View Full Version : Here's another Vitrumonde kick! byaaah!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:30 AM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\gqufefue.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\iykktuqk.dll",forkonce
O4 - HKLM\..\RunOnce: [*Bandook] C:\WINDOWS\system32\ali.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Bandook] C:\WINDOWS\system32\ali.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159428030033
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\gqufefue.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 4281 bytes
steamwiz
2007-09-09, 23:29
Hi
Please rename your hijackthis.exe file ...
from this :-
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
To this :-
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe
Some vundo entries will hide from hijackthis unless you rename it first.
steam
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:49 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\gqufefue.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {158624A1-C4D9-4126-8E4E-3FC21B76FD65} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\nufknbht.dll
O2 - BHO: (no name) - {DD8BBF58-5543-4971-8C49-45AEFF3C4456} - C:\WINDOWS\system32\pmkjj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\iykktuqk.dll",forkonce
O4 - HKLM\..\RunOnce: [*Bandook] C:\WINDOWS\system32\ali.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Bandook] C:\WINDOWS\system32\ali.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159428030033
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\gqufefue.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 4915 bytes
steamwiz
2007-09-10, 20:10
Hi
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".
7. Please post the contents of C:\vundofix.txt
If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...
Keep running vundofix untill it gives you the message "no infected files were found"
THEN ...
Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
Please remember to post ...
1. C:\vundofix.txt
2. C:\ComboFix.txt
3. A new hijackthis log (run after the other 2 programs)
steam
here's the vundofix log
VundoFix V6.5.8
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 9:55:04 PM 9/10/2007
Listing files found while scanning....
C:\windows\system32\axffanyk.dll
C:\windows\system32\cuogncpi.dll
C:\WINDOWS\system32\gamhjgin.dll
C:\windows\system32\ipcngouc.ini
C:\windows\system32\iykktuqk.dll
C:\windows\system32\kqutkkyi.ini
C:\windows\system32\kynaffxa.ini
C:\windows\system32\mutvoouw.ini
C:\windows\system32\nigjhmag.ini
C:\WINDOWS\system32\nufknbht.dll
C:\windows\system32\wuoovtum.dll
Beginning removal...
Attempting to delete C:\windows\system32\axffanyk.dll
C:\windows\system32\axffanyk.dll Has been deleted!
Attempting to delete C:\windows\system32\cuogncpi.dll
C:\windows\system32\cuogncpi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gamhjgin.dll
C:\WINDOWS\system32\gamhjgin.dll Could not be deleted.
Attempting to delete C:\windows\system32\ipcngouc.ini
C:\windows\system32\ipcngouc.ini Has been deleted!
Attempting to delete C:\windows\system32\iykktuqk.dll
C:\windows\system32\iykktuqk.dll Has been deleted!
Attempting to delete C:\windows\system32\kqutkkyi.ini
C:\windows\system32\kqutkkyi.ini Has been deleted!
Attempting to delete C:\windows\system32\kynaffxa.ini
C:\windows\system32\kynaffxa.ini Has been deleted!
Attempting to delete C:\windows\system32\mutvoouw.ini
C:\windows\system32\mutvoouw.ini Has been deleted!
Attempting to delete C:\windows\system32\nigjhmag.ini
C:\windows\system32\nigjhmag.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nufknbht.dll
C:\WINDOWS\system32\nufknbht.dll Has been deleted!
Attempting to delete C:\windows\system32\wuoovtum.dll
C:\windows\system32\wuoovtum.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gamhjgin.dll
C:\WINDOWS\system32\gamhjgin.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.8
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 10:03:31 PM 9/10/2007
Listing files found while scanning....
C:\WINDOWS\system32\mulwuift.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\mulwuift.dll
C:\WINDOWS\system32\mulwuift.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.8
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 10:07:05 PM 9/10/2007
Listing files found while scanning....
