Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Appreciate any help

Started by dnm5164, Aug 31 2009 11:11 PM

This topic is locked
Go to first unread post

38 replies to this topic

#1
dnm5164

Posted 31 August 2009 - 11:11 PM

New Member

Members
19 posts

Hi,

Would appreciate any help.

I ran Malwarebytes and here is the log file (log file from hijackthis follows)

Malwarebytes' Anti-Malware 1.40
Database version: 2718
Windows 5.1.2600 Service Pack 2

9/2/2009 4:35:59 PM
mbam-log-2009-09-02 (16-35-56).txt

Scan type: Quick Scan
Objects scanned: 97561
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Geovision\Local Settings\Temp\tmp.tmp (Malware.Packer) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{51716c09-6b08-4ccf-b526-718e912c0573} (Trojan.GamesThief) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{51716c09-6b08-4ccf-b526-718e912c0573} (Trojan.GamesThief) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Geovision\Local Settings\Temp\tmp.tmp (Malware.Packer) -> No action taken.
C:\WINDOWS\system32\PERrGx5DkqSbQdwauCRQH.dll (Trojan.GamesThief) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temp\108328_xeex.exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temp\71562_xeex.exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\cqsj9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\dhwd9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\kx9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\mhxu9m1[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\qq3g9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\sx9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\tx29m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\wl9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\FVZ3W1KY\zx9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\CJSH9M[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dh29m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dj9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\dnf9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\hx29m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\jxsj9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\jz9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\mhxu9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\RXCQ9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\wd9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\xc9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\JUIVGFOX\zt9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\qqhx9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\wmgj9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\yxd9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\zu9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\N4M0SKG5\zzh9m[1].exe (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\dh39m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\jr9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\mu9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\MXD9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\rxjh9m[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Geovision\Local Settings\Temporary Internet Files\Content.IE5\WRU5W7PE\tl9m[1].exe (Spyware.OnlineGames) -> No action taken.

Hijack this log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:47 PM, on 9/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: xunlei Class - {21910D9A-058E-95F2-642F-95A6E221C648} - C:\WINDOWS\TUIKNKMV.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: xunlei Class - {84CA70D3-777F-2BFF-136F-DC274F669D53} - C:\WINDOWS\BUBJDXQUGSPAB.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: xunlei Class - {EEE9A750-3BC5-5D98-B423-C38B641E10F3} - C:\WINDOWS\VOEMAQZCTCLF.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: qqrrftfx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: MSNServiceObj - {AD26AC5F-8421-419C-8692-ED0FE1FE74D8} - C:\Program Files\Messenger\msmsgs.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: bnetroighv - Unknown owner - C:\Program Files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe (file missing)
O23 - Service: CAZXE - Unknown owner - C:\Program Files\XIKWTHRW0S\0RICFOB.EXE (file missing)
O23 - Service: dasno - Unknown owner - C:\WINDOWS\system32\dasno.exe (file missing)
O23 - Service: dbsno - Unknown owner - C:\WINDOWS\system32\dbsno.exe (file missing)
O23 - Service: ddsno - Unknown owner - C:\WINDOWS\system32\ddsno.exe (file missing)
O23 - Service: desno - Unknown owner - C:\WINDOWS\system32\desno.exe (file missing)
O23 - Service: dfsno - Unknown owner - C:\WINDOWS\system32\dfsno.exe (file missing)
O23 - Service: dgsno - Unknown owner - C:\WINDOWS\system32\dgsno.exe (file missing)
O23 - Service: dkjno - Unknown owner - C:\WINDOWS\system32\dkjno.exe (file missing)
O23 - Service: dojno - Unknown owner - C:\WINDOWS\system32\dojno.exe (file missing)
O23 - Service: dsjno - Unknown owner - C:\WINDOWS\system32\dsjno.exe (file missing)
O23 - Service: dteno - Unknown owner - C:\WINDOWS\system32\dtesm.exe (file missing)
O23 - Service: dtjealqpijxfzj - Unknown owner - C:\Program Files\lewtfsevdhz\swpzyugw.exe (file missing)
O23 - Service: Intcrface Pdby Prohdure (gerbassmn) - Unknown owner - C:\WINDOWS\system32\Miekcsr.exe (file missing)
O23 - Service: H3KJ16M - Unknown owner - C:\Program Files\4DXJGE43B1O2\7MWZ6KDVV.EXE (file missing)
O23 - Service: hkyoulbzkasgllw - Unknown owner - C:\Program Files\pvldytpnxyuv\wnfiaujgh.exe (file missing)
O23 - Service: jmotuqyw - Unknown owner - C:\Program Files\zdvqqnbivm\gvpdspdjxjblfph.exe (file missing)
O23 - Service: jtesm - Unknown owner - C:\WINDOWS\system32\jtesm.exe (file missing)
O23 - Service: jzchqigczupkmo - Unknown owner - C:\Program Files\jtpwnpuqnkr\qlikorojp.exe (file missing)
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: nbjyaqolmamr - Unknown owner - C:\Program Files\vnwnxfcza\cnptyhwsbnauoy.exe (file missing)
O23 - Service: nckhnmfsh - Unknown owner - C:\Program Files\nnxxkutfvrltyt\ufrklvnzeox.exe (file missing)
O23 - Service: pvcofbbdcpiawre - Unknown owner - C:\Program Files\qgpecipqynjo\xhirdkrka.exe (file missing)
O23 - Service: pxjuzimzc - Unknown owner - C:\Program Files\qivjdqaeppeknv\xbpxxscgrmr.exe (file missing)
O23 - Service: qteno - Unknown owner - C:\WINDOWS\system32\otesm.exe (file missing)
O23 - Service: Ris tptfypuwcgweo (Risuuzijhguscjnsfe) - Unknown owner - C:\Program Files\Intel\phvuhaxaeaz.EXE (file missing)
O23 - Service: rlqynxwwajy - Unknown owner - C:\Program Files\awdnjfsk\hwwtlhmdywmpgb.exe (file missing)
O23 - Service: sejno - Unknown owner - C:\WINDOWS\system32\syjno.exe (file missing)
O23 - Service: sksno - Unknown owner - C:\WINDOWS\system32\sksno.exe (file missing)
O23 - Service: spqoydygccns - Unknown owner - C:\Program Files\sbcdvlmmy\ztwjwnonapcdihg.exe (file missing)
O23 - Service: sssno - Unknown owner - C:\WINDOWS\system32\sssno.exe (file missing)
O23 - Service: steno - Unknown owner - C:\WINDOWS\system32\stesm.exe (file missing)
O23 - Service: tteno - Unknown owner - C:\WINDOWS\system32\wtesm.exe (file missing)
O23 - Service: uewzzrjrc - Unknown owner - C:\Program Files\vxjovzxwqcxqgw\cpcbxbzxazj.exe (file missing)
O23 - Service: ukaqjmbmfgj - Unknown owner - C:\Program Files\sbinnjeyevse\kwhthdjtcsxgu.exe (file missing)
O23 - Service: uucrimqlgqcyx - Unknown owner - C:\Program Files\xeowhdzltjh\ewhjifbf.exe (file missing)
O23 - Service: valjsxfk - Unknown owner - C:\Program Files\vlyyontpvnkho\kerdqpvjed.exe (file missing)
O23 - Service: wqtesm - Unknown owner - C:\WINDOWS\system32\wqtesm.exe (file missing)
O23 - Service: wrmkjjntgjpci - Unknown owner - C:\Program Files\xczafrbzth\eusfhsdavwdfgiu.exe (file missing)
O23 - Service: yasnp - Unknown owner - C:\WINDOWS\system32\yasnp.exe (file missing)
O23 - Service: zxfrldoilnl - Unknown owner - C:\Program Files\zqsghlco\gimtjnepaazlr.exe (file missing)

--
End of file - 10045 bytes

tried running malwarebytes multiple times but cannot remove the virus. would appreciate help on this.

thanks

dm

#2
extremeboy

Posted 02 September 2009 - 03:40 PM

Elite Member

Experts
1,088 posts

Gender:Male

Hello and welcome to the forum!

