Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Seems like Vundo [RESOLVED]


  • This topic is locked This topic is locked

#1
Mati Kochen

Mati Kochen

    New Member

  • Member
  • Pip
  • 7 posts
Hello,
I'm having similar symptoms as described in the Vundo post.
I've downloaded the VundoFix, but it founds nothing infected (not even after a restart).
Windows Defender keeps finding & alerting about:
Error encountered:
Code 0x80508021. An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support. 

Category:
Trojan

Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.

Resources:
clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{663656DF-6BAE-460C-A612-8133DF519346}

clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}

regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\MSServer

regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{663656DF-6BAE-460C-A612-8133DF519346}

regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{663656DF-6BAE-460C-A612-8133DF519346}

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}

regkey:
[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{663656DF-6BAE-460C-A612-8133DF519346}

regkey:
[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}

regkey:
[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{663656DF-6BAE-460C-A612-8133DF519346}

bho:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{663656DF-6BAE-460C-A612-8133DF519346}

bho:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}

runkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\MSServer

ieaddon:
[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{663656DF-6BAE-460C-A612-8133DF519346}

ieaddon:
[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{54BDDEC9-3DDE-4B61-9816-19D6E582F13E}

ieaddon:
[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{663656DF-6BAE-460C-A612-8133DF519346}

lsapackage:
HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\\AUTHENTICATION PACKAGES:C:\Windows\system32\xxyxYrQg

file:
C:\Windows\system32\ybgasvbo.dll

file:
C:\Windows\system32\xxyxYrQg.dll

file:
C:\Windows\system32\kknvdvso.dll

file:
C:\Windows\system32\jkkKcYSI.dll

file:
C:\Windows\system32\eFwTMGAR.dll

file:
C:\Windows\system32\byXQKcyW.dll

file:
C:\Windows\system32\byXPFUKe.dll

file:
C:\Windows\system32\aWOghFwx.dll

View more information about this item online
but it cannot remove it...


Here is my HijacThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:11:30, on 13/6/2008
Platform: Windows Vista SP1, v.744 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.17128)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\explorer.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.huji.ac.il:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {54BDDEC9-3DDE-4B61-9816-19D6E582F13E} - C:\Windows\system32\xxyxYrQg.dll
O2 - BHO: (no name) - {663656DF-6BAE-460C-A612-8133DF519346} - C:\Windows\system32\jkkKcYSI.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display\HotKey.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [BatteryMiser 5] C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkKcYSI.dll,#1
O4 - HKLM\..\Run: [BM2d87fa0e] Rundll32.exe "C:\Windows\system32\spwffmam.dll",s
O4 - HKLM\..\Run: [2eb4c992] rundll32.exe "C:\Windows\system32\kalxnylm.dll",b
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: SSH Tectia Broker.lnk = C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\OmniServ.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - E:\server\xampp\service.exe

--
End of file - 9142 bytes


Malwarebytes' Anti-Malware (after basic scan) found 35 infected files:
Malwarebytes' Anti-Malware 1.17
Database version: 851

02:31:11 13/6/2008
mbam-log-6-13-2008 (02-31-07).txt

Scan type: Quick Scan
Objects scanned: 21859
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\kalxnylm.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\xxyxYrQg.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\jkkKcYSI.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54bddec9-3dde-4b61-9816-19d6e582f13e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{54bddec9-3dde-4b61-9816-19d6e582f13e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{663656df-6bae-460c-a612-8133df519346} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{663656df-6bae-460c-a612-8133df519346} (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2eb4c992 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{663656df-6bae-460c-a612-8133df519346} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxyrqg -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\aWOghFwx.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\xwFhgOWa.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\xwFhgOWa.ini2 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\eFwTMGAR.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\RAGMTwFe.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\RAGMTwFe.ini2 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\kalxnylm.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\mlynxlak.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\xxyxYrQg.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\gQrYxyxx.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\gQrYxyxx.ini2 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\jkkKcYSI.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\byXPFUKe.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\byXQKcyW.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\khnjycsx.exe (Trojan.LowZones) -> No action taken.
C:\Windows\System32\wfcrcwde.exe (Trojan.LowZones) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0000c2f0 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0000c63b (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0000cb78 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0000e3b9 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp00015456 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0001889f (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp00024327 (Trojan.Vundo) -> No action taken.
C:\Users\mtk\AppData\Local\Temp\tmp0004cbe6 (Trojan.Vundo) -> No action taken.