No infected files were found.
combofix log
ComboFix 07-09-11.1 - "David" 2007-09-10 22:16:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502 [GMT -7:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\David\APPLIC~1\drvcleaner.exe
C:\DOCUME~1\David\APPLIC~1\errsafer.exe
C:\WINDOWS\system32\dignosuq.exe
C:\WINDOWS\system32\gqufefue.exe
C:\WINDOWS\system32\gupnwysk.exe
C:\WINDOWS\system32\ispjijxr.dll
C:\WINDOWS\system32\pjqxbmhy.exe
C:\WINDOWS\system32\rartdcqx.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
.
2007-09-10 21:55 <DIR> d-------- C:\VundoFix Backups
2007-09-07 20:18 2,018,597 ---hs---- C:\WINDOWS\system32\jjkmp.bak2
2007-09-06 23:12 393,224 --a------ C:\sysktqw.exe
2007-09-06 20:18 1,989,302 ---hs---- C:\WINDOWS\system32\jjkmp.bak1
2007-09-06 20:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-06 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-06 13:52 25,165 --a------ C:\WINDOWS\system32\ali.exe
2007-09-05 02:14 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-09-05 02:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-05 02:14 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-05 02:11 244,832 --a------ C:\WINDOWS\system32\pmkjj.dll
2007-08-31 21:23 <DIR> d-------- C:\Program Files\Stardock
2007-08-31 21:23 <DIR> d-------- C:\Program Files\mozilla.org
2007-08-31 21:23 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
2007-08-31 18:48 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-31 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft(2)
2007-08-29 15:42 <DIR> d-------- C:\Temp
2007-08-28 14:22 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-08-28 04:01 <DIR> d-------- C:\Program Files\Logitech
2007-08-28 04:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-08-28 03:59 <DIR> d-------- C:\Program Files\Common Files\logishrd
2007-08-14 09:54 <DIR> d-------- C:\Program Files\CursorXP
2007-08-14 09:40 <DIR> d-------- C:\Program Files\stardock(2)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 19:09 --------- d-------- C:\Program Files\Warcraft III
2007-09-06 18:23 27136 --a------ C:\WINDOWS\drmclient32.dll
2007-09-06 13:35 9728 --a------ C:\WINDOWS\ncscolib.dll
2007-09-06 03:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-06 03:21 8704 --a------ C:\WINDOWS\gmflpr32.dll
2007-09-05 00:59 --------- d-------- C:\DOCUME~1\David\APPLIC~1\LimeWire
2007-09-04 04:18 --------- d-------- C:\DOCUME~1\David\APPLIC~1\Skype
2007-09-02 20:06 --------- d-------- C:\Program Files\World of Warcraft
2007-09-02 20:06 --------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-09-01 03:07 --------- d-------- C:\Program Files\Winamp
2007-08-31 21:23 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 21:23 --------- d-------- C:\Program Files\Common Files\Stardock
2007-04-11 00:05 95696 --a------ C:\DOCUME~1\David\APPLIC~1\sysdoctor.exe
2006-12-31 06:10 24192 --a------ C:\DOCUME~1\David\usbsermptxp.sys
2006-12-31 06:10 22768 --a------ C:\DOCUME~1\David\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{158624A1-C4D9-4126-8E4E-3FC21B76FD65}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{184D5228-AFB4-4A44-B22D-18D21DB3A6AF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90AC398E-BBDA-4843-9FF6-0562743D58AA}]
2007-09-05 02:11 244832 --a------ C:\WINDOWS\system32\pmkjj.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Bandook"="C:\WINDOWS\system32\ali.exe" [2007-09-06 13:52]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"*Bandook"=C:\WINDOWS\system32\ali.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 21:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\pmkjj
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\rwinqpdt.exe CHD003
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Audio Studio V2.0]
C:\WINDOWS\fmideploy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
C:\WINDOWS\system32\lsasss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
"C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Visual Enhance V2.1]
C:\WINDOWS\iuntfs32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NovaBackup 7 Tray Control]
"C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
C:\WINDOWS\system32\regscan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\backup files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\mygjmbkh.dll",forkonce
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{93-31-1B-B4-ZN}]
c:\windows\system32\opdsrngs.exe CHD003
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Visual Enhance V2.1]
C:\WINDOWS\iuntfs32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}]
C:\WINDOWS\system32\ali.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-10 07:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 16:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 17:00:00 C:\WINDOWS\Tasks\At11.job"
"2007-09-10 18:00:00 C:\WINDOWS\Tasks\At12.job"
"2007-09-10 19:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 20:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 21:00:00 C:\WINDOWS\Tasks\At15.job"