Run a scan with RootRepeal, followed by DDS, a scanner tool so I can see the current condition of your machine.

Also, please provide a description of any remaining problems or symptoms you may still have please.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.

Direct Download (Recommended)
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

Unzip the RootRepeal.zip file it to it's own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom.
Now press the button.
A box will pop up, check the boxes beside All Seven options/scan area
Now click OK.
Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button.
Save it as RepealScan and save it to your desktop
Reconnect to the internet.
Post the contents of that log in your reply please.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results soon.
Follow the instructions that pop up for posting the results and then click Ok.
The black and message box window shall then disappear.
Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Also, please provide a description of any remaining problems or symptoms you may still have please.

With Regards,
Extremeboy

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED!

The help you receive here from me is free but if you wish to show your appreciation, you may wish to

#3
dnm5164

Posted 03 September 2009 - 05:27 AM

New Member

Members
19 posts

There you go extremeboy

RootRepeal log file data

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 23:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEC6A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B02000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE982000 Size: 49152 File Visible: No Signed: -
Status: -

Name: xnovlfwc.sys
Image Path: xnovlfwc.sys
Address: 0xF75D6000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\qqrrftfx.sys" at address 0xf7b5a7e2

Stealth Objects
-------------------
Object: Hidden Module [Name: qqrrftfx.dll]
Process: winlogon.exe (PID: 648) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: services.exe (PID: 692) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: lsass.exe (PID: 704) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 856) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 924) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 964) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 1032) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 1084) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: spoolsv.exe (PID: 1276) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: avgwdsvc.exe (PID: 1392) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: SyncServices.exe (PID: 1512) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: SeaPort.exe (PID: 1704) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: avgnsx.exe (PID: 2024) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: explorer.exe (PID: 340) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: svchost.exe (PID: 412) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: alg.exe (PID: 1680) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: ctfmon.exe (PID: 2112) Address: 0x14960000 Size: 90112

Object: Hidden Module [Name: qqrrftfx.dll]
Process: RootRepeal.exe (PID: 3412) Address: 0x14960000 Size: 90112

==EOF==

and I have attached the attach.txt. Appreciate your help.

Regards

dm

extremeboy, on Sep 2 2009, 04:40 PM, said:

Direct Download (Recommended)
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

Unzip the RootRepeal.zip file it to it's own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom.
Now press the button.
A box will pop up, check the boxes beside All Seven options/scan area
Now click OK.
Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button.
Save it as RepealScan and save it to your desktop
Reconnect to the internet.
Post the contents of that log in your reply please.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results soon.
Follow the instructions that pop up for posting the results and then click Ok.
The black and message box window shall then disappear.
Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Attached Files

Attach.txt 2.12K 23 downloads

#4
extremeboy

Posted 03 September 2009 - 02:47 PM

Elite Member

Experts
1,088 posts

Gender:Male

Hello.

No need to quote everything I say. Just use the Add reply button to reply back to me.

--

You posted the Attach.txt log but not the DDS.txt log. I need to see that one as well.

#5
extremeboy

Posted 06 September 2009 - 03:07 PM

Elite Member

Experts
1,088 posts

Gender:Male

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#6
dnm5164

Posted 06 September 2009 - 06:40 PM

New Member

Members
19 posts

Can anyone please help with the issue?

thanks

dm

#7
dnm5164

Posted 06 September 2009 - 06:56 PM

New Member

Members
19 posts

Hello Extremeboy,

Sorry for the delayed response. I am still trying to learn how to view and post messages on the messageboard.

I have attached the DDS.txt file, as requested.

Thanks for your help.

Regards

dm

Attached Files

DDS.txt 14.61K 9 downloads

#8
extremeboy

Posted 06 September 2009 - 09:30 PM

Elite Member

Experts
1,088 posts

Gender:Male

Hello.

Thanks for those logs. You appear to have quite a few infections on your system.

We are going to start with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
Double click ComboFix.exe to start the program. Agree to the prompts.
When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

~Extremeboy

#9
dnm5164

Posted 08 September 2009 - 11:02 PM

New Member

Members
19 posts

There you go Extremeboy. I have attached is as well.

