT of leftovers in your log from infections which are very old, and most scanners should delete these leftovers...

And I already see it -- you are indeed running older outdated versions.
Please uninstall Adaware 6 Pro, because this scanner won't update anymore.
Then reboot.

After uninstalling Adaware 6 Pro, perform the following:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [Start Upping] iexplorerupdt.exe
O4 - HKLM\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\Run: [Windows Frame Works] frmwrks32.exe
O4 - HKLM\..\Run: [tyzgd] C:\WINDOWS\tyzgd.exe
O4 - HKLM\..\Run: [Windows Security service] Winfix.exe
O4 - HKLM\..\Run: [Windows AdService] C:\Program Files\Windows AdService\WinAdServ.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [Start Upping] iexplorerupdt.exe
O4 - HKLM\..\RunServices: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [Windows Frame Works] frmwrks32.exe
O4 - HKLM\..\RunServices: [Windows Security service] Winfix.exe
O4 - HKCU\..\Run: [Start Upping] iexplorerupdt.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [Windows Frame Works] frmwrks32.exe
O4 - HKCU\..\Run: [HP Deskjet 500] HP_DeskJet_500.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete next folders and files:

c:\windows\system32\x.exe
c:\windows\msbb.exe.temp
c:\program files\Save <== folder
c:\program files\SearchRelevant <== folder

Most of what is present in your HijackThis log is most probably not present anymore on your system, because otherwise it should be in your running processes.

Update your Sun Java:
Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have the following icon next to it: Posted Image
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido and reboot!!
Download Ad-aware version SE Personal 1.06 from one of these locations:

http://www.download.com/3000-2144-10045910.html
http://www.majorgeeks.com/download506.html

Install by double-clicking on the downloaded file.
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version. Be sure to uninstall the previous version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.
12. Reboot your computer and post a new hijackthislog together with the log from Ewido.

Edited by miekiemoes, 07 August 2006 - 07:48 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
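One way to mechanise the cross-check the helper applies above (O4 autostart entries that point at a bare filename with no directory, or at an executable that does not appear under "Running processes") is a small log triage script. This is an added Python example, not code from the thread, from BleepingComputer or from HijackThis itself. The sample log lines are constructed from entries quoted in this thread; the entry names and paths are illustrative, and the script makes no judgement about whether a flagged file is malicious, it only lists what a human reviewer should look at.

```python
"""Triage helper for HijackThis v1.99.1-style logs (added example).

Parses the "Running processes" section and the O4 autostart entries and
flags O4 entries whose executable is a bare filename (no directory, so it is
resolved through the search path rather than a fixed location) or whose
executable is not among the running processes. Both cues are the ones the
helper in this thread used; a hit means "review", not "malicious".
"""
import re
from dataclasses import dataclass

# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe

O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\RunServices: [Start Upping] iexplorerupdt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

# "O4 - <hive>: [<entry name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class O4Entry:
    hive: str
    name: str
    command: str


def basename(path: str) -> str:
    """Last path component, lower-cased for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def executable_of(cmd: str) -> str:
    """Extract the executable path from an O4 command line.

    A quoted path is taken up to the closing quote; otherwise the first
    whitespace-separated token is the executable and the rest are arguments.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def parse_log(text: str):
    """Return (set of running process basenames, list of O4Entry)."""
    running = set()
    entries = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line closes the process list
                in_procs = False
                continue
            running.add(basename(line))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(O4Entry(m["hive"], m["name"], m["cmd"]))
    return running, entries


def triage(text: str):
    """List (entry name, executable, reasons) for O4 entries worth a look."""
    running, entries = parse_log(text)
    findings = []
    for e in entries:
        path = executable_of(e.command)
        reasons = []
        if "\\" not in path:
            reasons.append("bare filename (resolved via search path, no fixed location)")
        if basename(path) not in running:
            reasons.append("not among running processes")
        if reasons:
            findings.append((e.name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {path}\n    " + "; ".join(reasons))
```

Running the script prints the four entries that need a second look and leaves the three that map onto a running process alone. A "not among running processes" hit on its own can be benign: the KernelFaultCheck entry points at dumprep, a Windows component that only runs after a crash, so the output is a review queue for a human, not a verdict.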

#3 mings

mings
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:16 PM

Posted 08 August 2006 - 01:21 AM

Hi miekiemoes, thanks a lot for your help. It was very detailed. :thumbsup:
I did everything you instructed exactly, except for:
c:\windows\system32\x.exe (cannot be removed)
c:\windows\msbb.exe.temp (no such file)

Alright, here's my Ewido and HijackThis logfile.

ewido (found 1 high risk, the rest medium/low)

C:\Documents and Settings\ahsee\Local Settings\Temp\RXQ\aurareco.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
G:\rgl18.exe/of_play_ins_w_2039.exe -> Adware.OnFlow : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Start Menu\Programs\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : Cleaned with backup (quarantined).
G:\rgl18.exe/tsad.dll -> Adware.TimeSink : Cleaned with backup (quarantined).
G:\rgl18.exe/tsadbot.exe -> Adware.TimeSink : Cleaned with backup (quarantined).
E:\MsgPlus-301.exe/sponsor.exe -> Downloader.Swizzor.ag : Cleaned with backup (quarantined).
E:\Warcraft III\URL2FILE.EXE -> Not-A-Virus.Downloader.Win32.Url2File.a : Cleaned with backup (quarantined).
E:\Warcraft III\Warcraft III.rar/URL2FILE.EXE -> Not-A-Virus.Downloader.Win32.Url2File.a : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Cookies\ahsee@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@cliks[2].txt -> TrackingCookie.Cliks : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.117:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Commission-junction : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Commission-junction : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Cookies\ahsee@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@ehg-interlifeform.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Cookies\ahsee@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.116:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\ahsee\Application Data\Netscape\NSB\Profiles\8w73f5gl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\ahsee\Application Data\Mozilla\Firefox\Profiles\yand0lk9.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@xxxtoolbar[2].txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Cookies\ahsee@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\ahsee\Local Settings\Temp\Cookies\ahsee@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 2:05:05 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ahsee\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [taskmgr] C:\WINDOWS\taskmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Finestra di stato di Canon LBP-800.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download using ReGet - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by Re&Get - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
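
The autostart entries are the part of this log worth reading most closely. The genuine Task Manager on Windows XP lives in C:\WINDOWS\system32, so an HKLM Run value named [taskmgr] that points at C:\WINDOWS\taskmgr.exe is a same-named file in the wrong place, and the ComboFix "Reg Loading Points" dump later in this thread lists HKEY_USERS\.default Run values such as "servic.exe" and "frmwrks32.exe" with no path at all. The script below is added here as an editor's example; it is not part of HijackThis, ComboFix or any post in the thread. It parses both line formats (HijackThis O4 lines and .reg-style "name"="command" lines) and flags those two patterns plus executables launched from a temp directory. The CANONICAL_DIRS table and the flagging rules are the editor's own heuristics, and the sample lines are copied from the logs on this page. A flagged entry is a lead to verify against the file on disk, not a verdict.

```python
"""Triage autostart entries from a HijackThis O4 section or a ComboFix
'Reg Loading Points' dump.

Added example for this thread, not part of HijackThis, ComboFix or any
post here. The rules are the editor's own heuristics; the sample lines
are copied from the logs in the thread.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Directories where the genuine Windows XP copies of these binaries live
# (editor's table). A same-named file anywhere else, e.g.
# C:\WINDOWS\taskmgr.exe, is a classic name-squatting trick.
CANONICAL_DIRS = {
    "taskmgr.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

HJT_O4 = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HJT_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>.*)"$')


class Entry(NamedTuple):
    name: str
    command: str
    image: str                  # executable path, lower-case
    findings: Tuple[str, ...]   # empty tuple = nothing suspicious


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (value name, command line) for a supported line, else None."""
    line = line.strip()
    m = HJT_O4.match(line) or HJT_STARTUP.match(line)
    if m:
        return m.group("name"), m.group("cmd")
    m = REG_VALUE.match(line)
    if m:
        # .reg syntax escapes backslashes and quotes with a backslash
        return m.group("name"), re.sub(r"\\(.)", r"\1", m.group("cmd"))
    return None


def image_path(command: str) -> str:
    """Extract the executable from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    # Unquoted: take everything up to the first .exe token, so paths with
    # spaces survive and trailing switches (/SYNC, -osboot) are dropped.
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return (m.group(1) if m else command.split()[0]).lower()


def triage(name: str, command: str) -> Entry:
    """Apply the heuristics to one entry and record why it was flagged."""
    image = image_path(command)
    directory, _, base = image.rpartition("\\")
    findings = []
    if not directory:
        findings.append("bare filename, no path: resolved at logon via PATH/App Paths")
    elif base in CANONICAL_DIRS and directory not in CANONICAL_DIRS[base]:
        findings.append(f"{base} outside its canonical directory ({directory})")
    if re.search(r"\\(temp|local settings\\temp)\\", image):
        findings.append("runs from a temp directory")
    return Entry(name, command, image, tuple(findings))


def analyse(text: str) -> List[Entry]:
    """Parse every supported line in a pasted log and triage it."""
    entries = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            entries.append(triage(*parsed))
    return entries


def flagged_names(text: str) -> List[str]:
    return [e.name for e in analyse(text) if e.findings]


# Constructed sample: lines copied from the HijackThis and ComboFix logs in the thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [taskmgr] C:\WINDOWS\taskmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
"Sygate Personal Firewall Start"="servic.exe"
"Windows Frame Works"="frmwrks32.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
'''

if __name__ == "__main__":
    for entry in analyse(SAMPLE_LOG):
        mark = "!!" if entry.findings else "  "
        print(f"{mark} [{entry.name}] {entry.image}  {'; '.join(entry.findings)}")
```

Run it on a whole pasted log and only the [taskmgr] value and the path-less HKEY_USERS\.default values come out marked; the Symantec, IME, HP and RoboForm entries pass because they carry a full path to a directory that matches their name. The bare-filename rule is deliberately strict: a Run value with no directory is resolved at logon through the search path, which is exactly what makes it convenient for malware and hard to pin down from the log alone.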

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 08 August 2006 - 06:26 AM

Hello,

Try to remove c:\windows\system32\x.exe in Safe Mode.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Check and fix the next entry in HijackThis:

O4 - HKLM\..\Run: [taskmgr] C:\WINDOWS\taskmgr.exe

There are some additional scans I would like you to perform, so do the following next:

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
I need that log later.

* Download ComboFix to your desktop.
Double-click combo.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after the reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log and the log from BlackLight.

#5 mings
  • Topic Starter
  • Members
  • 5 posts

Posted 08 August 2006 - 05:34 PM

Hi again,

I forgot to tell you previously that I tried deleting x.exe in Safe Mode, and now I tried again; it still failed.
Do I need to delete it in DOS? I am not sure how.
OK, it seems like nothing was found with BlackLight and ComboFix.
Here it goes, thanks a lot!

BlackLight: nothing found
08/09/06 05:37:16 [Info]: BlackLight Engine 1.0.42 initialized
08/09/06 05:37:16 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/09/06 05:37:16 [Note]: 7019 4
08/09/06 05:37:16 [Note]: 7005 0
08/09/06 05:39:16 [Note]: 7006 0
08/09/06 05:39:16 [Note]: 7011 1704
08/09/06 05:39:17 [Note]: 7026 0
08/09/06 05:39:17 [Note]: 7026 0
08/09/06 05:39:42 [Note]: FSRAW library version 1.7.1019
08/09/06 05:52:14 [Note]: 7007 0



ComboFix: nothing found
Start Time= 08/09/2006 Wed 6:15:28.64
Running from: C:\Documents and Settings\ahsee\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-08 13:30:20 ( .D... ) "C:\Documents and Settings\ahsee\Application Data\Lavasoft"
2006-08-08 05:24:14 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-08-05 13:14:46 ( .D... ) "C:\Documents and Settings\ahsee\Application Data\Common Files"
2006-08-05 13:14:34 ( .D... ) "C:\Documents and Settings\ahsee\Application Data\HP"
2006-08-01 13:58:20 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-29 21:57:44 ( .D... ) "C:\Program Files\Siber Systems"
2006-07-26 14:18:30 ( .D... ) "C:\Documents and Settings\ahsee\Application Data\Vidalia"
2006-07-26 14:18:16 ( .D... ) "C:\Program Files\Privoxy"
2006-07-26 14:18:12 ( .D... ) "C:\Program Files\Vidalia"
2006-07-26 14:18:10 ( .D... ) "C:\Program Files\Tor"
2006-07-26 14:18:10 ( .D... ) "C:\Documents and Settings\ahsee\Application Data\Tor"
2006-07-22 17:02:32 ( .D... ) "C:\Program Files\Macromedia"
2006-07-22 17:02:32 ( .D... ) "C:\Program Files\Common Files\Macromedia"
2006-07-19 00:39:38 ( .D... ) "C:\Documents and Settings\ahsee\Application Data\Yahoo!"
2006-07-07 03:18:18 ( .D... ) "C:\Program Files\BlazeVideo"
2006-07-07 03:09:10 ( .D... ) "C:\Program Files\AdvancedDVDPlayer"
2006-07-06 17:25:52 500968 ( A.... ) "C:\motherboard_bios_ga-8nsli_f5.exe"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-03 20:14:50 65536 ( A.... ) "C:\WINDOWS\IFinst27.exe"
2006-06-03 19:52:02 24576 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-05-19 20:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 20:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 20:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
2005-12-05 21:16:40 2571 ( A.... ) "C:\Program Files\3dsmax.ini"
2005-12-05 21:16:38 64 ( A.... ) "C:\Program Files\maxscrpt.dsk"
2005-11-27 22:30:58 24 ( A.... ) "C:\Program Files\NAV product key.txt"
2005-10-13 05:04:08 445 ( A.... ) "C:\Program Files\plugin.ini"
2005-10-13 05:03:00 4585984 ( A.... ) "C:\Program Files\3dsmax.exe"
2005-08-17 03:35:24 122 ( A..H. ) "C:\Program Files\Descript.ion"
2005-06-27 23:57:44 22040920 ( A.... ) "C:\Program Files\iTunesSetup.exe"
2003-10-08 17:41:48 642381 ( A...R ) "C:\Program Files\Readme.rtf"
2003-10-04 20:12:54 131072 ( A.... ) "C:\Program Files\zip32.dll"
2003-10-04 20:12:54 36864 ( A.... ) "C:\Program Files\zlibdll.dll"
2003-10-04 20:12:52 204800 ( A.... ) "C:\Program Files\viz.dll"
2003-10-04 20:12:52 151552 ( A.... ) "C:\Program Files\unzip32.dll"
2003-10-04 20:12:52 16896 ( A.... ) "C:\Program Files\UIControls.dll"
2003-10-04 20:12:52 10752 ( A.... ) "C:\Program Files\undomgr.dll"
2003-10-04 20:12:52 10240 ( A.... ) "C:\Program Files\UndoBody.dll"
2003-10-04 20:12:52 7168 ( A.... ) "C:\Program Files\viewfile.dll"
2003-10-04 20:12:48 28727 ( A.... ) "C:\Program Files\texture7.dll"
2003-10-04 20:12:48 6144 ( A.... ) "C:\Program Files\tessint.dll"
2003-10-04 20:12:40 1238016 ( A.... ) "C:\Program Files\Rm.dll"
2003-10-04 20:12:40 1118720 ( A.... ) "C:\Program Files\splash.fla"
2003-10-04 20:12:40 602112 ( A.... ) "C:\Program Files\splash.dll"
2003-10-04 20:12:40 201611 ( A.... ) "C:\Program Files\splash.swf"
2003-10-04 20:12:40 156672 ( A.... ) "C:\Program Files\SendDmp.exe"
2003-10-04 20:12:40 117760 ( A.... ) "C:\Program Files\senddmpRes.dll"
2003-10-04 20:12:40 17043 ( A.... ) "C:\Program Files\splash.cfg"
2003-10-04 20:12:40 10752 ( A.... ) "C:\Program Files\SaveFile.dll"
2003-10-04 20:12:38 1167360 ( A.... ) "C:\Program Files\rct_preview.dll"
2003-10-04 20:12:38 224256 ( A.... ) "C:\Program Files\res3.dll"
2003-10-04 20:12:38 95232 ( A.... ) "C:\Program Files\Poly.dll"
2003-10-04 20:12:38 93696 ( A.... ) "C:\Program Files\res2.dll"
2003-10-04 20:12:38 71680 ( A.... ) "C:\Program Files\res1.dll"
2003-10-04 20:12:38 44032 ( A.... ) "C:\Program Files\res5.dll"
2003-10-04 20:12:38 35328 ( A.... ) "C:\Program Files\res4.dll"
2003-10-04 20:12:38 34816 ( A.... ) "C:\Program Files\res6.dll"
2003-10-04 20:12:38 18944 ( A.... ) "C:\Program Files\res7.dll"
2003-10-04 20:12:38 12800 ( A.... ) "C:\Program Files\preminfo.dll"
2003-10-04 20:12:38 12288 ( A.... ) "C:\Program Files\RenderUtil.dll"
2003-10-04 20:12:38 8704 ( A.... ) "C:\Program Files\resmgr.dll"
2003-10-04 20:12:38 7680 ( A.... ) "C:\Program Files\rct_registry.dll"
2003-10-04 20:12:38 7168 ( A.... ) "C:\Program Files\res10.dll"
2003-10-04 20:12:38 6144 ( A.... ) "C:\Program Files\res8.dll"
2003-10-04 20:12:36 495376 ( A.... ) "C:\Program Files\msxml.dll"
2003-10-04 20:12:36 487424 ( A.... ) "C:\Program Files\msvcp70.dll"
2003-10-04 20:12:36 344064 ( A.... ) "C:\Program Files\msvcr70.dll"
2003-10-04 20:12:36 218624 ( A.... ) "C:\Program Files\Paramblk2.dll"
2003-10-04 20:12:36 89088 ( A.... ) "C:\Program Files\oglgfx.drv"
2003-10-04 20:12:36 83968 ( A.... ) "C:\Program Files\ParticleFlow.dll"
2003-10-04 20:12:36 54784 ( A.... ) "C:\Program Files\msvci70.dll"
2003-10-04 20:12:36 32819 ( A.... ) "C:\Program Files\mtl7.dll"
2003-10-04 20:12:36 30208 ( A.... ) "C:\Program Files\particle.dll"
2003-10-04 20:12:36 10240 ( A.... ) "C:\Program Files\nulgfx.drv"
2003-10-04 20:12:34 4998144 ( A.... ) "C:\Program Files\Maxscrpt.dll"
2003-10-04 20:12:34 1015576 ( A.... ) "C:\Program Files\MaxSave.dll"
2003-10-04 20:12:34 974848 ( A.... ) "C:\Program Files\mfc70.dll"
2003-10-04 20:12:34 677888 ( A.... ) "C:\Program Files\mesh.dll"
2003-10-04 20:12:34 588800 ( A.... ) "C:\Program Files\MNMath.dll"
2003-10-04 20:12:34 143360 ( A.... ) "C:\Program Files\model.dll"
2003-10-04 20:12:34 105984 ( A.... ) "C:\Program Files\MaxNetWorker.dll"
2003-10-04 20:12:34 105472 ( A.... ) "C:\Program Files\MaxFind.exe"
2003-10-04 20:12:34 96768 ( A.... ) "C:\Program Files\maxnet.dll"
2003-10-04 20:12:34 71168 ( A.... ) "C:\Program Files\MenuMan.dll"
2003-10-04 20:12:34 63488 ( A.... ) "C:\Program Files\menus.dll"
2003-10-04 20:12:34 56832 ( A.... ) "C:\Program Files\max.task"
2003-10-04 20:12:34 55808 ( A.... ) "C:\Program Files\MAXComponents.dll"
2003-10-04 20:12:34 35328 ( A.... ) "C:\Program Files\maxutil.dll"
2003-10-04 20:12:34 12288 ( A.... ) "C:\Program Files\maxzip.exe"
2003-10-04 20:12:34 11776 ( A.... ) "C:\Program Files\maxunzip.exe"
2003-10-04 20:12:34 4096 ( A.... ) "C:\Program Files\MaxIges.msx"
2003-10-04 20:12:34 3880 ( A.... ) "C:\Program Files\max.tres"
2003-10-04 20:12:32 4853760 ( A.... ) "C:\Program Files\libiges.dll"
2003-10-04 20:12:32 2818048 ( A.... ) "C:\Program Files\libray.dll"
2003-10-04 20:12:32 1785856 ( A.... ) "C:\Program Files\libgdx.dll"
2003-10-04 20:12:32 1622016 ( A.... ) "C:\Program Files\libDLresmgt.dll"
2003-10-04 20:12:32 1032266 ( A.... ) "C:\Program Files\libmmd.dll"
2003-10-04 20:12:32 843776 ( A.... ) "C:\Program Files\libpdx.dll"
2003-10-04 20:12:32 770048 ( A.... ) "C:\Program Files\libDLbase.dll"
2003-10-04 20:12:32 450560 ( A.... ) "C:\Program Files\libDLprimitives.dll"
2003-10-04 20:12:32 352256 ( A.... ) "C:\Program Files\liblint.dll"
2003-10-04 20:12:32 133120 ( A.... ) "C:\Program Files\lprd.dll"
2003-10-04 20:12:32 119808 ( A.... ) "C:\Program Files\IGame.dll"
2003-10-04 20:12:32 97280 ( A.... ) "C:\Program Files\lsrd.dll"
2003-10-04 20:12:32 97280 ( A.... ) "C:\Program Files\libDLcomponentManager.dll"
2003-10-04 20:12:32 92160 ( A.... ) "C:\Program Files\lpwrt.dll"
2003-10-04 20:12:32 74752 ( A.... ) "C:\Program Files\imageViewers.dll"
2003-10-04 20:12:32 68096 ( A.... ) "C:\Program Files\ManipSys.dll"
2003-10-04 20:12:32 65024 ( A.... ) "C:\Program Files\libDLltutility.dll"
2003-10-04 20:12:32 57344 ( A.... ) "C:\Program Files\libDLltgeometry.dll"
2003-10-04 20:12:32 23552 ( A.... ) "C:\Program Files\libDLmaxmgr.dll"
2003-10-04 20:12:32 22528 ( A.... ) "C:\Program Files\IgesTrans.msx"
2003-10-04 20:12:32 18432 ( A.... ) "C:\Program Files\IgesLog.msx"
2003-10-04 20:12:32 6144 ( A.... ) "C:\Program Files\libDLltutilityRes.dll"
2003-10-04 20:12:32 4608 ( A.... ) "C:\Program Files\libDLltgeometryRes.dll"
2003-10-04 20:12:30 2896384 ( A.... ) "C:\Program Files\gmi.dll"
2003-10-04 20:12:30 1703936 ( A.... ) "C:\Program Files\GdiPlus.dll"
2003-10-04 20:12:30 1196085 ( A.... ) "C:\Program Files\heidi7.dll"
2003-10-04 20:12:30 105984 ( A.... ) "C:\Program Files\geom.dll"
2003-10-04 20:12:30 86016 ( A.... ) "C:\Program Files\hrigfx.drv"
2003-10-04 20:12:30 46080 ( A.... ) "C:\Program Files\geomimp.dll"
2003-10-04 20:12:30 36352 ( A.... ) "C:\Program Files\expr.dll"
2003-10-04 20:12:30 27648 ( A.... ) "C:\Program Files\gfx.dll"
2003-10-04 20:12:30 26624 ( A.... ) "C:\Program Files\gcomm2.dll"
2003-10-04 20:12:30 23552 ( A.... ) "C:\Program Files\flt.dll"
2003-10-04 20:12:30 12288 ( A.... ) "C:\Program Files\gup.dll"
2003-10-04 20:12:30 9728 ( A.... ) "C:\Program Files\helpsys.dll"
2003-10-04 20:12:30 610 ( A.... ) "C:\Program Files\hotkeyMap.html"
2003-10-04 20:12:28 5439488 ( A.... ) "C:\Program Files\core.dll"
2003-10-04 20:12:28 1383424 ( A.... ) "C:\Program Files\edmodel.dll"
2003-10-04 20:12:28 719360 ( A.... ) "C:\Program Files\d3dgfx.drv"
2003-10-04 20:12:28 532480 ( A.... ) "C:\Program Files\d3d81gfx.drv"
2003-10-04 20:12:28 486400 ( A.... ) "C:\Program Files\dbghelp.dll"
2003-10-04 20:12:28 247296 ( A.... ) "C:\Program Files\CdaC14ba.dll"
2003-10-04 20:12:28 222208 ( A.... ) "C:\Program Files\bmm.dll"
2003-10-04 20:12:28 214688 ( A.... ) "C:\Program Files\Ereg.dll"
2003-10-04 20:12:28 139264 ( A.... ) "C:\Program Files\composite.dll"
2003-10-04 20:12:28 91136 ( A.... ) "C:\Program Files\CustDlg.dll"
2003-10-04 20:12:28 84992 ( A.... ) "C:\Program Files\Atl70.dll"
2003-10-04 20:12:28 69632 ( A.... ) "C:\Program Files\CdaLCDlg.dll"
2003-10-04 20:12:28 16896 ( A.... ) "C:\Program Files\DbxHost.dll"
2003-10-04 20:12:28 16384 ( A.... ) "C:\Program Files\cfgmgr.dll"
2003-10-04 20:12:28 8192 ( A.... ) "C:\Program Files\EregRes.dll"
2003-10-04 20:12:28 2048 ( A.... ) "C:\Program Files\DxTrans.msx"
2003-10-04 20:12:28 1264 ( A.... ) "C:\Program Files\B241A000plu.cfg"
2003-10-04 20:12:28 148 ( A.... ) "C:\Program Files\CrashHandler.ini"
2003-10-04 20:12:24 1560393 ( A.... ) "C:\Program Files\adlmdll.dll"
2003-10-04 20:12:24 349392 ( A.... ) "C:\Program Files\addflow4.ocx"
2003-10-04 20:12:24 300544 ( A.... ) "C:\Program Files\Amodeler.dll"
2003-10-04 20:12:24 104448 ( A.... ) "C:\Program Files\apphelp.dll"
2003-10-04 20:12:24 93184 ( A.... ) "C:\Program Files\3dsmaxcmd.exe"
2003-10-04 20:12:24 69632 ( A.... ) "C:\Program Files\adlmres.dll"
2003-10-04 20:12:24 33280 ( A.... ) "C:\Program Files\acap.dll"
2003-10-04 20:12:22 28672 ( A.... ) "C:\Program Files\adlmswitch.exe"
2003-02-14 01:31:22 86688 ( A.... ) "C:\Program Files\AcMPolygonCom.dll"
2003-02-11 17:53:04 2049184 ( A.... ) "C:\Program Files\ASMahl80A.dll"
2002-11-18 14:33:10 750752 ( A.... ) "C:\Program Files\ASMswp80A.dll"
2002-11-18 14:33:08 1205408 ( A.... ) "C:\Program Files\ASMskin80A.dll"
2002-11-18 14:33:04 210080 ( A.... ) "C:\Program Files\ASMshl80A.dll"
2002-11-18 14:33:00 406688 ( A.... ) "C:\Program Files\ASMrbi80A.dll"
2002-11-18 14:33:00 267424 ( A.... ) "C:\Program Files\ASMrem80A.dll"
2002-11-18 14:33:00 87200 ( A.... ) "C:\Program Files\ASMsbool80A.dll"
2002-11-18 14:32:54 357536 ( A.... ) "C:\Program Files\ASMofst80A.dll"
2002-11-18 14:32:54 246944 ( A.... ) "C:\Program Files\ASMlopt80A.dll"
2002-11-18 14:32:52 820384 ( A.... ) "C:\Program Files\ASMlop80A.dll"
2002-11-18 14:32:52 804000 ( A.... ) "C:\Program Files\ASMlaw80A.dll"
2002-11-18 14:32:50 7177376 ( A.... ) "C:\Program Files\ASMkern80A.dll"
2002-11-18 14:32:48 2577568 ( A.... ) "C:\Program Files\ASMintr80A.dll"
2002-11-18 14:32:48 140448 ( A.... ) "C:\Program Files\ASMihl80A.dll"
2002-11-18 14:32:42 165024 ( A.... ) "C:\Program Files\ASMga80A.dll"
2002-11-18 14:32:40 562336 ( A.... ) "C:\Program Files\ASMfct80A.dll"
2002-11-18 14:32:40 111776 ( A.... ) "C:\Program Files\ASMeulr80A.dll"
2002-11-18 14:32:38 804000 ( A.... ) "C:\Program Files\ASMcstr80A.dll"
2002-11-18 14:32:38 259232 ( A.... ) "C:\Program Files\ASMct80A.dll"
2002-11-18 14:32:36 197792 ( A.... ) "C:\Program Files\ASMcovr80A.dll"
2002-11-18 14:32:32 2315424 ( A.... ) "C:\Program Files\ASMblnd80A.dll"
2002-11-18 14:32:32 894112 ( A.... ) "C:\Program Files\ASMbool80A.dll"
2002-11-18 14:32:30 169120 ( A.... ) "C:\Program Files\ASMbase80A.dll"
2002-11-18 14:32:28 119968 ( A.... ) "C:\Program Files\asmm80enures.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-09 06:13 536,399,872 C:\hiberfil.sys
2006-08-08 05:14 49,250 C:\WINDOWS\system32\javaw.exe
2006-08-08 05:14 49,248 C:\WINDOWS\system32\java.exe
2006-08-08 05:14 127,078 C:\WINDOWS\system32\javaws.exe
2006-08-06 21:08 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-06 17:25 500,968 C:\motherboard_bios_ga-8nsli_f5.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"CAPON"="C:\\WINDOWS\\System32\\Spool\\Drivers\\w32x86\\3\\CAPONN.EXE"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"taskmgr"="C:\\WINDOWS\\taskmgr.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Vidalia"="\"C:\\Program Files\\Vidalia\\vidalia.exe\""
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sygate Personal Firewall Start"="servic.exe"
"Start Upping"="iexplorerupdt.exe"
"HP Deskjet 500"="HP_DeskJet_500.exe"
"Start Uppings"="mssupdate.exe"
"Windows Frame Works"="frmwrks32.exe"
"usbdrv"="servicetask.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"HP Deskjet 500"="HP_DeskJet_500.exe"
"usbdrv"="servicetask.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Start Uppings"="mssupdate.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sygate Personal Firewall Start"="servic.exe"
"Start Upping"="iexplorerupdt.exe"
"HP Deskjet 500"="HP_DeskJet_500.exe"
"Start Uppings"="mssupdate.exe"
"Windows Frame Works"="frmwrks32.exe"
"usbdrv"="servicetask.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"HP Deskjet 500"="HP_DeskJet_500.exe"
"usbdrv"="servicetask.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Start Uppings"="mssupdate.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{16664848-0E00-11D2-8059-000000000000}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-watch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ad-watch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe\""
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - ahsee.job

Completion time: 08/09/2006 Wed 6:18:03.62
ComboFix ver 06.07.15/29 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-09.061528.txt





HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 6:27:37 AM, on 8/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\ahsee\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Finestra di stato di Canon LBP-800.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download using ReGet - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by Re&Get - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0742F7C-8DDF-4797-BF82-4327405C7A9A}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:16 AM

Posted 09 August 2006 - 01:34 AM

Hello,

You have a strange way of installing programs though... For example, I see you installed 3dmax and, instead of installing it in its default folder in Program Files, you installed it in the main Program Files folder itself.
Another note... From what I see in your log: C:\Program Files\NAV product key.txt
Visited a cracksite to get the product key? Keep in mind, if you want to get infected, visit a cracksite and you win the prize. So is it really worth it?

I will deal with large amount of online currency like Egold soon.

If I may be honest... this system was badly infected. And most probably still is. The infections you are dealing with are one of these:
http://www.sophos.com/virusinfo/analyses/w32rbotrr.html
The problem with these is, you can never know what they already compromised... or what additional hidden malware they installed. Though the Trojans may be identified and can be killed, because of their backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted.
So, whatever your plans are in the future with your computer, I do not recommend you use it for financial transactions.

Let's perform the following first:

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"taskmgr"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Sygate Personal Firewall Start"=-
"Start Upping"=-
"HP Deskjet 500"=-
"Start Uppings"=-
"Windows Frame Works"=-
"usbdrv"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"HP Deskjet 500"=-
"usbdrv"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Start Uppings"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Sygate Personal Firewall Start"=-
"Start Upping"=-
"HP Deskjet 500"=-
"Start Uppings"=-
"Windows Frame Works"=-
"usbdrv"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"HP Deskjet 500"=-
"usbdrv"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Start Uppings"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Strange that ComboFix doesn't list x.exe in your system32 folder though.
Let's try to deal with it...

* Open HijackThis, click 'Config' (bottom right)
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'
In the field, copy and paste the following:

c:\windows\system32\x.exe

Click Open.
HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

Let me know after reboot if the x.exe is gone now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
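The fix.reg above deletes autostart values by name. As an added example that is not from this thread or its participants, the following Python script automates the triage behind it: it parses a REGEDIT4-style dump like the ComboFix output earlier in the thread, flags Run/RunOnce/RunServices values whose command is a bare file name with no directory (the pattern of the HKEY_USERS\.default entries) or a well-known system binary outside system32 (the taskmgr entry), and renders the matching `"name"=-` deletions. The sample dump and the SYSTEM32_BINARIES set are constructed for this example.

```python
"""Added example (not from the thread): triage a REGEDIT4 dump of autostart keys
and generate a fix.reg that deletes the flagged values with the "name"=- syntax."""
import re
from typing import Dict, List, Optional, Tuple

# Keys whose string values are commands run at logon/boot (matched on last path component).
AUTOSTART_KEYS = ("run", "runonce", "runservices", "runservicesonce")
# Illustrative set of binaries that live in %SystemRoot%\system32 on XP;
# the same name in another directory deserves a look (e.g. C:\WINDOWS\taskmgr.exe).
SYSTEM32_BINARIES = {"taskmgr.exe"}

# Constructed sample, modelled on the ComboFix registry dump posted in the thread.
SAMPLE_DUMP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"taskmgr"="C:\\WINDOWS\\taskmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Sygate Personal Firewall Start"="servic.exe"
"Windows Frame Works"="frmwrks32.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Start Uppings"="mssupdate.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
_UNQUOTED_EXE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", re.IGNORECASE)


def _unescape(text: str) -> str:
    """REGEDIT4 escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", text)


def _escape(text: str) -> str:
    return text.replace("\\", "\\\\").replace('"', '\\"')


def parse_autostart_values(dump: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) for every string value under a Run-type key."""
    entries: List[Tuple[str, str, str]] = []
    key: Optional[str] = None
    for line in dump.splitlines():
        section = _SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        if key is None or key.lower().rsplit("\\", 1)[-1] not in AUTOSTART_KEYS:
            continue  # dword/hex values and non-autostart keys are ignored
        value = _STRING_VALUE.match(line)
        if value:
            entries.append((key, _unescape(value.group(1)), _unescape(value.group(2))))
    return entries


def executable_of(command: str) -> str:
    """Pull the program path out of a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = _UNQUOTED_EXE.match(command)
    if match:
        return match.group(1)
    return command.split()[0] if command else ""


def suspicion_reason(command: str) -> Optional[str]:
    """Why an autostart command deserves attention, or None if it looks ordinary."""
    exe = executable_of(command)
    if not exe:
        return None
    if "\\" not in exe and ":" not in exe:
        return "bare file name, no directory"  # servic.exe, mssupdate.exe, ...
    directory, _, base = exe.rpartition("\\")
    if base.lower() in SYSTEM32_BINARIES and not directory.lower().endswith("\\system32"):
        return "system binary name outside system32"
    return None


def flag_suspicious(dump: str) -> List[Tuple[str, str, str, str]]:
    """(key, name, command, reason) for every flagged autostart value, in dump order."""
    flagged = []
    for key, name, command in parse_autostart_values(dump):
        reason = suspicion_reason(command)
        if reason:
            flagged.append((key, name, command, reason))
    return flagged


def build_fix_reg(flagged) -> str:
    """Render a REGEDIT4 file that deletes each flagged value ("name"=- as in the thread)."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _command, _reason in flagged:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{_escape(name)}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)  # save with newline="\r\n" for a Windows-style .reg file


if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_DUMP)
    for _key, name, command, reason in hits:
        print(f"{reason:40} {name!r} -> {command!r}")
    print(build_fix_reg(hits))
```

Review every hit by hand before merging the generated file; a bare file name is a strong hint, not proof, and a legitimate installer can also write one.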

#7 mings

mings
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:16 PM

Posted 09 August 2006 - 07:19 PM

Yes, finally the x.exe is gone. What type of file is it?

Yeah, my NAV is a pirated one. I didn't visit any site to get the key; instead I bought it on a CD and everything is inside, amazing huh? Well, pirated software is pretty common in my country, and it's OK for home users, but not anymore. I am starting an online business, that is why I am here. =)

Ok, back to security, is all the spyware in my PC, including w32rbotrr, removed? I visited the page and w32rbotrr really scared me off, "Steals information, Records keystrokes" OMG!! What you mean is that although w32rbotrr was removed, it might have installed a lot more trojans in my PC which scanners may miss?

Finally I have to accept the fact that my PC is no longer safe. Please let me know what your recommendation is.
I think I have 2 options now:


1. Fully format my PC

It's the best option, am I right? I haven't formatted my PC for quite some time. Because:

Last year my PC was infected by a famous virus (PC restart countdown). I have many partitions but I only formatted my C drive. After that, the moment I connected to the internet, my PC was infected again IF I didn't install NAV and run the live updates within 3 MINS (which can only be done after multiple tries in such a short time).
Could you explain more on this to me? Is the virus stored on other drives or is my IP simply exposed to certain sites?

2. Buy a NEW PC
This is the best of the best option for sure. I will consider buying a new personal PC for my own business usage instead of sharing with all my home family members who download frequently through file sharing networks.

Before ending this topic, please advise/recommend me on which product to buy or download to keep my PC as safe as possible in the future. For example getting Kaspersky/Norton antivirus, Internet Security and a spyware removal tool.
I am 21, with an average-limited budget, but willing to spend because I am really concerned about my PC for my online business which I started recently. I am really glad to have found this forum and especially you for all the help. Thanks a lot and I will appreciate your time for this. This must be the most headache case you have ever dealt with LOL. :thumbsup:

Edited by mings, 09 August 2006 - 07:50 PM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:16 AM

Posted 10 August 2006 - 12:21 AM

Hello,

Well, pirated software is pretty common in my country, and it's OK for home users, but not anymore,


Well, that is nonsense... pirated software is never OK.

instead I bought it on a CD and everything is inside


That doesn't make sense either... you buy a pirated version of NAV? You could buy the original software as well, from the main site; maybe it would cost you a bit more, but then you can be sure that this version is 'clean', because you never know what files are installed along with that pirated version.

Ok, back to security, is all the spyware in my PC, including w32rbotrr, removed? I visited the page and w32rbotrr really scared me off, "Steals information, Records keystrokes" OMG!! What you mean is that although w32rbotrr was removed, it might have installed a lot more trojans in my PC which scanners may miss?


Well, it looks like we cleaned it -- however, as I said, I would never call this system ever really clean again and would never trust it again, because these types of infections use backdoors, so some ports may still be open, some infected files may still be present that no scanner will flag.

Last year my PC was infected by a famous virus (PC restart countdown). I have many partitions but I only formatted my C drive. After that, the moment I connected to the internet, my PC was infected again IF I didn't install NAV and run the live updates within 3 MINS (which can only be done after multiple tries in such a short time).
Could you explain more on this to me? Is the virus stored on other drives or is my IP simply exposed to certain sites?


Yes, that happens a lot... and you know what the reason is? People format and reinstall their Windows with the internet cable plugged in. Then, once installed, they don't immediately install a firewall and antivirus, especially when they don't have XP SP2 yet and have to update first. So at that moment, right after reinstall, the system is wide open to reinfection, and once infected before, the ports are still open and that's how you got reinfected so fast.
In this case, my advice is: before formatting and reinstalling, make sure you have an antivirus and firewall install file on CD. Then, when you start with the reinstall, unplug your internet cable and leave it unplugged. Once your Windows is installed, install your firewall and antivirus. After that, plug your internet cable back in and immediately visit Windows Update to update to SP2 if your Windows disk didn't contain it yet.

You can also slipstream your Windows XP cd with SP2. Take a look here how to do this:
http://www.winsupersite.com/showcase/windo..._slipstream.asp

Before ending this topic, please advise/recommend me on which product to buy or download to keep my PC as safe as possible in the future. For example getting Kaspersky/Norton antivirus, Internet Security and a spyware removal tool.


Well, there are also a lot of good and free virus scanners and firewalls. Just take a look in my signature for the ones I recommend. You'll find freeware and shareware there.
If you want a more powerful antivirus+firewall, then I recommend Kaspersky Internet Security. This one is not freeware, but it is certainly worth the money.

Well, you asked what is best: format or buy a new PC? Why not both? lol
Format the infected PC, set it up properly and buy a new PC, one that you use to store data on etc., that you work on, but this one without an internet connection for example?

You may also want to read the following prevention tips:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :thumbsup:

Edited by miekiemoes, 10 August 2006 - 12:22 AM.


#9 mings

mings
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:16 PM

Posted 10 August 2006 - 06:11 PM

Hi

Thanks for the info. Yes, although Kaspersky Int. Security is costly, I will really consider buying it. I tried the 30-day trial before I posted this log here. It looks solid and useful.

However, after installing it I found out that I couldn't use Internet Explorer and MSN Messenger; once a page is loaded or I'm signed in to MSN, IE and MSN automatically close. Only after uninstalling Kaspersky is the problem fixed.

1. Do you know what causes this?
2. Do I need both Anti-Virus and Int. Security from Kaspersky?
What is your best recommended antivirus and firewall? (without considering money) :thumbsup:
There are so many of them in your link.

Alright, just to show you my previous Kaspersky I.S. log file. Let me know if there were files with extremely high risk.

Thanks and good luck. :flowers:

Edited by mings, 10 August 2006 - 06:13 PM.


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:16 AM

Posted 10 August 2006 - 06:45 PM

Hello,

I assume you uninstalled your previous antivirus and firewall before installing Kaspersky? Because having more than one antivirus and firewall present can cause a lot of problems/compatibility issues. Kaspersky Internet Security already contains an antivirus AND firewall.
I am using Kaspersky Internet Security as well and don't have any problems with my IE and MSN though. This can happen if Norton was still installed in your case. Or maybe you set the Antihacker/firewall in Kaspersky to the highest security. The training option in it is still the best.

Just reset the default settings in Kaspersky again. In the KAV control panel, click Settings on top and click Reset below.

Alright, just to show you my previous Kaspersky I.S. log file. Let me know if there were files with extremely high risk.

For that, I would have to research every description of the name they give it... but in general, trojan downloaders are always a high risk, because, as it says, it downloads malware, and that can be anything.

What is your best recommended antivirus and firewall? (without considering money)

I use Kaspersky Internet Security as I already said, but there are a lot of other good ones around as well. Just look in my signature under Antivirus and Firewalls for the ones I recommend as well.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:16 AM

Posted 11 August 2006 - 06:52 AM

By the way...
There's a new FREE scanner... It is called Active Virus Shield:
http://www.activevirusshield.com/antivirus/freeav/index.adp
It uses the Kaspersky engine and layout. It doesn't have as many functions as Kaspersky has, but for a free scanner, it is worth it imho.
During install, I do NOT recommend installing the security Toolbar. So if you want to try it, UNcheck the option to install the security toolbar.

Also keep in mind that you need to uninstall any other scanner present.
Also take a look at the FAQ: http://www.activevirusshield.info/
When you install this, you still need an additional firewall, because it doesn't contain a firewall. It's only an antivirus.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:16 AM

Posted 19 August 2006 - 12:27 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
