Bankerfox.a, win32/nuqel.e, and other issues


Solved Re: Bankerfox.a, win32/nuqel.e, and other issues

Post by PENGUINKK on Thu Feb 05, 2009 12:23 am

I don't know. It just got back to the desktop and I have the log, but I can't get to the internet, so the only way I can post it is through the flash drive. What should I do to get the malware off the drive? And I think it's still on my other computer as well. Trend Micro couldn't get rid of it and didn't bother to quarantine it for me.

PENGUINKK
Novice

Posts: 42
Joined: 2009-02-03
OS: Windows Vista 32 bit Home Edition
Points: 28753
Likes: 0


Post by Belahzur on Thu Feb 05, 2009 12:25 am

Use the other machine, but hold down the shift key when you plug it in; this should bypass the autorun.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1


Post by PENGUINKK on Thu Feb 05, 2009 12:29 am

ComboFix 09-01-10.01 - Kevin Kaminski 2009-02-04 19:09:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.173 [GMT -5:00]
Running from: E:\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\Kevin Kaminski\Kevin Kaminski.exe
c:\program files\INSTALL.LOG
c:\windows\system32\iehelper.dll
c:\windows\system32\msrdo20.dll
c:\windows\system32\rdocurs.dll
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 19:14 . 9,216 c:\windows\system32\iehelper.dll
2009-02-04 19:13 . 2009-02-04 19:13 33,920 --a------ c:\windows\system32\drivers\epzinkyu.sys
2009-02-04 19:13 . 2009-02-04 19:13 44 --a------ c:\windows\system32\8.tmp
2009-02-04 18:46 . 2008-04-13 19:11 96,256 --a------ c:\windows\system32\ati2cqa.dll
2009-02-04 18:46 . 2009-02-04 18:46 66,560 ---h----- c:\windows\system32\secupdat.dat
2009-02-04 18:46 . 2009-02-04 18:46 53,248 --a------ c:\windows\system32\drivers\ndisio.sys
2009-02-04 18:46 . 2009-02-04 18:46 32,768 --ah----- c:\documents and settings\Kevin Kaminski\vopxq.exe
2009-02-04 18:46 . 2009-02-04 18:46 616 --a------ c:\windows\system32\3A.tmp
2009-02-04 18:46 . 2009-02-04 18:46 44 --a------ c:\windows\system32\37.tmp
2009-02-03 22:00 . 2009-02-03 21:59 398,340 --a------ c:\windows\sysguard.exe
2009-02-03 22:00 . 2009-02-03 22:00 15,000 --a------ c:\windows\system32\_hs78k4rgf4d.dll
2009-02-03 21:37 . 2009-02-03 21:37 d-------- C:\_OTMoveIt
2009-02-03 16:44 . 2009-02-03 16:44 d-------- c:\windows\system32\CatRoot2-Old
2009-02-02 22:27 . 2009-02-02 22:27 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-02 22:26 . 2009-02-02 22:26 d-------- c:\program files\SUPERAntiSpyware
2009-02-02 22:26 . 2009-02-02 22:26 d-------- c:\documents and settings\Kevin Kaminski\Application Data\SUPERAntiSpyware.com
2009-02-02 22:25 . 2009-02-02 22:25 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-02 22:07 . 2009-02-02 22:07 d-------- c:\program files\Trend Micro
2009-02-02 21:01 . 2009-02-02 21:01 d-------- c:\program files\Prevx
2009-02-02 21:01 . 2009-02-02 21:01 d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-02 21:01 . 2009-02-02 21:01 21,512 --a------ c:\windows\system32\drivers\pxscan.sys
2009-02-02 21:01 . 2009-02-02 21:01 67 --a------ c:\windows\wininit.ini
2009-02-02 17:15 . 2009-02-02 17:15 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-01 20:49 . 2008-04-13 19:12 43,520 --a------ c:\windows\system32\stu2.exe
2009-01-28 18:54 . 2009-01-28 18:54 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-28 18:54 . 2009-01-28 18:54 1,409 --a------ c:\windows\QTFont.for
2009-01-26 16:57 . 2009-01-26 16:57 d-------- c:\documents and settings\Kevin Kaminski\Application Data\Malwarebytes
2009-01-26 16:57 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 16:56 . 2009-02-02 22:09 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 16:56 . 2009-01-26 16:56 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 16:56 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 17:38 . 2009-01-20 17:38 d-------- c:\program files\about_files
2009-01-20 17:18 . 2009-01-20 17:47 d-------- c:\documents and settings\Kevin Kaminski\workspace
2009-01-20 17:15 . 2009-01-20 17:17 d-------- c:\program files\eclipse