thx

dm

ComboFix 09-09-08.02 - Geovision 09/08/2009 17:41.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.654 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
C:\RECYC.exe
c:\windows\AppPatch\AcXtrnel.dll
c:\windows\Downloaded Program Files\2yhusbzAYuevSnXtW.Ttf
c:\windows\Downloaded Program Files\CgMnxhFV2Qa68TsVz.Ttf
c:\windows\Downloaded Program Files\JjedvMTDtPyqp9ZTrgw.Ttf
c:\windows\Downloaded Program Files\NFesCyNNswv2Crfru.Ttf
c:\windows\Downloaded Program Files\u9A2PqtvjkJkzBcJxZbPc.Ttf
c:\windows\Downloaded Program Files\uMub3WCE6aZ3nFgrYRX.Ttf
c:\windows\Downloaded Program Files\xW6JeYmCY9e3yf5KD.Ttf
c:\windows\Downloaded Program Files\ZK26EzBfBUG8P9s8d.Ttf
c:\windows\Fonts\2knxWtVjbWXmUdGG.Ttf
c:\windows\Fonts\6e6EUdxVeWUYJynN.Ttf
c:\windows\Fonts\AjrMtd1HXvFm.Ttf
c:\windows\Fonts\AP2aBkXfCnZZwkTu.Ttf
c:\windows\Fonts\avJ9SdDwMd9Qzt.Ttf
c:\windows\Fonts\CcKKcpwJmND4.Ttf
c:\windows\Fonts\cD9KArZZUHxCqnyM.Ttf
c:\windows\Fonts\cFDPmh3MDPjcHMPd.Ttf
c:\windows\Fonts\CRp3uYCmcxMp3qQn9.Ttf
c:\windows\Fonts\CSzZ3gVtf.Ttf
c:\windows\Fonts\du3Q2JXbHYGxcSAe.Ttf
c:\windows\Fonts\e38H8kRkk.Ttf
c:\windows\Fonts\EEUJgNKN6xmNqKr6.Ttf
c:\windows\Fonts\eSEWZRdrSK3NeEJVy4.Ttf
c:\windows\Fonts\FCvvnT2B.Ttf
c:\windows\Fonts\FRSUApxKxh4aqhh4TnMqpe.Ttf
c:\windows\Fonts\FTQ3Xu3wZEZsJ358S.Ttf
c:\windows\Fonts\G8qZ5hBX7H.Ttf
c:\windows\Fonts\GanWM9z57VChEAfV.Ttf
c:\windows\Fonts\GbWrTV56WV24M.Ttf
c:\windows\Fonts\GD9xUjmZ8vHS5Vj.Ttf
c:\windows\Fonts\gfq7ymgpkp.Ttf
c:\windows\Fonts\HXxfduw9KeQTCeP6Z.Ttf
c:\windows\Fonts\jcPMKqwuVC7J.Ttf
c:\windows\Fonts\K7XaTBMWp8TPrYgw.Ttf
c:\windows\Fonts\KzAMjdYaws6f395.Ttf
c:\windows\Fonts\pDuuqr4BgFn65AeW.Ttf
c:\windows\Fonts\PeMTdMfqzpGTb5ps.Ttf
c:\windows\Fonts\pqgXk4S6U25v6f.Ttf
c:\windows\Fonts\qP2N8HTHkmGRq5.Ttf
c:\windows\Fonts\Qq3qg7RGSp9raxWW.Ttf
c:\windows\Fonts\qWskzsQA6.Ttf
c:\windows\Fonts\RCZbVbjCY6wYszD3.Ttf
c:\windows\Fonts\Rfs3DRdsUfkma5.Ttf
c:\windows\Fonts\rgBuFNZP2MWF7WQjA.Ttf
c:\windows\Fonts\S8a8cnEuaydPJGg8.Ttf
c:\windows\Fonts\sUfa6DfmrK.Ttf
c:\windows\Fonts\T8EkDVD578wpyAdP.Ttf
c:\windows\Fonts\tBeuadwPppCBnDUPgJH7P6.Ttf
c:\windows\Fonts\uawyv9Pr.Ttf
c:\windows\Fonts\urgU7WBMQ.Ttf
c:\windows\Fonts\usMywhxbgf5N8e9u6.Ttf
c:\windows\Fonts\uytczRnGV8NUp.Ttf
c:\windows\Fonts\VDcvXDH5px.Ttf
c:\windows\Fonts\Vx53f7Scj63HVHDE.Ttf
c:\windows\Fonts\vztr58qstaca8y8j.Ttf
c:\windows\Fonts\WD7eC3pJvgmYQYNwrVP.Ttf
c:\windows\Fonts\WFsARAucm7DAuX8.Ttf
c:\windows\Fonts\Wt2KuAXTXmrRUbAq.Ttf
c:\windows\Fonts\xSvCE2272aekx.Ttf
c:\windows\Fonts\yGMHUAj5Npydj8FZ.Ttf
c:\windows\Fonts\yHguCdqt6hp2.Ttf
c:\windows\Fonts\yrMyUq1ke.Ttf
c:\windows\Fonts\YywxhF7TSnkktrJw.Ttf
c:\windows\Fonts\Z3tcgfaZ.Ttf
c:\windows\PAXHCD0A.EXE
c:\windows\RYM531DN0T07.EXE
c:\windows\Tasks\SgF9z49Ph7g5UNpM.ico
c:\windows\W2UQ75.EXE
c:\windows\YB0Q1N1141.EXE
c:\windows\YLWVOVCCQP.EXE
c:\windows\ZZCWNB.EXE

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_KLAN
-------\Legacy_NWCWORKSTATION
-------\Legacy_NWSAPAGENT
-------\Legacy_PORTING
-------\Legacy_WMISVC
-------\Service_6to4
-------\Service_Ias
-------\Service_Iprip
-------\Service_NWCWorkstation
-------\Service_Nwsapagent

((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-08-09 00:22 . 2009-08-01 16:00 -------- d-----w- c:\program files\xnsjkdiacqsb
2009-08-09 00:22 . 2009-07-22 23:36 -------- d-----w- c:\program files\XIKWTHRW0S
2009-08-09 00:22 . 2009-08-03 20:32 -------- d-----w- c:\program files\wkdxkkcw
2009-08-09 00:22 . 2009-07-31 02:07 -------- d-----w- c:\program files\xgzqugwmrstoxl
2009-08-09 00:22 . 2009-07-22 22:53 -------- d-----w- c:\program files\WMUGAXR
2009-08-09 00:20 . 2009-08-03 21:05 -------- d-----w- c:\program files\vqievceso
2009-08-09 00:20 . 2009-07-31 00:30 -------- d-----w- c:\program files\vnwnxfcza
2009-08-09 00:20 . 2009-07-31 02:13 -------- d-----w- c:\program files\tbxnlphnqljx
2009-08-09 00:20 . 2009-07-31 01:48 -------- d-----w- c:\program files\uhkjyhzmxgtl
2009-08-09 00:20 . 2009-07-20 21:08 -------- d-----w- c:\program files\R0974Q3IE
2009-08-09 00:20 . 2009-07-18 23:14 -------- d-----w- c:\program files\sbcdvlmmy
2009-08-09 00:20 . 2009-07-31 01:00 -------- d-----w- c:\program files\qivjdqaeppeknv
2009-08-09 00:20 . 2009-07-21 00:01 -------- d-----w- c:\program files\qgpecipqynjo
2009-08-09 00:20 . 2009-07-31 01:52 -------- d-----w- c:\program files\oopyrxlgnb
2009-08-09 00:20 . 2009-07-20 18:47 -------- d-----w- c:\program files\nnxxkutfvrltyt
2009-08-09 00:14 . 2009-08-01 16:06 -------- d-----w- c:\program files\jxtsibzbmrtjzeo
2009-08-09 00:14 . 2009-07-31 20:59 -------- d-----w- c:\program files\jwtpcqkoxymeir
2009-08-09 00:09 . 2009-07-31 02:28 -------- d-----w- c:\program files\bftrruzlyibxxk
2009-08-09 00:09 . 2009-07-29 03:38 -------- d-----w- c:\program files\awdnjfsk
2009-08-09 00:09 . 2009-07-25 07:19 -------- d-----w- c:\program files\byrinwwuvlcnloe
2009-08-09 00:09 . 2009-07-22 22:57 -------- d-----w- c:\program files\273LIR
2009-08-09 00:09 . 2009-07-20 23:41 -------- d-----w- c:\program files\4DXJGE43B1O2
2009-08-06 00:44 . 2009-07-22 22:22 -------- d-----w- c:\program files\zqsghlco
2009-08-06 00:44 . 2009-07-21 21:56 -------- d-----w- c:\program files\xczafrbzth
2009-08-06 00:44 . 2009-07-25 07:22 -------- d-----w- c:\program files\xeowhdzltjh
2009-08-06 00:44 . 2009-07-20 20:38 -------- d-----w- c:\program files\vlyyontpvnkho
2009-08-06 00:44 . 2009-07-21 22:10 -------- d-----w- c:\program files\vxjovzxwqcxqgw
2009-08-06 00:44 . 2009-07-21 22:03 -------- d-----w- c:\program files\sbinnjeyevse
2009-08-06 00:44 . 2009-07-25 19:19 -------- d-----w- c:\program files\jtpwnpuqnkr
2009-08-06 00:44 . 2009-07-22 17:33 -------- d-----w- c:\program files\zdvqqnbivm
2009-08-06 00:43 . 2009-07-29 03:45 -------- d-----w- c:\program files\pvldytpnxyuv
2009-08-06 00:43 . 2009-07-23 18:59 -------- d-----w- c:\program files\lewtfsevdhz
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-22 22:57 . 2009-07-22 22:57 28672 ----a-w- c:\windows\BUBJDXQUGSPAB.dll
2009-07-22 22:53 . 2009-07-22 22:53 28672 ----a-w- c:\windows\VOEMAQZCTCLF.dll
2009-07-20 21:08 . 2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll
2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network
2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