I took action to remove all, which required a reboot.
upon windows startup, I got this error message:
Posted Image


I'm running a full scan atm. will report back...



Important to mention that Windows Explorer keeps crashing & restarting itself...

Edited by Mati Kochen, 12 June 2008 - 05:42 PM.

  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Don't put the logs in code boxes

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#3
Mati Kochen

Mati Kochen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ComboFix:
Windows Explorer crashed again, when ComboFix finished, but here is the log:
ComboFix 08-06-11.3 - mtk 2008-06-13 10:35:45.1 - NTFSx86
Microsoft® Windows Vista™ Enterprise 6.0.6001.1.1252.1.1033.18.1568 [GMT 3:00]
Running from: E:\Download\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\Fonts\CALIBRIB.TTF
C:\Windows\System32\aGilRXyb.ini
C:\Windows\System32\aGilRXyb.ini2
C:\Windows\system32\ebrlpajb.ini
C:\Windows\system32\gtxfmjuo.ini
C:\Windows\system32\hRCbayxx.ini
C:\Windows\System32\hRCbayxx.ini2
C:\Windows\system32\kknvdvso.dll
C:\Windows\system32\lybceirj.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\mwarggrc.ini
C:\Windows\system32\pskiwlij.ini
C:\Windows\system32\qbupmoki.ini
C:\Windows\system32\spwffmam.dll
C:\Windows\system32\ybgasvbo.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-13 02:20 . 2008-06-13 02:20 <DIR> d-------- C:\Users\mtk\AppData\Roaming\Malwarebytes
2008-06-13 02:20 . 2008-06-13 02:20 <DIR> d-------- C:\Users\mtk\AppData\Roaming\Download Manager
2008-06-13 02:20 . 2008-06-13 02:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-06-13 02:20 . 2008-06-13 02:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-06-13 02:20 . 2008-06-13 02:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 02:20 . 2008-06-10 19:02 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-13 02:20 . 2008-06-10 19:02 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-13 01:37 . 2008-06-13 01:37 <DIR> d-------- C:\VundoFix Backups
2008-06-08 12:34 . 2008-06-08 12:34 <DIR> d-------- C:\Program Files\DateCafe
2008-06-08 12:30 . 2008-06-08 12:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 13:22 . 2008-06-07 13:23 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-06-07 13:22 . 2008-06-07 13:23 <DIR> d-------- C:\ProgramData\Lavasoft
2008-06-07 13:22 . 2008-06-07 13:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-07 13:22 . 2008-06-07 13:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-06 20:39 . 2008-06-06 20:39 0 --a------ C:\Windows\BsMobileModel.ini
2008-06-04 01:34 . 2008-06-04 01:34 788 --a------ C:\Windows\System32\SHORTCUT.INI
2008-06-04 01:30 . 2008-06-06 20:39 129 --a------ C:\Windows\System32\REMOTEDEVICE.INI
2008-06-01 16:56 . 2008-06-01 16:56 <DIR> d-------- C:\Program Files\Skype
2008-06-01 16:56 . 2008-06-01 16:56 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-31 13:01 . 2008-05-31 13:01 <DIR> d-------- C:\Users\mtk\AppData\Roaming\Design Science
2008-05-30 22:44 . 2008-05-30 22:44 <DIR> d-------- C:\Program Files\MathType
2008-05-25 15:33 . 2008-06-08 14:12 1,918 --a------ C:\Windows\System32\LOCALSERVICE.INI
2008-05-25 15:33 . 2008-06-06 22:02 98 --a------ C:\Windows\System32\LOCALDEVICE.INI
2008-05-24 23:15 . 2008-05-24 23:15 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-05-24 21:25 . 2008-05-24 21:25 0 --a------ C:\Windows\System32\BSPRINT.INI