2009-01-18 16:08 . 2009-01-18 16:08 d-------- c:\program files\BitZipper
2009-01-18 16:08 . 2009-01-18 16:08 d-------- c:\documents and settings\Kevin Kaminski\Application Data\BitZipper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 00:13 31,616 ----a-w c:\windows\system32\drivers\Winko72.sys
2009-02-05 00:13 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-02 22:45 806 -c--a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-02-02 22:45 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-02 22:45 10,635 -c--a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-02 22:45 --------- d-----w c:\program files\Symantec
2009-01-23 02:31 139,152 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-19 19:49 --------- d-----w c:\documents and settings\Kevin Kaminski\Application Data\PLT Scheme
2008-12-08 21:49 --------- d-----w c:\program files\Synthesia
2008-12-08 21:49 --------- d-----w c:\documents and settings\Kevin Kaminski\Application Data\Synthesia
2008-12-06 21:59 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 21:58 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-06 21:57 --------- d-----w c:\program files\TabPlayer
2008-12-06 21:55 --------- d-----w c:\program files\Real
2008-12-06 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-12-06 21:42 --------- d-----w c:\program files\Punch! Super Home
2008-12-06 21:40 --------- d-----w c:\program files\EA GAMES
2008-12-06 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-12-06 19:03 --------- d-----w c:\program files\WorldOfGooDemo
2008-09-06 22:19 22,328 -c--a-w c:\documents and settings\Kevin Kaminski\Application Data\PnkBstrK.sys
2008-06-18 13:54 7,959 ----a-w c:\program files\about.html
2008-06-18 13:54 589 ----a-w c:\program files\.classpath
2008-06-18 13:54 373 ----a-w c:\program files\.project
2008-06-18 13:54 2,073,870 ----a-w c:\program files\swt-debug.jar
2008-06-18 13:54 1,488,516 ----a-w c:\program files\swt.jar
2000-09-18 22:07 2,285,568 ----a-w c:\program files\Power Tab Editor.exe
2008-05-18 22:36 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat
.
c:\windows\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2007-03-08 15:36:28 c:\windows\$NtServicePackUninstall$\user32.dll
577,024 2004-08-04 08:00:00 c:\windows\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 c:\windows\ServicePackFiles\i386\user32.dll
578,560 2009-02-02 22:15:51 c:\windows\system32\user32.DLL
578,560 2009-02-02 22:15:51 c:\windows\system32\dllcache\user32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2008-01-14 86016]
"PhanTim30"="c:\program files\PhanTim3\PhanTim3.exe" [2004-06-14 1229312]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1850608]
"sysguard"="c:\windows\sysguard.exe" [2009-02-03 398340]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 118874]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 708698]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 254014]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 192512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-05 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 274432]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 69632]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 262144]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 139264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-12 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\documents and settings\Kevin Kaminski\vopxq.exe \s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\epzinkyu.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winko72.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Kaminski^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 32768 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1712640 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2005-05-12 06:02 118784 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-05-12 05:33 57452 c:\program files\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-05 20:41 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe


Post by PENGUINKK on Thu Feb 05, 2009 12:30 am

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\stu2.exe"=
"c:\\Program Files\\Prevx\\prevx.exe"=
"c:\\WINDOWS\\Explorer.EXE"=

R0 epzinkyu;epzinkyu;c:\windows\system32\drivers\epzinkyu.sys [2009-02-04 33920]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-02 21512]
R0 Winko72;Winko72;c:\windows\system32\drivers\Winko72.sys [2008-12-09 31616]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-08-26 99376]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-02-02 4107832]
R4 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-04-16 689416]
S1 nfr.sys;nfr.sys;\??\c:\windows\system32\drivers\nfr.sys --> c:\windows\system32\drivers\nfr.sys [?]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-04-16 894216]
S4 DNADownloader;DNADownloader;c:\program files\GameSpot\DownloadManager_Win32.exe --> c:\program files\GameSpot\DownloadManager_Win32.exe [?]
S4 Logical Disk Manager (NDIS);Logical Disk Manager (NDIS);c:\program files\system\smss.exe --> c:\program files\system\smss.exe [?]
S4 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-04 22784]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - EPZINKYU
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dad.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 01:38]

2009-02-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []

2009-02-05 c:\windows\Tasks\tezxinug.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Kevin Kaminski - c:\documents and settings\Kevin Kaminski\Kevin Kaminski.exe
HKCU-Run-jsf8uiw3jnjgffght - c:\windows\TEMP\winlognn.exe
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-jsf8uiw3jnjgffght - c:\windows\TEMP\winlognn.exe
HKU-Default-Run-jsf8uiw3jnjgffght - c:\windows\TEMP\winlognn.exe
HKU-Default-Run-tezrtsjhfr84iusjfo84f - c:\windows\TEMP\csrssc.exe
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
Notify-WinCtrl32 - WinCtrl32.dll
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Uniblue RegistryBooster2 - f:\uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-02-04 19:13:58
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?5?7?9??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxraehxued.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-529307107-3761115793-1089377387-1006\Software\CrucialSoft Ltd\MS AntiSpyware 2009\5.7]
@DACL=(02 0000)
"Start Counter"=dword:00000001
"InstallTime"=hex:79,bf,0b,08,d7,74,e3,40

[HKEY_USERS\S-1-5-21-529307107-3761115793-1089377387-1006\Software\id\Doom95\Config\ (* *]
"mouse_sensitivity"=dword:00000009
"sfx_volume"=dword:00000008
"music_volume"=dword:00000003
"show_messages"=dword:00000001
"key_right"=dword:0000004d
"key_left"=dword:0000004b
"key_up"=dword:00000048
"key_down"=dword:00000050
"key_strafeleft"=dword:00000033
"key_straferight"=dword:00000034
"key_fire"=dword:0000001d
"key_use"=dword:00000039
"key_strafe"=dword:00000038
"key_speed"=dword:00000036
"use_mouse"=dword:00000000
"full_screen"=dword:00000000
"full_keyboard"=dword:00000000
"mouseb_fire"=dword:00000000
"mouseb_strafe"=dword:00000001
"mouseb_forward"=dword:00000002
"use_joystick"=dword:00000000
"joyb_fire"=dword:00000000
"joyb_strafe"=dword:00000001
"joyb_use"=dword:00000003
"joyb_speed"=dword:00000002
"joy_id"=dword:00000000
"joy_axis_map"="yx "
"joy_feedback_DLL"=""
"joy_move_threshold"=dword:00000800
"joy_move_sensitivity"=dword:00000250
"joy_turn_threshold"=dword:00001000
"joy_turn_sensitivity"=dword:00000020
"joyb_fist_saw"=dword:ffffffff
"joyb_pistol"=dword:ffffffff
"joyb_shotgun"=dword:ffffffff
"joyb_chaingun"=dword:ffffffff
"joyb_missile"=dword:ffffffff
"joyb_plasma"=dword:ffffffff
"joyb_bfg"=dword:ffffffff
"joyb_inc"=dword:ffffffff
"joyb_dec"=dword:ffffffff
"screenblocks"=dword:00000008
"detaillevel"=dword:00000000
"snd_channels"=dword:00000003
"usegamma"=dword:00000000
"chatmacro0"="No"
"chatmacro1"="I'm ready to kick butt!"
"chatmacro2"="I'm OK."
"chatmacro3"="I'm not looking too good!"
"chatmacro4"="Help!"
"chatmacro5"="You suck!"
"chatmacro6"="Next time, scumbag..."
"chatmacro7"="Come here!"
"chatmacro8"="I'll take care of it."
"chatmacro9"="Yes"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxraehxued.sys"
"group"="file system"
"userdata"=dword:ffffffff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WinCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\Temp\BN5.tmp
c:\windows\Temp\BN6.tmp
c:\program files\Hp\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-04 19:17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 00:17:51

Pre-Run: 33,963,139,072 bytes free
Post-Run: 34,049,560,576 bytes free

335 --- E O F --- 2008-07-08 22:03:01


Post by Belahzur on Thu Feb 05, 2009 12:40 am

Hello.
As you know, there is serious damage done. The malware is using a legit service name, so I can't kill it; otherwise I kill your machine at the same time. This is why I want you to format; there is no other option, this can't be fixed.