c:\windows\system32\comres.dll ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\mspmsnsv.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]
2009-07-20 21:08 28672 ----a-w- c:\windows\TUIKNKMV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84CA70D3-777F-2BFF-136F-DC274F669D53}]
2009-07-22 22:57 28672 ----a-w- c:\windows\BUBJDXQUGSPAB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A750-3BC5-5D98-B423-C38B641E10F3}]
2009-07-22 22:53 28672 ----a-w- c:\windows\VOEMAQZCTCLF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4894F5C2-169D-4DAC-A982-444B9BDB3AC4}"= "c:\windows\Downloaded Program Files\UYTbcaZtxE23MEzKGQ.cur" [2009-09-08 22016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R2 bnetroighv;bnetroighv;c:\program files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe [x]
R2 CAZXE;CAZXE;c:\program files\XIKWTHRW0S\0RICFOB.EXE [x]
R2 dasno;dasno;c:\windows\system32\dasno.exe [x]
R2 dbsno;dbsno;c:\windows\system32\dbsno.exe [x]
R2 ddsno;ddsno;c:\windows\system32\ddsno.exe [x]
R2 desno;desno;c:\windows\system32\desno.exe [x]
R2 dfsno;dfsno;c:\windows\system32\dfsno.exe [x]
R2 dgsno;dgsno;c:\windows\system32\dgsno.exe [x]
R2 dkjno;dkjno;c:\windows\system32\dkjno.exe [x]
R2 dojno;dojno;c:\windows\system32\dojno.exe [x]
R2 dsjno;dsjno;c:\windows\system32\dsjno.exe [x]
R2 dteno;dteno;c:\windows\system32\dtesm.exe [x]
R2 dtjealqpijxfzj;dtjealqpijxfzj;c:\program files\lewtfsevdhz\swpzyugw.exe [x]
R2 gerbassmn;Intcrface Pdby Prohdure;c:\windows\system32\Miekcsr.exe [x]
R2 H3KJ16M;H3KJ16M;c:\program files\4DXJGE43B1O2\7MWZ6KDVV.EXE [x]
R2 hkyoulbzkasgllw;hkyoulbzkasgllw;c:\program files\pvldytpnxyuv\wnfiaujgh.exe [x]
R2 jmotuqyw;jmotuqyw;c:\program files\zdvqqnbivm\gvpdspdjxjblfph.exe [x]
R2 jtesm;jtesm;c:\windows\system32\jtesm.exe [x]
R2 jzchqigczupkmo;jzchqigczupkmo;c:\program files\jtpwnpuqnkr\qlikorojp.exe [x]
R2 nbjyaqolmamr;nbjyaqolmamr;c:\program files\vnwnxfcza\cnptyhwsbnauoy.exe [x]
R2 nckhnmfsh;nckhnmfsh;c:\program files\nnxxkutfvrltyt\ufrklvnzeox.exe [x]
R2 PCIEDump;PCIEDump;c:\windows\system32\drivers\qqrrftfx.sys [x]
R2 pvcofbbdcpiawre;pvcofbbdcpiawre;c:\program files\qgpecipqynjo\xhirdkrka.exe [x]
R2 pxjuzimzc;pxjuzimzc;c:\program files\qivjdqaeppeknv\xbpxxscgrmr.exe [x]
R2 qteno;qteno;c:\windows\system32\otesm.exe [x]
R2 Risuuzijhguscjnsfe;Ris tptfypuwcgweo;c:\program files\Intel\phvuhaxaeaz.EXE lwqrdbdfqzcdphn [x]
R2 rlqynxwwajy;rlqynxwwajy;c:\program files\awdnjfsk\hwwtlhmdywmpgb.exe [x]
R2 sejno;sejno;c:\windows\system32\syjno.exe [x]
R2 sksno;sksno;c:\windows\system32\sksno.exe [x]
R2 spqoydygccns;spqoydygccns;c:\program files\sbcdvlmmy\ztwjwnonapcdihg.exe [x]
R2 sssno;sssno;c:\windows\system32\sssno.exe [x]
R2 steno;steno;c:\windows\system32\stesm.exe [x]
R2 tteno;tteno;c:\windows\system32\wtesm.exe [x]
R2 uewzzrjrc;uewzzrjrc;c:\program files\vxjovzxwqcxqgw\cpcbxbzxazj.exe [x]
R2 ukaqjmbmfgj;ukaqjmbmfgj;c:\program files\sbinnjeyevse\kwhthdjtcsxgu.exe [x]
R2 uucrimqlgqcyx;uucrimqlgqcyx;c:\program files\xeowhdzltjh\ewhjifbf.exe [x]
R2 valjsxfk;valjsxfk;c:\program files\vlyyontpvnkho\kerdqpvjed.exe [x]
R2 wqtesm;wqtesm;c:\windows\system32\wqtesm.exe [x]
R2 wrmkjjntgjpci;wrmkjjntgjpci;c:\program files\xczafrbzth\eusfhsdavwdfgiu.exe [x]
R2 yasnp;yasnp;c:\windows\system32\yasnp.exe [x]
R2 zxfrldoilnl;zxfrldoilnl;c:\program files\zqsghlco\gimtjnepaazlr.exe [x]
R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

SSODL-MSNServiceObj-{AD26AC5F-8421-419C-8692-ED0FE1FE74D8} - c:\program files\Messenger\msmsgs.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 17:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-08 17:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 16:57

Pre-Run: 2,750,029,824 bytes free
Post-Run: 2,685,046,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

351

Attached Files

ComboFix.txt 21.36K 13 downloads

#10
extremeboy

Posted 09 September 2009 - 11:53 PM

Elite Member

Experts
1,088 posts

Gender:Male

Hello.

Sorry for not replying earlier, I almost missed this thread in my subscriptions... Anyways, let's continue. Sorry for the short delay.

You have quite a few system infected files here and as well as a bunch of other infections on your machine. One of them is a backdoor.
---

Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

---
If you wish to continue follow the steps below...

You don't have Service Pack 3 installed which is good as we can install that later and if there are no good replacement for certain files using the service pack can help us. Don't install it just yet please. Follow my instructions and we can deal with this effectively and efficiently.

