CastleCops, Internet Crime Fighters

[IN PROGRESS] Hijacked!

 
Forum: Trend Micro HijackThis Logs
taxxin
Cadet
Joined: May 12, 2008
Posts: 8
Location: USA

Posted: Mon May 12, 2008 2:09 am    Post subject: Hijacked!

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:39 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\b2new.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\SYSTEM32\RAMASST.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\urqRJYqo.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-21-299502267-1993962763-725345543-1004\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot (User 'smcconnell1')
O4 - HKUS\S-1-5-21-299502267-1993962763-725345543-1004\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'smcconnell1')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\SYSTEM32\RAMASST.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196915030609
O20 - Winlogon Notify: urqRJYqo - C:\WINDOWS\SYSTEM32\urqRJYqo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7069 bytes

Have made several attempts to get all the malicious items, but obviously I am missing a key component.

taxxin

Prince_Serendip
Site Moderator
Joined: Sep 07, 2002
Posts: 17111
1st Responders MIRT Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Rootkit Responders

Posted: Mon May 12, 2008 2:43 pm

IMPORTANT: Please tell us, in your own words, what problems you are having on your computer. This will assist our development of a solution to them. (Just sticking up a log is not enough.) Thanks.


_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
taxxin
Cadet
Joined: May 12, 2008
Posts: 8
Location: USA

Posted: Mon May 12, 2008 8:19 pm    Post subject: details

Well, here goes...

Task Manager is disabled by the Administrator, even though I am logged on as the administrator.

Desktop background states computer is infected, click here to download cleaner, doing so opens 3-5 website pages.

Little yellow triangle in the systray keeps popping up messages that computer is being attacked, computer is running slowly because it has spyware, computer is infected.

Large red box appears in the middle of screen detailing infections present with a link, but entire popup is one large button that in turn opens 3-5 web pages.

If you attempt to ignore the boxes, they will eventually open webpages until you overrun the buffer.

I have scanned and followed the directions in the FAQ section, and attempted to "fix" what I did not recognize as legit, but within 2 minutes of doing so, everything returns to the hijacked state.

Wife states that Avast popped up a window about a trojan, but she did not know what that was so she chose ignore. Now anti-virus software is unable to delete or quarantine anything it finds.

PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005
Posts: 11723
1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

Posted: Mon May 12, 2008 9:16 pm

Hi,

My name is PCBruiser (or PCB for short), and I will be helping you to remove any malware on your system.

Please copy and print out these instructions using Notepad so they will be readily available to you. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, please ask your question(s) before doing anything further.

1. Run HijackThis again, but this time choose Do a system scan only, that is the second option from the top in the HijackThis What would you like to do choices. After HijackThis completes the system scan, check the box immediately to the left of the following item(s):

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\urqRJYqo.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O9 - Extra button: Acez.com - Download Free Screen Savers - {88E50F1D-4790-4C6B-BEE3-D54E46B6EEF6} - C:\WINDOWS\acezlink.htm
O20 - Winlogon Notify: urqRJYqo - C:\WINDOWS\SYSTEM32\urqRJYqo.dll


Please be very careful, do NOT check any other boxes.

Next, click on Fix checked on the bottom left side of the HijackThis screen.

Next, reboot.

2. Your system does not have a software firewall installed. This exposes you to many malware exploits you really don't want to have on your system. Please download and install Online Armor v2 Free from here:

http://www.tallemu.com/

The link to the free version is on the left hand side of that page.

If you would prefer to use a different firewall, three other good free ones are: Zone Alarm Free, which is the one near the bottom of the page accessed by the radio button called "I only want ZoneAlarm basic protection", Comodo and Sunbelt Personal Firewall (Free). If one of those does not meet your needs, you can try a different one, but check it with me first to make sure it is legitimate firewall software.

3. Download Malwarebytes' Anti-Malware from HERE or from HERE

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware; then click Finish.
  • If an update is found, it will download and install the latest version.
  • Reboot into Safe Mode by tapping F8 at boot. Then open Malwarebytes' Anti-Malware.
  • Once the program has loaded, select "Perform Quick Scan"; then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad. You may be prompted to Restart (See Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

4. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).


5. Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


6. Please post the following:

a. the MBAM log file
b. report.txt from SDFix
c. combofix.txt
d. a fresh HJT log


_________________
Don't read? Can't learn!
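The fix list in Step 1 above reflects a handful of review rules that can be read straight off a HijackThis log: O2 BHO entries whose CLSID points at "(no file)" are dead registrations, an unnamed BHO that does have a file on disk deserves a look, any O20 Winlogon Notify entry is by definition non-default, an O23 service with "Unknown owner" and a binary sitting directly in the Windows directory is suspect, and, most telling here, the same DLL (urqRJYqo.dll) shows up under both O2 and O20. The script below is an added example, not part of this thread and not code from HijackThis or Trend Micro: it parses lines in the HijackThis v2 log format and applies those rules, so a helper can spot the cross-section pattern mechanically instead of by eye. The sample lines are copied from the log posted at the top of the thread; the severity labels and the "Windows directory root" heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# Sample input in HijackThis v2 log format. These lines are copied from the log
# posted earlier in this thread, trimmed to one representative entry of each kind.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\urqRJYqo.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: urqRJYqo - C:\WINDOWS\SYSTEM32\urqRJYqo.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Split each 'Onn - ...' line into its section code and its ' - ' separated fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, the running-process list, blank lines
        code, rest = m.groups()
        fields = [f.strip() for f in rest.split(" - ")]
        entries.append({"code": code, "fields": fields, "raw": line})
    return entries


def file_name(field):
    """Lowercase file name of a path-like field, or None when no file is referenced."""
    if field == "(no file)" or "\\" not in field:
        return None
    return field.rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Apply review heuristics (this example's own, not HijackThis rules) and
    return (severity, reason, raw line) tuples."""
    # First pass: record which sections load each file name. The same DLL
    # registered as a BHO and as a Winlogon Notify package is the pattern in
    # this thread's log.
    load_points = defaultdict(set)
    for e in entries:
        name = file_name(e["fields"][-1])
        if name:
            load_points[name].add(e["code"])

    findings = []
    for e in entries:
        code, fields, raw = e["code"], e["fields"], e["raw"]
        path = fields[-1]
        if code == "O2" and path == "(no file)":
            findings.append(("cleanup", "BHO CLSID registered but its file is gone", raw))
        elif code == "O2" and fields[0] == "BHO: (no name)":
            findings.append(("review", "unnamed BHO with a file on disk", raw))
        if code == "O20":
            # HijackThis only lists Winlogon Notify packages that are not Windows defaults.
            findings.append(("review", "non-default Winlogon Notify package", raw))
        if code == "O23" and len(fields) >= 3 and fields[1] == "Unknown owner":
            # A service with no vendor string whose binary sits directly in the
            # Windows directory is rated high here (constructed heuristic).
            in_windows_root = path.lower().startswith("c:\\windows\\") and path.count("\\") == 2
            findings.append(("high" if in_windows_root else "review",
                             "service with unknown owner", raw))
        name = file_name(path)
        if name and len(load_points[name]) > 1:
            sections = ", ".join(sorted(load_points[name]))
            findings.append(("high", f"{name} is loaded from {len(load_points[name])} load points: {sections}", raw))
    return findings


if __name__ == "__main__":
    for severity, reason, raw in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:7}] {reason}\n          {raw}")
```

Run it as-is to see the sample triaged, or replace SAMPLE_LOG with the text of a full log. The Adobe and avast! entries produce no findings, the orphaned BHO is marked for cleanup only, and the two lines referencing urqRJYqo.dll are promoted to high solely because one file is wired into two separate load points, which is the same signal a human helper keys on.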
taxxin
Cadet
Joined: May 12, 2008
Posts: 8
Location: USA

Posted: Wed May 14, 2008 6:12 pm    Post subject: combofix log

ComboFix 08-05-12.1 - smcconnell1 2008-05-12 22:16:56.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.680 [GMT -5:00]
Running from: C:\Documents and Settings\smcconnell1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\smcconnell1\My Documents\ICROSO~1
C:\Documents and Settings\smcconnell1\My Documents\ICROSO~1\d?xplore.exe
C:\Documents and Settings\smcconnell1\My Documents\RACLE~1
C:\Documents and Settings\smcconnell1\My Documents\RACLE~1\?dobe\
C:\Documents and Settings\smcconnell1\My Documents\RACLE~1\explorer.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\start.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\SYSTEM32\ELoYyyay.ini
C:\WINDOWS\SYSTEM32\ELoYyyay.ini2
C:\WINDOWS\SYSTEM32\TtBHOXbc.ini
C:\WINDOWS\SYSTEM32\TtBHOXbc.ini2
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\wjwssest.ini
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 22:03 . 2008-05-12 22:03 314,480 --a------ C:\WINDOWS\SYSTEM32\cbXOHBtT.dll
2008-05-12 21:41 . 2008-05-12 21:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-12 21:38 . 2008-05-12 05:07 <DIR> d-------- C:\SDFix
2008-05-12 21:00 . 2008-05-12 21:00 <DIR> d-------- C:\Documents and Settings\smcconnell1\Application Data\Malwarebytes
2008-05-12 20:59 . 2008-05-12 20:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-12 20:59 . 2008-05-12 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 20:59 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-12 20:59 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-12 20:28 . 2008-05-12 20:28 <DIR> d-------- C:\Documents and Settings\smcconnell1\Application Data\OnlineArmor
2008-05-12 20:28 . 2008-05-12 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-05-12 20:27 . 2008-05-12 20:27 <DIR> d-------- C:\Program Files\Tall Emu
2008-05-12 20:27 . 2008-05-12 20:27 <DIR> d-------- C:\OnlineArmor
2008-05-12 20:27 . 2008-04-17 05:25 80,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\OADriver.sys
2008-05-12 20:27 . 2008-04-17 05:25 32,456 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\OAmon.sys
2008-05-12 20:27 . 2008-04-17 05:25 28,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\oanet.sys
2008-05-11 21:12 . 2008-05-11 21:12 98,912 --a------ C:\WINDOWS\SYSTEM32\bmqgkiau.dll
2008-05-11 21:07 . 2008-05-11 21:07 2,048 --a------ C:\WINDOWS\SYSTEM32\iiqsbhue.exe
2008-05-11 20:32 . 2008-05-11 20:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-11 19:42 . 2008-05-11 19:42 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-05-11 13:53 . 2008-05-11 13:53 86,528 --a------ C:\WINDOWS\kjkhgzyh.dll
2008-05-11 13:53 . 2008-05-11 13:53 86,528 --a------ C:\Documents and Settings\All Users\Application Data\hshmrkdc.dll
2008-05-11 13:31 . 2008-05-11 13:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-05-11 09:48 . 2008-05-12 22:26 13,588 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-05-11 08:55 . 2008-05-12 22:20 24,264 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000000-00000000-0000000A-00001102-00000002-80271102}.rfx
2008-05-11 08:55 . 2008-05-12 22:20 24,264 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000000-00000000-0000000A-00001102-00000002-80271102}.rfx
2008-05-11 08:55 . 2008-05-12 22:20 16,324 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000000-00000000-0000000A-00001102-00000002-80271102}.rfx
2008-05-11 08:55 . 2008-05-12 22:20 16,324 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000000-00000000-0000000A-00001102-00000002-80271102}.rfx
2008-05-11 08:55 . 2008-05-12 22:20 1,080 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-05-11 08:55 . 2008-05-12 22:20 1,080 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-05-11 08:55 . 2008-05-12 22:20 24 --a------ C:\WINDOWS\SYSTEM32\DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-80271102}.dat
2008-05-11 08:55 . 2008-05-12 22:20 24 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000000-00000000-0000000A-00001102-00000002-80271102}.dat
2008-05-11 07:14 . 2008-05-12 20:25 109,816 --a------ C:\WINDOWS\BM225525c6.xml
2008-05-10 12:43 . 2008-05-10 12:43 25,728 --------- C:\WINDOWS\SYSTEM32\urqRJYqo.dll
2008-05-10 12:42 . 2008-05-10 12:42 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-04 13:10 . 2008-05-04 13:10 <DIR> d-------- C:\Program Files\ExtractNow
2008-05-03 16:11 . 2008-05-11 21:18 107,832 --a------ C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2008-05-03 16:11 . 2008-05-03 16:17 66,872 --a------ C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2008-05-03 16:11 . 2008-05-11 21:18 22,328 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PnkBstrK.sys
2008-05-03 16:11 . 2008-05-03 16:12 22,328 --a------ C:\Documents and Settings\smcconnell1\Application Data\PnkBstrK.sys
2008-05-03 00:29 . 2008-05-03 00:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 00:29 . 2008-05-03 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-03 00:17 . 2008-05-11 13:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-03 00:17 . 2008-05-03 00:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-02 21:36 . 2008-05-03 16:11 319 --a------ C:\WINDOWS\game.ini
2008-05-02 21:34 . 2008-05-02 21:34 <DIR> d-------- C:\Program Files\Activision
2008-05-02 18:55 . 2007-08-26 19:44 16,896 --a------ C:\WINDOWS\SYSTEM32\grwinsthlp.exe
2008-05-02 18:55 . 2008-05-02 18:55 228 --a------ C:\UnInstall.dat
2008-05-01 05:33 . 2008-05-01 05:34 <DIR> d-------- C:\Documents and Settings\smcconnell1\Application Data\PC-FAX TX
2008-04-26 18:42 . 2008-04-26 18:42 <DIR> d-------- C:\Program Files\Disney
2008-04-23 20:32 . 2008-04-23 20:32 <DIR> d-------- C:\Documents and Settings\smcconnell1\Application Data\Viewpoint
2008-04-22 17:29 . 2008-04-22 17:29 41,296 --a------ C:\WINDOWS\SYSTEM32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 02:55 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-04-19 02:55 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-01-20 04:30 46,480 ----a-w C:\Documents and Settings\smcconnell1\Application Data\GDIPFONTCACHEV1.DAT
2007-05-30 22:05 40,360 ----a-w C:\Documents and Settings\Jen\Application Data\GDIPFONTCACHEV1.DAT
2004-09-12 05:27 861 ----a-w C:\Program Files\INSTALL.LOG
2000-11-01 20:51 271 --sh--w C:\Program Files\desktop.ini
2000-11-01 20:51 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09AB5F38-89D3-4191-8D5E-FA0DD538B2ED}]
2008-05-12 22:03 314480 --a------ C:\WINDOWS\system32\cbXOHBtT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-10 12:43 25728 --------- C:\WINDOWS\system32\urqRJYqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-10-08 12:06 196608]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:32 208952]
"SoundMan"="SOUNDMAN.EXE" [2003-11-05 14:28 144384 C:\WINDOWS\SOUNDMAN.EXE]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 21:12 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 21:10 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 13:46 255528]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 13:14 663552]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 15:58 65536]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-23 08:29 282624]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-17 05:25 5545536]
"SDFix"="C:\SDFix\RunThis.bat /second" [ ]
"combofix"="C:\WINDOWS\system32\CF9437.exe" [2004-08-04 03:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2003-03-31 12:00 30208]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 01:59 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
RAMASST.lnk - C:\WINDOWS\SYSTEM32\RAMASST.exe [2005-01-20 20:04:53 155648]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-12-23 08:30:30 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\urqRJYqo.dll [2008-05-10 12:43 25728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqRJYqo]
urqRJYqo.dll 2008-05-10 12:43 25728 C:\WINDOWS\SYSTEM32\urqRJYqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\WINDOWS\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=C:\WINDOWS\pss\Dataviz Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2166165a]
C:\WINDOWS\system32\tsesswjw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM225525c6]
C:\WINDOWS\system32\tbqkidwa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2004-10-08 12:31 458752 C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2004-10-08 12:24 217088 C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-05-10 16:04 11776 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2003-06-18 12:00 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 17:14 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-23 08:29 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-09-20 08:23 132624 C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-18 22:35 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-10-10 16:22 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSProSetup]
C:\DOCUME~1\SMCCON~1\LOCALS~1\TEMP\vsp9enus.tmp\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"AudioHQ"=C:\Program Files\Creative\SBPCI512\AudioHQ\AHQTB.EXE
"MPTBox"="C:\Program Files\Canon\MultiPASS\MPTBox.exe"
"LogitechGalleryRepair"=C:\Program Files\Logitech\ImageStudio\ISStart.exe
"LogitechImageStudioTray"=C:\Program Files\Logitech\ImageStudio\LogiTray.exe
"InstantAccess"=C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
"RegisterDropHandler"=C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"PCHealth"=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"nwiz"=nwiz.exe /install
"MCUpdateExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
"Adaptec DirectCD"=C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"DXM6Patch_981116"=C:\WINDOWS\p_981116.exe /Q:A
"LVComs"=C:\WINDOWS\SYSTEM32\LVComS.exe
"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"HPLogiFinder"=\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
"VirusScanMSC"="C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"MCUpdateExe"=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
"LoadQM"=loadqm.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"AOLEventManager"=C:\Program Files\Common Files\AOL\EventManager\EMService.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Palm\\HOTSYNC.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\WINDOWS\\System32\\muzapp.exe"=
"C:\\WINDOWS\\System32\\PnkBstrA.exe"=
"C:\\WINDOWS\\System32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-17 05:25]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-17 05:25]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-17 05:25]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 02:01]
R3 viafilter;VIA USB Filter;C:\WINDOWS\system32\Drivers\viausb1.sys [2001-09-19 13:28]
S2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2008-04-17 05:25]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - E:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 18:37:42 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 22:27:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\urqRJYqo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM32\BRSS01A.EXE
C:\WINDOWS\SYSTEM32\DVDRAMSV.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\PNKBSTRA.EXE
C:\WINDOWS\SYSTEM32\SNMP.EXE
C:\WINDOWS\SYSTEM32\MSPMSPSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\BROTHER\BRMFCMON\BRMFIMON.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\RAPIMGR.EXE
.
**************************************************************************
.
Completion time: 2008-05-12 22:30:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 03:30:08

Pre-Run: 12,943,228,928 bytes free
Post-Run: 12,908,789,760 bytes free

314 --- E O F --- 2008-04-14 11:19:12

taxxin

Cadet


Joined: May 12, 2008
Posts: 8
Location: USA

PostPosted: Wed May 14, 2008 6:13 pm    Post subject: SDFix log

SDFix: Version 1.182
Run by smcconnell1 on Mon 05/12/2008 at 09:46 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\LOG3.TMP - Deleted
C:\LOG85.TMP - Deleted
C:\LOG8C.TMP - Deleted
C:\LOG4.TMP - Deleted
C:\LOG2.TMP - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\index.html - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\system32\drivers\etc\hosts.bho - Deleted
C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\wsnpoem\audio.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 22:39:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Palm\\HOTSYNC.EXE"="C:\\Program Files\\Palm\\HOTSYNC.EXE:*:Enabled:HotSyncr Manager Application"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\WINDOWS\\System32\\muzapp.exe"="C:\\WINDOWS\\System32\\muzapp.exe:*:Enabled:MUZ AOD APP player"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\WINDOWS\\System32\\PnkBstrA.exe"="C:\\WINDOWS\\System32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\System32\\PnkBstrB.exe"="C:\\WINDOWS\\System32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 8 Jun 2000 129,078 ..SH. --- "C:\LOGO.SYS"
Mon 5 Apr 2004 224 ..SH. --- "C:\AUTOEXEC.BAK"
Fri 16 Aug 2002 0 A.SH. --- "C:\windows.sys"
Wed 15 Aug 2007 4,348 ..SH. --- "C:\WINDOWS\DRM\DRMv1.bak"
Wed 13 Oct 2004 1,694,208 ...H. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri 14 Dec 2007 0 A.SH. --- "C:\WINDOWS\DRM\Cache\Indiv01.tmp"
Sat 10 May 2008 41,724 A.SH. --- "C:\System Volume Information\_restore{C21301F7-BCE0-4263-B4F3-DC2ACD903844}\RP645\A0108944.exe"
Fri 9 May 2008 187,904 A.SH. --- "C:\System Volume Information\_restore{C21301F7-BCE0-4263-B4F3-DC2ACD903844}\RP645\A0108945.exe"
Wed 5 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\694301dbfd149d8645046cbc0b1067e8\BIT33.tmp"
Mon 21 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT1C.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 7 Aug 2004 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\OffD2A1.TMP"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Jen\Application Data\U3\temp\Launchpad Removal.exe"
Fri 13 May 2005 99,328 ...H. --- "C:\Documents and Settings\smcconnell1\Application Data\Microsoft\Templates\~WRL0005.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\smcconnell1\Application Data\U3\temp\Launchpad Removal.exe"
Wed 16 Apr 2003 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

taxxin

Cadet


Joined: May 12, 2008
Posts: 8
Location: USA

PostPosted: Wed May 14, 2008 6:15 pm    Post subject: current HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:37 AM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\SYSTEM32\RAMASST.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\smcconnell1\Application Data\U3\00001870E1A3068C\LaunchPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\urqRJYqo.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\SYSTEM32\RAMASST.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196915030609
O20 - Winlogon Notify: urqRJYqo - C:\WINDOWS\SYSTEM32\urqRJYqo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 6290 bytes

taxxin

Cadet


Joined: May 12, 2008
Posts: 8
Location: USA

PostPosted: Wed May 14, 2008 6:51 pm    Post subject: Malwarebyte log

The text file flaked out on this jump drive, so I will have to upload it tonight when I get back in front of that machine.

I did notice that Trojan.vundu keeps showing up in the scans, but the file (urqRJYqo.dll) associated with it is not being deleted.

taxxin

Cadet


Joined: May 12, 2008
Posts: 8
Location: USA

PostPosted: Wed May 14, 2008 10:58 pm    Post subject: Malware log

Malwarebytes' Anti-Malware 1.12
Database version: 744

Scan type: Quick Scan
Objects scanned: 41386
Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\urqRJYqo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8067131a-31e3-4304-90c3-61d87fbf2833} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8067131a-31e3-4304-90c3-61d87fbf2833} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqrjyqo (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggayskl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggayskl -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\xxyyaWOg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gOWayyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\gOWayyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hgGaYSkl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lkSYaGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lkSYaGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\urqRJYqo.dll (Trojan.Vundo) -> Delete on reboot.

PCBruiser

SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723


PostPosted: Sat May 24, 2008 6:59 pm    Post subject:

Hi,

I'm sorry for the delay in responding, but a little over a week ago we discovered one of our children has a very serious medical problem which will require several major surgery procedures during the next year, and extensive rehabilitation. We have been totally absorbed with that family issue and I have had little time to deal with issues here. I am going to try to catch up during the next day or two.

If you still need help, please post a fresh HJT log and tell me exactly what is happening now with your system.

PCB


Don't read? Can't learn!