2008-05-24 21:24 . 2008-05-24 21:24 <DIR> d-------- C:\Program Files\IVT Corporation
2008-05-24 11:19 . 2008-05-24 11:19 <DIR> d-------- C:\Users\mtk\AppData\Roaming\ATI
2008-05-24 00:55 . 2008-05-24 21:24 <DIR> d-------- C:\Users\All Users\Bluetooth
2008-05-24 00:55 . 2008-05-24 21:24 <DIR> d-------- C:\ProgramData\Bluetooth
2008-05-24 00:55 . 2008-05-24 00:55 <DIR> d-------- C:\Bluetooth
2008-05-23 19:34 . 2006-12-11 15:58 114,688 --a------ C:\Windows\System32\bmpsap.dll
2008-05-23 19:34 . 2005-12-14 21:30 7,552 --a------ C:\Windows\System32\drivers\lgsnd_filter.sys
2008-05-23 19:29 . 2008-05-24 21:25 32 --a------ C:\Windows\0
2008-05-23 19:29 . 2008-05-23 19:29 0 --a------ C:\Windows\System32\0
2008-05-23 01:52 . 2008-05-23 02:04 32 --a------ C:\Windows\System32\config.cfg
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\Windows\System32\lsdelete.exe
2008-05-14 12:35 . 2008-05-14 12:35 <DIR> d-------- C:\Users\mtk\.sshterm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 00:26 --------- d-----w C:\Users\mtk\AppData\Roaming\FileZilla
2008-06-12 22:59 --------- d-----w C:\Users\mtk\AppData\Roaming\Skype
2008-06-08 11:14 --------- d-----w C:\Program Files\Conduit
2008-06-06 13:18 --------- d-----w C:\Users\mtk\AppData\Roaming\SSH
2008-06-03 20:42 --------- d-----w C:\Program Files\lg_swupdate
2008-06-01 13:56 --------- d-----w C:\ProgramData\Skype
2008-06-01 13:05 --------- d-----w C:\Users\mtk\AppData\Roaming\skypePM
2008-05-25 17:34 --------- d-----w C:\Program Files\FileZilla Client
2008-05-23 16:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-23 16:34 --------- d-----w C:\Program Files\LG Software
2008-05-23 16:32 --------- d-----w C:\Program Files\ATI Technologies
2008-05-22 23:06 --------- d-----w C:\ProgramData\Installations
2008-05-22 23:06 --------- d-----w C:\Program Files\Nokia
2008-05-22 23:06 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-14 06:37 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-04 21:44 --------- d-----w C:\Program Files\WinPcap
2008-04-29 22:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-29 08:20 15,648 ----a-w C:\Windows\system32\drivers\NSDriver.sys
2008-04-29 08:19 15,648 ----a-w C:\Windows\system32\drivers\Awrtrd.sys
2008-04-29 08:19 12,960 ----a-w C:\Windows\system32\drivers\Awrtpd.sys
2008-04-23 05:17 --------- d-----w C:\Users\mtk\AppData\Roaming\CommitMonitor
2008-04-21 12:12 --------- d-----w C:\Users\mtk\AppData\Roaming\Nokia
2008-04-20 10:14 --------- d-----w C:\Program Files\Macromedia
2008-04-20 10:14 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-04-20 10:14 --------- d-----w C:\Program Files\Beyond Compare 2
2008-04-16 23:15 --------- d-----w C:\ProgramData\FLEXnet
2008-04-16 00:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-16 00:25 --------- d-----w C:\Program Files\Bonjour
2008-04-16 00:20 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-14 13:20 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-14 13:20 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-05 10:35 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-04-04 12:34 737,280 ----a-w C:\Windows\iun6002.exe
2008-03-26 10:21 5,369,856 ----a-w C:\Windows\RtHDVCpl.exe
2008-03-18 12:31 98,304 ----a-w C:\Windows\RTKAUDIOSERVICE.EXE
2008-01-14 22:21 174 --sha-w C:\Program Files\desktop.ini
2007-12-23 12:45 32 ----a-w C:\Users\All Users\ezsid.dat
2007-12-23 12:45 32 ----a-w C:\ProgramData\ezsid.dat
.