But, I will post this and this is all I can do.
Please plug the infected stick back in this machine (the one we're working on; CF will delete that autorun.inf file for us).
Please download a new version of Combofix too from my link location.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
epzinkyu
Winko72
nfr.sys
ws2_32sik

File::
c:\windows\system32\iehelper.dll
c:\windows\system32\drivers\epzinkyu.sys
c:\windows\system32\8.tmp
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\secupdat.dat
c:\documents and settings\Kevin Kaminski\vopxq.exe
c:\windows\system32\3A.tmp
c:\windows\system32\37.tmp
c:\windows\sysguard.exe
c:\windows\system32\_hs78k4rgf4d.dll
c:\windows\system32\drivers\Winko72.sys
c:\windows\Tasks\tezxinug.job
c:\windows\system32\WinCtrl32.dll

Folder::
C:\_OTMoveIt
c:\program files\system

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
[HKEY_USERS\S-1-5-21-529307107-3761115793-1089377387-1006\Software\CrucialSoft Ltd\MS AntiSpyware 2009\5.7]

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysguard"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\epzinkyu.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winko72.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\stu2.exe"=-
"c:\\WINDOWS\\Explorer.EXE"=-
[-HKEY_USERS\S-1-5-21-529307107-3761115793-1089377387-1006\Software\CrucialSoft Ltd\MS AntiSpyware 2009\5.7]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again. Agree to its terms and allow it to run; it may want to reboot after it's done. Post the resulting log back here.



Post by PENGUINKK on Thu Feb 05, 2009 12:47 am

Ah, that's alright. I didn't have very high hopes in the first place, and I would never trust my computer again even if it was fixed. I asked my computer programming teacher about reformatting, and he told me for Dell and HP laptops that Windows XP is actually stored on a hidden partition on the laptop itself, so I can reformat without the disc.

And so I'm doing your entire next step on the healthy computer?


Post by PENGUINKK on Thu Feb 05, 2009 12:48 am

And where's the link to the new version of Combofix?


Post by Belahzur on Thu Feb 05, 2009 12:53 am

No, leave the healthy computer alone. Run the script from the infected one, and have the flash drive plugged in at the same time.

Yes, XP has a hidden formatting-like button on it; it's called Factory Restore.
Once we remove the flash drive infection, the stick should be fine, but the machine will still be junk.

Link:
[You must be registered and logged in to see this link.]



Post by PENGUINKK on Thu Feb 05, 2009 1:06 am

Alright, it's running right now. So once it's finished, the stick will not get infected from transferring the log file back to the healthy computer? And if Trend detected the autorun, does that mean it has infected the healthy computer, or was it just on the stick?


Post by Belahzur on Thu Feb 05, 2009 1:08 am

It was just the stick.
The other machine should be fine, but we'll check once we're done here.