Continue with the following...

---

Delete the existing Combofix.exe you currently have. Re-download one from one of those 2 links I linked above and save it to your desktop.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.

Open notepad (Start>Run>"notepad") and copy/paste ALL of the contents of the text in the codebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=23222
Collect::[68]
c:\windows\BUBJDXQUGSPAB.dll
c:\windows\VOEMAQZCTCLF.dll
c:\windows\TUIKNKMV.dll
c:\program files\byrinwwuvlcnloe\iqsvpyqnfipbg.exe
c:\program files\XIKWTHRW0S\0RICFOB.EXE
c:\windows\system32\dasno.exe
c:\windows\system32\dbsno.exe
c:\windows\system32\ddsno.exe
c:\windows\system32\desno.exe
c:\windows\system32\dfsno.exe
c:\windows\system32\dgsno.exe
c:\windows\system32\dkjno.exe
c:\windows\system32\dojno.exe
c:\windows\system32\dsjno.exe
c:\windows\system32\dtesm.exe
c:\program files\lewtfsevdhz\swpzyugw.exe
c:\windows\system32\Miekcsr.exe
c:\program files\4DXJGE43B1O2\7MWZ6KDVV.EXE
c:\program files\pvldytpnxyuv\wnfiaujgh.exe
c:\program files\zdvqqnbivm\gvpdspdjxjblfph.exe
c:\windows\system32\jtesm.exe
c:\program files\jtpwnpuqnkr\qlikorojp.exe
c:\program files\vnwnxfcza\cnptyhwsbnauoy.exe
c:\program files\nnxxkutfvrltyt\ufrklvnzeox.exe
c:\windows\system32\drivers\qqrrftfx.sys
c:\program files\qgpecipqynjo\xhirdkrka.exe
c:\program files\qivjdqaeppeknv\xbpxxscgrmr.exe
c:\windows\system32\otesm.exe
c:\program files\Intel\phvuhaxaeaz.EXE lwqrdbdfqzcdphn
c:\program files\awdnjfsk\hwwtlhmdywmpgb.exe
c:\windows\system32\syjno.exe
c:\windows\system32\sksno.exe
c:\program files\sbcdvlmmy\ztwjwnonapcdihg.exe
c:\windows\system32\sssno.exe
c:\windows\system32\stesm.exe
c:\windows\system32\wtesm.exe
c:\program files\vxjovzxwqcxqgw\cpcbxbzxazj.exe
c:\program files\sbinnjeyevse\kwhthdjtcsxgu.exe
c:\program files\xeowhdzltjh\ewhjifbf.exe
c:\program files\vlyyontpvnkho\kerdqpvjed.exe
c:\windows\system32\wqtesm.exe
c:\program files\xczafrbzth\eusfhsdavwdfgiu.exe
c:\windows\system32\yasnp.exe
c:\program files\zqsghlco\gimtjnepaazlr.exe
Folder::
c:\program files\xnsjkdiacqsb
c:\program files\XIKWTHRW0S
c:\program files\wkdxkkcw
c:\program files\xgzqugwmrstoxl
c:\program files\WMUGAXR
c:\program files\vqievceso
c:\program files\vnwnxfcza
c:\program files\tbxnlphnqljx
c:\program files\uhkjyhzmxgtl
c:\program files\R0974Q3IE
c:\program files\sbcdvlmmy
c:\program files\qivjdqaeppeknv
c:\program files\qgpecipqynjo
c:\program files\oopyrxlgnb
c:\program files\nnxxkutfvrltyt
c:\program files\jxtsibzbmrtjzeo
c:\program files\jwtpcqkoxymeir
c:\program files\bftrruzlyibxxk
c:\program files\awdnjfsk
c:\program files\byrinwwuvlcnloe
c:\program files\273LIR
c:\program files\4DXJGE43B1O2
c:\program files\zqsghlco
c:\program files\xczafrbzth
c:\program files\xeowhdzltjh
c:\program files\vlyyontpvnkho
c:\program files\vxjovzxwqcxqgw
c:\program files\sbinnjeyevse
c:\program files\jtpwnpuqnkr
c:\program files\zdvqqnbivm
c:\program files\pvldytpnxyuv
c:\program files\lewtfsevdhz
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21910D9A-058E-95F2-642F-95A6E221C648}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84CA70D3-777F-2BFF-136F-DC274F669D53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE9A750-3BC5-5D98-B423-C38B641E10F3}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4894F5C2-169D-4DAC-A982-444B9BDB3AC4}"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"=-
Driver::
bnetroighv
CAZXE
dasno
dbsno
ddsno
desno
dfsno
dgsno
dkjno
dojno
dsjno
dteno
dtjealqpijxfzj
gerbassmn
H3KJ16M
hkyoulbzkasgllw
jmotuqyw
jtesm
jzchqigczupkmo
nbjyaqolmamr
nckhnmfsh
PCIEDump
pvcofbbdcpiawre
pxjuzimzc
qteno
Risuuzijhguscjnsfe
rlqynxwwajy
sejno
sksno
spqoydygccns
sssno
steno
tteno
uewzzrjrc
ukaqjmbmfgj
uucrimqlgqcyx
valjsxfk
wqtesm
wrmkjjntgjpci
yasnp
zxfrldoilnl
SysRst::
SrPeek::
c:\windows\system32\userinit.exe
c:\windows\system32\comres.dll 
c:\windows\system32\drivers\asyncmac.sys

Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

Important: Ensure you are connected to the internet before clicking OK on the message box.
A blue-screen would appear auto-uploading the zipped file I requested.
After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================

IF for some reason Combofix fails to upload anything please do the following:
Go to Start >> My Computer > C:\
Then Navigate to the C:\Qoobox\Quarantine folder.
Find the archive zip file called "[68]-Submit_Date_Time.zip"
Simply go to This Channel and upload the submit.zip archive file to me.
Follow the instructions on that page to copy/paste/send the requested file.

Let me know how it goes and if the upload went successfully or not in your next reply.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administartor)
A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
Copy and Paste the content of the following codebox into the main textfield under "File":
```
:filefind
userinit.exe
comres.dll 
asyncmac.sys
ntoskrnl.exe
tcpip.sys
explorer.exe
```
Please Confirm everything is copied and Pasted as I have provided above
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan.
Please ATTACH this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task

Thanks.

With Regards,
Extremeboy

#11
dnm5164

Posted 11 September 2009 - 01:14 AM

New Member

Members
19 posts

Extremeboy,

I ll try to use your help in getting the viruses out and if that doesnt work then i ll reformat it. And I appreciate your patience.

Here is the combofix file. I have posted the zip file using the info you provided. I have also attached the malwarebytes log file and systemlook log file.

Please let me know if I missed anything.