------- Sigcheck -------

2008-01-23 12:06 891448 de57ee5357e3b772bea87f7301f21fd0 C:\Windows\System32\drivers\tcpip.sys
2008-01-23 12:06 891448 de57ee5357e3b772bea87f7301f21fd0 C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.17128_none_b3108d78666f2716\tcpip.sys
2006-11-02 11:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-10 17:04 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2008-01-10 17:04 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeybdUtility"="C:\Program Files\LG Software\On Screen Display\HotKey.exe" [2007-02-15 10:55 2655800]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2006-12-22 17:18 2498560]
"LG Intelligent Update"="C:\Program Files\lg_swupdate\giljabistart.exe" [2008-03-10 11:53 247088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 13:36 827392]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 13:21 5369856 C:\Windows\RtHDVCpl.exe]
"BatteryMiser 5"="C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe" [2007-02-04 12:10 337464]
"BtTray"="C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-05-12 17:47 227840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

C:\Users\mtk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SSH Tectia Broker.lnk - C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe [2005-12-08 22:55:20 1921024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= C:\Windows\system32\bmpsap.dll [2006-12-11 15:58 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1741207018-4134911097-3850817977-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 BtHidBus;Bluetooth HID Bus Service;C:\Windows\system32\Drivers\BtHidBus.sys [2008-01-21 19:28]
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe [2008-05-12 17:47]
R2 BsMobileCS;BsMobileCS;C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-05-08 13:58]
R2 CrackTcpip;CrackTcpip;C:\Windows\system32\drivers\CrackTcpip.sys [2008-01-13 17:55]
R2 SSPORT;SSPORT;C:\Windows\system32\Drivers\SSPORT.sys [2006-11-22 10:52]
R3 AGR1310_60;Agere Systems ET-13xx PCI-E Ethernet Adapter Vista Driver;C:\Windows\system32\DRIVERS\AGR1310_60.sys [2007-01-19 11:41]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-13 21:58]
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe [2008-05-08 13:59]
R3 IvtBtBUs;IVT Bluetooth Bus Service;C:\Windows\system32\Drivers\IvtBtBus.sys [2008-01-21 19:28]
R3 LGDMEBTN;LG Direct Media Button Device Driver for x86;C:\Windows\system32\DRIVERS\LGDMEBTN.sys [2006-12-14 01:22]
S2 HFGService;Handsfree Headset Service;C:\Windows\system32\svchost.exe [2008-01-02 10:31]
S2 XAMPP;XAMPP Service;E:\server\xampp\service.exe [2007-12-21 05:01]
S3 BthAudioHF;BthAudioHF Service;C:\Windows\system32\DRIVERS\BthAudioHF.sys [2008-03-31 21:15]
S3 lgsnd_filter;lgsnd_filter;C:\Windows\system32\drivers\lgsnd_filter.sys [2005-12-14 21:30]
S3 MBAMCatchMe;MBAMCatchMe;C:\Windows\system32\drivers\mbamcatchme.sys [2008-06-10 19:02]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2007-11-06 23:22]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-13 21:58]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []
S4 Tomcat6;Apache Tomcat Tomcat6;E:\server\xampp\tomcat\bin\tomcat6.exe [2007-07-20 06:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
bthaudiosvc REG_MULTI_SZ HFGService

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03eefb93-dfbb-11dc-b843-00e0910e95c1}]
\shell\Auto\command - sal.xls.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 10:43:48
Windows 6.0.6001 Service Pack 1, v.744 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Softex\OmniPass\SCUREDLL.dll
-> C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
-> C:\Program Files\TortoiseSVN\iconv\windows-1252.so
-> C:\Program Files\TortoiseSVN\iconv\utf-8.so
-> C:\Windows\system32\BsMobileSDK.dll
-> C:\Windows\system32\BsLangInDepRes.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Softex\OmniPass\OmniServ.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\wlanext.exe
C:\Windows\System32\conime.exe
C:\Windows\System32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Softex\OmniPass\opvapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-06-13 10:51:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-13 07:50:58

Pre-Run: 756,633,600 bytes free
Post-Run: 2,752,163,840 bytes free

255 --- E O F --- 2008-06-12 22:07:56


HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:47, on 13/6/2008
Platform: Windows Vista SP1, v.744 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.17128)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.huji.ac.il:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display\HotKey.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [BatteryMiser 5] C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: SSH Tectia Broker.lnk = C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\OmniServ.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - E:\server\xampp\service.exe

--
End of file - 7965 bytes


Kaspersky:
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 13, 2008
Operating System: Microsoft Windows Vista Enterprise Edition, 32-bit Service Pack 1, v.744 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 13, 2008 04:33:46
Records in database: 858463
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 330254
Threat name 8
Infected objects 16
Suspicious objects 0
Duration of the scan 04:34:10