Post by PENGUINKK on Thu Feb 05, 2009 1:13 am

ComboFix 09-01-10.01 - Kevin Kaminski 2009-02-04 20:03:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.129 [GMT -5:00]
Running from: c:\documents and settings\Kevin Kaminski\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kevin Kaminski\Desktop\CFscript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\documents and settings\Kevin Kaminski\vopxq.exe
c:\windows\sysguard.exe
c:\windows\system32\_hs78k4rgf4d.dll
c:\windows\system32\37.tmp
c:\windows\system32\3A.tmp
c:\windows\system32\8.tmp
c:\windows\system32\drivers\epzinkyu.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\Winko72.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\secupdat.dat
c:\windows\system32\WinCtrl32.dll
c:\windows\Tasks\tezxinug.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\02032009_215117\2097053319
c:\_otmoveit\MovedFiles\02032009_215117\autorun.inf
c:\_otmoveit\MovedFiles\02032009_215117\btuplu.exe
c:\_otmoveit\MovedFiles\02032009_215117\bukcdll.exe
c:\_otmoveit\MovedFiles\02032009_215117\dnwqxus.exe
c:\_otmoveit\MovedFiles\02032009_215117\docume~1\kevink~1\LOCALS~1\Temp\inC.tmp
c:\_otmoveit\MovedFiles\02032009_215117\docume~1\kevink~1\LOCALS~1\Temp\tmp22.tmp
c:\_otmoveit\MovedFiles\02032009_215117\docume~1\kevink~1\LOCALS~1\Temp\tmp23.tmp
c:\_otmoveit\MovedFiles\02032009_215117\iwvrf.exe
c:\_otmoveit\MovedFiles\02032009_215117\jlpooc.exe
c:\_otmoveit\MovedFiles\02032009_215117\mlevsfdk.exe
c:\_otmoveit\MovedFiles\02032009_215117\program files\src.zip
c:\_otmoveit\MovedFiles\02032009_215117\program files\system\smss.exe
c:\_otmoveit\MovedFiles\02032009_215117\program files\system\smss.exe.assembly
c:\_otmoveit\MovedFiles\02032009_215117\pyvtw.exe
c:\_otmoveit\MovedFiles\02032009_215117\windows\mqcd.dbt
c:\_otmoveit\MovedFiles\02032009_215117\windows\pp1.exe
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\azton.mt
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\dedwf.lp
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\do8d.sr
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\drivers\0.exe
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\drivers\nfr.sys
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\eaaivdtc.ini
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\htbnrm
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\jvtkml.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\kukezifu.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\mmmlujlu.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\ncatng.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\qzhr1.ant
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\re3d.pf
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\rer.wa
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\TDSSlonv.dat
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\twain32\local.ds
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\twain32\user.ds
c:\_otmoveit\MovedFiles\02032009_215117\windows\system32\WinCtrl32.dll
c:\_otmoveit\MovedFiles\02032009_215117\windows\temp\576718.tmp
c:\_otmoveit\MovedFiles\02032009_215117\windows\ynh.dx
c:\_otmoveit\MovedFiles\02032009_215321.log
c:\_otmoveit\MovedFiles\02032009_215321.res
c:\_otmoveit\MovedFiles\02032009_215321\autorun.inf
c:\windows\sysguard.exe
c:\windows\system32\_hs78k4rgf4d.dll
c:\windows\system32\37.tmp
c:\windows\system32\3A.tmp
c:\windows\system32\8.tmp
c:\windows\system32\drivers\epzinkyu.sys
c:\windows\system32\drivers\ndisio.sys
c:\windows\system32\drivers\Winko72.sys
c:\windows\system32\secupdat.dat
c:\windows\Tasks\tezxinug.job

