Infected With Surfsidekick, Winantiviruspro, Smitfraud


  • This topic is locked
23 replies to this topic

#1 ludek

ludek

  • Members
  • 12 posts

Posted 26 August 2006 - 04:42 PM

I'm able to use my computer in regular and safe mode, but get dozens of pop-up Internet Explorer windows. I've followed all the instructions before posting. Ad-Aware, Spybot, BitDefender and McAfee are all able to delete and fix some of the problems, but leave some behind, no matter how many times I try. Safe mode or regular. I get errors that prevent me from completing Windows Update. (There was one update for me to install.) Sure would appreciate some help! Thanks! -- Doris

Here's my log...

Logfile of HijackThis v1.99.1
Scan saved at 5:31:35 PM, on 8/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\WinTVR3\Remote.exe
C:\Program Files\WinTVR3\Schedule.exe
C:\Program Files\Common Files\AOL\1143585990\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\DISC\DISCover.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PSLister\PSLister.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\common files\aol\1143585990\ee\aim6.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\HP_Administrator\My Documents\My Music\iTunes\iTunes Music\Veoh\VeohClientService.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tvqrl.exe
F2 - REG:system.ini: UserInit=userinit.exe,eqxvwhj.exe
O2 - BHO: (no name) - {2706492C-9B51-40C4-8C39-6526798C998A} - C:\WINDOWS\system32\pmnlj.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\pmkhh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [WinTVRRemote] "C:\Program Files\WinTVR3\Remote.exe"
O4 - HKLM\..\Run: [Schedule] "C:\Program Files\WinTVR3\Schedule.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143585990\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\iTunes\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\svcs.exe
O4 - HKCU\..\Run: [kqof] C:\PROGRA~1\COMMON~1\kqof\kqofm.exe
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [b14012ad.exe] C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\b14012ad.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/tryaces/...gamesplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aolsvc.aol.com/onlinegames/chuzzled...aploader_v7.cab
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g267234.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\SYSTEM32\pmkhh.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\dnjs0117e.dll
O20 - Winlogon Notify: winrge32 - C:\WINDOWS\SYSTEM32\winrge32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:\WINDOWS\system32\cjnr4r4izpgw.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe (file missing)
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Documents and Settings\HP_Administrator\My Documents\My Music\iTunes\iTunes Music\Veoh\VeohClientService.exe
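
Triage logic for a HijackThis log like the one above, as an added example that is not part of the original thread or of HijackThis itself. The checks (extra programs on the system.ini Shell/UserInit lines, O15 Trusted Zone additions, O20 hooks, O23 services with no vendor or a missing binary, random-looking O4 names) are heuristics I chose for this example, and the sample lines are copied from the log above with two clean entries added for contrast.

```python
"""Triage a HijackThis-style log for the persistence entries most often abused:
system.ini Shell/UserInit additions, Winlogon Notify and AppInit_DLLs hooks,
Trusted Zone additions, random-looking Run entries, and services with no
vendor or a missing binary. The result is a review list for a human, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, plus
# two clean entries (ehTray, Ati HotKey Poller) so the filter has something to pass.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\tvqrl.exe
F2 - REG:system.ini: UserInit=userinit.exe,eqxvwhj.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g267234.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Print Spooler Service (SpoolSvc213) - Unknown owner - C:\WINDOWS\system32\cjnr4r4izpgw.exe
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "F2", "O23"
    reason: str
    line: str


F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (.*)$")
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# Why each O20 hook type matters on Windows XP.
O20_WHY = {
    "AppInit_DLLs": "DLL injected into every process that loads user32.dll",
    "Winlogon Notify": "DLL loaded by winlogon.exe at logon, before the desktop appears",
}


def basename(target: str) -> str:
    """File name of the first executable in a Run/Service target, tolerating
    surrounding quotes and trailing arguments such as '/run' or '(file missing)'."""
    m = re.match(r'"?([^"]+?\.(?:exe|com|scr|pif|bat))', target.strip(), re.I)
    path = m.group(1) if m else target.strip().strip('"')
    return path.rsplit("\\", 1)[-1]


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names: a 5+ character stem with no vowels,
    or an 8+ character stem mixing letters and digits in a shape other than 'word123'."""
    stem = re.sub(r"\.(exe|dll|com|scr|pif|bat)$", "", name, flags=re.I)
    if len(stem) >= 5 and not re.search(r"[aeiouy]", stem, re.I):
        return True
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    return mixed and len(stem) >= 8 and not re.fullmatch(r"[A-Za-z]+\d+", stem)


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer should look at first, with a one-line reason each."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            key, value = m.groups()
            # A clean XP box has exactly Explorer.exe / userinit.exe here; anything
            # else on the line is started at every logon.
            items = [p.strip() for p in value.split(",") if p.strip()]
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            extras = [p for p in items if basename(p).lower() != expected]
            if extras:
                findings.append(Finding("F2", f"{key} launches extra program(s): {', '.join(extras)}", line))
        elif m := O4_RE.match(line):
            key, target = m.groups()
            exe = basename(target)
            if looks_random(key) or looks_random(exe):
                findings.append(Finding("O4", f"random-looking Run entry [{key}] -> {exe}", line))
            elif "\\local settings\\" in target.lower() or "\\application data\\" in target.lower():
                findings.append(Finding("O4", f"Run entry launching from user profile data: {exe}", line))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", f"site added to IE Trusted Zone (lowered security): {m.group(1)}", line))
        elif m := O20_RE.match(line):
            kind, value = m.groups()
            if value.strip():
                findings.append(Finding("O20", f"{kind}: {O20_WHY[kind]}: {value}", line))
        elif m := O23_RE.match(line):
            name, vendor, path = m.groups()
            reasons = []
            if vendor.strip().lower() == "unknown owner":
                reasons.append("no vendor string")
            if "(file missing)" in path.lower():
                reasons.append("binary missing (orphaned service entry)")
            if reasons:
                findings.append(Finding("O23", f"service '{name}': {'; '.join(reasons)}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```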


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 August 2006 - 06:42 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 ludek

ludek
  • Topic Starter

  • Members
  • 12 posts

Posted 26 August 2006 - 09:35 PM

Wow, that was a quick response! Thanks!

I ran ComboFix. I saw some messages saying it couldn't delete some of the stuff, but the system rebooted and this is the log it produced...

HP_Administrator - 06-08-26 22:18:55.07
ComboFix 06.08.26BT - Running from: C:\Documents and Settings\HP_Administrator\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{2B8D9613-3843-48CD-A0F2-C812CF4AE66C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B8D9613-3843-48CD-A0F2-C812CF4AE66C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B8D9613-3843-48CD-A0F2-C812CF4AE66C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2B8D9613-3843-48CD-A0F2-C812CF4AE66C}\InprocServer32]
@="C:\\WINDOWS\\system32\\iysetup.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A5C36A39-4EBA-4BC7-B86A-4773125F4931}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5C36A39-4EBA-4BC7-B86A-4773125F4931}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5C36A39-4EBA-4BC7-B86A-4773125F4931}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A5C36A39-4EBA-4BC7-B86A-4773125F4931}\InprocServer32]
@="C:\\WINDOWS\\system32\\acsmsext.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{316AC7AC-AAA8-4A36-A888-ED1325117806}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{316AC7AC-AAA8-4A36-A888-ED1325117806}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{316AC7AC-AAA8-4A36-A888-ED1325117806}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{316AC7AC-AAA8-4A36-A888-ED1325117806}\InprocServer32]
@="C:\\WINDOWS\\system32\\fcscfgwz.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CDA9052C-D34A-4970-B825-B893E36401FF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDA9052C-D34A-4970-B825-B893E36401FF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDA9052C-D34A-4970-B825-B893E36401FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CDA9052C-D34A-4970-B825-B893E36401FF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CF9454E1-5094-4EBF-B936-F520C170C1ED}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF9454E1-5094-4EBF-B936-F520C170C1ED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF9454E1-5094-4EBF-B936-F520C170C1ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CF9454E1-5094-4EBF-B936-F520C170C1ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKEY_CURRENT_USER\...\Run C:\WINDOWS\system32\dmanlb.exe
O4 - HKEY_LOCAL_MACHINE\...\Run C:\WINDOWS\system32\dmanlb.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\tvqrl.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\eqxvwhj.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-26 21:39 234817 -r--s---- C:\WINDOWS\system32\tqpmib.dll
2006-08-26 17:15 127488 --a------ C:\WINDOWS\system32\ijoqx.dat
2006-08-25 07:45 42496 --a------ C:\WINDOWS\system32\swreg.exe
2006-08-25 03:28 9728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2006-08-21 20:14 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-21 12:53 53 --a------ C:\WINDOWS\bqplpl.dat
2006-08-21 12:53 51712 --a------ C:\WINDOWS\system32\jtyndju.dll
2006-08-21 12:53 28672 --a------ C:\WINDOWS\system32\tvqrl.exe
2006-08-21 12:53 127488 --a------ C:\WINDOWS\system32\dmanlb.exe
2006-08-21 12:53 127488 --a------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\utlos.exe
2006-08-14 20:52 78848 --a------ C:\WINDOWS\system32\nsu8E.dll
2006-08-14 20:52 78848 --a------ C:\WINDOWS\system32\nse8F.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


2006-08-21 12:53 127488 C:\WINDOWS\system32\dmanlb.exe
2006-08-21 12:53 51712 C:\WINDOWS\system32\jtyndju.dll
2006-08-21 12:53 23552 C:\WINDOWS\system32\eqxvwhj.exe
2006-08-21 12:53 127488 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\utlos.exe
2006-08-26 22:16 578 C:\WINDOWS\bhgud.dll
2006-08-26 17:15 127488 C:\WINDOWS\system32\ijoqx.dat
2006-08-21 12:53 28672 C:\WINDOWS\system32\tvqrl.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-21 12:53 127488 dmanlb.exe.qoo
06-08-26 17:15 127488 ijoqx.dat.qoo
06-08-21 12:53 127488 utlos.exe.qoo
06-08-21 12:53 51712 jtyndju.dll.qoo
06-08-21 12:53 28672 tvqrl.exe.qoo
06-08-21 12:53 53 bqplpl.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs303169590.dll
C:\Program Files\surfsidekick 3\Ssk.exe
C:\Program Files\surfsidekick 3\SskBho.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\HP_Administrator\Application Data\Install.dat
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\ati2evxx.dll
C:\WINDOWS\system32\bez6n4r21.exe
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\zqskw.exe
C:\WINDOWS\justin.exe
C:\WINDOWS\system32bez6n4r21.exe
C:\WINDOWS\system32ghynf.exe
C:\Program Files\Deskbar
C:\Program Files\RegiFast
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{105D3B16-0953-1033-1115-050507190001}
C:\Program Files\PSLister

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\YSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-26 to 2006-08-26 ))))))))))))))))))))))))))))))))))


2006-08-26 21:39 235,770 -r--s---- C:\WINDOWS\system32\fpnu0359e.dll
2006-08-26 21:39 234,817 -r--s---- C:\WINDOWS\system32\tqpmib.dll
2006-08-26 21:37 9,216 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-08-26 19:20 235,786 -r--s---- C:\WINDOWS\system32\lv6u09j9e.dll
2006-08-26 18:09 236,754 -r--s---- C:\WINDOWS\system32\ktlul7391.dll
2006-08-26 17:15 234,817 -r--s---- C:\WINDOWS\system32\k4800elmehqa0.dll
2006-08-26 10:42 234,733 -r--s---- C:\WINDOWS\system32\mmoeacct.dll
2006-08-26 10:22 49,664 --------- C:\WINDOWS\system32\admparsek.dll
2006-08-26 08:08 102,420 --a------ C:\WINDOWS\system32\viuqroxp.dll
2006-08-26 02:23 235,825 -r--s---- C:\WINDOWS\system32\l2r0lc9m1f.dll
2006-08-25 08:22 98 --a------ C:\WINDOWS\taskmen32.pif
2006-08-25 07:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-08-25 07:45 42,496 --a------ C:\WINDOWS\system32\swreg.exe
2006-08-25 07:45 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-08-25 07:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-08-25 07:39 4,476 --a------ C:\WINDOWSvundofix.reg
2006-08-25 07:34 78,336 --a------ C:\WINDOWS\system32\compstuih.dll
2006-08-25 03:28 9,728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2006-08-25 03:28 51,754 --a------ C:\WINDOWS\g267234.dll
2006-08-23 12:41 83,968 --a------ C:\dhcp.exe
2006-08-22 17:05 15,872 --a------ C:\WINDOWS\system32\winrge32.dll
2006-08-22 17:03 83,968 --a------ C:\dhcp.scr
2006-08-21 18:00 90,112 --a------ C:\WINDOWS\system32\mcrtl32.dll
2006-08-21 17:58 9,216 --a------ C:\WINDOWS\system32\MpfApi.dll
2006-08-21 12:53 578 --a------ C:\WINDOWS\bhgud.dll
2006-08-21 12:53 23,552 --a------ C:\WINDOWS\system32\eqxvwhj.exe
2006-08-21 12:53 186,223 --a------ C:\WINDOWS\srvvqqsfpl.exe
2006-08-21 07:57 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2006-08-21 07:06 186,219 --a------ C:\WINDOWS\srvkhxjhxw.exe
2006-08-20 23:35 83,968 --a------ C:\dhcp.com
2006-08-20 23:08 83,968 --a------ C:\regedit.exe
2006-08-20 16:21 0 --a------ C:\ofvhrx.exe
2006-08-20 16:20 0 --a------ C:\ojfos.exe
2006-08-20 16:18 167,936 --ah----- C:\WINDOWS\system32\tbhogttb.dll
2006-08-20 16:18 115,160 --a------ C:\WINDOWS\Eim03.exe
2006-08-20 16:18 1,167 --a------ C:\WINDOWS\system32\xzn49f40.sys
2006-08-19 13:32 2,292 --a------ C:\regfile.pif
2006-08-16 23:51 286 --a------ C:\WINDOWS\autoupdate.bat
2006-08-14 21:21 83,968 --a------ C:\regedit.pif
2006-08-14 20:52 78,848 --a------ C:\WINDOWS\system32\nsu8E.dll
2006-08-14 20:52 78,848 --a------ C:\WINDOWS\system32\nse8F.dll
2006-08-07 11:17 61,440 --a------ C:\WINDOWS\system32\BattyRun2.dll
2006-07-30 14:50 638,976 --a------ C:\WINDOWS\system32\divx.dll
2006-07-30 14:50 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-07-30 14:50 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2006-07-30 14:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-07-30 14:50 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-08-26 22:20 -------- d-------- C:\Program Files\Common Files
2006-08-26 19:13 -------- d-------- C:\Program Files\HijackThis
2006-08-26 08:43 -------- d-------- C:\Program Files\DISC
2006-08-26 07:42 -------- d-------- C:\Program Files\Batty2
2006-08-26 06:57 -------- d-------- C:\Program Files\Java
2006-08-26 06:55 -------- d-------- C:\Program Files\Common Files\Java
2006-08-26 02:27 -------- d-------- C:\Program Files\CMFibula
2006-08-25 15:55 -------- d-------- C:\Program Files\Internet Explorer
2006-08-25 03:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-25 03:28 -------- d-------- C:\Program Files\DrWeb
2006-08-22 23:20 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
2006-08-22 07:35 -------- d-------- C:\Program Files\Trend Micro
2006-08-22 07:24 -------- d-------- C:\Program Files\WinTVR3
2006-08-22 07:24 -------- d-------- C:\Program Files\HP
2006-08-21 20:43 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\McAfee.com Personal Firewall
2006-08-21 20:14 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-21 18:12 -------- d-------- C:\Program Files\McAfee.com
2006-08-21 12:21 -------- d-------- C:\Program Files\Common Files\kqof
2006-08-21 06:55 -------- d-------- C:\Program Files\Movie Maker
2006-08-21 05:48 -------- d-------- C:\Program Files\Lavasoft
2006-08-10 08:37 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2006-08-06 14:41 53848 --a------ C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-08-01 17:27 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-08-01 17:22 96256 --a------ C:\WINDOWS\system32\drivers\sptd6237.sys
2006-08-01 17:22 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-07-30 16:44 -------- d-------- C:\Program Files\iTunes
2006-07-30 15:52 -------- d-------- C:\Program Files\AviSynth 2.5
2006-07-30 15:14 -------- d-------- C:\Program Files\Common Files\AVSMedia
2006-07-29 01:06 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\fltk.org
2006-07-29 00:50 -------- d---s---- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-23 12:29 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-07-23 08:22 -------- d-a------ C:\Program Files\Common Files\LightScribe
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-08 04:49 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\Google
2006-07-07 08:09 -------- d-------- C:\Program Files\AOL
2006-07-07 08:09 -------- d-------- C:\Program Files\AOD
2006-07-07 08:08 -------- d-------- C:\Program Files\Common Files\aolshare
2006-07-07 08:08 -------- d-------- C:\Program Files\Common Files\AOL
2006-07-06 19:27 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\dvdcss
2006-07-06 14:14 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2006-07-05 12:54 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\BitTorrent
2006-06-30 02:31 -------- d-------- C:\Program Files\QuickTime
2006-06-30 02:29 -------- d-------- C:\Program Files\iPod
2006-06-28 22:16 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\Help
2006-05-19 16:11 3050 --a------ C:\Documents and Settings\HP_Administrator\Application Data\PatchUpdate_InstantShareJPG.log
2006-05-19 16:10 6674 --a------ C:\Documents and Settings\HP_Administrator\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"HPHUPD08"="c:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
@=""
"PCDrProfiler"=""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
48,50,5c,48,50,20,53,6f,66,74,77,61,72,65,20,55,70,64,61,74,65,5c,48,50,77,\
75,53,63,68,64,32,2e,65,78,65,00
"WinTVRRemote"="\"C:\\Program Files\\WinTVR3\\Remote.exe\""
"Schedule"="\"C:\\Program Files\\WinTVR3\\Schedule.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1143585990\\ee\\AOLSoftware.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"DISCover"="C:\\Program Files\\DISC\\DISCover.exe"
"DiscUpdateManager"="C:\\Program Files\\DISC\\DiscUpdateMgr.exe"
"k6mmN5IOU"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\mcafee\\SPAMKI~1\\mskagent.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\iTunes\\bittorrent.exe\" --force_start_minimized"
"kqof"="C:\\PROGRA~1\\COMMON~1\\kqof\\kqofm.exe"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""
"b14012ad.exe"="C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\b14012ad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{105D3B16-0953-1033-1115-050507190001}"="\"C:\\Program Files\\Common Files\\{105D3B16-0953-1033-1115-050507190001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{105D3B16-0953-1033-1115-050507190001}"="\"C:\\Program Files\\Common Files\\{105D3B16-0953-1033-1115-050507190001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\h618
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrge32


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (LUDEK-HP_Administrator).job
C:\WINDOWS\tasks\Warranty Reminder 11 Months.job

Completion time: Sat 08/26/2006 22:27:21.93
ComboFix.txt

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 August 2006 - 03:15 AM

We've still got quite a bit to clean up.


Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet, please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX



==============


Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 ludek

ludek
  • Topic Starter

  • Members
  • 12 posts

Posted 27 August 2006 - 11:02 AM

Ran Look2Me-Destroyer.

Here's the log...

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/27/2006 7:40:03 AM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

================================================

And here is the "copy" from GMER rootkit scan

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-27 11:59:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 85989B78
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 853480E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 859D4808
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 859D4808
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 859D4808
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 859D4808
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 859D4A40
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 859D4A40
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 85428AF0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 84F6D6B0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 84F6D6B0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 85428AF0
Device \Driver\usbstor \Device\00000076 IRP_MJ_CREATE 851CAEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 84FD38B8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 84FD38B8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 85989E30
Device \Driver\Disk \Device\Harddisk1\DR3 IRP_MJ_CREATE 85989E30
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+7 IRP_MJ_CREATE 85989E30
Device \Driver\Disk \Device\Harddisk2\DR4 IRP_MJ_CREATE 85989E30
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+8 IRP_MJ_CREATE 85989E30
Device \Driver\Disk \Device\Harddisk3\DR5 IRP_MJ_CREATE 85989E30
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+9 IRP_MJ_CREATE 85989E30
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 84FB2900
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+a IRP_MJ_CREATE 85989E30
Device \Driver\Disk \Device\Harddisk4\DR6 IRP_MJ_CREATE 85989E30
Device \Driver\usbstor \Device\0000007b IRP_MJ_CREATE 851CAEB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 84FB2900
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 84FB2900
Device \Driver\usbstor \Device\0000007c IRP_MJ_CREATE 851CAEB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 8527DB10
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 8527DB10
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 8527DB10
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 8527DB10
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 8527DB10
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 8527DB10
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 8527DB10
Device \Driver\NetBT \Device\NetBT_Tcpip_{998BB70A-EF7C-4CB6-AB80-A3D59E01FE40} IRP_MJ_CREATE 84FD38B8
Device \Driver\usbstor \Device\0000007d IRP_MJ_CREATE 851CAEB0
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 859D4A40
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 85143EB0
Device \Driver\usbstor \Device\0000007e IRP_MJ_CREATE 851CAEB0
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 853480E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 855CB448

---- Processes - GMER 1.0.10 ----

Process C:\WINDOWS\system32\cjnr4r4izpgw.exe (*** hidden *** ) 3324 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\cjnr4r4izpgw.exe (*** hidden *** ) @ C:\WINDOWS\system32\cjnr4r4izpgw.exe [3324] 0x00400000 <-- ROOTKIT !!!

Process C:\WINDOWS\system32\mlsdf8hjfvm.exe (*** hidden *** ) 3476 <-- ROOTKIT !!!
Library C:\WINDOWS\system32\mlsdf8hjfvm.exe (*** hidden *** ) @ C:\WINDOWS\system32\mlsdf8hjfvm.exe [3476] 0x00400000 <-- ROOTKIT !!!

---- Services - GMER 1.0.10 ----

Service C:\WINDOWS\system32\mlsdf8hjfvm.exe (*** hidden *** ) [AUTO] Time <-- ROOTKIT !!!
Service C:\WINDOWS\system32\timedrv26.sys (*** hidden *** ) [MANUAL] WTime <-- ROOTKIT !!!

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS@* 1
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL@* 1
Reg \Registry\MACHINE\SOFTWARE\Microsoft\MSE\10.0\Editors\{8281C572-2171-45AA-A642-7D8BC1662F1C}\Extensions@* 24
Reg \Registry\MACHINE\SOFTWARE\Microsoft\MSE\10.0\Editors\{8B382828-6202-11d1-8870-0000F87579D2}\Extensions@* 30
Reg \Registry\MACHINE\SOFTWARE\Microsoft\MSE\10.0\Editors\{C76D83F8-A489-11D0-8195-00A0C91BBEE3}\Extensions@* 25
Reg \Registry\MACHINE\SOFTWARE\Microsoft\MSE\10.0\Editors\{CFF630F8-2DB3-44ba-9FC9-6489665DE5B8}\Extensions@* 5
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Office\11.0\MSE\Editors\{8281C572-2171-45AA-A642-7D8BC1662F1C}\Extensions@* 24
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Office\11.0\MSE\Editors\{8B382828-6202-11d1-8870-0000F87579D2}\Extensions@* 30
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Office\11.0\MSE\Editors\{C76D83F8-A489-11D0-8195-00A0C91BBEE3}\Extensions@* 25
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Office\11.0\MSE\Editors\{CFF630F8-2DB3-44ba-9FC9-6489665DE5B8}\Extensions@* 5
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*setup*.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*instal*.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*setup*.bat
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*instal*.bat
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*setup*.cmd
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*instal*.cmd
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*setup*.com
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files@*instal*.com
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents@** application/vnd.ms-excel
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents@*** application/vnd.ms-powerpoint
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents@* application/msword
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedDragProtocols\0@* 0
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedDragProtocols\2@* 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Time@ Service
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Time@ Service
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GMER\0000\Control@*NewlyCreated* 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TIME
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WTIME
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WTIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@Type 272
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@ImagePath C:\WINDOWS\system32\mlsdf8hjfvm.exe
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@DisplayName Time Service
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@ObjectName LocalSystem
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\Time@Description Maintains date and time synchronization on all clients and servers in the network.
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime@ImagePath \??\C:\WINDOWS\system32\timedrv26.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime@Start 3
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\WTime@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Time@ Service
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Time@ Service
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TIME
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WTIME
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WTIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\Time
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\Time@Type 272
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\Time@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\Time@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\Time@ImagePath C:\WINDOWS\system32\mlsdf8hjfvm.exe
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\Time@DisplayName Time Service
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\Time@ObjectName LocalSystem
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\Time@Description Maintains date and time synchronization on all clients and servers in the network.
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\WTime
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\WTime@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\WTime@ImagePath \??\C:\WINDOWS\system32\timedrv26.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\WTime@Start 3
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\WTime@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time@ Service
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Time
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Time@ Service
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GMER\0000\Control@*NewlyCreated* 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TIME
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WTIME
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WTIME@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@Type 272
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@Start 2
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@ImagePath C:\WINDOWS\system32\mlsdf8hjfvm.exe
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@DisplayName Time Service
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@ObjectName LocalSystem
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\Time@Description Maintains date and time synchronization on all clients and servers in the network.
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime@ImagePath \??\C:\WINDOWS\system32\timedrv26.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime@Start 3
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\WTime@Type 1
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range12@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range13@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range14@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range15@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8@* 4
Reg \Registry\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range12@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range13@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range14@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range15@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8@* 4
Reg \Registry\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range12@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range13@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range14@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range15@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8@* 4
Reg \Registry\USER\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range12@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range13@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range14@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range15@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8@* 4
Reg \Registry\USER\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range12@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range13@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range14@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range15@* 4
Reg \Registry\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2@*

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 August 2006 - 11:59 AM

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 ludek
  • Topic Starter

  • Members
  • 12 posts

Posted 27 August 2006 - 02:26 PM

It looks like the site for SDfix isn't available. I get a "Page cannot be found" when I try to navigate to:

http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Now what?

And, thanks for your timely help. We aren't seeing those annoying sites anymore!

Doris

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 August 2006 - 06:01 PM

Ok, we'll do it manually then.

Click Start > Run and type these commands, hitting Enter after each one:

sc stop SpoolSvc213

sc delete SpoolSvc213

sc stop SVSAV

sc delete SVSAV

sc stop terms

sc delete terms

sc stop time

sc delete time



============



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\cjnr4r4izpgw.exe
    C:\WINDOWS\system32\mlsdf8hjfvm.exe
    C:\WINDOWS\system32\timedrv26.sys



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
===========


Also post a new log from Combofix.


========================================================

#9 ludek
  • Topic Starter

  • Members
  • 12 posts

Posted 27 August 2006 - 10:21 PM

I executed the sc commands.

Then, I downloaded and ran Killbox. But I wasn't sure that all three files got copied into the Killbox filelist, so I did the other two one at a time. (Don't know if it did anything.) Here's the log...

Pocket Killbox version 2.0.0.648
Running on Windows XP as HP_Administrator(Administrator)
was started @ Sunday, August 27, 2006, 10:49 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\timedrv26.sys


I Rebooted @ 10:53:32 PM
Killbox Closed(Exit) @ 10:53:39 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as HP_Administrator(Administrator)
was started @ Sunday, August 27, 2006, 10:58 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\mlsdf8hjfvm.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 11:01:05 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\mlsdf8hjfvm.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 11:01:34 PM
Killbox Closed(Exit) @ 11:01:40 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as HP_Administrator(Administrator)
was started @ Sunday, August 27, 2006, 11:04 PM

Killbox Closed(Exit) @ 11:05:22 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as HP_Administrator(Administrator)
was started @ Sunday, August 27, 2006, 11:09 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\cjnr4r4izpgw.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 11:12:20 PM
Killbox Closed(Exit) @ 11:12:32 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as HP_Administrator(Administrator)
was started @ Sunday, August 27, 2006, 11:14 PM

=======================================================

Here's my ComboFix log...

HP_Administrator - 06-08-27 23:19:14.32
ComboFix 06.08.26BT - Running from: C:\Documents and Settings\HP_Administrator\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\YSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-27 to 2006-08-27 ))))))))))))))))))))))))))))))))))


2006-08-26 21:39 235,770 -r--s---- C:\WINDOWS\system32\fpnu0359e.dll
2006-08-26 21:39 234,817 -r--s---- C:\WINDOWS\system32\tqpmib.dll
2006-08-26 21:37 9,216 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-08-26 19:20 235,786 -r--s---- C:\WINDOWS\system32\lv6u09j9e.dll
2006-08-26 18:09 236,754 -r--s---- C:\WINDOWS\system32\ktlul7391.dll
2006-08-26 17:15 234,817 -r--s---- C:\WINDOWS\system32\k4800elmehqa0.dll
2006-08-26 10:42 234,733 -r--s---- C:\WINDOWS\system32\mmoeacct.dll
2006-08-26 10:22 49,664 --------- C:\WINDOWS\system32\admparsek.dll
2006-08-26 08:08 102,420 --a------ C:\WINDOWS\system32\viuqroxp.dll
2006-08-26 02:23 235,825 -r--s---- C:\WINDOWS\system32\l2r0lc9m1f.dll
2006-08-25 08:22 98 --a------ C:\WINDOWS\taskmen32.pif
2006-08-25 07:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-08-25 07:45 42,496 --a------ C:\WINDOWS\system32\swreg.exe
2006-08-25 07:45 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-08-25 07:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-08-25 07:39 4,476 --a------ C:\WINDOWSvundofix.reg
2006-08-25 07:34 78,336 --a------ C:\WINDOWS\system32\compstuih.dll
2006-08-25 03:28 9,728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2006-08-25 03:28 51,754 --a------ C:\WINDOWS\g267234.dll
2006-08-23 12:41 83,968 --a------ C:\dhcp.exe
2006-08-22 17:05 15,872 --a------ C:\WINDOWS\system32\winrge32.dll
2006-08-22 17:03 83,968 --a------ C:\dhcp.scr
2006-08-21 18:00 90,112 --a------ C:\WINDOWS\system32\mcrtl32.dll
2006-08-21 17:58 9,216 --a------ C:\WINDOWS\system32\MpfApi.dll
2006-08-21 12:53 578 --a------ C:\WINDOWS\bhgud.dll
2006-08-21 12:53 186,223 --a------ C:\WINDOWS\srvvqqsfpl.exe
2006-08-21 07:57 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2006-08-21 07:06 186,219 --a------ C:\WINDOWS\srvkhxjhxw.exe
2006-08-20 23:35 83,968 --a------ C:\dhcp.com
2006-08-20 23:08 83,968 --a------ C:\regedit.exe
2006-08-20 16:21 0 --a------ C:\ofvhrx.exe
2006-08-20 16:20 0 --a------ C:\ojfos.exe
2006-08-20 16:18 167,936 --ah----- C:\WINDOWS\system32\tbhogttb.dll
2006-08-20 16:18 115,160 --a------ C:\WINDOWS\Eim03.exe
2006-08-20 16:18 1,167 --a------ C:\WINDOWS\system32\xzn49f40.sys
2006-08-19 13:32 2,292 --a------ C:\regfile.pif
2006-08-16 23:51 286 --a------ C:\WINDOWS\autoupdate.bat
2006-08-14 21:21 83,968 --a------ C:\regedit.pif
2006-08-14 20:52 78,848 --a------ C:\WINDOWS\system32\nsu8E.dll
2006-08-14 20:52 78,848 --a------ C:\WINDOWS\system32\nse8F.dll
2006-08-07 11:17 61,440 --a------ C:\WINDOWS\system32\BattyRun2.dll
2006-07-30 14:50 638,976 --a------ C:\WINDOWS\system32\divx.dll
2006-07-30 14:50 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-07-30 14:50 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2006-07-30 14:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-07-30 14:50 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-08-27 18:07 -------- d-------- C:\Program Files\DISC
2006-08-27 17:15 -------- d-------- C:\Program Files\Samsung
2006-08-27 12:00 -------- d-------- C:\Program Files\HijackThis
2006-08-27 07:43 330 --a------ C:\Program Files\Look2Me-Destroyer.txt
2006-08-27 07:38 40960 --a------ C:\Program Files\Look2Me-Destroyer.exe
2006-08-27 00:44 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-27 00:43 5846759 --a------ C:\Program Files\SPH-A900.zip
2006-08-26 22:30 -------- d-------- C:\Program Files\McAfee.com
2006-08-26 22:20 -------- d-------- C:\Program Files\Common Files
2006-08-26 07:42 -------- d-------- C:\Program Files\Batty2
2006-08-26 06:57 -------- d-------- C:\Program Files\Java
2006-08-26 06:55 -------- d-------- C:\Program Files\Common Files\Java
2006-08-26 02:27 -------- d-------- C:\Program Files\CMFibula
2006-08-25 15:55 -------- d-------- C:\Program Files\Internet Explorer
2006-08-25 03:28 -------- d-------- C:\Program Files\DrWeb
2006-08-22 23:20 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
2006-08-22 07:35 -------- d-------- C:\Program Files\Trend Micro
2006-08-22 07:24 -------- d-------- C:\Program Files\WinTVR3
2006-08-22 07:24 -------- d-------- C:\Program Files\HP
2006-08-21 20:43 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\McAfee.com Personal Firewall
2006-08-21 20:14 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-21 12:21 -------- d-------- C:\Program Files\Common Files\kqof
2006-08-21 06:55 -------- d-------- C:\Program Files\Movie Maker
2006-08-21 05:48 -------- d-------- C:\Program Files\Lavasoft
2006-08-10 08:37 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
2006-08-06 14:41 53848 --a------ C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-08-01 17:27 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-08-01 17:22 96256 --a------ C:\WINDOWS\system32\drivers\sptd6237.sys
2006-08-01 17:22 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-07-30 16:44 -------- d-------- C:\Program Files\iTunes
2006-07-30 15:52 -------- d-------- C:\Program Files\AviSynth 2.5
2006-07-30 15:14 -------- d-------- C:\Program Files\Common Files\AVSMedia
2006-07-29 01:06 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\fltk.org
2006-07-29 00:50 -------- d---s---- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-23 12:29 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-07-23 08:22 -------- d-a------ C:\Program Files\Common Files\LightScribe
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-08 04:49 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\Google
2006-07-07 08:09 -------- d-------- C:\Program Files\AOL
2006-07-07 08:09 -------- d-------- C:\Program Files\AOD
2006-07-07 08:08 -------- d-------- C:\Program Files\Common Files\aolshare
2006-07-07 08:08 -------- d-------- C:\Program Files\Common Files\AOL
2006-07-06 19:27 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\dvdcss
2006-07-06 14:14 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2006-07-05 12:54 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\BitTorrent
2006-06-30 02:31 -------- d-------- C:\Program Files\QuickTime
2006-06-30 02:29 -------- d-------- C:\Program Files\iPod
2006-06-28 22:16 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\Help
2006-05-19 16:11 3050 --a------ C:\Documents and Settings\HP_Administrator\Application Data\PatchUpdate_InstantShareJPG.log
2006-05-19 16:10 6674 --a------ C:\Documents and Settings\HP_Administrator\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"HPHUPD08"="c:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
@=""
"PCDrProfiler"=""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
48,50,5c,48,50,20,53,6f,66,74,77,61,72,65,20,55,70,64,61,74,65,5c,48,50,77,\
75,53,63,68,64,32,2e,65,78,65,00
"WinTVRRemote"="\"C:\\Program Files\\WinTVR3\\Remote.exe\""
"Schedule"="\"C:\\Program Files\\WinTVR3\\Schedule.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1143585990\\ee\\AOLSoftware.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"DISCover"="C:\\Program Files\\DISC\\DISCover.exe"
"DiscUpdateManager"="C:\\Program Files\\DISC\\DiscUpdateMgr.exe"
"k6mmN5IOU"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\iTunes\\bittorrent.exe\" --force_start_minimized"
"kqof"="C:\\PROGRA~1\\COMMON~1\\kqof\\kqofm.exe"
"PSLister"="\"C:\\Program Files\\PSLister\\PSLister.exe\""
"b14012ad.exe"="C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\b14012ad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{105D3B16-0953-1033-1115-050507190001}"="\"C:\\Program Files\\Common Files\\{105D3B16-0953-1033-1115-050507190001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{105D3B16-0953-1033-1115-050507190001}"="\"C:\\Program Files\\Common Files\\{105D3B16-0953-1033-1115-050507190001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00322}"="g322"
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\h618
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrge32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Time

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (LUDEK-HP_Administrator).job
C:\WINDOWS\tasks\Warranty Reminder 11 Months.job

Completion time: Sun 08/27/2006 23:20:15.89
ComboFix.txt
ComboFix2.txt
ComboFix3.txt
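
The ComboFix listing above is read by eye: the helper looks for freshly created executables in odd places, with odd attributes or random-looking names. As an added example (not code from the thread, from ComboFix, or from any tool used here), the Python below applies those same checks to the "Files Created" section. The attribute letters follow the log format shown above (r = read-only, a = archive, h = hidden, s = system); the size threshold, the list of mimicked tool names and the vowel-ratio name heuristic are assumptions chosen for illustration, and a hit is a lead for a scanner, not a verdict.

```python
"""Triage the 'Files Created' section of a ComboFix log.

Added example for this thread; not code from ComboFix, HijackThis or the
helpers here. Every threshold and name heuristic below is an assumption
chosen for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the ComboFix listing posted above,
# plus one ordinary codec DLL (divx.dll) for contrast.
SAMPLE_LOG = """\
2006-08-26 21:39 235,770 -r--s---- C:\\WINDOWS\\system32\\fpnu0359e.dll
2006-08-26 21:37 9,216 --a------ C:\\WINDOWS\\system32\\VundoFixSVC.exe
2006-08-25 08:22 98 --a------ C:\\WINDOWS\\taskmen32.pif
2006-08-23 12:41 83,968 --a------ C:\\dhcp.exe
2006-08-21 07:57 2 --a------ C:\\WINDOWS\\system32\\wnsapisv.exe
2006-08-20 23:08 83,968 --a------ C:\\regedit.exe
2006-08-20 16:21 0 --a------ C:\\ofvhrx.exe
2006-08-20 16:18 167,936 --ah----- C:\\WINDOWS\\system32\\tbhogttb.dll
2006-07-30 14:50 638,976 --a------ C:\\WINDOWS\\system32\\divx.dll
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{9}) (?P<path>.+)$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr", ".pif", ".bat"}
# Names of Windows binaries that malware likes to borrow (assumed list).
MIMIC_NAMES = {"regedit", "taskmgr", "explorer", "svchost", "winlogon", "lsass", "csrss"}


@dataclass(frozen=True)
class Entry:
    date: str
    size: int
    attrs: str  # nine-character flag field, e.g. -r--s---- (r read-only, a archive, h hidden, s system)
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def stem(self) -> str:
        return self.name.rsplit(".", 1)[0]

    @property
    def ext(self) -> str:
        return "." + self.name.rsplit(".", 1)[-1] if "." in self.name else ""


def parse_line(line: str):
    """Parse one 'Files Created' line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["date"], int(m["size"].replace(",", "")), m["attrs"], m["path"])


def suspicious_reasons(e: Entry) -> list:
    """Return the (assumed) warning signs this entry shows; empty means clean-looking."""
    reasons = []
    if e.ext not in EXEC_EXT:
        return reasons
    lower = e.path.lower()
    in_system32 = "\\system32\\" in lower
    in_root = e.path.count("\\") == 1          # C:\name, no subdirectory
    if in_system32 and "s" in e.attrs:
        reasons.append("system attribute on a newly created system32 file")
    if in_system32 and "h" in e.attrs:
        reasons.append("hidden attribute on a newly created system32 file")
    if e.size < 1024:                           # stubs, launchers, 0-byte droppers
        reasons.append(f"tiny executable ({e.size} bytes)")
    if in_root:
        reasons.append("executable dropped in the drive root")
    if e.stem in MIMIC_NAMES and not lower.startswith("c:\\windows\\"):
        reasons.append(f"name mimics Windows tool '{e.stem}'")
    letters = [c for c in e.stem if c.isalpha()]
    if len(letters) >= 5 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2:
        reasons.append("random-looking filename")
    return reasons


def triage(log_text: str) -> dict:
    """Map each flagged path to its list of reasons, in log order."""
    flagged = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            reasons = suspicious_reasons(e)
            if reasons:
                flagged[e.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, VundoFixSVC.exe (a removal tool) and divx.dll come through clean, while the 0-byte C:\ofvhrx.exe and the C:\regedit.exe that is not in C:\WINDOWS collect several reasons each. The name heuristic is deliberately coarse: a low vowel ratio catches tbhogttb.dll but not fpnu0359e.dll, which is why each check only contributes a reason and the decision is left to a scan.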

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 August 2006 - 05:30 PM

The SDFix tool has been pulled from public use for more testing, so we are going to have to work through this nasty thing without it.


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:

pe386
time

Files to delete:

C:\WINDOWS\system32\cjnr4r4izpgw.exe
C:\WINDOWS\system32\mlsdf8hjfvm.exe
C:\WINDOWS\system32\timedrv26.sys
C:\WINDOWS\system32\fpnu0359e.dll
C:\WINDOWS\system32\tqpmib.dll
C:\WINDOWS\system32\lv6u09j9e.dll
C:\WINDOWS\system32\ktlul7391.dll
C:\WINDOWS\system32\k4800elmehqa0.dll
C:\WINDOWS\system32\mmoeacct.dll
C:\WINDOWS\system32\admparsek.dll
C:\WINDOWS\system32\viuqroxp.dll
C:\WINDOWS\system32\l2r0lc9m1f.dll
C:\WINDOWS\taskmen32.pif
C:\WINDOWS\system32\DRWEBSP.DLL
C:\WINDOWS\g267234.dll
C:\dhcp.exe
C:\WINDOWS\system32\winrge32.dll
C:\dhcp.scr
C:\WINDOWS\bhgud.dll
C:\WINDOWS\srvvqqsfpl.exe
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\srvkhxjhxw.exe
C:\dhcp.com
C:\regedit.exe
C:\ofvhrx.exe
C:\ojfos.exe
C:\WINDOWS\system32\tbhogttb.dll
C:\WINDOWS\Eim03.exe
C:\WINDOWS\system32\xzn49f40.sys
C:\regfile.pif
C:\WINDOWS\autoupdate.bat
C:\regedit.pif
C:\WINDOWS\system32\nsu8E.dll
C:\WINDOWS\system32\nse8F.dll
C:\WINDOWS\system32\BattyRun2.dll
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\b14012ad.exe
C:\WINDOWS\system32\b14012ad.exe

Folders to delete:

C:\Program Files\Batty2
C:\Program Files\Common Files\kqof
C:\Program Files\PSLister



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


==========


Download F-Secure Blacklight (blbeta.exe) to your C:\ drive.
- Open a command window. (Start > Run and type: cmd)
- Copy / paste or type the following in the command window:

C:\blbeta.exe /expert

- Accept the user agreement.
- Click Scan.
After the scan finishes, click on Next, then Exit. Please do not rename anything yet!

BlackLight will create a log in your C:\ drive with the name "fsbl-xxxxxxx.log", where the xxxx's are numbers. Please post that log here for me.


========================================================

#11 ludek
  • Topic Starter

  • Members
  • 12 posts

Posted 29 August 2006 - 06:53 AM

I downloaded and extracted Avenger. Then I pasted in the Code that specified the files and folders to delete. It rebooted but now I can't see any icons on my desktop, in regular mode or safe mode. I just get a blank desktop. When I CTL-ALT-DEL, I am able to see Windows Task Manager, but nothing is running. When I select "File" on Task Manager and select "New Task (Run...)", and open c:\avenger.txt, I see the avenger log in Notepad. I'm replying to you, using my work laptop, so I'll type in the avenger log here...

logfile of The Avenger version 1, by Swandog46
Running from registry key:
\RegistryMaching\System\CurrentControlSet\Services\yoskjacu
*********************

Script file located at: \??\C:\Program Files\stlqgund.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger
**********************

Beginning to process script file:

Driver pe386 unloaded successfully.
Registry key \Registry\Machine\System\CurrentControlSet\Services\time not found!
Unload of driver time failed!

Could not process line:
time
Status: 0xc0000034

File c:\WINDOWS\system32\cjnr4r4izpgw.exe not found!
Deletion of file c:\WINDOWS\system32\cjnr4r4izpgw.exe failed!

Could not process line:
c:\WINDOWS\system32\cjnr4r4izpgw.exe
Status: 0xc0000034

File c:\WINDOWS\system32\mlsdf8hjfm.exe not found!
Deletion of file c:\WINDOWS\system32\mlsdf8hjfm.exe failed!

Could not process line:
c:\WINDOWS\system32\mlsdf8hjfm.exe
Status: 0xc0000034

File c:\WINDOWS\system32\timedrv26.sys not found!
Deletion of file c:\WINDOWS\system32\timedrv26.sys failed!

Could not process line:
c:\WINDOWS\system32\timedrv26.sys
Status: 0xc0000034

File C:\WINDOWS\system32\fpnu0359e.dll deleted successfully.
File C:\WINDOWS\system32\tqpmib.dll deleted successfully.
File C:\WINDOWS\system32\lv6u09j9e.dll deleted successfully.
File C:\WINDOWS\system32\ktlu17391.dll deleted successfully.
File C:\WINDOWS\system32\k4800elmehga0.dll deleted successfully.
File C:\WINDOWS\system32\mmoeacct.dll deleted successfully.

File C:\WINDOWS\system32\admparsek.dll not found!
Deletion of file C:\WINDOWS\system32\admparsek.dll failed!

Could not process line:
C:\WINDOWS\system32\admparsek.dll
Status: Oxc0000034

File C:\WINDOWS\system32\viuqroxp.dll deleted successfully.
File C:\WINDOWS\system32\l2r01c9m1f.dll deleted successfully.
File C:\WINDOWS\taskmen32.pif deleted successfully.
File C:\WINDOWS\system32\DRWEBSP.dll deleted successfully.
File C:\WINDOWS\system32\g267234.dll deleted successfully.
File C:\dhcp.exe deleted successfully.
File C:\WINDOWS\system32\winrge32.dll deleted successfully.
File C:\dhcp.scr deleted successfully.
File C:\WINDOWS\bhgud.dll deleted successfully.
File C:\WINDOWS\srvvqqsfp1.exe deleted successfully.
File C:\WINDOWS\system32\wnsapisv.exe deleted successfully.
File C:\WINDOWS\srvkhxjhxw.exe deleted successfully.
File C:\dhcp.com deleted successfully.
File C:\regedit.exe deleted successfully.
File C:\ofvrhrx.exe deleted successfully.
File C:\ojfos.exe deleted successfully.
File C:\WINDOWS\system32\tbhogttb.dll deleted successfully.
File C:\WINDOWS\Eim03.exe deleted successfully.
File C:\WINDOW\system32\xzn49f40.sys deleted successfully.
File C:\regfile.pif deleted successfully.
File C:\WINDOWS\autoupdate.bat deleted successfully.
File C:\regedit.pif deleted successfully.
File C:\WINDOWS\system32\nsu8e.dll deleted successfully.
File C:\WINDOWS\system32\nse8f.dll deleted successfully.
File C:\WINDOWS\system32\BattyRun2.dll deleted successfully.

File C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\b14012ad.exe not found!
Deletion of file C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\b14012ad.exe failed!

Could not process line:
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\b14012ad.exe
Status: 0xc0000034

File C:\WINDOWS\system32\b14012ad.exe not found!
Deletion of file C:\WINDOWS\system32\b14012ad.exe failed!

Could not process line:
C:\WINDOWS\system32\b14012ad.exe

Folder C:\Program Files\Batty2 deleted successfully.
Folder C:\Program Files\Common Files\kqof deleted successfully.

Folder C:\Program Files\PSLister not found!
Deletion of folder: C:\Program Files PSLister failed!

Could not process line:
C:\Program Files\PSLister
Status: 0xc000034

Completed script processing.
********************

Finished! Terminate.////////////////////////////////////////////

Logfile of the Avenger Version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yoskjacu

******************************

Script filel located at: \??C:\Program Files\stlqgund.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!
///////////////////////////
Status: 0xc0000034
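
Reading an Avenger log by hand is error-prone, and the one above was retyped from a screen, so it pays to reconcile the script against the log mechanically. As an added example (not code from the thread or from The Avenger), the Python below parses the script sections from the previous post and the result lines of the log, and reports for each requested item whether it was removed, was already absent, or has no matching line at all. Status 0xc0000034 is the NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND, so the "not found" failures for the three files Killbox was earlier told to delete on reboot are consistent with those files already being gone. Log names that match no script line are listed separately; that is how retyping slips such as a dropped character surface. The sample script and log are constructed from excerpts of the two posts; the outcome labels and the small status table are assumptions.

```python
"""Reconcile an Avenger script with the log it produced.

Added example for this thread; not code from The Avenger or from the helpers
here. The script layout (section header, then one item per line) and the log
phrases come from the posts above; the outcome labels and the NTSTATUS table
are assumptions for illustration.
"""
import re

# Constructed sample: a subset of the script from the previous post.
SAMPLE_SCRIPT = """\
Drivers to unload:

pe386
time

Files to delete:

C:\\WINDOWS\\system32\\cjnr4r4izpgw.exe
C:\\WINDOWS\\system32\\mlsdf8hjfvm.exe
C:\\WINDOWS\\system32\\fpnu0359e.dll
C:\\WINDOWS\\system32\\ktlul7391.dll

Folders to delete:

C:\\Program Files\\Batty2
C:\\Program Files\\PSLister
"""

# Constructed sample: the matching result lines of the hand-typed log above,
# including two file names that the retyping altered.
SAMPLE_LOG = """\
Driver pe386 unloaded successfully.
Registry key \\Registry\\Machine\\System\\CurrentControlSet\\Services\\time not found!
Unload of driver time failed!
Status: 0xc0000034
File c:\\WINDOWS\\system32\\cjnr4r4izpgw.exe not found!
Deletion of file c:\\WINDOWS\\system32\\cjnr4r4izpgw.exe failed!
File c:\\WINDOWS\\system32\\mlsdf8hjfm.exe not found!
File C:\\WINDOWS\\system32\\fpnu0359e.dll deleted successfully.
File C:\\WINDOWS\\system32\\ktlu17391.dll deleted successfully.
Folder C:\\Program Files\\Batty2 deleted successfully.
Folder C:\\Program Files\\PSLister not found!
"""

SECTIONS = {"Drivers to unload:": "driver", "Files to delete:": "file", "Folders to delete:": "folder"}
# NTSTATUS codes worth naming for this log (deliberately small table).
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

DONE_RE = re.compile(r"^(?:File|Folder) (.+) deleted successfully\.$"
                     r"|^Driver (\S+) unloaded successfully\.$")
MISSING_RE = re.compile(r"^(?:File|Folder) (.+) not found!$"
                        r"|^Registry key .*\\Services\\(\S+) not found!$")


def parse_script(text: str) -> list:
    """Return (kind, item) pairs in script order, skipping blank lines."""
    items, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            kind = SECTIONS[line]
        elif kind is not None:
            items.append((kind, line))
    return items


def parse_log(text: str) -> dict:
    """Map each item the log names (lower-cased) to 'done' or 'not found'."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DONE_RE.match(line)
        if m:
            results[(m.group(1) or m.group(2)).lower()] = "done"
            continue
        m = MISSING_RE.match(line)
        if m:
            results[(m.group(1) or m.group(2)).lower()] = "not found"
    return results


def explain_status(code: str) -> str:
    """Translate a 'Status: 0x...' value; unknown codes are echoed back."""
    return NTSTATUS.get(int(code, 16), code)


def reconcile(script_text: str, log_text: str) -> dict:
    """Outcome per script item, then any log names that match no script line."""
    log = parse_log(log_text)
    outcome = {}
    for _kind, item in parse_script(script_text):
        outcome[item] = log.pop(item.lower(), "no result in log")
    for leftover in log:
        outcome[leftover] = "in log but not in script"
    return outcome


if __name__ == "__main__":
    for item, result in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{result:26} {item}")
    print("0xc0000034 =", explain_status("0xc0000034"))
```

On the sample, mlsdf8hjfvm.exe and ktlul7391.dll come back as "no result in log" while mlsdf8hjfm.exe and ktlu17391.dll appear as "in log but not in script": the pairs differ by one character, which points at the transcription rather than at the tool. Matching is case-insensitive because Avenger echoes paths in the case it received them, as the mix of c:\WINDOWS and C:\WINDOWS in the log shows.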

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 August 2006 - 04:51 PM

Go into task manager -> New task...
Type in explorer and hit enter.

Does that bring up your desktop?


If not go to New task and click browse.
Navigate to this file and open it.

C:\WINDOWS\Explorer.EXE


Let me know how it goes.
Post a new hijackthis log as soon as you are able.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 ludek

ludek
  • Topic Starter

  • Members
  • 12 posts

Posted 29 August 2006 - 05:31 PM

Neither method of trying to execute Explorer worked. I could see Explorer in the processes tab of Task Manager, but nothing happened to bring back my desktop. In fact, I tried it several times, and then I saw several Explorer tasks in the processes tab.

I tried browsing (in New Task...) to a Word Document, then it looks like it's trying to open Word, but it never gets past starting Word. (It looks like it's starting, but never really opens the document. It's like it's stuck, trying to get enough memory or something.)

(I'm replying with my work laptop.)

Any other ideas? Sure appreciate your help.

#14 ludek

ludek
  • Topic Starter

  • Members
  • 12 posts

Posted 29 August 2006 - 07:29 PM

I figured out how to run HijackThis in Safe Mode w/ command prompt. I saved it to my removable USB drive and can now paste it here on my work laptop.

Logfile of HijackThis v1.99.1
Scan saved at 8:24:15 PM, on 8/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [WinTVRRemote] "C:\Program Files\WinTVR3\Remote.exe"
O4 - HKLM\..\Run: [Schedule] "C:\Program Files\WinTVR3\Schedule.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143585990\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ywryropa] C:\jfwoikvu.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Scbu] "C:\PROGRA~1\COMMON~1\RACLE~1\msdtc.exe" -vt yazr
O4 - HKCU\..\Run: [Cllpn] C:\Program Files\?ystem32\w?auboot.exe
O4 - HKCU\..\Run: [yalgn] C:\WINDOWS\system32\dmanlb.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\drwebsp.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/tryaces/...gamesplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aolsvc.aol.com/onlinegames/chuzzled...aploader_v7.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: h618 - C:\WINDOWS\g267234.dll (file missing)
O20 - Winlogon Notify: ljjjjhe - ljjjjhe.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Veoh Client Service - Veoh Networks, Inc. - C:\Documents and Settings\HP_Administrator\My Documents\My Music\iTunes\iTunes Music\Veoh\VeohClientService.exe

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 August 2006 - 02:38 PM

Let's work with what we have now.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [ywryropa] C:\jfwoikvu.bat
O4 - HKCU\..\Run: [Scbu] "C:\PROGRA~1\COMMON~1\RACLE~1\msdtc.exe" -vt yazr
O4 - HKCU\..\Run: [Cllpn] C:\Program Files\?ystem32\w?auboot.exe
O4 - HKCU\..\Run: [yalgn] C:\WINDOWS\system32\dmanlb.exe reg_run
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - Winlogon Notify: h618 - C:\WINDOWS\g267234.dll (file missing)
O20 - Winlogon Notify: ljjjjhe - ljjjjhe.dll (file missing)
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)



Reboot your computer.


We are going to need some more information to troubleshoot this problem with explorer. Can you get a HijackThis log from normal mode by starting HijackThis through Task Manager -> New task...?

I would also like to see a new log from Combofix if possible.
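The fix list above was hand-picked by the helper from the log. As an added illustration (not part of this thread, of HijackThis, or of the helper's procedure), the following Python script shows the kind of mechanical signals a defender can apply to R3, O4 and O20 lines before researching each entry by hand: a target file that no longer exists, unprintable characters that HijackThis renders as "?", an image placed in the drive root, a Windows system binary name loaded from outside the Windows directory, or a random-looking key or file name. The sample lines are copied from the log posted above, and the script assumes Windows is installed at C:\WINDOWS as that log shows; the heuristics and their thresholds are my own choices.

```python
"""Heuristic triage of HijackThis-style log lines (added example).

Parses R3, O4 (Run key) and O20 (Winlogon Notify) lines and flags entries
for manual review. Assumes Windows lives at C:\\WINDOWS, as in the log above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log in this thread, plus the
# benign ehTray / ctfmon / WgaLogon entries from the same log for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [ywryropa] C:\jfwoikvu.bat
O4 - HKCU\..\Run: [yalgn] C:\WINDOWS\system32\dmanlb.exe reg_run
O4 - HKCU\..\Run: [Scbu] "C:\PROGRA~1\COMMON~1\RACLE~1\msdtc.exe" -vt yazr
O4 - HKCU\..\Run: [Cllpn] C:\Program Files\?ystem32\w?auboot.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ljjjjhe - ljjjjhe.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

WINDOWS_DIR = "c:\\windows\\"  # assumed install directory (matches the log)
# Names of genuine Windows binaries; seeing one of these loaded from outside
# the Windows directory is a classic masquerading sign.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "msdtc.exe", "explorer.exe"}
EXEC_EXT = (".exe", ".dll", ".bat", ".com", ".scr", ".pif", ".cmd")
DRIVE_ROOT = re.compile(r"[a-z]:\\[^\\]+")          # e.g. c:\jfwoikvu.bat
LINE_PATTERNS = {
    "R3": re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$"),
    "O4": re.compile(r"^O4 - (?P<location>.*?): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
}


@dataclass
class Entry:
    kind: str
    name: str
    target: str
    flags: list = field(default_factory=list)


def looks_random(token: str) -> bool:
    """Heuristic: an alphanumeric token with digits mixed into letters, with no
    vowels at all, or with a run of five or more consonants is probably
    machine-generated. It is a prompt for review, not a verdict."""
    t = token.lower()
    if not t.isalnum() or len(t) < 4:
        return False
    if any(c.isdigit() for c in t) and any(c.isalpha() for c in t):
        return True
    letters = [c for c in t if c.isalpha()]
    if letters and not any(c in "aeiou" for c in letters):
        return True
    return re.search(r"[bcdfghjklmnpqrstvwxyz]{5,}", t) is not None


def extract_image(command: str) -> str:
    """Return the program path from an autorun command line: the quoted segment
    if present, otherwise the leading tokens up to the first executable name."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXT):
            return " ".join(tokens[: i + 1])
    return command


def assess(entry: Entry) -> list:
    """Apply the review heuristics to one parsed entry, in a fixed order."""
    flags = []
    low = entry.target.lower()
    if "(file missing)" in low or "(no file)" in low:
        flags.append("target file missing")
    image = extract_image(entry.target)
    if "?" in image:                       # HijackThis prints odd characters as '?'
        flags.append("unprintable characters in path")
    if DRIVE_ROOT.fullmatch(image.lower()):
        flags.append("image in drive root")
    basename = image.rsplit("\\", 1)[-1].lower()
    stem = basename.rsplit(".", 1)[0]
    if basename in SYSTEM_BINARIES:
        if not image.lower().startswith(WINDOWS_DIR):
            flags.append("system binary name outside the Windows directory")
    elif looks_random(entry.name) or looks_random(stem):
        flags.append("random-looking name")
    return flags


def parse_line(line: str):
    for kind, pat in LINE_PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            return Entry(kind, m.group("name"), m.group("target"))
    return None


def triage(log_text: str) -> list:
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            e.flags = assess(e)
            entries.append(e)
    return entries


def flagged(log_text: str) -> dict:
    """Map entry name -> reasons, for entries that earned at least one flag."""
    return {e.name: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4}{e.name:<18}{', '.join(e.flags) or 'no flags'}")
```

Running it on the sample flags the R3 orphan, k6mmN5IOU, ywryropa, Scbu (msdtc.exe from a Common Files subfolder), Cllpn and the missing ljjjjhe.dll, while ehTray, ctfmon.exe and WgaLogon pass. Two items from the helper's fix list also pass: yalgn (dmanlb.exe has a plausible-looking name) and SurfSideKick 3, which is named plainly. That is the limit of this kind of check: it narrows what to research, but knowing which programs are adware and which entries belong on the machine is what produced the list above.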