File name Threat name Threats count
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080608-123721-123.dll Infected: Trojan-Downloader.Win32.Agent.rmg 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080608-123721-837.dll Infected: Trojan.Win32.Monder.gen 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080608-124416-424.dll Infected: Trojan-Downloader.Win32.Agent.rmg 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080608-124416-747.dll Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\Windows\System32\kknvdvso.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\QooBox\Quarantine\C\Windows\System32\spwffmam.dll.vir Infected: Trojan.Win32.Monder.nb 1
C:\QooBox\Quarantine\C\Windows\System32\ybgasvbo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yhx 1
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c03c24a\Report.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c151ce8\Report.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.ymg 1
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c15455e\Report.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.yeb 1
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c156933\Report.cab Infected: Trojan.Win32.Monder.gen 1
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c15ba5f\Report.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.ymg 1
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c15e989\Report.cab Infected: Trojan.Win32.Monder.gen 1
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c16037f\Report.cab Infected: Trojan.Win32.Monder.mx 1
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c162feb\Report.cab Infected: Trojan.Win32.Monder.mx 1
E:\Download\Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE\embrace\Nero-8.3.2.1_eng_trial.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
The selected area was scanned.

Edited by Mati Kochen, 13 June 2008 - 08:51 AM.

  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You got infected because you downloaded a keygen, what a surprise

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
E:\Download\Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE

Folder::
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c03c24a
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c151ce8
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c15455e
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c156933
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c15ba5f
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c15e989
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c16037f
C:\Users\mtk\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0c162feb
E:\Download\Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03eefb93-dfbb-11dc-b843-00e0910e95c1}]

DirLook::
C:\Windows\System32\0
E:\Download


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

  • 0

#5
Mati Kochen

Mati Kochen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks.
the log file seems to expose too much info about my HD... :)
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Well I need to see it if you want your PC clean

Edit out anything you don't want to show
  • 0

#7
Mati Kochen

Mati Kochen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
the log file is too big.
just download it from here...
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok you can remove that now


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
E:\Download\NOD32.v3.0.414.RC1_Crack
E:\Download\Nokia\Vito Smartmap (Nokia Series 60) 1.0 Crack.zip
E:\Download\nod32\NOD32 v3.0.414 RC1
E:\Download\Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE

Folder::
E:\Download\NOD32.v3.0.414.RC1_Crack
E:\Download\Nokia\Vito Smartmap (Nokia Series 60) 1.0 Crack.zip
E:\Download\nod32\NOD32 v3.0.414 RC1
E:\Download\Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also tell me how your PC is running
  • 0

#9
Mati Kochen

Mati Kochen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ComboFix 08-06-11.3 - mtk 2008-06-14 0:34:37.3 - NTFSx86
Microsoft® Windows Vista™ Enterprise 6.0.6001.1.1252.1.1033.18.1535 [GMT 3:00]
Running from: E:\download\ComboFix.exe
Command switches used :: C:\Users\mtk\Desktop\CFScript.txt

FILE ::
E:\Download\Ahead.Nero.v8.3.2.1.Incl.Keymaker-EMBRACE
E:\Download\NOD32.v3.0.414.RC1_Crack
E:\Download\nod32\NOD32 v3.0.414 RC1
E:\Download\Nokia\Vito Smartmap (Nokia Series 60) 1.0 Crack.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Download\NOD32.v3.0.414.RC1_Crack
E:\Download\Nokia\Vito Smartmap (Nokia Series 60) 1.0 Crack.zip
E:\Download\Nokia\Vito Smartmap (Nokia Series 60) 1.0 Crack.zip\

