Malwarebytes

Got infected by antivirus 2009

5 replies to this topic

#1
nicolai

    New Member

  • Members
  • 5 posts
I got this nasty virus from installing a fake video codec.... I've managed to remove most of the virus using MBAM. However, it won't remove the infection of the userinit.exe; it keeps on popping up every time I run MBAM even though I removed it the previous time.

I've tried to search for all userinits and it seems there are two more of those. When I upload them to an online scanner, all four show up as infected!
When I enter XP after the log-on screen I have to use Task Manager to manually start explorer, otherwise Windows won't load. And every time I connect to the internet, the virus starts downloading more malware and redirects homepages. I've also tried F-Secure but it's not able to find anything.

I would have reinstalled XP a long time ago if I hadn't had a number of programs installed which I am not able to reinstall easily. Is there any way I can repair the userinit.exe files? Please help me someone!

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2/2/2009 11:07:04 AM
mbam-log-2009-02-02 (11-07-04).txt

Scan type: Quick Scan
Objects scanned: 80120
Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:51, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\F-Secure\Common\FSLAUNCH.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Økonomisk Institut
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LanzarP2006] "C:\DOCUME~1\okonk\LOCALS~1\Temp\P2006tmp\Install.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} (CPlayFirstmsiControl Object) - http://zone.msn.com/...msi.1.0.0.9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad
O17 - HKLM\Software\..\Telephony: DomainName = ibt.ku.dk.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

--
End of file - 8213 bytes

#2
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
Hi. :D

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Double-click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

#3
nicolai

    New Member

  • Members
  • 5 posts
Thanks for your quick reply!

I downloaded Combofix on the desktop and launched it. It opens up a blue window with no text in it and then nothing happens. I've let it run for 10 min or so.


Tigger93, on Feb 3 2009, 08:10 PM, said:

Hi. :D

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Double-click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.


#4
nicolai

    New Member

  • Members
  • 5 posts
And by the way, the name of the virus is Antispyware 2009, of course, not Antivirus... I also tried using a program called SmitfraudFix.exe with no result.

#5
nicolai

    New Member

  • Members
  • 5 posts
I ran ComboFix in safe mode and it worked (though this means I wasn't able to install the Windows Recovery Console)! Here's the log along with the HijackThis log. Thanks in advance!

ComboFix 09-02-02.04 - okoNK 2009-02-04 10:22:48.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.800 [GMT -5:00]
Running from: c:\documents and settings\okonk\Desktop\ComboFix.exe
AV: F-Secure Client Security 8.00 *On-access scanning enabled* (Updated)
FW: F-Secure Client Security 8.00 *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\303374.exe
c:\windows\system32\test.ttt
c:\windows\system32\tmp.reg
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

