Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 11-05-2009, 02:11 AM   #1 (permalink)
)Spitfire( - Registered User
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu

posting right, requesting malware removal help

DDS will be put into the post; ark.txt as well as attach.txt are both in the zip file. Please, for the love of god, help me get rid of this thing. I have saved copies of the alert paths/virus names and can post upon request.

I am running Avira AntiVir (free) and am getting about 5 alerts at a time. I have tried scanning with Avira and downloaded Spybot Search & Destroy (after which Windows has stopped detecting my antivirus), and fixed all problems found. Still it keeps going; no noticeable damage has been done. Though I'm not the expert, after spending a week getting threads closed, it may have done some damage; I am unsure.

=============


DDS (Ver_09-10-26.01) - NTFSx86
Run by matty at 8:26:17.14 on Tue 11/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.522 [GMT 11:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-140\AirNCFG.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\matty\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: VIPTToolbarManager Class: {1a2641ae-2c42-4c51-a05f-8ecec3fdc94d} - c:\program files\visual ip trace 2009\VisualIPTraceIE.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\documents and settings\matty\application data\messenger\drivers\MsgUpdate.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: adHlpr Object: {7037b93b-7f76-4973-a177-e0326f67f1f9} - c:\windows\system32\zkhfhslz.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Visual IP Trace: {e70c26ae-dff1-40a8-8d37-19180f56f0aa} - c:\program files\visual ip trace 2009\VisualIPTraceIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\matty\application data\messenger\drivers\IgfxSys.dll",StartProtector
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link RangeBooster N DWA-140] c:\program files\d-link\d-link rangebooster n dwa-140\AirNCFG.exe
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {8CB6A2E4-D65D-4D3A-B6B5-B86FECE448C0} = 203.12.160.35,203.12.160.36
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matty\applic~1\mozilla\firefox\profiles\ojtkekrx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-24 108289]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-9-13 560896]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\drivers\cv2k1.sys --> c:\windows\system32\drivers\cv2k1.sys [?]

=============== Created Last 30 ================

2009-11-01 12:42:21 59952 ----a-r- c:\windows\system32\vnetinst.dll
2009-11-01 12:42:21 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-11-01 12:42:15 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-11-01 12:42:11 395824 ----a-w- c:\windows\system32\vmnat.exe
2009-11-01 12:42:11 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-11-01 12:42:07 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-11-01 12:42:04 760368 ----a-w- c:\windows\system32\vnetlib.dll
2009-11-01 12:41:44 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2009-11-01 12:41:37 1024 ----a-w- C:\.rnd
2009-11-01 12:41:18 0 d-----w- c:\program files\common files\VMware
2009-11-01 12:40:40 0 d-----w- c:\program files\VMware
2009-10-31 23:17:14 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-31 23:17:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-30 22:01:59 48271 ----a-w- c:\windows\system32\yjlkeblrhf.exe
2009-10-30 22:01:57 0 d-----w- c:\docume~1\matty\applic~1\Smart-Ads-Solutions
2009-10-30 22:01:52 0 d-----w- c:\docume~1\matty\applic~1\Messenger
2009-10-30 22:01:51 0 d-----w- c:\program files\Smart-Ads-Solutions
2009-10-28 2154 0 d-----w- c:\windows\system32\Adobe
2009-10-27 09:02:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2009-10-27 06:02:44 0 d-----w- c:\program files\Circle Dvelopement
2009-10-27 06:02:42 0 d-----w- c:\program files\Messenger Plus! Live
2009-10-24 10:38:18 7677746 ----a-w- c:\windows\system\xlive.dll
2009-10-24 10:37:48 7677746 ----a-w- c:\windows\xlive.dll
2009-10-24 1056 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-10-24 10:01:55 0 d-----w- c:\windows\Logs
2009-10-24 10:01:49 0 d--h--w- c:\windows\msdownld.tmp
2009-10-23 20:39:13 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-21 17:45:06 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-21 17:45:06 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2009-10-21 17:45:02 853936 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-21 17:45:00 70704 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-21 17:44:06 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys
2009-10-21 16:47:52 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys
2009-10-21 16:22:38 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-17 19:15:32 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2009-10-17 19:15:30 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2009-10-17 19:15:27 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2009-10-17 19:15:27 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2009-10-17 19:15:24 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2009-10-12 03:33:00 64960 ----a-w- c:\windows\system32\drivers\stcp2v30.sys
2009-10-11 11:20:57 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-09 22:46:58 0 d-----w- c:\program files\MSXML 4.0
2009-10-09 22:22:07 5248 ----a-w- c:\windows\system32\drivers\a347scsi.sys
2009-10-09 22:22:07 160640 ----a-w- c:\windows\system32\drivers\a347bus.sys
2009-10-04 14:35:18 0 d-----w- c:\windows\system32\appmgmt
2009-10-04 05:35:10 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-10-04 05:35:10 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-04 05:35:10 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-10-04 01:47:58 0 d-----w- c:\program files\Microsoft

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 21:40:04 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 06:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 06:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 06:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 06:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 06:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 06:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 06:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 06:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-03 06:10:04 315392 ----a-w- c:\windows\system32\sbcrreag.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll

============= FINISH: 8:26:39.12 ===============
Attached Files
File Type: zip attach.zip (6.1 KB, 6 views)
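The way a helper reads the "Pseudo HJT Report" above (a BHO registered as c:\windows\system32\zkhfhslz.dll, MsgUpdate.dll and IgfxSys.dll loaded from the user's Application Data\Messenger\Drivers, an orphaned BHO that resolves to "No File") can be expressed as a first-pass triage script. The block below is an added example, not part of this thread and not code from the DDS tool. The sample lines are copied from the log posted above; the heuristics (user-writable profile directories, random-looking filenames with at most one vowel, DLLs started through rundll32) and their thresholds are my own assumptions for ranking entries, not a verdict on any file:

```python
"""First-pass triage of the load-point lines in a DDS 'Pseudo HJT Report'.

Added example for this thread; not part of DDS. The heuristics below are
assumptions used to rank entries for a human reviewer, not a malware verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Load-point lines copied from the DDS log posted above (a constructed sample
# for this example, not the complete report).
SAMPLE_REPORT = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\documents and settings\matty\application data\messenger\drivers\MsgUpdate.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: adHlpr Object: {7037b93b-7f76-4973-a177-e0326f67f1f9} - c:\windows\system32\zkhfhslz.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\matty\application data\messenger\drivers\IgfxSys.dll",StartProtector
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
Notify: igfxcui - igfxdev.dll
"""

KINDS = ("BHO", "TB", "EB", "uRun", "mRun", "Notify", "SSODL")
LINE_RE = re.compile(r"^(?P<kind>%s):\s*(?P<rest>.*)$" % "|".join(KINDS))
# First drive-letter path ending in a loadable module; stops at quotes/commas.
PATH_RE = re.compile(r"""[a-z]:\\[^"',]+?\.(?:dll|exe|sys|scr|cpl)\b""", re.IGNORECASE)
NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")  # the [value name] of uRun/mRun lines

# Directories an ordinary user can write to; legitimately installed software
# rarely registers a load point there. (Assumed heuristic.)
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\my documents\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Finding:
    kind: str
    label: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def looks_random(basename: str) -> bool:
    """Machine-generated names such as zkhfhslz.dll: eight or more letters,
    no digits, at most one vowel. (Assumed threshold.)"""
    stem = basename.rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(ch in "aeiou" for ch in stem) <= 1


def triage_line(line: str) -> Optional[Finding]:
    """Parse one report line; return None for lines that are not load points."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    name_m = NAME_RE.search(rest)
    label = name_m.group("name") if name_m else rest.split(" - ")[0].split(":")[0].strip()
    path_m = PATH_RE.search(rest)
    path = path_m.group(0).lower() if path_m else ""
    f = Finding(kind, label, path)
    if rest.rstrip().endswith("No File"):
        f.reasons.append("orphaned load point (CLSID registered, file missing)")
        return f
    if not path:
        return f  # bare module name (e.g. igfxdev.dll): resolved via the DLL search path, nothing to judge here
    if any(d in path for d in USER_WRITABLE):
        f.reasons.append("binary lives in a user-writable profile directory")
    if "rundll32" in rest.lower() and path.endswith(".dll"):
        f.reasons.append("DLL started through rundll32 with an exported entry point")
    basename = path.rsplit("\\", 1)[-1]
    if path.startswith(SYSTEM_DIRS) and looks_random(basename):
        f.reasons.append("random-looking filename in a system directory")
    return f


def triage(report: str) -> List[Finding]:
    """All parsed load points, in report order."""
    return [f for f in map(triage_line, report.splitlines()) if f is not None]


def suspicious(report: str) -> List[Finding]:
    """Only the load points that tripped at least one heuristic."""
    return [f for f in triage(report) if f.suspicious]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_REPORT):
        print(f"{f.kind:7} {f.label:40} {f.path or '-'}")
        for r in f.reasons:
            print("        ->", r)
```

Run against the sample, the script flags exactly the four entries the helper went after in this thread (the Application Data BHO, the orphaned CLSID, the random-named system32 DLL and the rundll32-started IgfxSys.dll) and leaves Windows Live Messenger, Avira and the Intel graphics entries alone. It is a ranking aid only: a real decision also needs the file's signature and hash, as the ComboFix Sigcheck section later in the thread shows.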
Old 11-05-2009, 12:51 PM   #2 (permalink)
tetonbob - Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home

Re: posting right, requesting malware removal help

Now that we have all the required logs, we can begin to assist.

One or more of the identified infections is a backdoor trojan/password stealer.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

======================================

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from one of these locations:

     Link 1
     Link 2

     * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

     You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

     Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

     The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

     With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

     ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

     The Recovery Console was successfully installed.

     Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply.

     Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 11-05-2009, 01:28 PM   #3 (permalink)
)Spitfire( - Registered User
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu

Re: posting right, requesting malware removal help

I will be at school for the next 7 hours so I won't reply, sorry.
=============

ComboFix 09-11-05.01 - matty 11/06/2009 7:15.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.712 [GMT 11:00]
Running from: c:\documents and settings\matty\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
ADS - system32: deleted 12 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\matty\Application Data\Messenger\Drivers\IgfxSys.dll
c:\windows\system32\yjlkeblrhf.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 04:37 . 2009-11-05 04:39 24576 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84111.dll
2009-11-05 04:37 . 2009-11-05 04:39 72704 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst8411.dll
2009-11-04 21:26 . 2009-11-05 04:39 24576 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst841.dll
2009-11-04 08:18 . 2009-11-04 08:18 13836 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-04 05:45 . 2009-11-05 13:12 -------- d-----w- c:\documents and settings\matty\Application Data\mIRC
2009-11-04 05:45 . 2009-11-05 09:51 -------- d-----w- c:\program files\mIRC
2009-11-04 05:30 . 2009-11-04 08:36 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Temporary Projects
2009-11-03 07:54 . 2009-11-03 07:54 -------- d-----w- c:\program files\Advanced Port Scanner
2009-11-02 22:17 . 2009-11-02 22:32 228996 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\smartasf27.exe
2009-11-02 21:32 . 2009-11-02 22:22 133 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\serial.sys
2009-11-02 21:32 . 2009-11-02 21:32 409088 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84.dll
2009-11-01 22:22 . 2009-11-01 22:36 -------- d-----w- c:\documents and settings\matty\Application Data\VMware
2009-11-01 12:43 . 2009-11-01 12:43 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe
2009-11-01 12:43 . 2009-11-01 12:40 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll
2009-11-01 12:43 . 2009-11-01 12:40 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe
2009-11-01 12:43 . 2009-11-01 12:40 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll
2009-11-01 12:43 . 2009-11-01 12:40 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll
2009-11-01 12:43 . 2009-11-01 12:40 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll
2009-11-01 12:43 . 2009-11-01 12:40 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll
2009-11-01 12:43 . 2009-11-01 12:40 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe
2009-11-01 12:42 . 2009-10-21 13:13 59952 ----a-r- c:\windows\system32\vnetinst.dll
2009-11-01 12:42 . 2009-10-21 13:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-11-01 12:42 . 2009-10-21 17:44 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-11-01 12:42 . 2009-10-21 17:44 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-11-01 12:42 . 2009-10-21 17:44 395824 ----a-w- c:\windows\system32\vmnat.exe
2009-11-01 12:42 . 2009-10-21 13:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-11-01 12:42 . 2009-10-21 17:44 760368 ----a-w- c:\windows\system32\vnetlib.dll
2009-11-01 12:41 . 2009-10-21 17:45 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2009-11-01 12:41 . 2009-11-05 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-11-01 12:41 . 2009-11-01 12:41 -------- d-----w- c:\program files\Common Files\VMware
2009-11-01 12:40 . 2009-11-05 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-11-01 12:40 . 2009-11-01 12:40 -------- d-----w- c:\program files\VMware
2009-10-31 23:17 . 2009-11-01 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 23:17 . 2009-11-01 13:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-31 03:21 . 2009-10-31 03:22 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Deployment
2009-10-30 22:02 . 2009-10-30 22:55 303616 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgutil84.dll
2009-10-30 22:01 . 2009-10-30 22:01 -------- d-----w- c:\documents and settings\matty\Application Data\Smart-Ads-Solutions
2009-10-30 22:01 . 2009-11-05 20:01 2453 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\conf.sys
2009-10-30 22:01 . 2009-10-30 22:01 -------- d-----w- c:\documents and settings\matty\Application Data\Messenger
2009-10-30 22:01 . 2009-10-01 10:30 10 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\pub.dll
2009-10-30 22:01 . 2009-07-27 06:48 330752 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Sys\mu.dll
2009-10-30 22:01 . 2009-07-27 06:48 330752 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll
2009-10-30 22:01 . 2009-07-27 06:48 258048 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\phuninst.dll
2009-10-30 22:01 . 2009-10-30 22:01 -------- d-----w- c:\program files\Smart-Ads-Solutions
2009-10-28 21:06 . 2009-10-28 21:06 -------- d-----w- c:\windows\system32\Adobe
2009-10-27 21:02 . 2009-10-27 21:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-27 09:02 . 2009-10-27 09:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-27 06:02 . 2009-10-27 06:02 -------- d-----w- c:\program files\Circle Dvelopement
2009-10-27 06:02 . 2009-10-27 06:02 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-26 04:20 . 2009-10-26 05:07 -------- d-----w- c:\documents and settings\matty\Application Data\FileZilla
2009-10-26 04:20 . 2009-10-26 04:20 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-25 21:24 . 2009-10-25 21:24 2149888 ----a-w- c:\windows\system32\python26.dll
2009-10-24 17:53 . 2009-10-26 09:32 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\SecondLife
2009-10-24 10:38 . 2009-10-24 10:37 7677746 ----a-w- c:\windows\system\xlive.dll
2009-10-24 10:37 . 2009-10-24 10:37 7677746 ----a-w- c:\windows\xlive.dll
2009-10-24 10:08 . 2009-10-24 10:40 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Fallout3
2009-10-24 10:06 . 2005-05-26 04:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-10-24 10:01 . 2009-10-24 10:01 -------- d-----w- c:\windows\Logs
2009-10-24 10:01 . 2009-10-24 10:06 -------- d--h--w- c:\windows\msdownld.tmp
2009-10-23 20:39 . 2009-10-23 20:39 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-23 06:51 . 2009-10-23 06:51 -------- d--h--r- c:\documents and settings\matty\Application Data\SecuROM
2009-10-23 06:40 . 2009-10-23 06:40 -------- d-----w- c:\program files\Electronic Arts
2009-10-21 17:45 . 2009-10-21 17:45 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-21 17:45 . 2009-10-21 17:45 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2009-10-21 17:45 . 2009-10-21 17:45 853936 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-21 17:45 . 2009-10-21 17:45 70704 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-21 17:44 . 2009-10-21 17:44 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys
2009-10-21 16:47 . 2009-10-21 16:47 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys
2009-10-21 16:22 . 2009-10-21 16:22 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-17 19:15 . 2007-10-21 16:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2009-10-17 19:15 . 2007-10-21 16:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2009-10-17 19:15 . 2007-10-12 04:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2009-10-17 19:15 . 2007-10-01 22:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2009-10-17 19:15 . 2007-10-12 04:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2009-10-12 03:33 . 2009-10-12 03:33 64960 ----a-w- c:\windows\system32\drivers\stcp2v30.sys
2009-10-11 11:20 . 2006-11-29 02:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-09 22:46 . 2009-10-09 22:46 -------- d-----w- c:\program files\MSXML 4.0
2009-10-09 22:22 . 2004-04-29 22:37 160640 ----a-w- c:\windows\system32\drivers\a347bus.sys
2009-10-09 22:22 . 2004-04-29 22:33 5248 ----a-w- c:\windows\system32\drivers\a347scsi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 20:07 . 2009-07-24 02:04 -------- d-----w- c:\documents and settings\matty\Application Data\uTorrent
2009-11-03 03:54 . 2009-08-22 04:28 -------- d-----w- c:\documents and settings\matty\Application Data\vlc
2009-11-01 00:23 . 2009-08-20 06:12 -------- d-----w- c:\program files\PopCap Games
2009-10-31 10:22 . 2009-07-25 21:59 -------- d-----w- c:\documents and settings\matty\Application Data\LimeWire
2009-10-29 18:00 . 2009-07-24 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-28 13:48 . 2009-07-24 10:37 -------- d-----w- c:\program files\World of Warcraft
2009-10-24 11:28 . 2009-09-13 00:09 -------- d-----w- c:\program files\Counter-Strike 1.6
2009-10-20 04:40 . 2009-08-23 13:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-11 11:21 . 2009-07-24 04:46 -------- d-----w- c:\program files\Windows Live
2009-10-11 11:20 . 2009-09-07 12:29 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-07 07:24 . 2009-08-23 22:42 -------- d-----w- c:\program files\DivX
2009-10-04 01:47 . 2009-10-04 01:47 -------- d-----w- c:\program files\Microsoft
2009-09-13 05:01 . 2009-09-13 05:01 -------- d-----w- c:\program files\ANI
2009-09-13 05:01 . 2009-07-24 00:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-13 05:00 . 2009-09-13 05:00 -------- d-----w- c:\program files\D-Link
2009-09-13 05:00 . 2009-09-13 05:00 -------- d-----w- c:\documents and settings\matty\Application Data\InstallShield
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 21:41 . 2009-09-08 21:41 -------- d-----w- c:\program files\Alcohol Soft
2009-09-08 21:40 . 2009-09-08 21:40 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-08 08:54 . 2009-07-24 01:25 13688 ----a-w- c:\documents and settings\matty\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 12:30 . 2009-09-07 12:30 -------- d-----w- c:\program files\Microsoft SQL Server
2009-09-07 12:30 . 2009-09-07 11:55 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-09-07 12:29 . 2009-09-07 12:29 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-09-07 12:26 . 2009-09-07 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 12:24 . 2009-09-07 12:24 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-09-07 12:17 . 2009-09-07 12:17 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-09-07 11:55 . 2009-09-07 11:55 -------- d-----w- c:\program files\Microsoft.NET
2009-09-07 11:46 . 2009-09-07 11:46 -------- d-----w- c:\program files\Microsoft SDKs
2009-09-07 11:37 . 2009-09-07 11:37 -------- d-----w- c:\program files\MSBuild
2009-09-07 11:36 . 2009-09-07 11:36 -------- d-----w- c:\program files\Reference Assemblies
2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 06:44 . 2009-10-24 10:07 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 06:44 . 2009-10-24 10:07 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 06:44 . 2009-10-24 10:07 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 06:29 . 2009-10-24 10:07 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-03 06:10 . 2009-09-03 06:10 315392 ----a-w- c:\windows\system32\sbcrreag.dll
2009-08-29 08:08 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 06:13 . 2009-08-20 06:13 25 ----a-w- c:\windows\popcinfot.dat
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 14:10 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[-] 2002-08-28 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5948A52A-BA3A-49A8-BCAF-D578502BDA9D}]
2009-07-27 06:48 330752 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7037B93B-7F76-4973-A177-E0326F67F1F9}]
2009-06-01 04:37 325120 ----a-w- c:\windows\system32\zkhfhslz.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2006-03-23 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link RangeBooster N DWA-140"="c:\program files\D-Link\D-Link RangeBooster N DWA-140\AirNCFG.exe" [2008-04-15 1675264]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-10-21 64048]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Python26\\pythonw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/24/2009 12:55 PM 108289]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 4:45 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [9/13/2009 4:00 PM 560896]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys --> c:\windows\system32\DRIVERS\cv2k1.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: {8CB6A2E4-D65D-4D3A-B6B5-B86FECE448C0} = 203.12.160.35,203.12.160.36
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\matty\Application Data\Mozilla\Firefox\Profiles\ojtkekrx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IgfxSys - c:\documents and settings\matty\Application Data\Messenger\Drivers\IgfxSys.dll
AddRemove-Advanced Port Scanner v1.3 - F:\uninstal.exe
AddRemove-Soldat_is1 - f:\soldat15\Soldat\unins000.exe
AddRemove-yjlkeblrhf - c:\windows\system32\yjlkeblrhf.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 07:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x861B3CB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x861b3cb0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1177238915-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e3,07,ee,93,7f,40,7c,27,dc,9b,84,a6,8a,f2,96,b9,62,3a,ef,20,3d,c1,a1,
8b,e8,bc,74,6d,6b,6d,71,b5,75,5a,04,1a,aa,6b,d4,c0,89,73,37,9b,fb,55,b8,ef,\
"??"=hex:00,4f,b8,6d,ad,41,3c,12,68,4f,92,d6,16,9f,d7,aa
.
Completion time: 2009-11-05 7:26
ComboFix-quarantined-files.txt 2009-11-05 20:26

Pre-Run: 30,743,293,952 bytes free
Post-Run: 32,136,056,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

- - End Of File - - 48084C8655E1F31D7F8A085DF41D262B
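The Sigcheck block in the log above lists every copy of atapi.sys on the box, and the one actually in use under system32\drivers is the only copy whose hash could not be read, which lines up with the \Driver\atapi hook the MBR detector reports. The following is an added example, not ComboFix's code, that parses such a block and flags the copies worth a second look: unreadable hashes, and copies whose MD5 deviates from other copies of the same size and version. The first four sample lines are from the log; the fifth line and its `c:\constructed` path are constructed for the example.

```python
import ntpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Sample input: the first four lines are copied from the Sigcheck block of the ComboFix
# log above; the fifth line (and its c:\constructed path) is constructed for this example
# to show a copy whose hash deviates from the trusted ones. It is not from the log.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 14:10 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2008-04-13 . 0123456789ABCDEF0123456789ABCDEF . 96512 . . [5.1.2600.5512] . . c:\constructed\example\atapi.sys
"""


@dataclass
class SigEntry:
    tag: str      # bracketed signer tag exactly as ComboFix prints it ("7", "-")
    date: str
    md5: str      # 32 hex digits, or ComboFix's "!HASH: ..." marker when unreadable
    size: int
    version: str  # bracketed file version, "------" when ComboFix could not read it
    path: str

    @property
    def hash_ok(self) -> bool:
        return re.fullmatch(r"[0-9A-Fa-f]{32}", self.md5) is not None

    @property
    def name(self) -> str:
        return ntpath.basename(self.path).lower()


def _fields(line: str) -> list[str]:
    """Split a Sigcheck line on its lone '.' tokens; ' . . ' therefore yields an empty field."""
    fields, current = [], []
    for tok in line.split():
        if tok == ".":
            fields.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    fields.append(" ".join(current))
    return fields


def parse_sigcheck(text: str) -> list[SigEntry]:
    """Parse the lines of a ComboFix Sigcheck block into SigEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("["):
            continue
        fields = _fields(line)
        if len(fields) != 7:
            continue  # not laid out like the Sigcheck lines in the log; skip it
        head, md5, size, _, version, _, path = fields
        tag, date = head[1:].split("] ", 1)
        entries.append(SigEntry(tag, date, md5, int(size), version.strip("[]"), path))
    return entries


def find_suspect_copies(entries: list[SigEntry]) -> list[tuple[str, str, str]]:
    """Return (path, kind, detail) for copies of a file that deserve a closer look.

    UNREADABLE: the hash could not be computed (in the log above that is the in-use
                driver under system32\\drivers); hashes of other same-size copies are listed.
    MISMATCH:   same name, size and version as other copies but a different MD5; the
                majority hash within the (size, version) group is taken as the reference.
    """
    by_name: dict[str, list[SigEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)

    findings = []
    for copies in by_name.values():
        hashed = [c for c in copies if c.hash_ok]
        for c in copies:
            if not c.hash_ok:
                peers = sorted({h.md5 for h in hashed if h.size == c.size})
                findings.append((c.path, "UNREADABLE",
                                 f"hash unavailable; other copies of size {c.size} carry: "
                                 f"{', '.join(peers) or 'none'}"))
        votes: dict[tuple[int, str], Counter] = defaultdict(Counter)
        for h in hashed:
            votes[(h.size, h.version)][h.md5] += 1
        for h in hashed:
            group = votes[(h.size, h.version)]
            if len(group) < 2:
                continue  # every copy of this size/version agrees
            ref_md5, ref_n = group.most_common(1)[0]
            if h.md5 != ref_md5:
                findings.append((h.path, "MISMATCH",
                                 f"md5 {h.md5} differs from {ref_md5} seen on {ref_n} other copies"))
    return findings


if __name__ == "__main__":
    for path, kind, detail in find_suspect_copies(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"{kind:10} {path}\n           {detail}")
```

Against the sample this reports the in-use drivers\atapi.sys as UNREADABLE and the constructed copy as MISMATCH; the two ServicePackFiles/dllcache copies agree with each other and are not flagged.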
Old 11-05-2009, 02:46 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. As mentioned in our preposting topic:

    NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

    Quote:
    3. Uninstall the following via Add or Remove Programs in Control Panel:

    • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

    P2P - I see you have P2P software ( µTorrent, Ares 2.1.1, LimeWire 5.2.8 ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    Please see this topic for more information:

    Perils of P2P File Sharing

    I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

    ---------------------------------------------------------------------------------------------
  2. Uninstall the following via the Add/Remove Panel (Start ->Control Panel->Add or Remove Programs) if they exist:

    RON Too1 Gooochi
    SmartAds browser enhancer

    Do not reboot if requested

    Messenger Plus! Live & Sponsor (CiD)

    You have installed Messenger Plus! Live. This program is known to install popup adware known as LOP infection. If the program is a must have, reinstall it and decline when asked to install the sponsor's software.

    More recent versions of Messenger Plus! Live have an opt-out method of toolbar installation to help pay for the project.

    ---------------------------------------------------------------------------------------------

  3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


  4. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/428777-posting-right-requesting-malware-removal-help.html#post2427714
    Folder::
    c:\Program Files\Smart-Ads-Solutions
    c:\documents and settings\matty\Application Data\Smart-Ads-Solutions
    c:\Program Files\Circle Dvelopement
    Collect::
    c:\windows\system32\zkhfhslz.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\serial.sys
    c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84111.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst8411.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst841.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\smartasf27.exe
    c:\documents and settings\matty\Application Data\Messenger\Drivers\serial.sys
    c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgutil84.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\conf.sys
    c:\documents and settings\matty\Application Data\Messenger\Drivers\pub.dll
    c:\documents and settings\matty\Application Data\Messenger\Sys\mu.dll
    c:\documents and settings\matty\Application Data\Messenger\Drivers\phuninst.dll
    DirLook::
    c:\documents and settings\matty\Application Data\Messenger
    Suspect::
    c:\windows\system32\sbcrreag.dll
    FileLook::
    c:\windows\system32\sbcrreag.dll
    Comment::
    End Copy Here
    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  5. ComboFix may request an update; please allow it.
  6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  7. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please let me know if the file was successfully submitted. Thanks.

    ------------------------------------------------------
  8. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 11-06-2009, 12:50 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu


Re: posting right, requesting malware removal help

ComboFix 09-11-05.01 - matty 11/06/2009 18:33.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.715 [GMT 11:00]
Running from: c:\documents and settings\matty\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\matty\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84.dll
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst841.dll
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst8411.dll
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84111.dll
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgutil84.dll
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\smartasf27.exe
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\conf.sys
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\phuninst.dll
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\pub.dll
file zipped: c:\documents and settings\matty\Application Data\Messenger\Drivers\serial.sys
file zipped: c:\documents and settings\matty\Application Data\Messenger\Sys\mu.dll
file zipped: c:\windows\system32\zkhfhslz.dll
file zipped: c:\windows\system32\sbcrreag.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84.dll
c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst841.dll
c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst8411.dll
c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84111.dll
c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgutil84.dll
c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\smartasf27.exe
c:\documents and settings\matty\Application Data\Messenger\Drivers\conf.sys
c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll
c:\documents and settings\matty\Application Data\Messenger\Drivers\phuninst.dll
c:\documents and settings\matty\Application Data\Messenger\Drivers\pub.dll
c:\documents and settings\matty\Application Data\Messenger\Drivers\serial.sys
c:\documents and settings\matty\Application Data\Messenger\Sys\mu.dll
c:\documents and settings\matty\Application Data\Smart-Ads-Solutions
c:\program files\Smart-Ads-Solutions
c:\program files\Smart-Ads-Solutions\SmartAds\1.0.27.0\uninstall.exe
c:\windows\system32\zkhfhslz.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-04 08:18 . 2009-11-04 08:18 13836 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-04 05:45 . 2009-11-06 07:29 -------- d-----w- c:\documents and settings\matty\Application Data\mIRC
2009-11-04 05:45 . 2009-11-06 07:12 -------- d-----w- c:\program files\mIRC
2009-11-04 05:30 . 2009-11-04 08:36 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Temporary Projects
2009-11-03 07:54 . 2009-11-03 07:54 -------- d-----w- c:\program files\Advanced Port Scanner
2009-11-01 22:22 . 2009-11-01 22:36 -------- d-----w- c:\documents and settings\matty\Application Data\VMware
2009-11-01 12:43 . 2009-11-01 12:43 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe
2009-11-01 12:43 . 2009-11-01 12:40 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll
2009-11-01 12:43 . 2009-11-01 12:40 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe
2009-11-01 12:43 . 2009-11-01 12:40 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll
2009-11-01 12:43 . 2009-11-01 12:40 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll
2009-11-01 12:43 . 2009-11-01 12:40 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll
2009-11-01 12:43 . 2009-11-01 12:40 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll
2009-11-01 12:43 . 2009-11-01 12:40 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe
2009-11-01 12:42 . 2009-10-21 13:13 59952 ----a-r- c:\windows\system32\vnetinst.dll
2009-11-01 12:42 . 2009-10-21 13:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-11-01 12:42 . 2009-10-21 17:44 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-11-01 12:42 . 2009-10-21 17:44 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-11-01 12:42 . 2009-10-21 17:44 395824 ----a-w- c:\windows\system32\vmnat.exe
2009-11-01 12:42 . 2009-10-21 13:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-11-01 12:42 . 2009-10-21 17:44 760368 ----a-w- c:\windows\system32\vnetlib.dll
2009-11-01 12:41 . 2009-10-21 17:45 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2009-11-01 12:41 . 2009-11-06 07:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-11-01 12:41 . 2009-11-01 12:41 -------- d-----w- c:\program files\Common Files\VMware
2009-11-01 12:40 . 2009-11-06 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-11-01 12:40 . 2009-11-01 12:40 -------- d-----w- c:\program files\VMware
2009-10-31 23:17 . 2009-11-01 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 23:17 . 2009-11-01 13:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-31 03:21 . 2009-10-31 03:22 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Deployment
2009-10-30 22:01 . 2009-10-30 22:01 -------- d-----w- c:\documents and settings\matty\Application Data\Messenger
2009-10-28 21:06 . 2009-10-28 21:06 -------- d-----w- c:\windows\system32\Adobe
2009-10-27 21:02 . 2009-10-27 21:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-27 09:02 . 2009-10-27 09:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-27 06:02 . 2009-10-27 06:02 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-26 04:20 . 2009-10-26 05:07 -------- d-----w- c:\documents and settings\matty\Application Data\FileZilla
2009-10-26 04:20 . 2009-10-26 04:20 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-25 21:24 . 2009-10-25 21:24 2149888 ----a-w- c:\windows\system32\python26.dll
2009-10-24 17:53 . 2009-10-26 09:32 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\SecondLife
2009-10-24 10:38 . 2009-10-24 10:37 7677746 ----a-w- c:\windows\system\xlive.dll
2009-10-24 10:37 . 2009-10-24 10:37 7677746 ----a-w- c:\windows\xlive.dll
2009-10-24 10:08 . 2009-10-24 10:40 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Fallout3
2009-10-24 10:06 . 2005-05-26 04:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-10-24 10:01 . 2009-10-24 10:01 -------- d-----w- c:\windows\Logs
2009-10-24 10:01 . 2009-10-24 10:06 -------- d--h--w- c:\windows\msdownld.tmp
2009-10-23 20:39 . 2009-10-23 20:39 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-23 06:51 . 2009-10-23 06:51 -------- d--h--r- c:\documents and settings\matty\Application Data\SecuROM
2009-10-23 06:40 . 2009-10-23 06:40 -------- d-----w- c:\program files\Electronic Arts
2009-10-21 17:45 . 2009-10-21 17:45 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-21 17:45 . 2009-10-21 17:45 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2009-10-21 17:45 . 2009-10-21 17:45 853936 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-21 17:45 . 2009-10-21 17:45 70704 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-21 17:44 . 2009-10-21 17:44 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys
2009-10-21 16:47 . 2009-10-21 16:47 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys
2009-10-21 16:22 . 2009-10-21 16:22 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-17 19:15 . 2007-10-21 16:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2009-10-17 19:15 . 2007-10-21 16:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2009-10-17 19:15 . 2007-10-12 04:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2009-10-17 19:15 . 2007-10-01 22:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2009-10-17 19:15 . 2007-10-12 04:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2009-10-12 03:33 . 2009-10-12 03:33 64960 ----a-w- c:\windows\system32\drivers\stcp2v30.sys
2009-10-11 11:20 . 2006-11-29 02:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-09 22:46 . 2009-10-09 22:46 -------- d-----w- c:\program files\MSXML 4.0
2009-10-09 22:22 . 2004-04-29 22:37 160640 ----a-w- c:\windows\system32\drivers\a347bus.sys
2009-10-09 22:22 . 2004-04-29 22:33 5248 ----a-w- c:\windows\system32\drivers\a347scsi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 07:22 . 2009-11-06 07:22 30601 ----a-w- c:\windows\java\x.exe
2009-11-06 07:21 . 2009-07-24 02:04 -------- d-----w- c:\program files\uTorrent
2009-11-06 07:21 . 2009-07-24 02:04 -------- d-----w- c:\documents and settings\matty\Application Data\uTorrent
2009-11-03 03:54 . 2009-08-22 04:28 -------- d-----w- c:\documents and settings\matty\Application Data\vlc
2009-11-01 00:23 . 2009-08-20 06:12 -------- d-----w- c:\program files\PopCap Games
2009-10-31 10:22 . 2009-07-25 21:59 -------- d-----w- c:\documents and settings\matty\Application Data\LimeWire
2009-10-29 18:00 . 2009-07-24 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-28 13:48 . 2009-07-24 10:37 -------- d-----w- c:\program files\World of Warcraft
2009-10-24 11:28 . 2009-09-13 00:09 -------- d-----w- c:\program files\Counter-Strike 1.6
2009-10-20 04:40 . 2009-08-23 13:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-11 11:21 . 2009-07-24 04:46 -------- d-----w- c:\program files\Windows Live
2009-10-11 11:20 . 2009-09-07 12:29 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-07 07:24 . 2009-08-23 22:42 -------- d-----w- c:\program files\DivX
2009-10-04 01:47 . 2009-10-04 01:47 -------- d-----w- c:\program files\Microsoft
2009-09-13 05:01 . 2009-09-13 05:01 -------- d-----w- c:\program files\ANI
2009-09-13 05:01 . 2009-07-24 00:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-13 05:00 . 2009-09-13 05:00 -------- d-----w- c:\program files\D-Link
2009-09-13 05:00 . 2009-09-13 05:00 -------- d-----w- c:\documents and settings\matty\Application Data\InstallShield
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 21:41 . 2009-09-08 21:41 -------- d-----w- c:\program files\Alcohol Soft
2009-09-08 21:40 . 2009-09-08 21:40 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-08 08:54 . 2009-07-24 01:25 13688 ----a-w- c:\documents and settings\matty\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 12:30 . 2009-09-07 12:30 -------- d-----w- c:\program files\Microsoft SQL Server
2009-09-07 12:30 . 2009-09-07 11:55 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-09-07 12:29 . 2009-09-07 12:29 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-09-07 12:26 . 2009-09-07 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-07 12:24 . 2009-09-07 12:24 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-09-07 12:17 . 2009-09-07 12:17 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-09-07 11:55 . 2009-09-07 11:55 -------- d-----w- c:\program files\Microsoft.NET
2009-09-07 11:46 . 2009-09-07 11:46 -------- d-----w- c:\program files\Microsoft SDKs
2009-09-07 11:37 . 2009-09-07 11:37 -------- d-----w- c:\program files\MSBuild
2009-09-07 11:36 . 2009-09-07 11:36 -------- d-----w- c:\program files\Reference Assemblies
2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 06:44 . 2009-10-24 10:07 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 06:44 . 2009-10-24 10:07 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 06:44 . 2009-10-24 10:07 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 06:29 . 2009-10-24 10:07 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-03 06:10 . 2009-09-03 06:10 315392 ----a-w- c:\windows\system32\sbcrreag.dll
2009-08-29 08:08 . 2002-08-29 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 06:13 . 2009-08-20 06:13 25 ----a-w- c:\windows\popcinfot.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\sbcrreag.dll ---
Company:
File Description: SB Crash Report Agent
File Version: 1, 0, 2, 3
Product Name: ------
Copyright: Copyright © 2002-2009 Proxy Labs
Original Filename: sbcrreag.dll
File size: 315392
Created time: 2009-09-03 06:10
Modified time: 2009-09-03 06:10
MD5: EA0141FC3DB6458E2B6F38EC6C3AFCC7
SHA1: B6E1033EEF7C4D007371AA86A8A5AC9CC3ABB2A6

---- Directory of c:\documents and settings\matty\Application Data\Messenger ----

2009-11-05 04:37 . 2009-11-05 04:39 24576 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84111.dll
2009-11-05 04:37 . 2009-11-05 04:39 72704 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst8411.dll
2009-11-04 21:26 . 2009-11-05 04:39 24576 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst841.dll
2009-11-04 08:33 . 2009-11-04 08:35 409088 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst8411.VIR
2009-11-02 22:17 . 2009-11-02 22:32 228996 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\smartasf27.exe
2009-11-02 21:32 . 2009-11-02 22:22 133 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\serial.sys
2009-11-02 21:32 . 2009-11-02 21:32 409088 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84.dll
2009-10-30 22:02 . 2009-10-30 22:55 303616 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\msgutil84.dll
2009-10-30 22:01 . 2009-11-05 20:01 2453 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\conf.sys
2009-10-30 22:01 . 2009-07-27 06:48 330752 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll
2009-10-30 22:01 . 2009-07-27 06:48 258048 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\phuninst.dll
2009-10-30 22:01 . 2009-10-01 10:30 10 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\pub.dll
2009-10-30 22:01 . 2009-07-27 06:48 330752 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Sys\mu.dll


------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 14:10 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[-] 2002-08-28 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-05_20.24.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 07:32 . 2009-11-06 07:32 16384 c:\windows\Temp\Perflib_Perfdata_6a8.dat
+ 2009-11-06 07:31 . 2009-11-06 07:31 16384 c:\windows\Temp\Perflib_Perfdata_1f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2006-03-23 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link RangeBooster N DWA-140"="c:\program files\D-Link\D-Link RangeBooster N DWA-140\AirNCFG.exe" [2008-04-15 1675264]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-10-21 64048]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Python26\\pythonw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/24/2009 12:55 PM 108289]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 4:45 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [9/13/2009 4:00 PM 560896]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys --> c:\windows\system32\DRIVERS\cv2k1.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: {8CB6A2E4-D65D-4D3A-B6B5-B86FECE448C0} = 203.12.160.35,203.12.160.36
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\matty\Application Data\Mozilla\Firefox\Profiles\ojtkekrx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{5948A52A-BA3A-49A8-BCAF-D578502BDA9D} - c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll
BHO-{7037B93B-7F76-4973-A177-E0326F67F1F9} - c:\windows\system32\zkhfhslz.dll
AddRemove-Smart-Ads-Solutions - c:\program files\Smart-Ads-Solutions\SmartAds\1.0.27.0\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 18:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x861B3CB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x861b3cb0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1177238915-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e3,07,ee,93,7f,40,7c,27,dc,9b,84,a6,8a,f2,96,b9,62,3a,ef,20,3d,c1,a1,
8b,e8,bc,74,6d,6b,6d,71,b5,75,5a,04,1a,aa,6b,d4,c0,89,73,37,9b,fb,55,b8,ef,\
"??"=hex:00,4f,b8,6d,ad,41,3c,12,68,4f,92,d6,16,9f,d7,aa
.
Completion time: 2009-11-06 18:41
ComboFix-quarantined-files.txt 2009-11-06 07:40
ComboFix2.txt 2009-11-05 20:26

Pre-Run: 32,175,427,584 bytes free
Post-Run: 32,136,781,824 bytes free

- - End Of File - - 1F21D6A912345334AFD2CEC3645E741C
Upload was successful
Old 11-06-2009, 09:02 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

Good job...next steps...

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    Fcopy::
    c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

    Save this as CFScript.txt

    [picture: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
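The Fcopy step above restores atapi.sys from the ServicePackFiles backup, and the Sigcheck block in the preceding log is what justifies that choice: the copy actually loaded from system32\drivers could not even be hashed, while two independent backups (ServicePackFiles and dllcache) carry the same signed hash for the SP3 build. The Python script below is an added example, not part of the original post and not ComboFix's own code. It parses those Sigcheck lines, accepts a restore source only when at least two backups agree on the hash for the installed service pack, and emits the same CFScript the helper wrote. Assumptions of this example: the leading [7]/[-] field is read as ComboFix's signature-status field, with "-" treated as "not verified"; the XP service pack builds are 1106 (SP1), 2180 (SP2) and 5512 (SP3); preferring ServicePackFiles over dllcache is this example's own policy, not something the thread states.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the Sigcheck block from the ComboFix log posted above,
# copied verbatim so the script can run offline.
SIGCHECK_LOG = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 14:10 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[-] 2002-08-28 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\atapi.sys
"""

# Build numbers of the XP service packs, as they appear in the [version] column.
XP_SP_BUILD = {1: "5.1.2600.1106", 2: "5.1.2600.2180", 3: "5.1.2600.5512"}

# The copy the kernel loads at boot, and the backup locations we are willing to
# restore from, in order of preference (assumption: ServicePackFiles is the
# less likely of the two to have been touched by a driver infector).
LIVE_PATH = r"c:\windows\system32\drivers\atapi.sys"
PREFERRED_SOURCES = ("c:\\windows\\servicepackfiles\\i386\\",
                     "c:\\windows\\system32\\dllcache\\")

LINE_RE = re.compile(
    r"^\[(?P<sig>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d\d-\d\d(?:\s+\d\d:\d\d)?)\s+\.\s+"
    r"(?P<hash>.+?)\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*)$"
)


@dataclass(frozen=True)
class DriverCopy:
    sig: str                # ComboFix signature field; "-" taken to mean "not verified"
    md5: Optional[str]      # None when ComboFix could not open the file
    size: int
    version: Optional[str]  # None when the log shows [------]
    path: str


def parse_sigcheck(text: str) -> List[DriverCopy]:
    """Turn Sigcheck lines into records; lines that do not parse are skipped."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        md5 = m["hash"].upper() if re.fullmatch(r"[0-9A-Fa-f]{32}", m["hash"]) else None
        version = None if set(m["version"]) == {"-"} else m["version"]
        copies.append(DriverCopy(m["sig"], md5, int(m["size"]), version, m["path"]))
    return copies


def choose_restore_source(copies, service_pack) -> Tuple[Optional[str], Optional[str]]:
    """Pick (consensus_md5, source_path) for a replacement driver.

    A backup is trusted only if it carries the build of the installed service
    pack, was readable and signed, and at least one backup in another location
    agrees on its hash: a single copy could itself be the attacker's.
    """
    expected = XP_SP_BUILD[service_pack]
    candidates = [c for c in copies
                  if c.version == expected and c.md5 is not None and c.sig != "-"]
    if not candidates:
        return None, None
    consensus, votes = Counter(c.md5 for c in candidates).most_common(1)[0]
    if votes < 2:
        return None, None
    for prefix in PREFERRED_SOURCES:
        for c in candidates:
            if c.md5 == consensus and c.path.lower().startswith(prefix):
                return consensus, c.path
    return None, None


def live_driver_status(copies, consensus) -> str:
    """Classify the copy under system32\\drivers against the trusted hash."""
    live = next((c for c in copies if c.path.lower() == LIVE_PATH), None)
    if live is None:
        return "missing"
    if live.md5 is None:
        return "unreadable"   # this log: the loaded driver could not even be hashed
    if consensus is None:
        return "unverified"
    return "ok" if live.md5 == consensus else "modified"


def build_cfscript(copies, service_pack):
    """Return (status, CFScript text or None); no script when nothing needs
    replacing or when no corroborated clean source exists."""
    consensus, source = choose_restore_source(copies, service_pack)
    status = live_driver_status(copies, consensus)
    if status == "ok" or source is None:
        return status, None
    return status, f"Fcopy::\n{source} | {LIVE_PATH}"


if __name__ == "__main__":
    status, script = build_cfscript(parse_sigcheck(SIGCHECK_LOG), service_pack=3)
    print(f"live atapi.sys: {status}")
    print(script or "no corroborated clean copy found")
```

Run against the posted Sigcheck block with service pack 3, the script reports the live driver as unreadable and produces exactly the two-line CFScript from the post. Asked for SP2 or SP1 instead, it refuses: the SP2 backup is a single uncorroborated copy and the two SP1 copies are unsigned.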
Old 11-06-2009, 03:31 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu


Re: posting right, requesting malware removal help

ComboFix 09-11-05.05 - matty 11/07/2009 9:21.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.715 [GMT 11:00]
Running from: c:\documents and settings\matty\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\matty\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-04 08:18 . 2009-11-04 08:18 13836 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-04 05:45 . 2009-11-06 17:00 -------- d-----w- c:\documents and settings\matty\Application Data\mIRC
2009-11-04 05:45 . 2009-11-06 12:55 -------- d-----w- c:\program files\mIRC
2009-11-04 05:30 . 2009-11-04 08:36 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Temporary Projects
2009-11-03 07:54 . 2009-11-06 11:46 -------- d-----w- c:\program files\Advanced Port Scanner
2009-11-01 22:22 . 2009-11-01 22:36 -------- d-----w- c:\documents and settings\matty\Application Data\VMware
2009-11-01 12:43 . 2009-11-01 12:43 909320 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\uninstall.exe
2009-11-01 12:43 . 2009-11-01 12:40 958000 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.dll
2009-11-01 12:43 . 2009-11-01 12:40 922672 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib64.exe
2009-11-01 12:43 . 2009-11-01 12:40 760368 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.dll
2009-11-01 12:43 . 2009-11-01 12:40 569344 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_core.dll
2009-11-01 12:43 . 2009-11-01 12:40 331776 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\module_ws.dll
2009-11-01 12:43 . 2009-11-01 12:40 731696 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vminstutil.dll
2009-11-01 12:43 . 2009-11-01 12:40 703024 ----a-w- c:\documents and settings\All Users\Application Data\VMware\VMware Player\Uninstaller\vnetlib.exe
2009-11-01 12:42 . 2009-10-21 13:13 59952 ----a-r- c:\windows\system32\vnetinst.dll
2009-11-01 12:42 . 2009-10-21 13:13 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2009-11-01 12:42 . 2009-10-21 17:44 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-11-01 12:42 . 2009-10-21 17:44 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-11-01 12:42 . 2009-10-21 17:44 395824 ----a-w- c:\windows\system32\vmnat.exe
2009-11-01 12:42 . 2009-10-21 13:13 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-11-01 12:42 . 2009-10-21 17:44 760368 ----a-w- c:\windows\system32\vnetlib.dll
2009-11-01 12:41 . 2009-10-21 17:45 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2009-11-01 12:41 . 2009-11-06 22:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-11-01 12:41 . 2009-11-01 12:41 -------- d-----w- c:\program files\Common Files\VMware
2009-11-01 12:40 . 2009-11-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-11-01 12:40 . 2009-11-01 12:40 -------- d-----w- c:\program files\VMware
2009-10-31 23:17 . 2009-11-01 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-31 23:17 . 2009-11-01 13:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-31 03:21 . 2009-10-31 03:22 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Deployment
2009-10-30 22:01 . 2009-10-30 22:01 -------- d-----w- c:\documents and settings\matty\Application Data\Messenger
2009-10-28 21:06 . 2009-10-28 21:06 -------- d-----w- c:\windows\system32\Adobe
2009-10-27 21:02 . 2009-10-27 21:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-27 09:02 . 2009-10-27 09:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-10-27 06:02 . 2009-10-27 06:02 -------- d-----w- c:\program files\Messenger Plus! Live
2009-10-26 04:20 . 2009-10-26 05:07 -------- d-----w- c:\documents and settings\matty\Application Data\FileZilla
2009-10-26 04:20 . 2009-10-26 04:20 -------- d-----w- c:\program files\FileZilla FTP Client
2009-10-25 21:24 . 2009-10-25 21:24 2149888 ----a-w- c:\windows\system32\python26.dll
2009-10-24 17:53 . 2009-10-26 09:32 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\SecondLife
2009-10-24 10:38 . 2009-10-24 10:37 7677746 ----a-w- c:\windows\system\xlive.dll
2009-10-24 10:37 . 2009-10-24 10:37 7677746 ----a-w- c:\windows\xlive.dll
2009-10-24 10:08 . 2009-10-24 10:40 -------- d-----w- c:\documents and settings\matty\Local Settings\Application Data\Fallout3
2009-10-24 10:06 . 2005-05-26 04:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-10-24 10:01 . 2009-10-24 10:01 -------- d-----w- c:\windows\Logs
2009-10-24 10:01 . 2009-10-24 10:06 -------- d--h--w- c:\windows\msdownld.tmp
2009-10-23 20:39 . 2009-10-23 20:39 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-23 06:51 . 2009-10-23 06:51 -------- d--h--r- c:\documents and settings\matty\Application Data\SecuROM
2009-10-23 06:40 . 2009-10-23 06:40 -------- d-----w- c:\program files\Electronic Arts
2009-10-21 17:45 . 2009-10-21 17:45 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-21 17:45 . 2009-10-21 17:45 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2009-10-21 17:45 . 2009-10-21 17:45 853936 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-21 17:45 . 2009-10-21 17:45 70704 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-21 17:44 . 2009-10-21 17:44 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys
2009-10-21 16:47 . 2009-10-21 16:47 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys
2009-10-21 16:22 . 2009-10-21 16:22 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-17 19:15 . 2007-10-21 16:39 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2009-10-17 19:15 . 2007-10-21 16:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2009-10-17 19:15 . 2007-10-12 04:14 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2009-10-17 19:15 . 2007-10-01 22:56 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2009-10-17 19:15 . 2007-10-12 04:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2009-10-12 03:33 . 2009-10-12 03:33 64960 ----a-w- c:\windows\system32\drivers\stcp2v30.sys
2009-10-11 11:20 . 2006-11-29 02:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-09 22:46 . 2009-10-09 22:46 -------- d-----w- c:\program files\MSXML 4.0
2009-10-09 22:22 . 2004-04-29 22:37 160640 ----a-w- c:\windows\system32\drivers\a347bus.sys
2009-10-09 22:22 . 2004-04-29 22:33 5248 ----a-w- c:\windows\system32\drivers\a347scsi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 21:58 . 2009-07-24 02:04 -------- d-----w- c:\documents and settings\matty\Application Data\uTorrent
2009-11-06 15:21 . 2009-07-24 02:04 -------- d-----w- c:\program files\uTorrent
2009-11-06 07:22 . 2009-11-06 07:22 30601 ----a-w- c:\windows\java\x.exe
2009-11-03 03:54 . 2009-08-22 04:28 -------- d-----w- c:\documents and settings\matty\Application Data\vlc
2009-11-01 00:23 . 2009-08-20 06:12 -------- d-----w- c:\program files\PopCap Games
2009-10-31 10:22 . 2009-07-25 21:59 -------- d-----w- c:\documents and settings\matty\Application Data\LimeWire
2009-10-29 18:00 . 2009-07-24 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-28 13:48 . 2009-07-24 10:37 -------- d-----w- c:\program files\World of Warcraft
2009-10-24 11:28 . 2009-09-13 00:09 -------- d-----w- c:\program files\Counter-Strike 1.6
2009-10-20 04:40 . 2009-08-23 13:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-11 11:21 . 2009-07-24 04:46 -------- d-----w- c:\program files\Windows Live
2009-10-11 11:20 . 2009-09-07 12:29 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-07 07:24 . 2009-08-23 22:42 -------- d-----w- c:\program files\DivX
2009-10-04 01:47 . 2009-10-04 01:47 -------- d-----w- c:\program files\Microsoft
2009-09-13 05:01 . 2009-09-13 05:01 -------- d-----w- c:\program files\ANI
2009-09-13 05:01 . 2009-07-24 00:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-13 05:00 . 2009-09-13 05:00 -------- d-----w- c:\program files\D-Link
2009-09-13 05:00 . 2009-09-13 05:00 -------- d-----w- c:\documents and settings\matty\Application Data\InstallShield
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 21:41 . 2009-09-08 21:41 -------- d-----w- c:\program files\Alcohol Soft
2009-09-08 21:40 . 2009-09-08 21:40 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-08 08:54 . 2009-07-24 01:25 13688 ----a-w- c:\documents and settings\matty\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 12:24 . 2009-09-07 12:24 193824 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-09-07 12:17 . 2009-09-07 12:17 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 06:44 . 2009-10-24 10:07 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 06:44 . 2009-10-24 10:07 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 06:44 . 2009-10-24 10:07 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 06:29 . 2009-10-24 10:07 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 06:29 . 2009-10-24 10:07 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-03 06:10 . 2009-09-03 06:10 315392 ----a-w- c:\windows\system32\sbcrreag.dll
2009-08-29 08:08 . 2002-08-29 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 06:13 . 2009-08-20 06:13 25 ----a-w- c:\windows\popcinfot.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-11-05_20.24.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-06 22:20 . 2009-11-06 22:20 16384 c:\windows\Temp\Perflib_Perfdata_d4.dat
+ 2009-11-06 22:19 . 2009-11-06 22:19 16384 c:\windows\Temp\Perflib_Perfdata_7a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2006-03-23 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link RangeBooster N DWA-140"="c:\program files\D-Link\D-Link RangeBooster N DWA-140\AirNCFG.exe" [2008-04-15 1675264]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2009-10-21 64048]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Python26\\pythonw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/24/2009 12:55 PM 108289]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 4:45 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [9/13/2009 4:00 PM 560896]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys --> c:\windows\system32\DRIVERS\cv2k1.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: {8CB6A2E4-D65D-4D3A-B6B5-B86FECE448C0} = 203.12.160.35,203.12.160.36
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\matty\Application Data\Mozilla\Firefox\Profiles\ojtkekrx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{5948A52A-BA3A-49A8-BCAF-D578502BDA9D} - (no file)
BHO-{7037B93B-7F76-4973-A177-E0326F67F1F9} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 09:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x861B3CB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x861b3cb0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1177238915-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e3,07,ee,93,7f,40,7c,27,dc,9b,84,a6,8a,f2,96,b9,62,3a,ef,20,3d,c1,a1,
8b,e8,bc,74,6d,6b,6d,71,b5,75,5a,04,1a,aa,6b,d4,c0,89,73,37,9b,fb,55,b8,ef,\
"??"=hex:00,4f,b8,6d,ad,41,3c,12,68,4f,92,d6,16,9f,d7,aa
.
Completion time: 2009-11-06 9:28
ComboFix-quarantined-files.txt 2009-11-06 22:28
ComboFix2.txt 2009-11-06 07:44
ComboFix3.txt 2009-11-05 20:26

Pre-Run: 31,394,676,736 bytes free
Post-Run: 31,368,396,800 bytes free

- - End Of File - - 5BE7F15E14AE23589B045D27B0864F19
Old 11-06-2009, 05:35 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?
Old 11-06-2009, 11:55 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu


Re: posting right, requesting malware removal help

Malwarebytes' Anti-Malware 1.41
Database version: 3113
Windows 5.1.2600 Service Pack 3

11/7/2009 5:54:03 PM
mbam-log-2009-11-07 (17-54-03).txt

Scan type: Quick Scan
Objects scanned: 95596
Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{bbcc290a-5e32-4e54-80db-f0f3f3892444} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d8c0508c-e235-4d9e-a27e-c8bb5f527dc9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5948a52a-ba3a-49a8-bcaf-d578502bda9d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5948a52a-ba3a-49a8-bcaf-d578502bda9d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\MessengerUpdateProject.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\matty\Application Data\Messenger\Drivers (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\matty\Application Data\Messenger\Drivers\Aud32 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\matty\Application Data\Messenger\Sys (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst8411.VIR (Trojan.Agent) -> Quarantined and deleted successfully.


--------------------------------------------------------------------------
The machine was doing completely fine; I hadn't had a single detection since the first couple of steps you gave me. As I was removing the selected Trojans with Malwarebytes, a couple of detections came up.
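The MBAM log above can be checked against the ComboFix output earlier in the thread: the BHO CLSID {5948A52A-BA3A-49A8-BCAF-D578502BDA9D} that ComboFix listed as an orphan pointing at Messenger\Drivers\MsgUpdate.dll is the same CLSID whose registry keys MBAM removed, and the three folders MBAM quarantined are the ones that held the files ComboFix listed under Application Data\Messenger. The Python below is an added example, not from any post in this thread and not code from either tool. It parses the MBAM log, verifies the declared counts against the entries actually listed (a truncated or hand-edited log fails this check), and correlates GUIDs and paths with a ComboFix excerpt. The two excerpts are copied from the logs in this thread; the function names and the folder-prefix matching rule are the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpts, copied from the ComboFix and MBAM logs posted in this
# thread so the script runs offline. Only lines relevant to the
# Application Data\Messenger infection are included.
COMBOFIX_EXCERPT = r"""
2009-11-02 22:17 . 2009-11-02 22:32 228996 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\Aud32\smartasf27.exe
2009-10-30 22:01 . 2009-07-27 06:48 330752 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll
2009-10-30 22:01 . 2009-07-27 06:48 330752 ----a-w- c:\documents and settings\matty\Application Data\Messenger\Sys\mu.dll
BHO-{5948A52A-BA3A-49A8-BCAF-D578502BDA9D} - c:\documents and settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll
BHO-{7037B93B-7F76-4973-A177-E0326F67F1F9} - c:\windows\system32\zkhfhslz.dll
"""

MBAM_LOG = r"""
Registry Keys Infected: 5
Registry Values Infected: 0
Folders Infected: 3
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{bbcc290a-5e32-4e54-80db-f0f3f3892444} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d8c0508c-e235-4d9e-a27e-c8bb5f527dc9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5948a52a-ba3a-49a8-bcaf-d578502bda9d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5948a52a-ba3a-49a8-bcaf-d578502bda9d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\MessengerUpdateProject.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\matty\Application Data\Messenger\Drivers (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\matty\Application Data\Messenger\Drivers\Aud32 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\matty\Application Data\Messenger\Sys (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst8411.VIR (Trojan.Agent) -> Quarantined and deleted successfully.
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# "Registry Keys Infected: 5" is a summary line; "Registry Keys Infected:" opens a section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
PATH_RE = re.compile(r"[a-z]:\\.+$", re.I)


def parse_mbam(text):
    """Split an MBAM log into {section: [(item, detection, action)]} and the
    counts its summary block declares, so the two can be cross-checked."""
    sections = defaultdict(list)
    declared = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m["count"] is None:
                current = m["section"]
            else:
                declared[m["section"]] = int(m["count"])
            continue
        m = ITEM_RE.match(line)
        if m and current:
            sections[current].append((m["item"], m["name"], m["action"]))
    return dict(sections), declared


def count_mismatches(sections, declared):
    """Sections whose declared count differs from the entries actually listed."""
    return {s: (n, len(sections.get(s, []))) for s, n in declared.items()
            if n != len(sections.get(s, []))}


def combofix_paths(text):
    """Every drive-letter path ComboFix printed, lower-cased for comparison."""
    return {m.group(0).strip().lower()
            for m in map(PATH_RE.search, text.splitlines()) if m}


def correlate(combofix_text, mbam_text):
    """Intersect GUIDs from both logs and check which ComboFix paths fall under
    a folder MBAM quarantined; the rest are left for follow-up."""
    sections, _ = parse_mbam(mbam_text)
    cf_guids = {g.lower() for g in GUID_RE.findall(combofix_text)}
    cf_paths = combofix_paths(combofix_text)
    items = [item for entries in sections.values() for item, _, _ in entries]
    mbam_guids = {g.lower() for item in items for g in GUID_RE.findall(item)}
    folders = {item.lower() for item, _, _ in sections.get("Folders Infected", [])}
    covered = {p for p in cf_paths if any(p.startswith(f + "\\") for f in folders)}
    return {
        "shared_guids": cf_guids & mbam_guids,
        "combofix_only_guids": cf_guids - mbam_guids,
        "mbam_only_guids": mbam_guids - cf_guids,
        "paths_inside_mbam_folders": covered,
        "paths_not_covered": cf_paths - covered,
    }


if __name__ == "__main__":
    sections, declared = parse_mbam(MBAM_LOG)
    print("count mismatches:", count_mismatches(sections, declared) or "none")
    for key, value in correlate(COMBOFIX_EXCERPT, MBAM_LOG).items():
        print(f"{key}: {sorted(value)}")
```

On these excerpts the counts agree, the one shared GUID is the MsgUpdate.dll BHO, the three Messenger paths ComboFix listed all sit inside folders MBAM quarantined, and c:\windows\system32\zkhfhslz.dll (the second orphaned BHO, which ComboFix's follow-up run already showed as "(no file)") is the only ComboFix path MBAM's folder removals do not account for.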
Old 11-07-2009, 12:03 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

Quote:
as i was removing the selected Trojans with malware, a couple of detections came up.
More detail, please. Detections from Avira? Were those detections the items MBAM was removing? This sometimes happens. Did Avira give the file name/path of the detections?
Old 11-07-2009, 12:06 AM   #11 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu


Re: posting right, requesting malware removal help

Yes, it was from Avira, and they were the same as the original; they must have been while MBAM was moving them. I just went with the default selection (deny access), but nothing more has happened, so if there is another step, I'm good to go.
Old 11-07-2009, 12:11 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

Ok, great.

Next steps....

This tool clears temp files and empties your Recycle Bin.

1. Download TFC (Temp File Cleaner) to your desktop, or other location.
2. Save any unsaved work. TFC will close all open application windows.
3. Double-click TFC.exe to run the program.
4. If prompted, click "Yes" to reboot.

---------------------------------------------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 15 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Once the install is complete....

Go into the Control Panel and double-click the Java Icon (looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants. This scan can take quite a while, but it's very thorough.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------
Old 11-07-2009, 03:00 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu


Re: posting right, requesting malware removal help

Sorry about the long response time, but I throttled my bandwidth downloading movies.
78 MB @ 7 KB/s
We're looking at about 2 hours to go.
Old 11-07-2009, 08:41 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

You really should not be using the machine for anything else while performing the online scan.

Downloading movies from where? Are they legal? Infections often come from peer2peer downloads.
Old 11-07-2009, 12:59 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu


Re: posting right, requesting malware removal help

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 8, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, November 07, 2009 10:41:15
Records in database: 3169988
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
H:\

Scan statistics:
Objects scanned: 63204
Threats found: 7
Infected objects found: 12
Suspicious objects found: 0
Scan duration: 02:03:56


File name / Threat / Threats count
C:\Documents and Settings\matty\My Documents\Downloads\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028600.exe Infected: not-a-virus:AdWare.Win32.RON.pw 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028601.exe Infected: not-a-virus:AdWare.Win32.RON.pw 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028602.exe Infected: not-a-virus:AdWare.Win32.RON.pw 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028603.exe Infected: not-a-virus:AdWare.Win32.RON.pw 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP56\A0014254.exe Infected: not-a-virus:Monitor.Win32.ActualSpy.ki 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP56\A0014254.exe Infected: not-a-virus:Monitor.Win32.ActualSpy.kl 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP56\A0014254.exe Infected: not-a-virus:Monitor.Win32.ActualSpy.kj 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP56\A0014254.exe Infected: not-a-virus:Monitor.Win32.ActualSpy.kk 1
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP56\A0014254.exe Infected: not-a-virus:Monitor.Win32.ActualSpy.kh 1
F:\Stuff\misc\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

Selected area has been scanned.


------------------------

Most of the movies are legal, and they were downloaded days before the scan; when I posted my previous reply it was downloading, not scanning.
Old 11-07-2009, 01:07 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

I see, throttled down for previous downloads; sure, that will cause a huge slowdown for downloading the Kaspersky defs, as they are quite large.


How is the machine behaving now? Any redirected searches?
Old 11-07-2009, 01:36 PM   #17 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu


Re: posting right, requesting malware removal help

There were none in the first place, but no, completely clean. Should I run an Avira scan to see if it detects anything?
Old 11-07-2009, 03:18 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

Yes, that would be a good thing to do. Update Avira definitions, and run a full system scan. Post the Avira log when it's done. When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply.

Don't worry about finds in C:\Qoobox or C:\System Volume Information....those are ComboFix quarantine, and System Restore's cache. We'll take care of those once we're done.
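One way to apply the triage rule in the post above in code, as an added example that is not part of the thread and not Avira's or ComboFix's own tooling: it parses the report layout the Avira log in this thread uses (a path line followed by indented [DETECTION] lines, with "-->" lines for archive members) and separates detections under C:\Qoobox or System Volume Information from ones in live locations. The log excerpt, paths and signature names below are constructed; the GUID is a placeholder.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Avira report in this thread
# (paths and signature names are made up; the GUID is a placeholder).
SAMPLE_LOG = """\
Begin scan in 'C:\\'
C:\\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\\Documents and Settings\\user\\My Documents\\Downloads\\sample.zip
[0] Archive type: ZIP
--> inner.dll
[DETECTION] Is the TR/Example.A Trojan
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\example.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Example.B worm
C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP1\\A0000001.exe
[DETECTION] Is the TR/Example.C Trojan
C:\\WINDOWS\\system32\\drivers\\example.sys
[WARNING] The file could not be opened!

Beginning disinfection:
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\example.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Example.B worm
[NOTE] The file was moved to '00000000.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
MEMBER_RE = re.compile(r"^-->\s*(.+)$")
DETECTION_RE = re.compile(
    r"\[DETECTION\]\s+(?:Is the|Contains recognition pattern of the)\s+(\S+)")


def classify(path: str) -> str:
    """Bucket a path the way the helper's post does: ComboFix's quarantine and
    System Restore's cache hold already-neutralised copies; the rest is live."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in low:
        return "system_restore"
    return "live"


def parse_avira_log(text: str) -> list[dict]:
    """Collect one record per [DETECTION] in the file-scan section."""
    findings = []
    path = member = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection"):
            break  # the disinfection section repeats detections; avoid double counting
        if PATH_RE.match(line):
            path, member = line, None  # new scanned object; reset archive member
            continue
        m = MEMBER_RE.match(line)
        if m:
            member = m.group(1)  # member inside an archive ("--> name")
            continue
        m = DETECTION_RE.search(line)
        if m and path:
            findings.append({"path": path, "member": member,
                             "signature": m.group(1), "category": classify(path)})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count detections per location bucket."""
    return dict(Counter(f["category"] for f in findings))


def live_findings(findings: list[dict]) -> list[dict]:
    """Only detections outside quarantine/restore caches still need attention."""
    return [f for f in findings if f["category"] == "live"]


if __name__ == "__main__":
    found = parse_avira_log(SAMPLE_LOG)
    print(summarize(found))
    for f in live_findings(found):
        print("needs attention:", f["path"], f["member"], f["signature"])
```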
Old 11-07-2009, 05:12 PM   #19 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 13
OS: windows XP pro, Ubuntu


Re: posting right, requesting malware removal help

Avira AntiVir Personal
Report file date: Sunday, November 08, 2009 10:20

Scanning for 1863041 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MATTHEW

Version information:
BUILD.DAT : 9.0.0.410 18074 Bytes 9/25/2009 11:56:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 8/6/2009 05:53:00
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 01:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 02:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 01:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 03:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 11:17:34
ANTIVIR2.VDF : 7.1.6.160 5413376 Bytes 10/28/2009 00:19:35
ANTIVIR3.VDF : 7.1.6.186 221696 Bytes 11/4/2009 1128
Engineversion : 8.2.1.53
AEVDF.DLL : 8.1.1.2 106867 Bytes 9/16/2009 06:59:32
AESCRIPT.DLL : 8.1.2.43 528764 Bytes 11/1/2009 00:20:01
AESCN.DLL : 8.1.2.5 127346 Bytes 9/5/2009 06:56:01
AERDL.DLL : 8.1.3.2 479604 Bytes 10/4/2009 02:30:24
AEPACK.DLL : 8.2.0.2 422263 Bytes 10/23/2009 10:40:45
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/24/2009 11:18:44
AEHEUR.DLL : 8.1.0.173 2064760 Bytes 11/1/2009 00:19:56
AEHELP.DLL : 8.1.7.0 237940 Bytes 9/5/2009 06:55:59
AEGEN.DLL : 8.1.1.70 364917 Bytes 11/1/2009 00:19:38
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/4/2009 02:29:59
AECORE.DLL : 8.1.8.1 184693 Bytes 9/16/2009 06:58:54
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 05:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/11/2008 23:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/9/2009 06:53:42
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 05:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 01:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 06:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 01:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 06:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/1/2009 23:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 01:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 06:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 01:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, November 08, 2009 10:20

Starting search for hidden objects.
'46682' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'mirc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'uTorrent.exe' - '1' Module(s) have been scanned
Scan process 'wmplayer.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'wlcomm.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'vmware-authd.exe' - '1' Module(s) have been scanned
Scan process 'vmnetdhcp.exe' - '1' Module(s) have been scanned
Scan process 'vmnat.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'hqtray.exe' - '1' Module(s) have been scanned
Scan process 'AirNCFG.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'vmware-usbarbitrator.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
38 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '58' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\matty\My Documents\Downloads\KWF.zip
[0] Archive type: ZIP
--> KC.dll
[DETECTION] Is the TR/PSW.Cloner.D Trojan
--> MC.dll
[DETECTION] Is the TR/PSW.Cloner.D.1 Trojan
C:\Qoobox\Quarantine\[4]-Submit_2009-11-06_18.32.36.zip
[0] Archive type: ZIP
--> msgasst84.dll
[DETECTION] Is the TR/Spy.409088.1 Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\Qoobox\Quarantine\C\Documents and Settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\Qoobox\Quarantine\C\Documents and Settings\matty\Application Data\Messenger\Drivers\Aud32\msgutil84.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\Qoobox\Quarantine\C\Documents and Settings\matty\Application Data\Messenger\Sys\mu.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\Qoobox\Quarantine\C\WINDOWS\system32\zkhfhslz.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP115\A0025146.exe
[DETECTION] Is the TR/Dldr.Swizzor.24166.17 Trojan
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP115\A0025152.exe
[DETECTION] Is the TR/C2lop.N.238 Trojan
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028600.exe
[0] Archive type: RAR SFX (self extracting)
--> go27.exe
[1] Archive type: NSIS
--> ProgramFilesDir/[TempDir]/[UnknownDir].dll
[DETECTION] Contains recognition pattern of the ADSPY/Cpmsky.A.15 adware or spyware
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028601.exe
[0] Archive type: RAR SFX (self extracting)
--> go27.exe
[1] Archive type: NSIS
--> ProgramFilesDir/[TempDir]/[UnknownDir].dll
[DETECTION] Contains recognition pattern of the ADSPY/Cpmsky.A.15 adware or spyware
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028602.exe
[0] Archive type: RAR SFX (self extracting)
--> go27.exe
[1] Archive type: NSIS
--> ProgramFilesDir/[TempDir]/[UnknownDir].dll
[DETECTION] Contains recognition pattern of the ADSPY/Cpmsky.A.15 adware or spyware
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028603.exe
[0] Archive type: RAR SFX (self extracting)
--> go27.exe
[1] Archive type: NSIS
--> ProgramFilesDir/[TempDir]/[UnknownDir].dll
[DETECTION] Contains recognition pattern of the ADSPY/Cpmsky.A.15 adware or spyware
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031558.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031562.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031565.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031569.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031571.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\WINDOWS\system32\drivers\atapi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Documents and Settings\matty\My Documents\Downloads\KWF.zip
[NOTE] The file was moved to '4b3c0bbe.qua'!
C:\Qoobox\Quarantine\[4]-Submit_2009-11-06_18.32.36.zip
[NOTE] The file was moved to '4b530b9b.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\matty\Application Data\Messenger\Drivers\MsgUpdate.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '4b5d0bdb.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\matty\Application Data\Messenger\Drivers\Aud32\msgasst84.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '482533c4.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\matty\Application Data\Messenger\Drivers\Aud32\msgutil84.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '4824343c.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\matty\Application Data\Messenger\Sys\mu.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '4b240bdd.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\zkhfhslz.dll.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '4b5e0bd3.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP115\A0025146.exe
[DETECTION] Is the TR/Dldr.Swizzor.24166.17 Trojan
[NOTE] The file was moved to '4b260b98.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP115\A0025152.exe
[DETECTION] Is the TR/C2lop.N.238 Trojan
[NOTE] The file was moved to '4a5e5209.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028600.exe
[NOTE] The file was moved to '485c4c31.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028601.exe
[NOTE] The file was moved to '4a542179.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028602.exe
[NOTE] The file was moved to '4b260b9b.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP116\A0028603.exe
[NOTE] The file was moved to '4b260b9e.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031558.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '4b260ba0.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031562.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '4a5041a1.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031565.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '4b260ba1.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031569.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '48a67052.qua'!
C:\System Volume Information\_restore{B6C92CF7-A2AA-4DC1-AC17-48D5905FC1BA}\RP123\A0031571.dll
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '48a7881a.qua'!


End of the scan: Sunday, November 08, 2009 11:06
Used time: 41:04 Minute(s)

The scan has been done completely.

5370 Scanned directories
163985 Files were scanned
19 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
18 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
163963 Files not concerned
1135 Archives were scanned
3 Warnings
19 Notes
46682 Objects were scanned with rootkit scan
0 Hidden objects were found
Old 11-07-2009, 06:05 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Re: posting right, requesting malware removal help

Hi -

There's something still bothering me in these logs. A couple questions, and a couple more steps will help clear this up.

I don't see Alcohol 120% still installed, was it once, but it is no longer?
All times are GMT -7. The time now is 06:28 AM.
Copyright 2001 - 2009, Tech Support Forum