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-14 00:33 . 2008-06-14 00:33 <DIR> d-------- C:\327882R2FWJFW
2008-06-13 02:20 . 2008-06-13 02:20 <DIR> d-------- C:\Users\mtk\AppData\Roaming\Malwarebytes
2008-06-13 02:20 . 2008-06-13 02:20 <DIR> d-------- C:\Users\mtk\AppData\Roaming\Download Manager
2008-06-13 02:20 . 2008-06-13 02:20 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-06-13 02:20 . 2008-06-13 02:20 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-06-13 02:20 . 2008-06-13 02:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 02:20 . 2008-06-10 19:02 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-13 02:20 . 2008-06-10 19:02 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-13 01:37 . 2008-06-13 01:37 <DIR> d-------- C:\VundoFix Backups
2008-06-08 12:34 . 2008-06-08 12:34 <DIR> d-------- C:\Program Files\DateCafe
2008-06-08 12:30 . 2008-06-08 12:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 13:22 . 2008-06-07 13:23 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-06-07 13:22 . 2008-06-07 13:23 <DIR> d-------- C:\ProgramData\Lavasoft
2008-06-07 13:22 . 2008-06-07 13:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-07 13:22 . 2008-06-07 13:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-06 20:39 . 2008-06-06 20:39 0 --a------ C:\Windows\BsMobileModel.ini
2008-06-04 01:34 . 2008-06-04 01:34 788 --a------ C:\Windows\System32\SHORTCUT.INI
2008-06-04 01:30 . 2008-06-06 20:39 129 --a------ C:\Windows\System32\REMOTEDEVICE.INI
2008-06-01 16:56 . 2008-06-01 16:56 <DIR> d-------- C:\Program Files\Skype
2008-06-01 16:56 . 2008-06-01 16:56 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-31 13:01 . 2008-05-31 13:01 <DIR> d-------- C:\Users\mtk\AppData\Roaming\Design Science
2008-05-30 22:44 . 2008-05-30 22:44 <DIR> d-------- C:\Program Files\MathType
2008-05-25 15:33 . 2008-06-08 14:12 1,918 --a------ C:\Windows\System32\LOCALSERVICE.INI
2008-05-25 15:33 . 2008-06-06 22:02 98 --a------ C:\Windows\System32\LOCALDEVICE.INI
2008-05-24 23:15 . 2008-05-24 23:15 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-05-24 21:25 . 2008-05-24 21:25 0 --a------ C:\Windows\System32\BSPRINT.INI
2008-05-24 21:24 . 2008-05-24 21:24 <DIR> d-------- C:\Program Files\IVT Corporation
2008-05-24 11:19 . 2008-05-24 11:19 <DIR> d-------- C:\Users\mtk\AppData\Roaming\ATI
2008-05-24 00:55 . 2008-05-24 21:24 <DIR> d-------- C:\Users\All Users\Bluetooth
2008-05-24 00:55 . 2008-05-24 21:24 <DIR> d-------- C:\ProgramData\Bluetooth
2008-05-24 00:55 . 2008-05-24 00:55 <DIR> d-------- C:\Bluetooth
2008-05-23 19:34 . 2006-12-11 15:58 114,688 --a------ C:\Windows\System32\bmpsap.dll
2008-05-23 19:34 . 2005-12-14 21:30 7,552 --a------ C:\Windows\System32\drivers\lgsnd_filter.sys
2008-05-23 19:29 . 2008-05-24 21:25 32 --a------ C:\Windows\0
2008-05-23 19:29 . 2008-05-23 19:29 0 --a------ C:\Windows\System32\0
2008-05-23 01:52 . 2008-05-23 02:04 32 --a------ C:\Windows\System32\config.cfg
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\Windows\System32\lsdelete.exe
2008-05-14 12:35 . 2008-05-14 12:35 <DIR> d-------- C:\Users\mtk\.sshterm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 21:37 --------- d-----w C:\Users\mtk\AppData\Roaming\Skype
2008-06-13 16:06 --------- d-----w C:\Users\mtk\AppData\Roaming\FileZilla
2008-06-08 11:14 --------- d-----w C:\Program Files\Conduit
2008-06-06 13:18 --------- d-----w C:\Users\mtk\AppData\Roaming\SSH
2008-06-03 20:42 --------- d-----w C:\Program Files\lg_swupdate
2008-06-01 13:56 --------- d-----w C:\ProgramData\Skype
2008-06-01 13:05 --------- d-----w C:\Users\mtk\AppData\Roaming\skypePM
2008-05-25 17:34 --------- d-----w C:\Program Files\FileZilla Client