----- BITS: Possible infected sites -----

hxxp://wsus-srv
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 09:44 . 2009-02-04 09:44 137,280 --a------ c:\windows\system32\drivers\ethorpkk.sys
2009-02-04 09:44 . 2009-02-04 09:44 66,560 ---h----- c:\windows\system32\secupdat.dat
2009-02-04 09:44 . 2009-02-04 09:44 32,768 --ah----- c:\documents and settings\okonk\gma.exe
2009-02-03 21:33 . 2009-02-03 21:33 0 --a------ c:\windows\system32\55B.tmp
2009-02-03 18:04 . 2009-02-03 18:04 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 16:46 . 2009-02-03 16:46 262,144 --a------ c:\documents and settings\TESTKO~3
2009-02-03 16:42 . 2009-02-03 16:42 262,144 --a------ c:\documents and settings\TESTKO~2
2009-02-03 16:32 . 2009-02-03 16:32 262,144 --a------ c:\documents and settings\TESTKO~1
2009-02-03 16:23 . 2009-02-03 16:23 211 --a------ c:\windows\AvDetected.ini
2009-02-03 14:23 . 2009-02-03 14:23 <DIR> d-------- c:\program files\CCleaner
2009-02-03 13:43 . 2009-02-03 13:43 0 --a------ c:\windows\system32\AC.tmp
2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\documents and settings\okonk\Application Data\SUPERAntiSpyware.com
2009-02-03 08:50 . 2009-02-03 08:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\documents and settings\okonk\Application Data\Malwarebytes
2009-02-02 10:19 . 2009-02-02 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-02 10:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 10:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-01 22:12 . 2009-02-01 22:12 142,848 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-02-01 22:03 . 2006-02-27 22:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-01-26 11:04 . 2009-01-26 11:04 <DIR> d-------- c:\program files\SecureW2
2009-01-26 11:04 . 2009-01-26 11:04 <DIR> d-------- C:\BrownSW
2009-01-23 13:35 . 2009-01-23 13:35 <DIR> d--h----- c:\windows\PIF
2009-01-23 13:32 . 2009-01-23 13:32 <DIR> d-------- c:\documents and settings\okonk\Application Data\Windows Search
2009-01-23 12:48 . 2009-01-25 09:27 115,224 --a------ C:\img2-001.raw
2009-01-23 12:46 . 2008-04-14 05:42 91,136 --a------ c:\windows\system32\kswdmcap.ax
2009-01-23 12:46 . 2008-04-14 05:42 91,136 --a--c--- c:\windows\system32\dllcache\kswdmcap.ax
2009-01-23 12:46 . 2008-04-14 05:42 61,952 --a------ c:\windows\system32\kstvtune.ax
2009-01-23 12:46 . 2008-04-14 05:42 61,952 --a--c--- c:\windows\system32\dllcache\kstvtune.ax
2009-01-23 12:46 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2009-01-23 12:46 . 2008-04-14 05:42 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2009-01-23 12:46 . 2008-04-14 05:42 43,008 --a------ c:\windows\system32\ksxbar.ax
2009-01-23 12:46 . 2008-04-14 05:42 43,008 --a--c--- c:\windows\system32\dllcache\ksxbar.ax
2009-01-23 12:46 . 2008-04-14 00:16 17,024 --a------ c:\windows\system32\drivers\CCDECODE.sys
2009-01-23 12:46 . 2008-04-14 00:16 17,024 --a--c--- c:\windows\system32\dllcache\ccdecode.sys
2009-01-23 12:44 . 2009-01-23 12:45 <DIR> d-------- c:\program files\Microsoft LifeCam
2009-01-23 12:44 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2009-01-22 13:23 . 2009-02-01 09:51 <DIR> d-------- c:\documents and settings\okonk\Application Data\skypePM
2009-01-22 13:23 . 2009-01-22 13:23 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-01-22 07:47 . 2009-02-01 13:59 <DIR> d-------- c:\documents and settings\okonk\Application Data\Skype
2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\program files\Skype
2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\program files\Common Files\Skype
2009-01-22 07:46 . 2009-01-22 07:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d-------- c:\program files\Windows Desktop Search
2009-01-21 12:02 . 2009-01-21 12:02 <DIR> d-------- c:\documents and settings\okonk\Application Data\Windows Desktop Search
2009-01-21 12:01 . 2008-03-07 12:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll
2009-01-21 12:01 . 2008-03-07 12:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll
2009-01-21 12:01 . 2008-03-07 12:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll
2009-01-19 06:46 . 2009-02-02 09:54 <DIR> d-------- c:\program files\DNA
2009-01-19 06:46 . 2009-02-02 10:03 <DIR> d-------- c:\documents and settings\okonk\Application Data\DNA
2009-01-15 10:34 . 2009-01-15 10:34 <DIR> d-------- c:\documents and settings\okonk\Application Data\MathWorks
2009-01-15 10:26 . 2004-03-01 16:05 407,104 --a------ c:\windows\system32\MSHFLXGD.OCX
2009-01-15 10:26 . 2004-02-11 08:37 203,976 --a------ c:\windows\system32\RICHTX32.OCX
2009-01-15 10:10 . 2009-01-15 10:10 <DIR> d-------- c:\program files\MATLAB
2009-01-15 10:04 . 2009-01-15 10:04 <DIR> d-------- c:\documents and settings\okonk\Application Data\Corel
2009-01-15 10:03 . 2009-01-15 10:04 313 --a------ c:\windows\PowerReg.dat
2009-01-15 10:02 . 2009-01-15 10:02 <DIR> d-------- c:\windows\Setup
2009-01-15 09:59 . 2009-01-15 09:59 <DIR> d-------- c:\program files\Corel
2009-01-15 09:58 . 2009-01-15 10:03 <DIR> d-------- c:\windows\Corel
2009-01-15 09:55 . 2009-01-22 13:34 33,408 --a------ c:\windows\system32\drivers\fsbts.sys
2009-01-15 09:39 . 2008-10-09 05:18 79,872 --a------ c:\windows\system32\drivers\fsdfw.sys
2009-01-15 09:38 . 2009-01-15 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg
2009-01-14 08:43 . 2008-04-13 23:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-14 08:43 . 2001-08-17 16:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 02:35 --------- d-----w c:\program files\F-Secure
2009-02-03 21:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 02:22 --------- d-----w c:\documents and settings\okonk\Application Data\F-Secure
2009-01-15 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\F-Secure
2009-01-14 13:50 --------- d-----w c:\program files\GameHouse
.

