Too Many Virus Alerts


14 replies to this topic

#1 cuzinwhitebread

cuzinwhitebread

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gainesville, Tx
  • Local time:09:46 PM

Posted 22 December 2006 - 02:39 PM

i keep getting a lot of virus alerts and when i do a scan it finds quite a few dangerous files. the problem is that i use defender pro antivirus and it has a hard time with password protected files. i used a zone alarm firewall because my defender pro firewall kept getting attacked by the DDOS and disabled my internet service. I was wanting to know if anything showed up on my hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 1:33:18 PM, on 12/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\Common Files\{84FA5153-0D05-1033-0503-060510040001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MCROSO~1\wuauclt.exe
C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
C:\Program Files\Hijackthis\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34FA5153-0D05-1033-0503-060510040001}\888.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll (file missing)
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34FA5153-0D05-1033-0503-060510040001}\888.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
O4 - HKLM\..\Run: [DPASUpdate] "C:\Program Files\DefenderPro AntiSpy\DPASAutUpdate.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ealb] "C:\PROGRA~1\MCROSO~1\wuauclt.exe" -vt yazr
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://194.69.6.38/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{90B48369-E4E5-46B7-93FC-858E27C2BB51}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The coolest thing since sliced bread

#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:46 PM

Posted 22 December 2006 - 03:10 PM

Hi cuzinwhitebread, :flowers:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :thumbsup:

#3 cuzinwhitebread

Posted 22 December 2006 - 03:14 PM

thank you. no rush.

#4 cuzinwhitebread

Posted 23 December 2006 - 09:47 PM

did you find anything?

#5 Falu

Posted 24 December 2006 - 05:16 AM

Hi cuzinwhitebread, :huh:

did you find anything?


Yes I did and I prepared a fix. But since I am still in the process of learning to help people I have to wait for my coach's approval, and they are very busy people as you will understand.

thank you. no rush.


Liked that one. :thumbsup:

Don't worry we will get back to you a.s. as possible! :flowers:

#6 Falu

Posted 24 December 2006 - 06:48 AM

Hi cuzinwhitebread, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. To begin with disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

You may re-enable it again when your computer is clean; I will let you know!

2. Download LSP-Fix from this link and save it to a location you can find later if necessary. Do not run unless instructed to.

3. Click on Start, Settings, Control Panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following programs if listed:

Webhancer
Toolbar888


If you can not connect to the Internet after removing Webhancer, please run the LSP-Fix program I had you download earlier, and click on the finish button. Reboot and you should be able to get back on.

4. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34FA5153-0D05-1033-0503-060510040001}\888.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{34FA5153-0D05-1033-0503-060510040001}\888.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [Ealb] "C:\PROGRA~1\MCROSO~1\wuauclt.exe" -vt yazr


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

5. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

6. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following folders in bold if listed:

C:\Program Files\webHancer
C:\Program Files\Common Files\{34FA5153-0D05-1033-0503-060510040001}
C:\PROGRA~1\MCROSO~1 << The folder is in Program Files and starts with: MCROSO

7. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

8. Reboot to go back into Normal mode.

9. Perform an online scan with Panda: Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please post the contents of the Panda scan report together with a fresh HijackThis log

#7 cuzinwhitebread

Posted 26 December 2006 - 03:42 PM

i'm doing the panda scan now, i ran into some problems though.

i could not delete webhancer file: webhdll.dll it says access denied and i couldn't find file {34FA5153-0D05-1033-0503-060510040001}

#8 cuzinwhitebread

Posted 26 December 2006 - 03:59 PM

here is the panda scan:

Incident Status Location

Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\888.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0121940.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0123848.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0128298.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0129238.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0134860.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0141925.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0151986.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0157938.exe
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0165046.dll
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0165311.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0165516.exe
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0166324.dll
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0166929.dll
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0167185.dll
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0170498.dll
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0170626.dll
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0170759.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0171172.exe
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0173174.dll
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0173401.dll
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0173585.dll
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0174011.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0174542.exe
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0174785.exe
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0174786.exe
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0177613.dll
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0178339.dll
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0178341.dll
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\backup-20061223-210203-473.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\Process.exe
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\system.dll
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\TonkaMonsterTrucks-dm[10.exe
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\TonkaMonsterTrucks-dm[1].exe
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\ToughTrucks_Setup-dm[10.exe
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\Owner\DoctorWeb\Quarantine\ToughTrucks_Setup-dm[1].exe
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\b129.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/PurityScan Not disinfected C:\Program Files\Cowabanga\uninstaller.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\M?crosoft\wuauclt.exe
Virus:Trj/Ruins.MK Disinfected C:\WINDOWS\system32\csisy.exe

and the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 2:58:28 PM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
O4 - HKLM\..\Run: [DPASUpdate] "C:\Program Files\DefenderPro AntiSpy\DPASAutUpdate.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://194.69.6.38/activex/AMC.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{90B48369-E4E5-46B7-93FC-858E27C2BB51}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9 cuzinwhitebread

Posted 26 December 2006 - 07:57 PM

i noticed on that panda scan i had a lot of crap so i ran my defender pro spyware and took care of some of it and then i went back to run another panda scan and here is an updated one with an updated hijack log

HIGHJACKTHIS LOG:::::

Logfile of HijackThis v1.99.1
Scan saved at 6:33:19 PM, on 12/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
O4 - HKLM\..\Run: [DPASUpdate] "C:\Program Files\DefenderPro AntiSpy\DPASAutUpdate.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [dmwpn.exe] C:\WINDOWS\system32\dmwpn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://194.69.6.38/activex/AMC.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{90B48369-E4E5-46B7-93FC-858E27C2BB51}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe





Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\b129.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/PurityScan Not disinfected C:\Program Files\Cowabanga\uninstaller.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\M?crosoft\wuauclt.exe

#10 Falu

Posted 28 December 2006 - 11:39 AM

Hi cuzinwhitebread, :thumbsup:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

1. Download combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

2. Run HijackThis, click Scan and checkmark the following entries:

O4 - HKLM\..\Run: [dmwpn.exe] C:\WINDOWS\system32\dmwpn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{90B48369-E4E5-46B7-93FC-858E27C2BB51}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\..\{07B9A5B1-2DF3-4065-B7F7-B12DF233C126}: NameServer = 85.255.114.88,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.88 85.255.112.72


Click Fix Checked. Close HijackThis, and click OK to proceed.

3. There is a danger of losing internet connection involved in fixing O17 entries. For when that happens do the following:

> Go to Start -> Control Panel, and choose Network Connections.
Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Click OK twice, and restart your computer.

> Go to Start > Run and type in cmd Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:
ipconfig /flushdns
Hit Enter
Exit the command window.

4. Restart again and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

5. Using Windows Explorer, please delete the following folders in bold if listed:

C:\Program Files\Cowabanga
C:\Program Files\M?crosoft

.......... and files in bold if listed:

C:\WINDOWS\system32\dmwpn.exe

6. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

7. Reboot to go back into Normal mode.

8. Please download FixWareout from here or here!

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt).

9. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the contents of the Kaspersky report along with the C:\fixwareout\report.txt, the ComboFix report and a new HijackThis log.

#11 cuzinwhitebread

Posted 28 December 2006 - 03:57 PM

KASPER LOG:
_________________________________________________________

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 123236
Number of viruses found 4
Number of infected objects 38 / 0
Number of suspicious objects 0
Duration of the scan process 01:18:09

Infected Object Name Virus Name Last Action
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165313.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165313.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165313.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165345.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165345.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165345.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165345.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165345.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165345.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165345.exe NSIS: infected - 6 skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP88\A0167186.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP88\A0167186.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP88\A0167186.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP91\A0178342.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP91\A0178342.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP91\A0178342.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186465.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186472.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186974.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186975.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186977.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186978.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186979.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186980.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186981.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186983.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186986.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187002.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187004.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187005.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187007.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187018.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187019.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187020.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187022.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187025.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187026.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped

C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0189444.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped

Scan process completed.



FIXWAREOUT LOG:
_________________________________________________________________________

Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csisy.exe"
...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...



COMBOFIX LOG:
_________________________________________________________________________________


Owner - 06-12-28 12:38:12.09 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Program Files\Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Install.dat
C:\Program Files\Cowabanga

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\MCROSO~1\wuauclt.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-28 to 2006-12-28 ))))))))))))))))))))))))))))))))))


2006-12-28 10:46 <DIR> dr-h----- C:\Documents and Settings\Owner\Recent
2006-12-26 14:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-23 21:33 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-12-23 21:18 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2006-12-23 20:56 <DIR> d-------- C:\!KillBox
2006-12-23 20:34 <DIR> d-------- C:\Program Files\directx
2006-12-23 20:08 <DIR> d-------- C:\Downloads
2006-12-17 17:26 69 --a-s---- C:\WINDOWS\test.bat
2006-12-16 21:22 <DIR> d-------- C:\Program Files\Axis Communications
2006-12-09 17:35 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-08 19:54 61,584 --a------ C:\WINDOWS\system32\drivers\klick.sys
2006-12-08 19:54 59,536 --a------ C:\WINDOWS\system32\drivers\klin.sys
2006-12-08 19:53 <DIR> d-------- C:\Program Files\DefenderPro AntiSpy
2006-12-04 21:45 <DIR> d-------- C:\Program Files\CCleaner
2006-12-04 21:39 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-04 21:39 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-04 21:39 <DIR> d-------- C:\Program Files\Zone Labs


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-28 12:36 -------- d-------- C:\Program Files\Downloads
2006-12-26 21:54 -------- d-------- C:\Program Files\THQ
2006-12-26 18:42 -------- d-------- C:\Program Files\QuickTime
2006-12-26 18:39 -------- d-------- C:\Program Files\Internet Explorer
2006-12-26 18:33 -------- d-------- C:\Program Files\Hijackthis
2006-12-23 21:14 -------- d-------- C:\Program Files\Common Files
2006-12-20 23:26 -------- d-------- C:\Program Files\Grisoft
2006-12-08 19:53 737280 --a------ C:\WINDOWS\iun6002.exe
2006-12-04 21:57 -------- d-------- C:\Program Files\Pure Networks
2006-12-04 21:50 -------- d-------- C:\Program Files\Common Files\AOL
2006-12-04 21:49 -------- d-------- C:\Documents and Settings\Owner\Application Data\AOL
2006-12-04 21:37 -------- d-------- C:\Program Files\Defender Pro
2006-12-04 21:37 -------- d-------- C:\Program Files\Common Files\Defender Pro Firewall
2006-11-27 17:18 -------- d-------- C:\Program Files\Lavalys
2006-11-24 19:47 -------- d-------- C:\Program Files\Real
2006-11-24 19:47 -------- d-------- C:\Program Files\Common Files\Real
2006-11-24 19:47 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-11-24 19:39 -------- d-------- C:\Program Files\Windows Media Player
2006-11-24 19:36 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-11-24 18:14 -------- d-------- C:\Program Files\Prison Tycoon
2006-11-18 19:43 -------- d-------- C:\Program Files\MTV Networks
2006-11-14 15:37 -------- d-------- C:\Program Files\PIXresizer
2006-11-07 21:42 -------- d-------- C:\Program Files\JustZIPit
2006-11-05 08:06 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-04 21:19 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-02 19:47 -------- d-------- C:\Program Files\Google
2006-11-02 19:42 -------- d-------- C:\Program Files\Yahoo!
2006-11-02 19:42 -------- d-------- C:\Program Files\SBC Self Support Tool
2006-11-02 19:42 -------- d-------- C:\Program Files\Outlook Express
2006-11-02 19:42 -------- d-------- C:\Program Files\Common Files\System
2006-11-02 19:42 -------- d-------- C:\Program Files\BroadJump(2)
2006-11-02 19:37 -------- d-------- C:\Program Files\IrfanView
2006-11-02 19:37 -------- d-------- C:\Program Files\ICQToolbar
2006-11-02 19:37 -------- d-------- C:\Program Files\Common Files\Adobe
2006-11-02 19:37 -------- d-------- C:\Program Files\BroadJump(3)
2006-11-02 19:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-11-02 19:37 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-11-02 19:36 -------- d-------- C:\Program Files\Messenger
2006-11-02 19:36 -------- d-------- C:\Program Files\Digital Media Reader
2006-11-02 17:57 645647 ---hs---- C:\WINDOWS\system32\kjkmp.bak2
2006-11-01 17:57 599654 ---hs---- C:\WINDOWS\system32\kjkmp.bak1
2006-10-30 22:57 -------- d-------- C:\Program Files\RedLightCenter
2006-10-28 23:51 -------- d-------- C:\Program Files\MySpace
2006-10-28 23:51 -------- d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2006-10-27 15:09 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 02:44 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-18 22:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 22:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 22:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 22:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 22:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 22:47 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-10-18 22:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 22:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 22:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 22:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 22:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 22:47 535040 --a------ C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 22:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 22:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 22:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 22:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 22:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 22:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 22:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 22:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 22:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 22:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 22:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 22:47 276992 --a------ C:\WINDOWS\system32\audiodev.dll
2006-10-18 22:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 22:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 22:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 22:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 22:47 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-10-18 22:47 212992 --a------ C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 22:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 22:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 22:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 22:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 22:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 22:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 22:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 22:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 22:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 22:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 22:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 22:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 22:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 22:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 22:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 22:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 21:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 21:00 249856 --a------ C:\WINDOWS\system32\drmupgds.exe
2006-10-18 21:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-09 20:26 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2006-10-09 16:12 456192 --a------ C:\WINDOWS\system32\encdec.dll
2006-10-09 16:12 235008 --------- C:\WINDOWS\system32\psisdecd.dll
2006-10-02 15:28 312128 --------- C:\WINDOWS\system32\msdelta.dll
2006-09-28 20:13 95344 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-09-28 18:56 55808 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-09-28 18:56 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-09-28 18:56 165376 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-09-28 18:56 146432 --------- C:\WINDOWS\system32\WudfHost.exe
2006-09-28 16:05 2414360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-09-28 16:05 237848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-09-28 16:04 68888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-09-28 16:03 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DPAS"="\"C:\\Program Files\\DefenderPro AntiSpy\\DPASNT.exe\""
"DPASUpdate"="\"C:\\Program Files\\DefenderPro AntiSpy\\DPASAutUpdate.exe\""
"KAVPersonal50"="\"C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\kav.exe\" /minimize"
"dmwpn.exe"="C:\\WINDOWS\\system32\\dmwpn.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

Completion time: 06-12-28 12:39:01.62
C:\ComboFix.txt ... 06-12-28 12:39



HIJACKTHIS LOG:
_______________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 2:57:07 PM, on 12/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\hijackthis.exe

O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
O4 - HKLM\..\Run: [DPASUpdate] "C:\Program Files\DefenderPro AntiSpy\DPASAutUpdate.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://194.69.6.38/activex/AMC.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#12 cuzinwhitebread

Posted 30 December 2006 - 02:23 PM

whatever this is on my computer, i think we pissed it off. lol. i think it's trying to block access to this site or something because i'm having a hard time getting to it.

is this fixable? i'm getting kind of worried, the kasper log said i had a virus with quite a few infected files.

Mod Edit --> Removed email to protect from spam bots.

Edited by D-Trojanator, 30 December 2006 - 06:43 PM.


#13 Falu


Posted 31 December 2006 - 03:50 AM

Hi cuzinwhitebread, :thumbsup:

i think it's trying to block access to this site or something because i'm having a hard time getting to it.


Do you mean to say that you can't get to the BleepingComputer site? Whenever a lot of people try to get access it is difficult sometimes. Why do you think something is blocking you? Please be as specific as possible.

HijackThis log looks clean which is good news as you will understand. The other logs demonstrate we still have some cleaning to do.

1. Download, install, and update AVG Anti-Spyware 7.5

    1. Save the installer to desktop
    2. Double click the installer, select your language, and then select OK
    3. Click NEXT>>Do or don't read the "User License Agreement"
       Select I Agree>>>NEXT>>>INSTALL
    4. AVG will now install and afterwards click FINISH
    5. AVG Anti-Spyware 7.5 should now Load
    6. Click the Update tab at the top. Under Manual Update click Start update.
    7. After the update finishes (the status bar at the bottom will display "Update successful")
    8. Close AVG Anti-Spyware 7.5. Do not run it yet.

2. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

3. Make sure you can view all files. Click Start >My Computer > Tools > Folder Options >View. Check "Show hidden files and folders", uncheck "Hide protected operating system files" and "Hide extensions for known file types". Click "Apply to all folders" >Apply then OK.

4. Empty this folder: C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine

5. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following files in bold:

C:\WINDOWS\system32\kjkmp.bak2
C:\WINDOWS\system32\kjkmp.bak1

6. Now open Notepad and copy and paste the following text in the quotebox into it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"dmwpn.exe"=-


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

7. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

8. Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and uncheck "Only if Threats are found"
  • Click back to the "Scan" tab and then click on Complete System Scan.
    This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot to go back into Normal mode, post the AVG report and let me know how this went.
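A way to preview what a .reg file such as the fix.reg in step 6 will change before it is merged, as an added example that is not part of Falu's post. `preview_reg` and `only_deletes` are hypothetical helper names, and the parser assumes only the common Registry Editor 5.00 syntax (key headers, `"name"=data`, `"name"=-` value deletions and `[-KEY]` key deletions).

```python
import re

# The fix.reg text from the post above, used as sample input.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"dmwpn.exe"=-
'''

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def preview_reg(text):
    """List (action, key, value_name) for each change a merge would make."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line")
    ops, key, pending = [], None, ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):               # "[-KEY]" removes the key and its subkeys
                ops.append(("delete-key", key, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            # "name"=- removes just that value; anything else writes data
            action = "delete-value" if m.group(2) == "-" else "set-value"
            ops.append((action, key, name))
        else:
            ops.append(("unparsed", key, line))
    return ops

def only_deletes(ops, expected):
    """True if the file does nothing except delete the expected (key, name) pairs."""
    got = {(k.lower(), n.lower()) for a, k, n in ops if a == "delete-value"}
    want = {(k.lower(), n.lower()) for k, n in expected}
    return got == want and all(a == "delete-value" for a, _, _ in ops)
```

For the file in the post, `preview_reg(FIX_REG)` reports a single `delete-value` on the HKLM Run key, so the merge removes one autostart entry and writes nothing.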

#14 cuzinwhitebread


Posted 02 January 2007 - 10:48 AM

almost every time i come to the bleeping computer forums i get an error message saying it can't download the bleeping computer forum, task aborted.

everything went well, no problems.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:40:35 AM 1/2/2007

+ Scan result:



C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165313.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165345.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP88\A0167186.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP91\A0178342.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186977.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187002.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187004.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187005.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187007.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187018.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187022.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187026.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186975.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186978.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186979.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186980.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186981.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186986.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0187025.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186974.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186982.dll -> Adware.WebHancer : Cleaned with backup (quarantined).


#15 Falu


Posted 03 January 2007 - 04:49 AM

Hi cuzinwhitebread, :flowers:

almost every time i come to the bleeping computer forums i get an error message saying it can't download the bleeping computer forum, task aborted.


Please check this site

everything went well, no problems.


That's very good news. Furthermore the AVG scan comes up 'almost' clean: I think you're almost ready to go.

1. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

You may do this as often as you like but in your case I advise you to do it at least once every two weeks.

2. Remove previous restore points and set a new one to purge any malware that may have been backed up:

Click Start>Help and Support>Undo changes to your computer with System Restore
Click Create A Restore Point then click Next. Give it a name and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

This will remove all previous restore points except the newly created one.

3. You may re-enable hidden files now: Open Windows Explorer > Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is unchecked. Also check "Hide protected operating system files" and tick "Hide extensions for known file types". Now click "Apply to all folders" > Apply then OK.

4. In order to prevent future infections follow these recommendations:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found
here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

c. I recommend that you read Tony Klein's excellent article: So how did I get infected in the first place?

d. If you want to fight back against the Malware Writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck! :thumbsup:
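Every detection in the AVG report posted in #14 sits under `System Volume Information\_restore{...}\RPnn`, that is, inside System Restore snapshots, which is what step 2 above purges. The following added example (not part of the thread) parses report lines in that format and separates snapshot-only detections from ones on the live file system; the function names are hypothetical, and the last sample line is constructed for contrast.

```python
import re
from collections import Counter

# Three lines copied from the AVG report in post #14, plus one constructed
# line (the last) showing a detection outside System Restore.
REPORT = r'''
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP87\A0165313.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186975.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP93\A0186982.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Example\constructed-sample.exe -> Adware.Example : Cleaned with backup (quarantined).
'''

LINE_RE = re.compile(r'^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$')
RESTORE_RE = re.compile(
    r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\', re.I)

def parse_report(text):
    """Turn 'path -> detection : action' lines into dicts; skip everything else."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_RE.search(m["path"])
        findings.append({
            "path": m["path"],
            "name": m["name"],
            "action": m["action"],
            # Restore point number (the RPnn folder), or None for a live file
            "restore_point": int(rp.group(1)) if rp else None,
        })
    return findings

def summarize(findings):
    """Group findings so snapshot-only leftovers stand apart from live files."""
    live = [f["path"] for f in findings if f["restore_point"] is None]
    points = sorted({f["restore_point"] for f in findings
                     if f["restore_point"] is not None})
    return {
        "restore_points": points,
        "families": Counter(f["name"] for f in findings),
        "live_paths": live,
        # True when purging restore points would remove every flagged copy
        "only_in_restore": bool(points) and not live,
    }
```

Run against the full report from post #14, `only_in_restore` is true; any entry in `live_paths` would instead point at a file that clearing restore points does not touch.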