2008-05-23 16:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-23 16:34 --------- d-----w C:\Program Files\LG Software
2008-05-23 16:32 --------- d-----w C:\Program Files\ATI Technologies
2008-05-22 23:06 --------- d-----w C:\ProgramData\Installations
2008-05-22 23:06 --------- d-----w C:\Program Files\Nokia
2008-05-22 23:06 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-14 06:37 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-08 11:02 9,728 ----a-w C:\Windows\System32\BsMonUI.dll
2008-05-08 11:02 57,430 ----a-w C:\Windows\System32\btfunc.dll
2008-05-08 11:02 405,589 ----a-w C:\Windows\System32\BsUI.dll
2008-05-08 11:02 278,647 ----a-w C:\Windows\System32\outlookAddin.dll
2008-05-08 11:02 18,432 ----a-w C:\Windows\System32\BsMonSvr.dll
2008-05-08 11:01 622,693 ----a-w C:\Windows\System32\BSShell.dll
2008-05-08 11:01 540,758 ----a-w C:\Windows\System32\Bscdlg.dll
2008-05-08 11:01 53,248 ----a-w C:\Windows\System32\HtmPrintHelper.dll
2008-05-08 11:01 114,788 ----a-w C:\Windows\System32\BsProfileFunc.dll
2008-05-08 11:01 114,774 ----a-w C:\Windows\System32\versit.dll
2008-05-08 11:00 94,314 ----a-w C:\Windows\System32\BsHelpCSps.dll
2008-05-08 11:00 516,211 ----a-w C:\Windows\System32\BlueSoleilCSps.dll
2008-05-08 11:00 143,450 ----a-w C:\Windows\System32\BsCommon.dll
2008-05-08 10:59 98,403 ----a-w C:\Windows\System32\Bs2Res.dll
2008-05-08 10:59 28,766 ----a-w C:\Windows\System32\PlayerCtrl.dll
2008-05-08 10:59 221,268 ----a-w C:\Windows\System32\BsSDK.dll
2008-05-08 10:58 28,760 ----a-w C:\Windows\System32\BsTrace.dll
2008-05-08 10:58 28,672 ----a-w C:\Windows\System32\BsMobileCSps.dll
2008-05-08 10:58 118,880 ----a-w C:\Windows\System32\BsMobileSDK.dll
2008-05-04 21:44 --------- d-----w C:\Program Files\WinPcap
2008-04-29 22:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-29 08:20 15,648 ----a-w C:\Windows\system32\drivers\NSDriver.sys
2008-04-29 08:19 15,648 ----a-w C:\Windows\system32\drivers\Awrtrd.sys
2008-04-29 08:19 12,960 ----a-w C:\Windows\system32\drivers\Awrtpd.sys
2008-04-23 05:17 --------- d-----w C:\Users\mtk\AppData\Roaming\CommitMonitor
2008-04-21 12:12 --------- d-----w C:\Users\mtk\AppData\Roaming\Nokia
2008-04-20 10:14 --------- d-----w C:\Program Files\Macromedia
2008-04-20 10:14 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-04-20 10:14 --------- d-----w C:\Program Files\Beyond Compare 2
2008-04-16 23:15 --------- d-----w C:\ProgramData\FLEXnet
2008-04-16 00:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-16 00:25 --------- d-----w C:\Program Files\Bonjour
2008-04-16 00:20 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-14 13:20 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-14 13:20 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-08 09:16 728,608 ----a-w C:\Windows\System32\OGAAddin.dll
2008-04-08 09:16 693,792 ----a-w C:\Windows\System32\OGACheckControl.dll
2008-04-08 09:16 504,864 ----a-w C:\Windows\System32\OGAVerify.exe
2008-04-05 10:35 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-04-04 12:34 737,280 ----a-w C:\Windows\iun6002.exe
2008-03-31 19:01 46,592 ----a-w C:\Windows\System32\HFGService_PS.dll
2008-03-31 19:01 411,136 ----a-w C:\Windows\System32\HFGService.dll
2008-03-26 13:40 30,208 ----a-w C:\Windows\System32\RtkCoInst.dll
2008-03-26 10:21 5,369,856 ----a-w C:\Windows\RtHDVCpl.exe
2008-03-18 12:31 98,304 ----a-w C:\Windows\RTKAUDIOSERVICE.EXE
2008-03-17 09:40 140,800 ----a-w C:\Windows\System32\FMAPO.dll
2008-03-13 13:51 2,160,640 ----a-w C:\Windows\System32\RtkAPO.dll
2008-01-14 22:21 174 --sha-w C:\Program Files\desktop.ini
2007-12-23 12:45 32 ----a-w C:\Users\All Users\ezsid.dat
2007-12-23 12:45 32 ----a-w C:\ProgramData\ezsid.dat
.