------- Sigcheck -------

2008-04-13 22:42 1051136 5b7d42a7afcfc1eaed3364598d96588b c:\windows\explorer.exe
2007-06-13 06:26 1050624 1c45e2517832bf15122d5e5db9e36bdb c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1050624 d330f6e056d972b263ee28a437099d87 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 22:42 1051136 bb27f12114ee0e2888c0c99345b6f408 c:\windows\ServicePackFiles\i386\explorer.exe

2006-02-27 22:00 32768 fd33d84c38fc26ae13acd2882cd7b187 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 22:42 32768 6a06e6a20c51784bcfab72bd8cdd8034 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 22:42 32768 4d432029e19854f14a4640d7af2a3c48 c:\windows\system32\ctfmon.exe

2005-06-10 19:17 75264 2a8780d38ea268296db4311925e621e1 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 75264 b66eb7b4766b703ebc5e24674116412a c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 22:42 75264 f5b4a3c4bba0c13af4e3fac5bc023e98 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 22:42 75264 5b645231ef9bd87dfe8d637ebd9db632 c:\windows\system32\spoolsv.exe

2006-02-27 22:00 41984 ec4cacd518b1b3d3a2be51cd364d7eee c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 22:42 43520 2fffdfcf583233bff4aaed4278c1c54f c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\userinit.exe
2009-02-01 22:12 142848 a9ea298e724164ff86d9c63231722837 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-16 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-16 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 425984]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2005-09-24 503808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-05-26 136600]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 323584]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2008-10-09 182936]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2008-10-09 1182304]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-09-08 277296]
"VX3000"="c:\windows\vVX3000.exe" [2006-07-26 720896]
"nwiz"="nwiz.exe" [2007-11-16 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-11-16 c:\windows\system32\nvhotkey.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-13 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-05-15 25214]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 141312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-01-15 79872]
S0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-01-15 33408]
S0 oqlic;oqlic;c:\windows\system32\drivers\gbsekrpw.sys --> c:\windows\system32\drivers\gbsekrpw.sys [?]
S1 ethorpkk;ethorpkk;c:\windows\system32\drivers\ethorpkk.sys [2009-02-04 137280]
S1 jyk_x;jyk_x;c:\program files\Common Files\System\jyk_x32.dll [2009-02-01 29184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2009-01-15 84096]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-09-03 39048]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [2009-01-15 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [2009-01-15 25184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbfd4580-7802-11dd-b21c-001a6b76bf43}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-jsf8uiw3jnjgffght - c:\windows\TEMP\winlognn.exe


.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 10:28:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(364)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(420)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
.
Completion time: 2009-02-04 10:32:18 - machine was rebooted [okoNK]
ComboFix-quarantined-files.txt 2009-02-04 15:32:16

Pre-Run: 39,648,305,152 bytes free
Post-Run: 39,934,730,240 bytes free

229 --- E O F --- 2008-06-16 15:08:16


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35, on 2009-02-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} (CPlayFirstmsiControl Object) - http://zone.msn.com/...msi.1.0.0.9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad
O17 - HKLM\Software\..\Telephony: DomainName = ibt.ku.dk.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ibt.ku.dk.ad
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7145 bytes

#6
Tigger93

    Forum Deity

  • Moderators
  • 1,648 posts
  • Gender:Male
Please run this in normal mode if possible:

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

File::
c:\windows\system32\drivers\ethorpkk.sys
c:\windows\system32\secupdat.dat
c:\documents and settings\okonk\gma.exe
c:\windows\system32\55B.tmp
c:\windows\system32\AC.tmp
c:\windows\system32\ezsidmv.dat
c:\windows\system32\drivers\gbsekrpw.sys
c:\program files\Common Files\System\jyk_x32.dll

Driver::
oqlic
ethorpkk
jyk_x

DirLook::
c:\documents and settings\TESTKO~3


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.