"2007-09-10 22:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 23:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-11 00:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-11 01:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 08:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-11 02:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-11 03:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-11 04:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-11 05:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 06:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 07:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 08:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 09:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 10:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 11:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 09:00:00 C:\WINDOWS\Tasks\At3.job"
"2007-09-10 12:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 13:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 14:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 15:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 16:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 17:00:00 C:\WINDOWS\Tasks\At35.job"
"2007-09-10 18:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 19:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 20:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 21:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 10:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 22:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 23:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-11 00:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-11 01:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-11 02:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-11 03:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-11 04:00:00 C:\WINDOWS\Tasks\At46.job"
"2007-09-11 05:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 06:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\J4I382td.exe
"2007-09-10 11:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 12:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 13:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
"2007-09-10 14:00:00 C:\WINDOWS\Tasks\At8.job"
"2007-09-10 15:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\8nOS6W8A.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 22:22:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\jjkmp.tmp
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2007-09-10 22:24:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-10 22:24
C:\ComboFix2.txt ... 2007-09-06 20:20
.
--- E O F ---
hjt log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:30 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {158624A1-C4D9-4126-8E4E-3FC21B76FD65} - (no file)
O2 - BHO: (no name) - {184D5228-AFB4-4A44-B22D-18D21DB3A6AF} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {90AC398E-BBDA-4843-9FF6-0562743D58AA} - C:\WINDOWS\system32\pmkjj.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [*Bandook] C:\WINDOWS\system32\ali.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Bandook] C:\WINDOWS\system32\ali.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159428030033
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 4739 bytes
steamwiz
2007-09-11, 21:59
Hi
Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
O2 - BHO: (no name) - {158624A1-C4D9-4126-8E4E-3FC21B76FD65} - (no file)
O2 - BHO: (no name) - {184D5228-AFB4-4A44-B22D-18D21DB3A6AF} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {90AC398E-BBDA-4843-9FF6-0562743D58AA} - C:\WINDOWS\system32\pmkjj.dll
O4 - HKLM\..\RunOnce: [*Bandook] C:\WINDOWS\system32\ali.exe
O4 - HKCU\..\Run: C:\WINDOWS\system32\ali.exe
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
Then...
Open notepad and copy/paste the text in the code box below into it:
[b]NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\jjkmp.bak2
C:\sysktqw.exe
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\ali.exe
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\jjkmp.tmp
C:\WINDOWS\gmflpr32.dll
C:\WINDOWS\system32\rwinqpdt.exe
C:\WINDOWS\iuntfs32.exe
C:\WINDOWS\system32\mygjmbkh.dll
c:\windows\system32\opdsrngs.exe
C:\WINDOWS\iuntfs32.exe
C:\WINDOWS\system32\ali.exe
C:\WINDOWS\system32\8nOS6W8A.exe
C:\WINDOWS\system32\J4I382td.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Folder::
C:\Temp
C:\Program Files\Common Files\WinAntiSpyware 2007
Driver::
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Visual Enhance V2.1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{93-31-1B-B4-ZN}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Visual Enhance V2.1]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}]
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
steam
steamwiz
2007-09-12, 23:42
wats tick?