Thanks

dm

ComboFix 09-09-09.04 - Geovision 09/09/2009 21:25.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.613 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Geovision\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\BUBJDXQUGSPAB.dll
file zipped: c:\windows\TUIKNKMV.dll
file zipped: c:\windows\VOEMAQZCTCLF.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\273LIR
c:\program files\4DXJGE43B1O2
c:\program files\awdnjfsk
c:\program files\bftrruzlyibxxk
c:\program files\byrinwwuvlcnloe
c:\program files\jtpwnpuqnkr
c:\program files\jwtpcqkoxymeir
c:\program files\jxtsibzbmrtjzeo
c:\program files\lewtfsevdhz
c:\program files\nnxxkutfvrltyt
c:\program files\oopyrxlgnb
c:\program files\pvldytpnxyuv
c:\program files\qgpecipqynjo
c:\program files\qivjdqaeppeknv
c:\program files\R0974Q3IE
c:\program files\sbcdvlmmy
c:\program files\sbinnjeyevse
c:\program files\tbxnlphnqljx
c:\program files\uhkjyhzmxgtl
c:\program files\vlyyontpvnkho
c:\program files\vnwnxfcza
c:\program files\vqievceso
c:\program files\vxjovzxwqcxqgw
c:\program files\wkdxkkcw
c:\program files\WMUGAXR
c:\program files\xczafrbzth
c:\program files\xeowhdzltjh
c:\program files\xgzqugwmrstoxl
c:\program files\XIKWTHRW0S
c:\program files\xnsjkdiacqsb
c:\program files\zdvqqnbivm
c:\program files\zqsghlco
c:\windows\BUBJDXQUGSPAB.dll
c:\windows\Downloaded Program Files\UYTBcaztxe23mezkgq.cur
c:\windows\SWEPVWJ17OXH.EXE
c:\windows\TUIKNKMV.dll
c:\windows\UDXVHFM16.EXE
c:\windows\VOEMAQZCTCLF.dll

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNETROIGHV
-------\Legacy_CAZXE
-------\Legacy_DASNO
-------\Legacy_DBSNO
-------\Legacy_DDSNO
-------\Legacy_DESNO
-------\Legacy_DFSNO
-------\Legacy_DGSNO
-------\Legacy_DKJNO
-------\Legacy_DOJNO
-------\Legacy_DSJNO
-------\Legacy_DTENO
-------\Legacy_DTJEALQPIJXFZJ
-------\Legacy_GERBASSMN
-------\Legacy_H3KJ16M
-------\Legacy_HKYOULBZKASGLLW
-------\Legacy_JMOTUQYW
-------\Legacy_JTESM
-------\Legacy_JZCHQIGCZUPKMO
-------\Legacy_NBJYAQOLMAMR
-------\Legacy_NCKHNMFSH
-------\Legacy_PCIEDUMP
-------\Legacy_PVCOFBBDCPIAWRE
-------\Legacy_PXJUZIMZC
-------\Legacy_QTENO
-------\Legacy_RISUUZIJHGUSCJNSFE
-------\Legacy_RLQYNXWWAJY
-------\Legacy_SEJNO
-------\Legacy_SKSNO
-------\Legacy_SPQOYDYGCCNS
-------\Legacy_SSSNO
-------\Legacy_STENO
-------\Legacy_TTENO
-------\Legacy_UEWZZRJRC
-------\Legacy_UKAQJMBMFGJ
-------\Legacy_UUCRIMQLGQCYX
-------\Legacy_VALJSXFK
-------\Legacy_WQTESM
-------\Legacy_WRMKJJNTGJPCI
-------\Legacy_YASNP
-------\Legacy_ZXFRLDOILNL
-------\Service_bnetroighv
-------\Service_CAZXE
-------\Service_dasno
-------\Service_dbsno
-------\Service_ddsno
-------\Service_desno
-------\Service_dfsno
-------\Service_dgsno
-------\Service_dkjno
-------\Service_dojno
-------\Service_dsjno
-------\Service_dteno
-------\Service_dtjealqpijxfzj
-------\Service_gerbassmn
-------\Service_H3KJ16M
-------\Service_hkyoulbzkasgllw
-------\Service_jmotuqyw
-------\Service_jtesm
-------\Service_jzchqigczupkmo
-------\Service_nbjyaqolmamr
-------\Service_nckhnmfsh
-------\Service_PCIEDump
-------\Service_pvcofbbdcpiawre
-------\Service_pxjuzimzc
-------\Service_qteno
-------\Service_Risuuzijhguscjnsfe
-------\Service_rlqynxwwajy
-------\Service_sejno
-------\Service_sksno
-------\Service_spqoydygccns
-------\Service_sssno
-------\Service_steno
-------\Service_tteno
-------\Service_uewzzrjrc
-------\Service_ukaqjmbmfgj
-------\Service_uucrimqlgqcyx
-------\Service_valjsxfk
-------\Service_wqtesm
-------\Service_wrmkjjntgjpci
-------\Service_yasnp
-------\Service_zxfrldoilnl

((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network
2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 21:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-09-09 21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 20:37
ComboFix2.txt 2009-09-08 16:57

Pre-Run: 2,674,049,024 bytes free
Post-Run: 2,654,560,256 bytes free

293

======

Attached Files

SystemLook.txt 1.76K 10 downloads
mbam_log_2009_09_10__11_23_25_.txt 833bytes 9 downloads

#12
extremeboy

Posted 11 September 2009 - 08:49 PM

Elite Member

Experts
1,088 posts

Gender:Male

Hello again.

Quote

I ll try to use your help in getting the viruses out and if that doesnt work then i ll reformat it. And I appreciate your patience.

Not that it's not going to work but if you plan on formatting, why not do it now? If you are going to plan formatting anyways why waste the time here to continue with the disinfection process?

Anyways, If you do wish to continue, follow instructions below otherwise, please let me know. Still some more work we need to do here before we are done.

There are a couple of odd things in the logs... Do the following...

Create and Run batch script

Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

Quote
@ECHO OFF

For %%a in (
C:\WINDOWS\explorer.exe
c:\windows\system32\userinit.exe
c:\windows\system32\ntoskrnl.exe
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\comres.dll
) DO (
zip FilesToUpload %%a
)
del %0
Click File, then Save As... .
Click Desktop on the left.
Under the Save as type dropdown, select All Files.
In the box File Name, input Zip.bat.
Hit OK.

When done properly, the icon should look like Posted Image

for XP machines and Posted Image

for Vista machines.

Double click on Zip.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A Black DOS window shall appear and then disappear. This is normal please do not panic. Then a zipped compressed file called FilesToUpload.zip file should be created in the same location that zip.bat was ran. Should be on your desktop.

Please upload that file to me...

Submit file samples

Open to the Submission Channel.

Under Link to topic where this file was requested, input:

http://www.malwarebytes.org/forums/index.php?showtopic=23222

Click Browse and select the FilesToUpload.zip on your desktop.
Under the comments section, say that Extremeboy asked for the submission.
Then select Send File to send it
After that you should get a confirmation if it was uploaded successfully.

Run a scan with Systemlook again...

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop if you lost your copy...
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administartor)
A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".