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 18:46 . 2008-04-13 19:11 96,256 --a------ c:\windows\system32\ati2cqa.dll
2009-02-04 18:46 . 2009-02-04 18:46 32,768 --ah----- c:\documents and settings\Kevin Kaminski\vopxq.exe
2009-02-03 16:44 . 2009-02-03 16:44 d-------- c:\windows\system32\CatRoot2-Old
2009-02-02 22:27 . 2009-02-02 22:27 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-02 22:26 . 2009-02-02 22:26 d-------- c:\program files\SUPERAntiSpyware
2009-02-02 22:26 . 2009-02-02 22:26 d-------- c:\documents and settings\Kevin Kaminski\Application Data\SUPERAntiSpyware.com
2009-02-02 22:25 . 2009-02-02 22:25 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-02 22:07 . 2009-02-02 22:07 d-------- c:\program files\Trend Micro
2009-02-02 21:01 . 2009-02-02 21:01 d-------- c:\program files\Prevx
2009-02-02 21:01 . 2009-02-02 21:01 d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-02 21:01 . 2009-02-02 21:01 21,512 --a------ c:\windows\system32\drivers\pxscan.sys
2009-02-02 21:01 . 2009-02-02 21:01 67 --a------ c:\windows\wininit.ini
2009-02-02 17:15 . 2009-02-02 17:15 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-02-02 16:31 . 2009-02-02 16:31 75,264 --a------ c:\windows\system32\drivers\gaopdxraehxued.sys
2009-02-02 16:31 . 2009-02-04 19:12 4 --a------ c:\windows\system32\gaopdxcounter
2009-02-01 20:49 . 2008-04-13 19:12 43,520 --a------ c:\windows\system32\stu2.exe
2009-01-28 18:54 . 2009-01-28 18:54 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-28 18:54 . 2009-01-28 18:54 1,409 --a------ c:\windows\QTFont.for
2009-01-26 16:57 . 2009-01-26 16:57 d-------- c:\documents and settings\Kevin Kaminski\Application Data\Malwarebytes
2009-01-26 16:57 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 16:56 . 2009-02-02 22:09 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 16:56 . 2009-01-26 16:56 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 16:56 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 17:38 . 2009-01-20 17:38 d-------- c:\program files\about_files
2009-01-20 17:18 . 2009-01-20 17:47 d-------- c:\documents and settings\Kevin Kaminski\workspace
2009-01-20 17:15 . 2009-01-20 17:17 d-------- c:\program files\eclipse
2009-01-18 16:08 . 2009-01-18 16:08 d-------- c:\program files\BitZipper
2009-01-18 16:08 . 2009-01-18 16:08 d-------- c:\documents and settings\Kevin Kaminski\Application Data\BitZipper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 01:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-02 22:45 806 -c--a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-02-02 22:45 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-02 22:45 10,635 -c--a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-02 22:45 --------- d-----w c:\program files\Symantec
2009-01-23 02:31 139,152 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-19 19:49 --------- d-----w c:\documents and settings\Kevin Kaminski\Application Data\PLT Scheme
2008-12-08 21:49 --------- d-----w c:\program files\Synthesia
2008-12-08 21:49 --------- d-----w c:\documents and settings\Kevin Kaminski\Application Data\Synthesia
2008-12-06 21:59 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 21:58 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-06 21:57 --------- d-----w c:\program files\TabPlayer
2008-12-06 21:55 --------- d-----w c:\program files\Real
2008-12-06 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-12-06 21:42 --------- d-----w c:\program files\Punch! Super Home
2008-12-06 21:40 --------- d-----w c:\program files\EA GAMES
2008-12-06 19:04 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-12-06 19:03 --------- d-----w c:\program files\WorldOfGooDemo
2008-09-06 22:19 22,328 -c--a-w c:\documents and settings\Kevin Kaminski\Application Data\PnkBstrK.sys
2008-06-18 13:54 7,959 ----a-w c:\program files\about.html
2008-06-18 13:54 589 ----a-w c:\program files\.classpath
2008-06-18 13:54 373 ----a-w c:\program files\.project
2008-06-18 13:54 2,073,870 ----a-w c:\program files\swt-debug.jar
2008-06-18 13:54 1,488,516 ----a-w c:\program files\swt.jar
2000-09-18 22:07 2,285,568 ----a-w c:\program files\Power Tab Editor.exe
2008-05-18 22:36 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat
.
c:\windows\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2007-03-08 15:36:28 c:\windows\$NtServicePackUninstall$\user32.dll
577,024 2004-08-04 08:00:00 c:\windows\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 c:\windows\ServicePackFiles\i386\user32.dll
578,560 2009-02-02 22:15:51 c:\windows\system32\user32.DLL
578,560 2009-02-02 22:15:51 c:\windows\system32\dllcache\user32.dll


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-05 00:12:50 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-05 01:05:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-05 00:12:50 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-05 01:05:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-05 00:12:50 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-05 01:05:49 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2008-01-14 86016]
"PhanTim30"="c:\program files\PhanTim3\PhanTim3.exe" [2004-06-14 1229312]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1850608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 118874]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 708698]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 254014]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 192512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-05 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 274432]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 69632]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 262144]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 139264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-05-12 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]


Post by PENGUINKK on Thu Feb 05, 2009 1:13 am

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\documents and settings\Kevin Kaminski\vopxq.exe \s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Kaminski^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 32768 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1712640 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2005-05-12 06:02 118784 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-05-12 05:33 57452 c:\program files\Java\jre1.5.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-05 20:41 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\Program Files\\Prevx\\prevx.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-02 21512]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-08-26 99376]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-04-16 894216]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R4 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-02-02 4107832]
R4 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-04-16 689416]
S0 epzinkyu;epzinkyu;c:\windows\system32\Drivers\epzinkyu.sys --> c:\windows\system32\Drivers\epzinkyu.sys [?]
S0 Winko72;Winko72;c:\windows\system32\Drivers\Winko72.sys --> c:\windows\system32\Drivers\Winko72.sys [?]
S1 nfr.sys;nfr.sys;\??\c:\windows\system32\drivers\nfr.sys --> c:\windows\system32\drivers\nfr.sys [?]
S4 DNADownloader;DNADownloader;c:\program files\GameSpot\DownloadManager_Win32.exe --> c:\program files\GameSpot\DownloadManager_Win32.exe [?]
S4 Logical Disk Manager (NDIS);Logical Disk Manager (NDIS);c:\program files\system\smss.exe --> c:\program files\system\smss.exe [?]
S4 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-04 22784]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dad.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 01:38]