I presume you are referring to this :-
run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked)
Place the cursor over the box at the beginning of the lines I have listed in hijackthis & left click ... this places a "tick" otherwise called a "checkmark" in the box ... you know I think you're the first person who hasn't understood my instructions for doing this, in the last 5 years ... I thought those instructions were impossible to misunderstand.
steam
:oops: hehe i am from america
well heres the combofix log
ComboFix 07-09-11.1 - "David" 2007-09-13 0:29:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.517 [GMT -7:00]
* Created a new restore point
FILE::
C:\WINDOWS\system32\jjkmp.bak2
C:\sysktqw.exe
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\ali.exe
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\jjkmp.tmp
C:\WINDOWS\gmflpr32.dll
C:\WINDOWS\system32\rwinqpdt.exe
C:\WINDOWS\iuntfs32.exe
C:\WINDOWS\system32\mygjmbkh.dll
c:\windows\system32\opdsrngs.exe
C:\WINDOWS\system32\8nOS6W8A.exe
C:\WINDOWS\system32\J4I382td.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\sysktqw.exe
C:\Temp
C:\WINDOWS\cookies.ini
C:\WINDOWS\gmflpr32.dll
C:\WINDOWS\system32\8nOS6W8A.exe
C:\WINDOWS\system32\ali.exe
C:\WINDOWS\system32\avmxumci.dll
C:\WINDOWS\system32\hejhcdir.dll
C:\WINDOWS\system32\icmuxmva.ini
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.bak2
C:\WINDOWS\system32\kdkqvuiq.exe
C:\WINDOWS\system32\nvsggyig.exe
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\qnfncbpi.dll
C:\WINDOWS\system32\ridchjeh.ini
C:\WINDOWS\system32\uevqsjoi.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.
2007-09-10 21:55 <DIR> d-------- C:\VundoFix Backups
2007-09-06 20:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-06 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 02:14 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-09-05 02:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-05 02:14 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-08-31 21:23 <DIR> d-------- C:\Program Files\Stardock
2007-08-31 21:23 <DIR> d-------- C:\Program Files\mozilla.org
2007-08-31 21:23 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
2007-08-31 18:48 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-08-31 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft(2)
2007-08-28 14:22 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-08-28 04:01 <DIR> d-------- C:\Program Files\Logitech
2007-08-28 04:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-08-28 03:59 <DIR> d-------- C:\Program Files\Common Files\logishrd
2007-08-14 09:54 <DIR> d-------- C:\Program Files\CursorXP
2007-08-14 09:40 <DIR> d-------- C:\Program Files\stardock(2)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 01:46 --------- d-------- C:\Program Files\Warcraft III
2007-09-06 18:23 27136 --a------ C:\WINDOWS\drmclient32.dll
2007-09-06 13:35 9728 --a------ C:\WINDOWS\ncscolib.dll
2007-09-06 03:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-05 00:59 --------- d-------- C:\DOCUME~1\David\APPLIC~1\LimeWire
2007-09-04 04:18 --------- d-------- C:\DOCUME~1\David\APPLIC~1\Skype
2007-09-02 20:06 --------- d-------- C:\Program Files\World of Warcraft
2007-09-02 20:06 --------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-09-01 03:07 --------- d-------- C:\Program Files\Winamp
2007-08-31 21:23 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-31 21:23 --------- d-------- C:\Program Files\Common Files\Stardock
2007-04-11 00:05 95696 --a------ C:\DOCUME~1\David\APPLIC~1\sysdoctor.exe
2006-12-31 06:10 24192 --a------ C:\DOCUME~1\David\usbsermptxp.sys
2006-12-31 06:10 22768 --a------ C:\DOCUME~1\David\usbsermpt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90AC398E-BBDA-4843-9FF6-0562743D58AA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-06 21:16 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\pmkjj
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intel Audio Studio V2.0]
C:\WINDOWS\fmideploy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
C:\WINDOWS\system32\lsasss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
"C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NovaBackup 7 Tray Control]
"C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
C:\WINDOWS\system32\regscan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\backup files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 00:35:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-13 0:36:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-13 00:36
C:\ComboFix2.txt ... 2007-09-10 22:24
C:\ComboFix3.txt ... 2007-09-06 20:20
.
--- E O F ---
hjt log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:00 AM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\party poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159428030033
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 4062 bytes
steamwiz
2007-09-13, 23:12
Hi
Your log's are clean now ... :)
Are your problems resolved ?
steam
yes no more pop up's! :D
THANKS ALOT Spybot team and Steamwiz!
steamwiz
2007-09-14, 20:02
You're very welcome :)
Happy surfing
steam