Copy and Paste the content of the following codebox into the main textfield under "File":

:filefind
asyncmac.sys
qmgr.dll
comres.dll
:dir
C:\Windows\system32\dllcache
C:\WINDOWS\ERDNT\cache

Please Confirm everything is copied and Pasted as I have provided above
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan.
Close notepad. On your desktop there should be a text file called Systemlook.txt.
Please right-click on Systemlook.txt and press send to >. From the drop down list select Compressed (zipped) folder
Now a compressed zipped folder called Systemlook.zip shall be created on your desktop
Please ATTACH the Systemlook.zip folder in your next reply. DO NOT post it. ATTACH IT please.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.

Please download GMER from one of the following locations, and save it to your desktop:
- Main Mirror
  This version will download a randomly named file (Recommended)
- Zip Mirror
  Alternate Zip Mirror 1
  Alternate Zip Mirror 2
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

Close any and all open programs, as this process may crash your computer.
Double click or on your desktop.
When you have done this, close all running programs.
There is a small chance this application may crash your computer so save any work you have open.

Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
Allow the gmer.sys driver to load if asked.
If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..

In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
- Sections
- IAT/EAT
- Registry
- Drives/Partition other than Systemdrive (typically C:\)
- Show all (Don't miss this one!)
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries

For your next reply I would like to see:
-Successfully uploaded FilesToUpload.zip to my channel
-ATTACHED the Systemlook.zip log as instructed
-The GMER log

Thanks. :unsure:

Any problems, please do not hesitate to ask.

With Regards,
Extremeboy

#13
dnm5164

Posted 13 September 2009 - 10:30 PM

New Member

Members
19 posts

Thanks Extremeboy, I ll run these and post the information as directed tonight.

Please do not get me wrong, I have no intention of reformatting it after going thru these steps. I only threw out that option not knowing that this will work.

Thanks for the continued support.

Regards

dm

#14
extremeboy

Posted 13 September 2009 - 10:48 PM

Elite Member

Experts
1,088 posts

Gender:Male

Hello.

Thanks for letting me know.

Quote

Please do not get me wrong, I have no intention of reformatting it after going thru these steps. I only threw out that option not knowing that this will work.

I'm not getting your wrong and I understand what you mean. What I'm saying is that we can clean this machine still but your computer WAS compromised and your security may also be altered and therefore I can not way be sure it's 100% trustworthy any longer.

With Regards,
Extremeboy

#15
dnm5164

Posted 14 September 2009 - 03:57 AM

New Member

Members
19 posts

the zip.bat file is not generating any zip file. not sure why. any idea

#16
dnm5164

Posted 14 September 2009 - 12:53 PM

New Member

Members
19 posts

here is the log file for GMER. Couldnt run zip.bat.

Thx

dm

GMER 1.0.15.15077 [wpoxrsiq.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 07:27:01
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files

SystemLook.zip 2.05K 11 downloads

#17
extremeboy

Posted 15 September 2009 - 10:18 PM

Elite Member

Experts
1,088 posts

Gender:Male

Okay.

Please delete the existing Combofix.exe you currently have.

Re-download one from one of the links below and save it to your desktop.

Then run it again and once it's done post the log to me.

Link 1
Link 2

With Regards,
Extremeboy

#18
dnm5164

Posted 16 September 2009 - 03:36 AM

New Member

Members
19 posts

There you go. Thx

dm

ComboFix 09-09-14.02 - Geovision 09/15/2009 22:12.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1016.670 [GMT 1:00]
Running from: c:\documents and settings\Geovision\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-06 20:53 . 2008-10-16 13:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-06 13:52 . 2009-09-06 13:52 -------- d-sh--w- c:\documents and settings\Geovision\IECompatCache
2009-09-06 13:44 . 2009-09-06 13:44 -------- d-sh--w- c:\documents and settings\Geovision\PrivacIE
2009-09-02 16:19 . 2009-09-02 16:19 -------- d-----w- c:\program files\Trend Micro
2009-08-31 10:44 . 2009-08-31 10:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-29 19:06 . 2009-08-29 19:06 -------- d-----w- c:\documents and settings\Geovision\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 19:05 . 2009-08-29 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 19:05 . 2009-08-29 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 19:05 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-21 05:36 . 2009-08-21 05:36 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 16:26 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-06 20:46 . 2009-07-31 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-23 07:21 . 2009-07-31 01:22 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 07:21 . 2009-07-31 01:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 07:21 . 2009-07-31 01:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-21 05:40 . 2009-04-14 21:05 -------- d-----w- c:\program files\Google
2009-07-31 01:22 . 2009-07-31 01:22 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-31 01:21 . 2009-07-31 01:21 -------- d-----w- c:\program files\AVG
2009-07-31 01:15 . 2009-07-29 03:49 -------- d-----w- c:\documents and settings\Geovision\Application Data\U3
2009-07-31 00:46 . 2009-07-31 00:39 1106 ----a-w- c:\windows\system32\info.dat
2009-07-23 11:57 . 2009-07-23 11:57 661352 ----a-w- C:\autoruns.exe
2009-07-23 11:57 . 2009-07-23 11:57 553832 ----a-w- C:\autorunsc.exe
2009-07-18 23:16 . 2009-07-18 23:16 -------- d-----w- c:\program files\Common Files\Thunder Network
2009-07-18 23:15 . 2009-07-18 23:15 -------- d-----w- c:\program files\Common Files\Java
2009-07-18 23:14 . 2009-07-18 23:14 -------- d-----w- c:\program files\Intel
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-07-18 23:06 . 2009-07-18 23:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-07-03 21:45 . 2008-12-26 11:36 66144 -c--a-w- c:\documents and settings\Geovision\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-25 01:59 . 2008-12-25 01:59 60516 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 01:59 . 2008-12-25 01:59 49246 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 01:59 . 2008-12-25 01:59 165990 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2006-01-06 . 2A4818AEA80ACD2C95D7D92D2F3155F8 . 360448 . . [5.1.2600.2688] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-01-09 . C3B84871DECE94E335B96FAFD756316C . 2187904 . . [5.1.2600.2765] . . c:\windows\system32\ntoskrnl.exe

[-] 2004-09-01 . 1C08FD2DA2E9D11916BB07982ADB69D1 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe

[-] 2006-01-06 . 2DEACA71A7FD77205F59D48D76B2F565 . 1075200 . . [6.00.2900.2649] . . c:\windows\explorer.exe

c:\windows\system32\drivers\asyncmac.sys ... is missing !!
c:\windows\system32\qmgr.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-09-01 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 07:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675

R3 AGV;AGV;c:\windows\system32\drivers\AGV.sys [2006-12-04 189112]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 GV800S;GV800S;c:\windows\system32\drivers\GV800S.sys [2007-03-29 82224]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-23 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-31 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-23 297752]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2008-12-08 55136]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geovision\Application Data\Mozilla\Firefox\Profiles\oryvhb3o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 22:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2272)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-15 22:21
ComboFix-quarantined-files.txt 2009-09-15 21:21
ComboFix2.txt 2009-09-08 16:57

Pre-Run: 2,645,417,984 bytes free
Post-Run: 2,623,598,592 bytes free

156

#19
extremeboy

Posted 16 September 2009 - 08:45 PM

Elite Member

Experts
1,088 posts

Gender:Male

Hello.