------- Sigcheck -------

2008-01-25 14:35 891448 302f7c527d393058054249c83e282aeb C:\Windows\System32\drivers\tcpip.sys
2008-01-25 14:35 891448 302f7c527d393058054249c83e282aeb C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.17128_none_b3108d78666f2716\tcpip.sys
2006-11-02 11:58 802816 d944522b048a5feb7700b5170d3d9423 C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16386_none_5f4ed3e0926e99e4\tcpip.sys
2008-01-10 17:04 802816 028061c7f6d2d03068c72e2a27e4228a C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16567_none_5f6577ce925d75a7\tcpip.sys
2008-01-10 17:04 804352 43eae40b50fe3e60d194dd9c97ebb1fd C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20689_none_5fdb7555ab898001\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_10.50.29.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 07:43:19 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-13 21:14:16 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-13 15:32:40 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-13 15:32:40 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-13 07:43:39 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-13 15:37:54 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-13 07:43:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-13 15:37:11 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-06-13 07:43:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-13 21:14:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-13 07:43:30 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-13 21:14:17 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-13 07:43:30 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-13 21:14:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-13 00:28:03 102,194 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-13 15:40:11 102,194 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-13 00:28:03 598,588 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-13 15:40:11 598,588 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-13 07:45:18 10,598 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1741207018-4134911097-3850817977-1000_UserData.bin
+ 2008-06-13 15:38:45 10,614 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1741207018-4134911097-3850817977-1000_UserData.bin
- 2008-06-13 07:45:18 58,726 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-13 15:38:44 58,726 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-12 23:37:45 37,678 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-13 15:38:43 37,678 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-06-05 10:30:32 242,198 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-06-13 21:14:21 243,360 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeybdUtility"="C:\Program Files\LG Software\On Screen Display\HotKey.exe" [2007-02-15 10:55 2655800]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2006-12-22 17:18 2498560]
"LG Intelligent Update"="C:\Program Files\lg_swupdate\giljabistart.exe" [2008-03-10 11:53 247088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 13:36 827392]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 13:21 5369856 C:\Windows\RtHDVCpl.exe]
"BatteryMiser 5"="C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe" [2007-02-04 12:10 337464]
"BtTray"="C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-05-12 17:47 227840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

C:\Users\mtk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
SSH Tectia Broker.lnk - C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe [2005-12-08 22:55:20 1921024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= C:\Windows\system32\bmpsap.dll [2006-12-11 15:58 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1741207018-4134911097-3850817977-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 BtHidBus;Bluetooth HID Bus Service;C:\Windows\system32\Drivers\BtHidBus.sys [2008-01-21 19:28]
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe [2008-05-12 17:47]
R2 BsMobileCS;BsMobileCS;C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-05-08 13:58]
R2 CrackTcpip;CrackTcpip;C:\Windows\system32\drivers\CrackTcpip.sys [2008-01-13 17:55]
R2 SSPORT;SSPORT;C:\Windows\system32\Drivers\SSPORT.sys [2006-11-22 10:52]
R3 AGR1310_60;Agere Systems ET-13xx PCI-E Ethernet Adapter Vista Driver;C:\Windows\system32\DRIVERS\AGR1310_60.sys [2007-01-19 11:41]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-13 21:58]
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe [2008-05-08 13:59]
R3 IvtBtBUs;IVT Bluetooth Bus Service;C:\Windows\system32\Drivers\IvtBtBus.sys [2008-01-21 19:28]
R3 LGDMEBTN;LG Direct Media Button Device Driver for x86;C:\Windows\system32\DRIVERS\LGDMEBTN.sys [2006-12-14 01:22]
S2 HFGService;Handsfree Headset Service;C:\Windows\system32\svchost.exe [2008-01-02 10:31]
S2 XAMPP;XAMPP Service;E:\server\xampp\service.exe [2007-12-21 05:01]
S3 BthAudioHF;BthAudioHF Service;C:\Windows\system32\DRIVERS\BthAudioHF.sys [2008-03-31 21:15]
S3 lgsnd_filter;lgsnd_filter;C:\Windows\system32\drivers\lgsnd_filter.sys [2005-12-14 21:30]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2007-11-06 23:22]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-13 21:58]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon90 []
S4 Tomcat6;Apache Tomcat Tomcat6;E:\server\xampp\tomcat\bin\tomcat6.exe [2007-07-20 06:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
bthaudiosvc REG_MULTI_SZ HFGService

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 00:37:53
Windows 6.0.6001 Service Pack 1, v.744 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-14 0:39:34
ComboFix-quarantined-files.txt 2008-06-13 21:39:28
ComboFix2.txt 2008-06-13 15:49:10
ComboFix3.txt 2008-06-13 07:51:04

Pre-Run: 2,533,842,944 bytes free
Post-Run: 2,541,408,256 bytes free

268 --- E O F --- 2008-06-12 22:07:56
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#11
Mati Kochen

Mati Kochen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Thank you for your patience, and performing all of the procedures requested.

No, thank you very very much... :)
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP