
Please review - just ran Malwarebytes



Hey all,

I've been working with Kaspersky support in an effort to remove a rootkit virus. After following their instructions, they suggested I run your program and upload my log file.

Can someone check it out and point me in the right direction? I still have several trojans on my PC.

Thanks in advance,

vmi1816

mbam_log_2009_05_25__19_57_08_.txt



Hello and Welcome,

Please copy/paste your logs into your topic reply.

Only attach logs, if asked to do so.

Follow the directions in this topic:

http://www.malwarebytes.org/forums/index.php?showtopic=9573

Download DDS and save it to your desktop from here or here


Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please copy and paste both logs into your next reply.

Post the DDS logs, your MBAM logs, and a HJT log in your next reply please.


Here you go and thanks for the fast reply!

attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 11/22/2005 8:32:24 PM

System Uptime: 5/26/2009 1:40:44 AM (5 hours ago)

Motherboard: Gateway | |

Processor: Intel® Celeron® M processor 1.40GHz | uFCPGA2 | 1389/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 49 GiB total, 35.884 GiB free.

D: is FIXED (FAT32) - 7 GiB total, 4.752 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP376: 2/27/2009 9:07:03 PM - System Checkpoint

RP377: 3/3/2009 7:30:24 PM - System Checkpoint

RP378: 3/5/2009 9:13:04 PM - System Checkpoint

RP379: 3/12/2009 9:04:18 PM - Software Distribution Service 3.0

RP380: 3/13/2009 8:59:24 PM - Software Distribution Service 3.0

RP381: 3/15/2009 1:00:30 PM - Software Distribution Service 3.0

RP382: 3/18/2009 8:57:20 PM - System Checkpoint

RP383: 3/20/2009 5:55:22 PM - Software Distribution Service 3.0

RP384: 3/23/2009 4:13:59 PM - System Checkpoint

RP385: 3/29/2009 9:19:33 PM - System Checkpoint

RP386: 3/31/2009 8:37:12 PM - System Checkpoint

RP387: 4/3/2009 9:33:21 PM - System Checkpoint

RP388: 4/4/2009 10:29:14 PM - System Checkpoint

RP389: 4/8/2009 6:11:42 PM - System Checkpoint

RP390: 4/9/2009 8:30:46 PM - System Checkpoint

RP391: 4/10/2009 10:40:00 PM - System Checkpoint

RP392: 4/13/2009 6:05:19 PM - System Checkpoint

RP393: 4/14/2009 10:08:04 PM - System Checkpoint

RP394: 4/16/2009 8:12:42 PM - Software Distribution Service 3.0

RP395: 4/17/2009 12:54:53 PM - Software Distribution Service 3.0

RP396: 4/18/2009 4:58:16 PM - System Checkpoint

RP397: 4/20/2009 5:52:07 PM - System Checkpoint

RP398: 4/23/2009 9:56:33 PM - System Checkpoint

RP399: 4/25/2009 9:31:46 PM - System Checkpoint

RP400: 4/27/2009 2:19:44 PM - System Checkpoint

RP401: 4/29/2009 7:24:43 PM - System Checkpoint

RP402: 5/25/2009 8:49:41 PM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe Flash Player 10 ActiveX

Adobe Flash Player 9 ActiveX

Adobe Flash Player Plugin

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Adobe


You have a new infection that's going around.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When that "quick scan" is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply.
  • Attach it only if the log is very long, please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as bonkers.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (bonkers.exe) & follow the prompts.

2. When finished, it will produce a log file located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not click in ComboFix's window while it is running. That may cause your system to stall/hang.

Please post back ARK.txt and C:\Combofix.txt


Hello,

Here are my files.

ark.txt

GMER 1.0.15.14972 - http://www.gmer.net

Rootkit scan 2009-05-26 20:47:29

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xEEC25940]

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xEEC259A8]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

combofix.txt

ComboFix 09-05-26.02 - Owner 05/26/2009 20:55.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.163 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\bonkers.exe

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))

.

2009-05-26 23:54 . 2009-05-27 00:46 -------- d-----w C:\ark

2009-05-25 23:10 . 2009-05-25 23:10 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes

2009-05-25 23:09 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-25 23:09 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-25 23:09 . 2009-05-26 10:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-25 23:09 . 2009-05-25 23:09 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-25 23:07 . 2009-05-25 23:07 -------- d-----w c:\documents and settings\Owner\Application Data\gtk-2.0

2009-05-25 22:56 . 2009-05-25 22:57 -------- d-----w c:\program files\ScreenPrint32 v3

2009-05-25 22:56 . 2009-05-25 22:56 249856 ------w c:\windows\Setup1.exe

2009-05-25 22:56 . 2009-05-25 22:56 73216 ----a-w c:\windows\ST6UNST.EXE

2009-05-25 18:03 . 2004-08-04 19:00 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe

2009-05-25 15:03 . 2009-05-25 14:41 19046 ----a-w C:\sysinfo.zip

2009-05-25 14:59 . 2009-05-25 14:59 2 ---h--w c:\windows\sonce122730.dat

2009-05-25 14:59 . 2009-05-25 19:13 -------- d-----w c:\windows\system32\sysloc

2009-05-18 00:25 . 2009-05-18 00:25 23 --sha-w c:\windows\system32\edacded0_x.dat

2009-05-18 00:24 . 2009-05-18 00:25 -------- d-----w c:\program files\jv16 PowerTools 2009

2009-05-16 00:20 . 2009-05-16 00:20 -------- d-----w C:\nitromarketingBonus

2009-05-15 20:54 . 2009-05-16 02:14 -------- d-----w c:\windows\system32\796525

2009-05-10 23:42 . 2009-05-10 23:42 -------- d-----w c:\documents and settings\Owner\.thumbnails

2009-05-01 20:59 . 2004-08-04 19:00 4224 ----a-w c:\windows\system32\drivers\beep.sys

2009-05-01 20:58 . 2009-05-01 20:58 6407 ----a-w c:\windows\system32\krncode.dat

2009-05-01 20:58 . 2009-05-01 20:58 1575 ----a-w c:\windows\system32\pwrcode.dat

2009-05-01 20:58 . 2009-05-01 20:58 19434 ----a-w c:\windows\system32\wincode.dat

2009-05-01 20:58 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\osysp.dat

2009-05-01 20:58 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\osysk.dat

2009-05-01 20:58 . 2009-02-20 08:10 666112 ----a-w c:\windows\system32\osysw.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-26 23:58 . 2009-01-12 02:56 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-05-26 18:08 . 2007-03-09 02:39 -------- d-----w c:\program files\BrainBullet

2009-05-26 18:05 . 2009-01-12 02:56 2872 --sha-w c:\windows\system32\drivers\fidbox2.idx

2009-05-26 18:05 . 2009-01-12 02:56 524320 --sha-w c:\windows\system32\drivers\fidbox2.dat

2009-05-26 18:05 . 2009-01-12 02:56 2354720 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-05-26 18:05 . 2009-01-12 02:56 19476 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-05-20 23:45 . 2009-01-12 02:58 105395 ----a-w c:\windows\system32\drivers\klin.dat

2009-05-20 23:45 . 2009-01-12 02:58 94643 ----a-w c:\windows\system32\drivers\klick.dat

2009-05-11 20:50 . 2005-11-26 23:24 -------- d-----w c:\program files\Lx_cats

2009-04-18 22:12 . 2008-11-15 17:42 -------- d-----w c:\program files\Finding Notes Easy

2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w c:\windows\system32\pdh.dll

2009-05-02 15:59 . 2007-04-22 20:56 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2009-05-02 15:59 . 2007-04-22 20:56 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2009-05-02 15:59 . 2007-04-22 20:56 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2009-05-02 15:59 . 2007-04-22 20:56 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2009-05-02 15:59 . 2007-04-22 20:56 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-05-25_18.06.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2000-07-15 04:00 . 2000-07-15 04:00 101888 c:\windows\system32\VB6STKIT.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-24 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-24 118784]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-04-27 69632]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-05-04 200704]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-03-20 320168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-08 98304]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-15 185896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-03-20 668328]

"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-03-20 16040]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-06 206088]

"ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-16 446464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BBStartup.lnk.lnk - c:\program files\BrainBullet\BBStartup.exe [2007-3-8 403968]

BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-10-8 1742384]

Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2005-10-8 729088]

MiniEYE-MiniREAD Launch.lnk - c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe [2007-9-2 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AOL ACS"=2 (0x2)

"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\WINDOWS\\system32\\lxdxcoms.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=

"c:\\WINDOWS\\system32\\lxdxcfg.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 7:29 PM 33808]

R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [9/2/2007 11:42 AM 137344]

R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]

R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [9/2/2007 11:42 AM 12032]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 8:02 PM 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 7:06 PM 24592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ

*Deregistered* - aujasnkj

.

Contents of the 'Scheduled Tasks' folder

2005-11-23 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2005-11-23 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

.

- - - - ORPHANS REMOVED - - - -

BHO-{437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.kaspersky.com/

mStart Page = hxxp://www.gatewaybiz.com

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7m7oly42.default\

FF - prefs.js: browser.search.selectedEngine - Crawler Search

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-26 20:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)

c:\windows\system32\igfxsrvc.dll

c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(3080)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-05-27 20:59

ComboFix-quarantined-files.txt 2009-05-27 00:59

ComboFix2.txt 2009-05-25 18:12

Pre-Run: 38,504,546,304 bytes free

Post-Run: 38,492,053,504 bytes free

171 --- E O F --- 2009-05-14 00:16

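The GMER output above lists each SSDT hook, inline code patch and attached device together with the owning driver and, when that driver has a version resource, a description and vendor in parentheses. The triage question for such a log is whether every entry is attributable to a product known to be on the machine (here Kaspersky's klif.sys and kl1.sys, Microsoft's fltmgr.sys, Synaptics' SynTP.sys). The parser below is an added example, not part of the original post and not GMER's code. The TRUSTED_VENDORS allowlist is an assumption built from the vendors visible in this log, and the third SSDT line in the sample is constructed: its driver name is borrowed from the ComboFix deletion list later in this thread and its address is invented, to show how a hook from a driver with no version information is printed.

```python
"""Parse GMER's '---- System ----' and '---- Devices ----' sections and flag
hooks whose owning driver carries no vendor attribution or an unexpected one.
Added example for this thread, not GMER's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the GMER log posted above, plus ONE CONSTRUCTED line (the
# third SSDT entry): its driver name is taken from the ComboFix deletion list
# later in this thread and its address is invented, to show how an SSDT hook
# with no version information is printed.
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-26 20:47:29
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xEEC25940]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xEEC259A8]
SSDT \??\C:\WINDOWS\system32\drivers\UACxylkspypdvbqegb.sys ZwCreateFile [0xF7A12345]
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
---- EOF - GMER 1.0.15 ----
"""

# Analyst-maintained allowlist (an assumption): vendors whose products are
# known to be installed on this machine and legitimately hook the kernel.
TRUSTED_VENDORS = {"Microsoft Corporation", "Kaspersky Lab", "Synaptics, Inc."}


@dataclass
class Hook:
    kind: str               # "SSDT", "Code" or "AttachedDevice"
    module: str             # driver image that owns the hook or filter
    target: str             # hooked function, or the device object being filtered
    vendor: Optional[str]   # CompanyName from the driver's version resource, if any
    desc: Optional[str]     # FileDescription, if any
    addr: Optional[str]     # hook address (SSDT entries only)


# "<kind> <module> [(<desc>/<vendor>)] <function> [[0xaddr]]"
HOOK_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?"
    r"\s+(?P<target>\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$")
# "AttachedDevice <driver object> <device object> <module> [(<desc>/<vendor>)]"
DEV_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<target>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?\s*$")


def parse_gmer(text: str) -> List[Hook]:
    """Turn the hook and device lines of a GMER log into Hook records."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(m["kind"], m["module"], m["target"], m["vendor"], m["desc"], m["addr"]))
            continue
        m = DEV_RE.match(line)
        if m:
            hooks.append(Hook("AttachedDevice", m["module"], m["target"], m["vendor"], m["desc"], None))
    return hooks


def suspicious_hooks(hooks: List[Hook], trusted=TRUSTED_VENDORS) -> List[Hook]:
    """Hooks whose driver has no vendor string, or one that is not on the allowlist."""
    return [h for h in hooks if h.vendor is None or h.vendor.strip() not in trusted]


if __name__ == "__main__":
    for h in suspicious_hooks(parse_gmer(SAMPLE_GMER_LOG)):
        print(f"{h.kind:<15} {h.module}  ->  {h.target}  vendor={h.vendor!r}")
```

GMER prints the parenthesised description only when the driver has a version resource, so a missing vendor is a strong lead rather than a verdict: some unsigned hardware drivers also lack one, and a rootkit can carry forged version information, which is why the allowlist is checked against what the analyst knows is installed instead of being trusted on its own.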

I am sorry,

Here's an earlier version. I may have deleted the combofix2 file. Can you use this file?

ComboFix 09-05-25.01 - Owner 05/25/2009 13:58.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.204 [GMT -4:00]

Running from: C:\123.exe

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\123.exe

c:\documents and settings\Owner\Application Data\wiaserva.log

c:\documents and settings\Owner\Desktop\Error Cleaner.url

c:\documents and settings\Owner\Desktop\Privacy Protector.url

c:\documents and settings\Owner\Favorites\Privacy Protector.url

c:\documents and settings\Owner\Favorites\Spyware&Malware Protection.url

C:\SYS32DLL.bat

c:\windows\ld08.exe

c:\windows\new_drv.sys

c:\windows\pp10.exe

c:\windows\rs.txt

c:\windows\search_res.txt

c:\windows\st_1242343511.exe

c:\windows\st_1242351379.exe

c:\windows\st_1242434008.exe

c:\windows\system32\218538

c:\windows\system32\drivers\UACxylkspypdvbqegb.sys

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\SYSDLL.exe

c:\windows\system32\UACdjwhxvrbdisteti.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACnqfewthniwbeuom.log

c:\windows\system32\UACpbnmpxthexjecfq.dll

c:\windows\system32\UACppjwswqblovbrsb.dat

c:\windows\system32\UACqplvtakcrjqvjei.dll

c:\windows\system32\UACrfgivrqopxmewlf.log

c:\windows\system32\UACsnvsilivowfutmn.dll

c:\windows\system32\UACubdtkbmuepwojes.log

c:\windows\system32\UACxcymrmdtmafrgxr.dll

c:\windows\system32\wbem\grpconv.exe

c:\windows\system32\wbem\proquota.exe

c:\windows\t55ft2692f44.dat

c:\windows\t55ft3189f44.dat

D:\Autorun.inf

D:\Desktop.ini

%~1 was missing

Restored copy from - %~2

%~1 was missing

Restored copy from - %~2

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_NEW_DRV

((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))

.

2009-05-25 18:03 . 2004-08-04 19:00 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe

2009-05-25 15:03 . 2009-05-25 14:41 19046 ----a-w C:\sysinfo.zip

2009-05-25 14:59 . 2009-05-25 14:59 2 ---h--w c:\windows\sonce122730.dat

2009-05-25 14:59 . 2009-05-25 14:59 -------- d-----w c:\windows\system32\sysloc

2009-05-18 00:25 . 2009-05-18 00:25 23 --sha-w c:\windows\system32\edacded0_x.dat

2009-05-18 00:24 . 2009-05-18 00:25 -------- d-----w c:\program files\jv16 PowerTools 2009

2009-05-16 00:20 . 2009-05-16 00:20 -------- d-----w C:\nitromarketingBonus

2009-05-15 20:54 . 2009-05-16 02:14 -------- d-----w c:\windows\system32\796525

2009-05-10 23:42 . 2009-05-10 23:42 -------- d-----w c:\documents and settings\Owner\.thumbnails

2009-05-01 20:59 . 2004-08-04 19:00 4224 ----a-w c:\windows\system32\drivers\beep.sys

2009-05-01 20:58 . 2009-05-01 20:58 6407 ----a-w c:\windows\system32\krncode.dat

2009-05-01 20:58 . 2009-05-01 20:58 1575 ----a-w c:\windows\system32\pwrcode.dat

2009-05-01 20:58 . 2009-05-01 20:58 19434 ----a-w c:\windows\system32\wincode.dat

2009-05-01 20:58 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\osysp.dat

2009-05-01 20:58 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\osysk.dat

2009-05-01 20:58 . 2009-02-20 08:10 666112 ----a-w c:\windows\system32\osysw.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-25 18:04 . 2009-01-12 02:56 466976 --sha-w c:\windows\system32\drivers\fidbox2.dat

2009-05-25 18:04 . 2009-01-12 02:56 2676 --sha-w c:\windows\system32\drivers\fidbox2.idx

2009-05-25 18:04 . 2009-01-12 02:56 1885216 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-05-25 18:04 . 2009-01-12 02:56 15808 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-05-25 17:45 . 2007-03-09 02:39 -------- d-----w c:\program files\BrainBullet

2009-05-25 17:45 . 2009-01-12 02:56 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-05-20 23:45 . 2009-01-12 02:58 105395 ----a-w c:\windows\system32\drivers\klin.dat

2009-05-20 23:45 . 2009-01-12 02:58 94643 ----a-w c:\windows\system32\drivers\klick.dat

2009-05-11 20:50 . 2005-11-26 23:24 -------- d-----w c:\program files\Lx_cats

2009-04-18 22:12 . 2008-11-15 17:42 -------- d-----w c:\program files\Finding Notes Easy

2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w c:\windows\system32\pdh.dll

2009-05-02 15:59 . 2007-04-22 20:56 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2009-05-02 15:59 . 2007-04-22 20:56 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2009-05-02 15:59 . 2007-04-22 20:56 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2009-05-02 15:59 . 2007-04-22 20:56 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2009-05-02 15:59 . 2007-04-22 20:56 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD}]

2009-05-25 14:59 22528 ----a-w c:\windows\system32\sysloc\sysloc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-24 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-24 118784]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-04-27 69632]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-05-04 200704]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-03-20 320168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-08 98304]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-15 185896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-03-20 668328]

"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-03-20 16040]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-06 206088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BBStartup.lnk.lnk - c:\program files\BrainBullet\BBStartup.exe [2007-3-8 403968]

BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-10-8 1742384]

Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2005-10-8 729088]

MiniEYE-MiniREAD Launch.lnk - c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe [2007-9-2 323584]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AOL ACS"=2 (0x2)

"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\WINDOWS\\system32\\lxdxcoms.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=

"c:\\WINDOWS\\system32\\lxdxcfg.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 7:29 PM 33808]

R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [9/2/2007 11:42 AM 137344]

R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]

R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [9/2/2007 11:42 AM 12032]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 8:02 PM 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 7:06 PM 24592]

.

Contents of the 'Scheduled Tasks' folder

2005-11-23 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2005-11-23 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

.

- - - - ORPHANS REMOVED - - - -

BHO-{5E5EFA8F-9F53-418E-B78E-44866667A404} - c:\windows\system32\218538\218538.dll

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.kaspersky.com/

mStart Page = hxxp://www.gatewaybiz.com

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7m7oly42.default\

FF - prefs.js: browser.search.selectedEngine - Crawler Search

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 7171

FF - prefs.js: network.proxy.type - 1

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-25 14:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\lxdxcoms.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Lexmark 3600-4600 Series\lxdxmsdmon.exe

c:\windows\system32\lxcgcoms.exe

.

**************************************************************************

.

Completion time: 2009-05-25 14:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-25 18:12

Pre-Run: 37,712,478,208 bytes free

Post-Run: 37,868,441,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

214 --- E O F --- 2009-05-14 00:16

Can I see your first Combofix report please:

ComboFix2.txt 2009-05-25 18:12


That's good enough.

Now, I am attaching a file called sysfiles.txt

Download it to your desktop

Very Important - rename it to sysfiles.bat

You will get a warning from Windows that renaming can make the file unusable, or something to that effect - just ignore that.

Double-click sysfiles.bat on your desktop.

It will create and open a log file called sysfiles.txt.

Please post that back in your next reply.

You have several infected system files and I want to see where other authentic copies exist on your system.

Make sure you can view hidden files and folders

Please upload these files to the Virus Total scanner by browsing to each file's folder location, and then click "Send":

c:\windows\system32\osysk.dat

c:\windows\system32\osysp.dat

c:\windows\system32\osysw.dat

c:\windows\system32\kernel32.dll

If it's too busy you can try the Jotti malware scan page.

I need the MD5 for each file and also post the full report if any threat detections are reported.

sysfiles.txt

sysfiles.txt

Link to post
Share on other sites

Here you go.

MD5: b921fb870c9ac0d509b2ccabbbbe95f3

First received: 2009.04.16 14:51:52 UTC

Date: 2009.05.18 12:38:23 UTC [>8D]

Results: 0/39

Permalink: analisis/d3b69a8b59e07e775f99871c4ad107a4f72f392325695e7f261f6aa6e590d4e6-1242650303

MD5: 50a166237a0fa771261275a405646cc0

First received: 2009.03.21 22:21:00 UTC

Date: 2009.05.17 05:14:56 UTC [>10D]

Results: 0/39

Permalink: analisis/cfa9b2c8cdcdb56c27b89593a106aae211e24d8ea433129a6e9bd2fbf39ab5bb-1242537296

MD5: 5b6a3eb7bb2f338bc2cb9f2fa4aaea9e

First received: 2009.04.21 07:03:21 UTC

Date: 2009.04.21 07:03:21 UTC [>36D]

Results: 0/40

Permalink: analisis/07dc92e59ad8e5ec6435ff5b3aadeab723453fdc0be2229b466ef86ce3f54f81-1240297401

MD5: b921fb870c9ac0d509b2ccabbbbe95f3

First received: 2009.04.16 14:51:52 UTC

Date: 2009.05.18 12:38:23 UTC [>8D]

Results: 0/39

Permalink: analisis/d3b69a8b59e07e775f99871c4ad107a4f72f392325695e7f261f6aa6e590d4e6-1242650303

======sysfiles.txt=================

Volume in drive C has no label.

Volume Serial Number is A8B8-354B

Directory of C:\WINDOWS\$hf_mig$\KB917422\SP2QFE

05/01/2009 04:59 PM 989,696 kernel32.dll

1 File(s) 989,696 bytes

Directory of C:\WINDOWS\$hf_mig$\KB935839\SP2QFE

05/01/2009 04:59 PM 989,696 kernel32.dll

1 File(s) 989,696 bytes

Directory of C:\WINDOWS\$hf_mig$\KB959426\SP3QFE

03/21/2009 09:59 AM 991,744 kernel32.dll

1 File(s) 991,744 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/16/2007 11:52 AM 984,576 kernel32.dll

1 File(s) 984,576 bytes

Directory of C:\WINDOWS\$NtUninstallKB917422$

08/04/2004 03:00 PM 983,552 kernel32.dll

1 File(s) 983,552 bytes

Directory of C:\WINDOWS\$NtUninstallKB935839$

07/05/2006 06:55 AM 984,064 kernel32.dll

1 File(s) 984,064 bytes

Directory of C:\WINDOWS\$NtUninstallKB959426$

04/13/2008 08:11 PM 989,696 kernel32.dll

1 File(s) 989,696 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 989,696 kernel32.dll

1 File(s) 989,696 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:11 PM 989,696 kernel32.dll

1 File(s) 989,696 bytes

Directory of C:\WINDOWS\system32

03/21/2009 10:06 AM 989,696 kernel32.dll

1 File(s) 989,696 bytes

Directory of C:\WINDOWS\system32\dllcache

03/21/2009 10:06 AM 989,696 kernel32.dll

1 File(s) 989,696 bytes

Total Files Listed:

11 File(s) 10,871,808 bytes

0 Dir(s) 38,449,922,048 bytes free

Volume in drive C has no label.

Volume Serial Number is A8B8-354B

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 03:00 PM 17,408 powrprof.dll

1 File(s) 17,408 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 17,408 powrprof.dll

1 File(s) 17,408 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:12 PM 17,408 powrprof.dll

1 File(s) 17,408 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 17,408 powrprof.dll

1 File(s) 17,408 bytes

Total Files Listed:

4 File(s) 69,632 bytes

0 Dir(s) 38,449,922,048 bytes free

Volume in drive C has no label.

Volume Serial Number is A8B8-354B

Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE

05/01/2009 04:58 PM 670,208 wininet.dll

1 File(s) 670,208 bytes

Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE

05/01/2009 04:58 PM 670,208 wininet.dll

1 File(s) 670,208 bytes

Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE

05/01/2009 04:58 PM 670,208 wininet.dll

1 File(s) 670,208 bytes

Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE

05/01/2009 04:58 PM 670,208 wininet.dll

1 File(s) 670,208 bytes

Directory of C:\WINDOWS\$hf_mig$\KB896688\SP2QFE

05/01/2009 04:58 PM 670,208 wininet.dll

1 File(s) 670,208 bytes

Directory of C:\WINDOWS\$hf_mig$\KB905915\SP2QFE

05/01/2009 04:58 PM 670,208 wininet.dll

1 File(s) 670,208 bytes

Directory of C:\WINDOWS\$hf_mig$\KB950759\SP3GDR

04/21/2008 02:44 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$hf_mig$\KB950759\SP3QFE

04/21/2008 02:24 AM 666,624 wininet.dll

1 File(s) 666,624 bytes

Directory of C:\WINDOWS\$hf_mig$\KB953838\SP3GDR

06/23/2008 11:09 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$hf_mig$\KB953838\SP3QFE

06/23/2008 10:54 AM 666,624 wininet.dll

1 File(s) 666,624 bytes

Directory of C:\WINDOWS\$hf_mig$\KB956390\SP3GDR

08/20/2008 01:30 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$hf_mig$\KB956390\SP3QFE

08/20/2008 12:58 AM 666,624 wininet.dll

1 File(s) 666,624 bytes

Directory of C:\WINDOWS\$hf_mig$\KB958215\SP3GDR

10/15/2008 09:00 PM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$hf_mig$\KB958215\SP3QFE

10/15/2008 09:04 PM 667,136 wininet.dll

1 File(s) 667,136 bytes

Directory of C:\WINDOWS\$hf_mig$\KB963027\SP3QFE

02/20/2009 03:50 AM 667,648 wininet.dll

1 File(s) 667,648 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

10/16/2008 06:20 AM 667,648 wininet.dll

1 File(s) 667,648 bytes

Directory of C:\WINDOWS\$NtUninstallKB905915$

09/02/2005 07:52 PM 658,432 wininet.dll

1 File(s) 658,432 bytes

Directory of C:\WINDOWS\$NtUninstallKB912812$

10/20/2005 11:39 PM 658,432 wininet.dll

1 File(s) 658,432 bytes

Directory of C:\WINDOWS\$NtUninstallKB916281$

03/03/2006 11:58 PM 663,552 wininet.dll

1 File(s) 663,552 bytes

Directory of C:\WINDOWS\$NtUninstallKB918899$

05/10/2006 01:25 AM 663,552 wininet.dll

1 File(s) 663,552 bytes

Directory of C:\WINDOWS\$NtUninstallKB922760$

06/23/2006 07:25 AM 664,576 wininet.dll

1 File(s) 664,576 bytes

Directory of C:\WINDOWS\$NtUninstallKB925454$

09/14/2006 04:31 AM 664,576 wininet.dll

1 File(s) 664,576 bytes

Directory of C:\WINDOWS\$NtUninstallKB928090$

10/23/2006 11:34 AM 664,576 wininet.dll

1 File(s) 664,576 bytes

Directory of C:\WINDOWS\$NtUninstallKB931768$

01/04/2007 10:05 AM 665,088 wininet.dll

1 File(s) 665,088 bytes

Directory of C:\WINDOWS\$NtUninstallKB933566$

02/20/2007 05:52 AM 665,600 wininet.dll

1 File(s) 665,600 bytes

Directory of C:\WINDOWS\$NtUninstallKB937143$

04/18/2007 08:46 AM 665,600 wininet.dll

1 File(s) 665,600 bytes

Directory of C:\WINDOWS\$NtUninstallKB939653$

06/26/2007 10:35 AM 665,600 wininet.dll

1 File(s) 665,600 bytes

Directory of C:\WINDOWS\$NtUninstallKB942615$

08/22/2007 08:55 AM 665,600 wininet.dll

1 File(s) 665,600 bytes

Directory of C:\WINDOWS\$NtUninstallKB944533$

10/11/2007 01:57 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$NtUninstallKB947864$

12/06/2007 08:44 PM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$NtUninstallKB950759$

04/13/2008 08:12 PM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$NtUninstallKB950759_0$

02/16/2008 05:32 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$NtUninstallKB953838$

04/21/2008 02:44 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$NtUninstallKB953838_0$

04/21/2008 02:56 AM 666,624 wininet.dll

1 File(s) 666,624 bytes

Directory of C:\WINDOWS\$NtUninstallKB956390$

06/23/2008 11:09 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\$NtUninstallKB956390_0$

06/23/2008 12:12 PM 667,136 wininet.dll

1 File(s) 667,136 bytes

Directory of C:\WINDOWS\$NtUninstallKB958215$

08/20/2008 01:33 AM 667,648 wininet.dll

1 File(s) 667,648 bytes

Directory of C:\WINDOWS\$NtUninstallKB963027$

10/15/2008 09:00 PM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e

04/13/2008 08:12 PM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\system32

02/20/2009 04:10 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Directory of C:\WINDOWS\system32\dllcache

02/20/2009 04:10 AM 666,112 wininet.dll

1 File(s) 666,112 bytes

Total Files Listed:

42 File(s) 27,981,824 bytes

0 Dir(s) 38,449,909,760 bytes free
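As an added illustration (not the helper's sysfiles.bat or anything else posted in this thread), here is a small Python script that parses a `dir /s`-style listing like the one above and, for each system file, sorts the backup copies by whether their size agrees with the live copy in system32. The sample listing is constructed from directories and sizes in the listing above; the `LIVE_DIR` constant and the function names are ours.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the layout cmd.exe's `dir /s` prints, which is what a
# sysfiles.bat of the kind posted in this thread collects. Directories and
# sizes are copied from the user's listing; only the selection is ours.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is A8B8-354B

 Directory of C:\WINDOWS\$hf_mig$\KB959426\SP3QFE

03/21/2009  09:59 AM           991,744 kernel32.dll
               1 File(s)        991,744 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008  08:11 PM           989,696 kernel32.dll
               1 File(s)        989,696 bytes

 Directory of C:\WINDOWS\system32

03/21/2009  10:06 AM           989,696 kernel32.dll
               1 File(s)        989,696 bytes

 Directory of C:\WINDOWS\system32\dllcache

03/21/2009  10:06 AM           989,696 kernel32.dll
               1 File(s)        989,696 bytes

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004  03:00 PM            17,408 powrprof.dll
               1 File(s)         17,408 bytes

 Directory of C:\WINDOWS\system32

04/13/2008  08:12 PM            17,408 powrprof.dll
               1 File(s)         17,408 bytes
"""

# Where the copy that Windows actually loads lives (assumed for this example).
LIVE_DIR = r"c:\windows\system32"

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, byte count with thousands separators, file name
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s*[AP]M)\s+([\d,]+)\s+(.+?)\s*$"
)


class Copy(NamedTuple):
    directory: str
    name: str
    size: int
    stamp: str


class Report(NamedTuple):
    name: str
    live_size: int
    same_size: List[str]   # backup directories whose copy matches the live size
    other_size: List[str]  # backup directories whose copy does not


def parse_dir_listing(text: str) -> List[Copy]:
    """Walk the listing, remembering the current directory header and
    collecting one Copy per file line ("<DIR>" and summary lines are skipped)."""
    copies: List[Copy] = []
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, time, size, name = m.groups()
            copies.append(Copy(current, name.lower(), int(size.replace(",", "")), f"{date} {time}"))
    return copies


def restore_candidates(copies: List[Copy], name: str) -> Report:
    """Compare every backup copy of `name` against the live system32 copy by size."""
    name = name.lower()
    live = [c for c in copies if c.name == name and c.directory.lower() == LIVE_DIR]
    if len(live) != 1:
        raise LookupError(f"expected one live copy of {name} in {LIVE_DIR}, found {len(live)}")
    live_size = live[0].size
    same, other = [], []
    for c in copies:
        if c.name != name or c.directory.lower() == LIVE_DIR:
            continue
        (same if c.size == live_size else other).append(c.directory)
    return Report(name, live_size, same, other)


def summarize(copies: List[Copy]) -> Dict[str, Report]:
    """One Report per distinct file name in the listing."""
    return {n: restore_candidates(copies, n) for n in sorted({c.name for c in copies})}


if __name__ == "__main__":
    for rep in summarize(parse_dir_listing(SAMPLE_LISTING)).values():
        print(f"{rep.name}: live copy is {rep.live_size} bytes")
        for d in rep.same_size:
            print(f"  same size : {d}")
        for d in rep.other_size:
            print(f"  differs   : {d}")
```

Size agreement is only a coarse filter: a patched binary can keep its exact length, so the directories listed under "same size" are candidates to hash and compare, not proof that the live copy is clean. That is why the helper asks for the MD5 of each file and a signature check as well.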


Download Sigcheck and unzip it to your C:\Windows\system32 directory:

http://www.microsoft.com/technet/sysintern...k/Sigcheck.mspx

1. Open Notepad (make sure wordwrap is UNchecked under format)

2. Paste the following text in the code box below into the Notepad window:

sc config CryptSvc start= auto
sc start CryptSvc
If exist "%userprofile%\Documents\UnsignedFiles.txt" del "%userprofile%\Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\kernel32.dll > "%userprofile%\Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\powrprof.dll >> "%userprofile%\Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\wininet.dll >> "%userprofile%\Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\osysk.dat >> "%userprofile%\Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\osysp.dat >> "%userprofile%\Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\osysw.dat >> "%userprofile%\Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\drivers\beep.sys >> "%userprofile%\Documents\UnsignedFiles.txt"
notepad "%userprofile%\Documents\UnsignedFiles.txt"

Save the file to your desktop as UnsignedFiles.bat, by setting the "Save as Type" to "All Files".

Double-click the UnsignedFiles.bat gear icon on your desktop to execute the batch file (allow the script to run, but be sure to disable any script blocking programs that are active first).

Note: You must grant sigcheck.exe permission to access the internet via your firewall.

A Notepad file called C:\UnsignedFiles.txt should open when the batch file has completed processing. Please copy and paste the contents of that file in a reply back here.


Sorry, I have Vista, where Documents is just Documents, not "My Documents", so I have adjusted the batch for XP now:

Same directions but used this code:

sc config CryptSvc start= auto
sc start CryptSvc
If exist "%userprofile%\My Documents\UnsignedFiles.txt" del "%userprofile%\My Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\kernel32.dll > "%userprofile%\My Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\powrprof.dll >> "%userprofile%\My Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\wininet.dll >> "%userprofile%\My Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\osysk.dat >> "%userprofile%\My Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\osysp.dat >> "%userprofile%\My Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\osysw.dat >> "%userprofile%\My Documents\UnsignedFiles.txt"
sigcheck c:\windows\system32\drivers\beep.sys >> "%userprofile%\My Documents\UnsignedFiles.txt"
notepad "%userprofile%\My Documents\UnsignedFiles.txt"

Greetings,

Thanks for following up; here's the text file.

c:\windows\system32\kernel32.dll:

Verified: Signed

Signing date: 1:27 PM 3/21/2009

Strong Name: Unsigned

Publisher: Microsoft Corporation

Description: Windows NT BASE API Client DLL

Product: Microsoft

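To show how sigcheck output like the report above can be screened automatically, here is an added Python example (not part of this thread and not Sysinternals' tooling) that parses sigcheck's text report and flags every file that is not Authenticode-signed by an expected publisher. The kernel32.dll block reuses the fields the user posted; the osysk.dat block and the `TRUSTED_PUBLISHERS` set are constructed for the example.

```python
from typing import Dict

# Constructed sample of sigcheck's text output. The kernel32.dll block repeats
# the fields posted in the thread; the osysk.dat block is invented here to
# show what a file that cannot be verified looks like to the policy below.
SAMPLE_SIGCHECK = r"""
c:\windows\system32\kernel32.dll:
        Verified:       Signed
        Signing date:   1:27 PM 3/21/2009
        Strong Name:    Unsigned
        Publisher:      Microsoft Corporation
        Description:    Windows NT BASE API Client DLL
        Product:        Microsoft Windows Operating System
c:\windows\system32\osysk.dat:
        Verified:       Unsigned
        File date:      2:11 PM 5/25/2009
        Publisher:      n/a
        Description:    n/a
"""

# Publishers we accept for binaries living in system32 (assumption for this example).
TRUSTED_PUBLISHERS = {"microsoft corporation", "microsoft windows"}


def parse_sigcheck(text: str) -> Dict[str, Dict[str, str]]:
    """Return {file path: {field name (lower-case): value}} for each report block.

    A block starts with a line that is a path followed by ':' and nothing else;
    every following 'Key:  Value' line belongs to that file. Leading whitespace
    is ignored so the parser also accepts output pasted with indentation lost."""
    reports: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Header: a path ending in ':' with no value after it.
        if line.endswith(":") and ("\\" in line or "/" in line):
            current = line[:-1]
            reports[current] = {}
            continue
        if current is None:
            continue
        # Split on the first colon only: values such as "1:27 PM" contain colons.
        key, sep, value = line.partition(":")
        if sep:
            reports[current][key.strip().lower()] = value.strip()
    return reports


def assess(reports: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Apply a simple policy: a system file must verify as Signed and carry a
    publisher we trust; anything else is marked for manual review."""
    verdicts: Dict[str, str] = {}
    for path, fields in reports.items():
        verified = fields.get("verified", "").lower()
        publisher = fields.get("publisher", "")
        if verified != "signed":
            verdicts[path] = f"REVIEW: Authenticode verification failed ({verified or 'no result'})"
        elif publisher.lower() not in TRUSTED_PUBLISHERS:
            verdicts[path] = f"REVIEW: signed, but publisher is {publisher!r}"
        else:
            verdicts[path] = "ok"
    return verdicts


if __name__ == "__main__":
    for path, verdict in assess(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"{verdict:60} {path}")
```

Two caveats when reading the verdicts: sigcheck reports "Unsigned" for everything when Cryptographic Services is not running, which is why the batch above starts CryptSvc before the first check, and a data file such as osysk.dat can never carry an Authenticode signature, so a REVIEW result on it means "look at its hash on VirusTotal", exactly as the helper asked.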

Hello and no problem!

Do you want to keep the Nitromarketing Bonus files?

We have some more files and registry entries to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

http://www.malwarebytes.org/forums/index.php?showtopic=16196&pid=83994&st=0entry83994
KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\]
"prd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\]
"USF"=-

Collect::[75]
c:\windows\system32\sysloc\sysloc.dll
c:\windows\sonce122730.dat
c:\windows\system32\edacded0_x.dat
c:\windows\system32\krncode.dat
c:\windows\system32\pwrcode.dat
c:\windows\system32\wincode.dat
c:\windows\system32\osysp.dat
c:\windows\system32\osysk.dat
c:\windows\system32\osysw.dat
c:\windows\system32\ldshyf1.old

DirLook::
C:\nitromarketingBonus
c:\windows\system32\796525\
c:\windows\system32\sysloc\

Folder::
c:\windows\system32\sysloc\
c:\windows\system32\796525\

Now, disable your Antivirus active protection and any script blocking programs you may have running - you should re-enable your AV after Combofix produces a log.

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (cartwheel.exe on your desktop)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes and a new HJT log.


Hello, yes I want to keep the Nitro Bonus, do I just delete that section below?

Hello and no problem!

Do you want to keep the Nitromarketing Bonus files?

We have some more files and registry entries to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

http://www.malwarebytes.org/forums/index.php?showtopic=16196&pid=83994&st=0entry83994
KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\]
"prd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\]
"USF"=-

Collect::[75]
c:\windows\system32\sysloc\sysloc.dll
c:\windows\sonce122730.dat
c:\windows\system32\edacded0_x.dat
c:\windows\system32\krncode.dat
c:\windows\system32\pwrcode.dat
c:\windows\system32\wincode.dat
c:\windows\system32\osysp.dat
c:\windows\system32\osysk.dat
c:\windows\system32\osysw.dat
c:\windows\system32\ldshyf1.old

DirLook::
C:\nitromarketingBonus
c:\windows\system32\796525\
c:\windows\system32\sysloc\

Folder::
c:\windows\system32\sysloc\
c:\windows\system32\796525\

Now, disable your Antivirus active protection and any script blocking programs you may have running - you should re-enable your AV after Combofix produces a log.

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (cartwheel.exe on your desktop)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes and a new HJT log.


Here's the new Combofix Log.

ComboFix 09-05-31.02 - Owner 05/31/2009 21:02.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.203 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\bonkers.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

* Created a new restore point

file zipped: c:\windows\sonce122730.dat

file zipped: c:\windows\system32\edacded0_x.dat

file zipped: c:\windows\system32\krncode.dat

file zipped: c:\windows\system32\ldshyf1.old

file zipped: c:\windows\system32\osysk.dat

file zipped: c:\windows\system32\osysp.dat

file zipped: c:\windows\system32\osysw.dat

file zipped: c:\windows\system32\pwrcode.dat

file zipped: c:\windows\system32\wincode.dat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\9g2234wesdf3dfgjf23

c:\windows\sonce122730.dat

c:\windows\system32\796525

c:\windows\system32\edacded0_x.dat

c:\windows\system32\krncode.dat

c:\windows\system32\ldshyf1.old

c:\windows\system32\osysk.dat

c:\windows\system32\osysp.dat

c:\windows\system32\osysw.dat

c:\windows\system32\pwrcode.dat

c:\windows\system32\sysloc

c:\windows\system32\wincode.dat

.

((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))

.

2009-05-28 00:49 . 2009-05-28 00:49 -------- d-----w- c:\windows\system32\Sigcheck

2009-05-28 00:49 . 2009-05-28 00:49 117411 ----a-w- c:\windows\system32\Sigcheck.zip

2009-05-28 00:48 . 2009-05-28 00:35 829 ----a-w- c:\windows\system32\unsignedfiles.bat

2009-05-26 23:54 . 2009-05-27 00:46 -------- d-----w- C:\ark

2009-05-25 23:10 . 2009-05-25 23:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-05-25 23:09 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-25 23:09 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-25 23:09 . 2009-05-26 10:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-05-25 23:09 . 2009-05-25 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-25 23:07 . 2009-05-25 23:07 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0

2009-05-25 22:56 . 2009-05-25 22:57 -------- d-----w- c:\program files\ScreenPrint32 v3

2009-05-25 22:56 . 2009-05-25 22:56 249856 ------w- c:\windows\Setup1.exe

2009-05-25 22:56 . 2009-05-25 22:56 73216 ----a-w- c:\windows\ST6UNST.EXE

2009-05-25 18:03 . 2004-08-04 19:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-05-25 15:03 . 2009-05-25 14:41 19046 ----a-w- C:\sysinfo.zip

2009-05-18 00:24 . 2009-05-18 00:25 -------- d-----w- c:\program files\jv16 PowerTools 2009

2009-05-16 00:20 . 2009-05-16 00:20 -------- d-----w- C:\nitromarketingBonus

2009-05-10 23:42 . 2009-05-10 23:42 -------- d-----w- c:\documents and settings\Owner\.thumbnails

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-01 01:08 . 2009-01-12 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-06-01 01:08 . 2007-03-09 02:39 -------- d-----w- c:\program files\BrainBullet

2009-06-01 01:06 . 2009-01-12 02:56 2928 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-06-01 01:06 . 2009-01-12 02:56 540704 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-06-01 01:06 . 2009-01-12 02:56 2354720 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-06-01 01:06 . 2009-01-12 02:56 19476 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-05-28 00:46 . 2009-02-27 20:22 220560 ----a-w- c:\windows\system32\sigcheck.exe

2009-05-28 00:37 . 2009-02-27 20:22 220560 ----a-w- C:\sigcheck.exe

2009-05-20 23:45 . 2009-01-12 02:58 105395 ----a-w- c:\windows\system32\drivers\klin.dat

2009-05-20 23:45 . 2009-01-12 02:58 94643 ----a-w- c:\windows\system32\drivers\klick.dat

2009-05-11 20:50 . 2005-11-26 23:24 -------- d-----w- c:\program files\Lx_cats

2009-04-18 22:12 . 2008-11-15 17:42 -------- d-----w- c:\program files\Finding Notes Easy

2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w- c:\windows\system32\pdh.dll

2009-05-02 15:59 . 2007-04-22 20:56 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-05-02 15:59 . 2007-04-22 20:56 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-05-02 15:59 . 2007-04-22 20:56 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-05-02 15:59 . 2007-04-22 20:56 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-05-02 15:59 . 2007-04-22 20:56 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\nitromarketingBonus ----

2009-05-16 00:20 . 2004-10-07 19:12 697221 ----a-w- c:\nitromarketingbonus\turn-testimonials-into-traffic.pdf

2009-05-16 00:20 . 2004-10-07 19:12 312167 ----a-w- c:\nitromarketingbonus\READ ME FIRST.pdf

2009-05-16 00:20 . 2004-10-07 19:12 246851 ----a-w- c:\nitromarketingbonus\moneymagnet.exe

2009-05-16 00:20 . 2004-10-07 19:12 352353 ----a-w- c:\nitromarketingbonus\MillionTranscript.pdf

2009-05-16 00:20 . 2004-10-07 19:12 530800 ----a-w- c:\nitromarketingbonus\hypnotic-writing-swipe-file.pdf

2009-05-16 00:20 . 2004-10-07 19:12 393523 ----a-w- c:\nitromarketingbonus\hypnotic-traffic-tools.pdf

2009-05-16 00:20 . 2004-10-07 19:12 471074 ----a-w- c:\nitromarketingbonus\hypnotic-selling-tools.pdf

2009-05-16 00:20 . 2004-10-07 19:12 532709 ----a-w- c:\nitromarketingbonus\hypnotic-selling-stories.pdf

2009-05-16 00:20 . 2004-10-07 19:12 947739 ----a-w- c:\nitromarketingbonus\hypnotic-marketing.pdf

2009-05-16 00:20 . 2004-10-07 19:12 550345 ----a-w- c:\nitromarketingbonus\hypnotic-JVProposals.pdf

2009-05-16 00:20 . 2004-10-07 19:12 376700 ----a-w- c:\nitromarketingbonus\hypnotic-endorsements.pdf

2009-05-16 00:20 . 2004-10-07 19:12 430737 ----a-w- c:\nitromarketingbonus\hypnotic-articles.pdf

2009-05-16 00:20 . 2004-10-07 19:12 812047 ----a-w- c:\nitromarketingbonus\BartonReport.pdf

2009-05-16 00:20 . 2004-10-07 19:12 714396 ----a-w- c:\nitromarketingbonus\advanced-hypnotic-writing.pdf

---- Directory of c:\windows\system32\796525\ ----

---- Directory of c:\windows\system32\sysloc\ ----

((((((((((((((((((((((((((((( SnapShot@2009-05-25_18.06.58 )))))))))))))))))))))))))))))))))))))))))

.

+ 2000-07-15 04:00 . 2000-07-15 04:00 101888 c:\windows\system32\VB6STKIT.DLL

+ 2009-02-27 20:22 . 2009-05-28 00:49 220560 c:\windows\system32\Sigcheck\sigcheck.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-24 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-24 118784]

"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-04-27 69632]

"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-05-04 200704]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-03-20 320168]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-08 98304]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-15 185896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-03-20 668328]

"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-03-20 16040]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-06 206088]

"ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-16 446464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BBStartup.lnk.lnk - c:\program files\BrainBullet\BBStartup.exe [2007-3-8 403968]

BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-10-8 1742384]

Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2005-10-8 729088]

MiniEYE-MiniREAD Launch.lnk - c:\program files\Infinite Mind LC\eyeQ\ARLaunch.exe [2007-9-2 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AOL ACS"=2 (0x2)

"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\WINDOWS\\system32\\lxcgcoms.exe"=

"c:\\WINDOWS\\system32\\lxdxcoms.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=

"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=

"c:\\WINDOWS\\system32\\lxdxcfg.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 7:29 PM 33808]

R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [9/2/2007 11:42 AM 137344]

R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]

R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [9/2/2007 11:42 AM 12032]

R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 8:02 PM 26640]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 7:06 PM 24592]

.

Contents of the 'Scheduled Tasks' folder

2005-11-23 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2005-11-23 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.kaspersky.com/

mStart Page = hxxp://www.gatewaybiz.com

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7m7oly42.default\

FF - prefs.js: browser.search.selectedEngine - Crawler Search

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-31 21:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3932)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\lxdxcoms.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wscntfy.exe

c:\program files\Lexmark 3600-4600 Series\lxdxmsdmon.exe

c:\windows\system32\lxcgcoms.exe

.

**************************************************************************

.

Completion time: 2009-06-01 21:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-01 01:13

ComboFix2.txt 2009-05-27 01:00

ComboFix3.txt 2009-05-25 18:12

Pre-Run: 38,458,699,776 bytes free

Post-Run: 38,445,547,520 bytes free

214 --- E O F --- 2009-05-14 00:16

The script doesn't delete it; it just looks at the files in the directory using the DirLook command, so don't worry - you can continue with the script as is.

Good job!

I would like you to run a complete system scan with the ESET Online Scanner. Expect some detections in Qoobox and System Volume Information (they will not be active malware, so don't worry):

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website, because you must approve the installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start".
  • Check the following two boxes:
    • Enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it:
    • Close the ESET scan window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box.
    • The scan results will now display in Notepad.
  • Please copy and paste the ESET scan report that can be found in this location, C:\Program Files\EsetOnlineScanner\log.txt, into your next reply.

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Please post back:

1. C:\Program Files\EsetOnlineScanner\log.txt

2. A log from an updated MBAM scan

3. A HJT log


Here's my ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)

# OnlineScanner.ocx=1.0.0.5863

# api_version=3.0.2

# EOSSerial=aacce74d91dd34488d10f980ee097f68

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-06-01 04:02:56

# local_time=2009-06-01 12:02:56 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1281 37 100 100 59907379528816

# compatibility_mode=0 0 0 0 0

# scanned=71402

# found=15

# cleaned=15

# scan_time=4554

C:\Documents and Settings\Owner\Desktop\installprivacyprotectorfree.exe Win32/Adware.WinFixer application (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\st_1242343511.exe.vir a variant of Win32/Tinxy.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\st_1242351379.exe.vir a variant of Win32/Tinxy.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\st_1242434008.exe.vir Win32/Tinxy.AE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\SYSDLL.exe.vir a variant of Win32/Tinxy.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir a variant of Win32/Kryptik.NT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Win32/TrojanDownloader.Bredolab.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP401\A0112193.exe a variant of Win32/Kryptik.PT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP401\A0112391.exe a variant of Win32/Tinxy.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP401\A0112393.exe a variant of Win32/Kryptik.NT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP401\A0112394.exe Win32/TrojanDownloader.Bredolab.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP401\A0112399.exe a variant of Win32/Tinxy.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP401\A0112400.exe a variant of Win32/Tinxy.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP401\A0112401.exe Win32/Tinxy.AE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP403\A0112857.exe Win32/Adware.WinFixer application (cleaned by deleting - quarantined) 00000000000000000000000000000000


Malwarebytes' Anti-Malware 1.36

Database version: 2179

Windows 5.1.2600 Service Pack 3

6/1/2009 7:30:22 AM

mbam-log-2009-06-01 (07-30-01).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 153319

Time elapsed: 34 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\fe345.fe345mgr (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\fe345.fe345mgr.1 (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\ty667.ty667mgr.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bb05bd70-4605-4829-93fc-ad80d8cc5b66} (Rogue.PerformanceCenter) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


What is a HJT log?


Hi vmi1816,

This is HJT but you don't have to install or run it, because we started with a DDS scan which is much more thorough:

http://www.trendsecure.com/portal/en-US/to...ools/hijackthis

These are our general posting guidelines when you create a topic:

http://www.malwarebytes.org/forums/index.php?showtopic=9573

Your ESET log only flagged items in Combofix's Qoobox quarantine and in System Volume Information, as anticipated.

The only other item is an installer file but no active malware was found.

Be sure to remove these orphan registry entries in your MBAM log:

Registry Keys Infected:

HKEY_CLASSES_ROOT\fe345.fe345mgr (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\fe345.fe345mgr.1 (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\ty667.ty667mgr.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bb05bd70-4605-4829-93fc-ad80d8cc5b66} (Rogue.PerformanceCenter) -> No action taken.

Again, the above does not represent active malware, so don't worry.

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:

Click Start -> Run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\bonkers.exe" /u

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders.
  • Reset your system clock.

If I asked you to download and run an ARK (Antirootkit program), then delete the contents of the C:\ARK folder and then delete the folder itself.

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI).

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, and select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place", so you can maintain a safe and secure computing environment.

Happy Surfing!