I want samples of those files so, let's try it again.

Create and Run batch script

Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

Quote
@ECHO OFF

For %%a in (
C:\WINDOWS\explorer.exe
c:\windows\system32\userinit.exe
c:\windows\system32\ntoskrnl.exe
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\comres.dll
) DO (
zip FilesToUpload %%a
)
del %0
Click File, then Save As... .
Click Desktop on the left.
Under the Save as type dropdown, select All Files.
In the box File Name, input Upload.bat
Hit OK.

When done properly, the icon should look like Posted Image

for XP machines and Posted Image

Open to the Submission Channel.

Under Link to topic where this file was requested, input:

http://www.malwarebytes.org/forums/index.php?showtopic=23222

Click Browse and select the FilesToUpload.zip on your desktop.
Under the comments section, say that Extremeboy asked for the submission.
Then select Send File to send it
After that you should get a confirmation if it was uploaded successfully.

Do you still have your Windows XP Professional Sp2 disk still with you? If so, we can use that to do some fixing as well.

Please scans these files with VirusTotal... Somethings doesn't look quite right with some of the information

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN

Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
At the top of the page you'll see a box. Browse to the location of each file and select that file. (do one line at a time).
- c:\windows\explorer.exe
- c:\windows\system32\userinit.exe
- c:\windows\system32\ntoskrnl.exe
- c:\windows\system32\drivers\tcpip.sys

Click Submit.
Wait for the scan to finish.
Copy Scanner Results into your next reply.
If more than one file was listed, repeat for each of them.

Post the results here once done.

Take a new DDS run as well and post back with both the DDS and Attach logs.

With Regards,
Extremeboy

#20
dnm5164

Posted 17 September 2009 - 12:37 AM

New Member

Members
19 posts

Tried running the upload.bat but it again did not generate any zip file.

Ran the other things that you requested and have attached the results of the online scan as well as the dds.txt and attach.txt.

Please let me know if i missed anything.

seems like the userinit.exe is the culprit.

Thanks

DM

Attached Files

Results_explore_exe.txt 11.89K 18 downloads
results_ntokrnl_exe.txt 37.73K 14 downloads
results_tcpip_sys.txt 7.92K 16 downloads
resultsuserinit_exe.txt 4.01K 16 downloads
DDS.txt 9.13K 14 downloads
Attach.txt 15.16K 24 downloads

Back to Resolved HijackThis Logs · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

Malwarebytes

Appreciate any help

#1
dnm5164

Posted 31 August 2009 - 11:11 PM

#2
extremeboy

Posted 02 September 2009 - 03:40 PM

#3
dnm5164

Posted 03 September 2009 - 05:27 AM

Attached Files

#4
extremeboy

Posted 03 September 2009 - 02:47 PM

#5
extremeboy

Posted 06 September 2009 - 03:07 PM

#6
dnm5164

Posted 06 September 2009 - 06:40 PM

#7
dnm5164

Posted 06 September 2009 - 06:56 PM

Attached Files

#8
extremeboy

Posted 06 September 2009 - 09:30 PM

#9
dnm5164

Posted 08 September 2009 - 11:02 PM

Attached Files

#10
extremeboy

Posted 09 September 2009 - 11:53 PM

#11
dnm5164

Posted 11 September 2009 - 01:14 AM

Attached Files

#12
extremeboy

Posted 11 September 2009 - 08:49 PM

#13
dnm5164

Posted 13 September 2009 - 10:30 PM

#14
extremeboy

Posted 13 September 2009 - 10:48 PM

#15
dnm5164

Posted 14 September 2009 - 03:57 AM

#16
dnm5164

Posted 14 September 2009 - 12:53 PM

Attached Files

#17
extremeboy

Posted 15 September 2009 - 10:18 PM

#18
dnm5164

Posted 16 September 2009 - 03:36 AM

#19
extremeboy

Posted 16 September 2009 - 08:45 PM

#20
dnm5164

Posted 17 September 2009 - 12:37 AM

Attached Files

1 user(s) are reading this topic

Products

About

Partners

Follow Us

Malwarebytes

Appreciate any help

#1 dnm5164 Posted 31 August 2009 - 11:11 PM

#2 extremeboy Posted 02 September 2009 - 03:40 PM

#3 dnm5164 Posted 03 September 2009 - 05:27 AM

Attached Files

#4 extremeboy Posted 03 September 2009 - 02:47 PM

#5 extremeboy Posted 06 September 2009 - 03:07 PM

#6 dnm5164 Posted 06 September 2009 - 06:40 PM

#7 dnm5164 Posted 06 September 2009 - 06:56 PM

Attached Files

#8 extremeboy Posted 06 September 2009 - 09:30 PM

#9 dnm5164 Posted 08 September 2009 - 11:02 PM

Attached Files

#10 extremeboy Posted 09 September 2009 - 11:53 PM

#11 dnm5164 Posted 11 September 2009 - 01:14 AM

Attached Files

#12 extremeboy Posted 11 September 2009 - 08:49 PM

#13 dnm5164 Posted 13 September 2009 - 10:30 PM

#14 extremeboy Posted 13 September 2009 - 10:48 PM

#15 dnm5164 Posted 14 September 2009 - 03:57 AM

#16 dnm5164 Posted 14 September 2009 - 12:53 PM

Attached Files

#17 extremeboy Posted 15 September 2009 - 10:18 PM

#18 dnm5164 Posted 16 September 2009 - 03:36 AM

#19 extremeboy Posted 16 September 2009 - 08:45 PM

#20 dnm5164 Posted 17 September 2009 - 12:37 AM

Attached Files

1 user(s) are reading this topic

Products

About

Partners

Follow Us

#1
dnm5164

Posted 31 August 2009 - 11:11 PM

#2
extremeboy

Posted 02 September 2009 - 03:40 PM

#3
dnm5164

Posted 03 September 2009 - 05:27 AM

#4
extremeboy

Posted 03 September 2009 - 02:47 PM

#5
extremeboy

Posted 06 September 2009 - 03:07 PM

#6
dnm5164

Posted 06 September 2009 - 06:40 PM

#7
dnm5164

Posted 06 September 2009 - 06:56 PM

#8
extremeboy

Posted 06 September 2009 - 09:30 PM

#9
dnm5164

Posted 08 September 2009 - 11:02 PM

#10
extremeboy

Posted 09 September 2009 - 11:53 PM

#11
dnm5164

Posted 11 September 2009 - 01:14 AM

#12
extremeboy

Posted 11 September 2009 - 08:49 PM

#13
dnm5164

Posted 13 September 2009 - 10:30 PM

#14
extremeboy

Posted 13 September 2009 - 10:48 PM

#15
dnm5164

Posted 14 September 2009 - 03:57 AM

#16
dnm5164

Posted 14 September 2009 - 12:53 PM

#17
extremeboy

Posted 15 September 2009 - 10:18 PM

#18
dnm5164

Posted 16 September 2009 - 03:36 AM

#19
extremeboy

Posted 16 September 2009 - 08:45 PM

#20
dnm5164

Posted 17 September 2009 - 12:37 AM