2009-02-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:7070
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-02-04 20:06:40
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?5?7?9??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxjvnqiidl.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-529307107-3761115793-1089377387-1006\Software\id\Doom95\Config\ (* *]
"mouse_sensitivity"=dword:00000009
"sfx_volume"=dword:00000008
"music_volume"=dword:00000003
"show_messages"=dword:00000001
"key_right"=dword:0000004d
"key_left"=dword:0000004b
"key_up"=dword:00000048
"key_down"=dword:00000050
"key_strafeleft"=dword:00000033
"key_straferight"=dword:00000034
"key_fire"=dword:0000001d
"key_use"=dword:00000039
"key_strafe"=dword:00000038
"key_speed"=dword:00000036
"use_mouse"=dword:00000000
"full_screen"=dword:00000000
"full_keyboard"=dword:00000000
"mouseb_fire"=dword:00000000
"mouseb_strafe"=dword:00000001
"mouseb_forward"=dword:00000002
"use_joystick"=dword:00000000
"joyb_fire"=dword:00000000
"joyb_strafe"=dword:00000001
"joyb_use"=dword:00000003
"joyb_speed"=dword:00000002
"joy_id"=dword:00000000
"joy_axis_map"="yx "
"joy_feedback_DLL"=""
"joy_move_threshold"=dword:00000800
"joy_move_sensitivity"=dword:00000250
"joy_turn_threshold"=dword:00001000
"joy_turn_sensitivity"=dword:00000020
"joyb_fist_saw"=dword:ffffffff
"joyb_pistol"=dword:ffffffff
"joyb_shotgun"=dword:ffffffff
"joyb_chaingun"=dword:ffffffff
"joyb_missile"=dword:ffffffff
"joyb_plasma"=dword:ffffffff
"joyb_bfg"=dword:ffffffff
"joyb_inc"=dword:ffffffff
"joyb_dec"=dword:ffffffff
"screenblocks"=dword:00000008
"detaillevel"=dword:00000000
"snd_channels"=dword:00000003
"usegamma"=dword:00000000
"chatmacro0"="No"
"chatmacro1"="I'm ready to kick butt!"
"chatmacro2"="I'm OK."
"chatmacro3"="I'm not looking too good!"
"chatmacro4"="Help!"
"chatmacro5"="You suck!"
"chatmacro6"="Next time, scumbag..."
"chatmacro7"="Come here!"
"chatmacro8"="I'll take care of it."
"chatmacro9"="Yes"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gaopdxjvnqiidl.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(376)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Hp\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-04 20:11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 01:10:27
ComboFix2.txt 2009-02-05 00:20:05

Pre-Run: 34,054,430,720 bytes free
Post-Run: 34,052,333,568 bytes free

363 --- E O F --- 2008-07-08 22:03:01


Post by PENGUINKK on Thu Feb 05, 2009 1:15 am

Should I go ahead and reformat now?


Post by Belahzur on Thu Feb 05, 2009 1:29 am

Not yet, need to make sure your stick is clean.

Was the stick plugged in when you ran CF?

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.


Now open your E drive (the stick) by right clicking the drive > Explore
Now hidden files are shown, is there an autorun.inf there?



Post by PENGUINKK on Thu Feb 05, 2009 1:34 am

Indeed, it is.

And yes, I left the stick in while running the program.


Post by Belahzur on Thu Feb 05, 2009 1:35 am

Is it a folder icon or a file?
If it's a folder, it's the dummy F_D made, if it's a file, delete it.

Let me know if it won't delete it.



Post by PENGUINKK on Thu Feb 05, 2009 1:37 am

It is tinted a lighter color and is a folder.


Post by Belahzur on Thu Feb 05, 2009 1:46 am

Ah.
Inside the folder, there should be a "this folder was created by flash disinfecter"

if there is, memory stick is clean.
The machine can be formatted now.

[edit]
Going to bed now.
Once the machine is formatted, install an AV ASAP.



Post by PENGUINKK on Thu Feb 05, 2009 2:01 am

Yeah, that's in the folder.

Edit: Alright, so it turns out my laptop wasn't installed with a recovery program. I'm going to try and find an XP CD and install it tomorrow. Do you want any scans of the clean OS or anything?


Post by Belahzur on Thu Feb 05, 2009 9:12 am

No. But once you do get that clean install over with, run F_D again, turn off autorun on your machine.



Post by PENGUINKK on Thu Feb 05, 2009 10:24 pm

Should I download Service Pack 2 or 3? Automatic Updates is prompting me to download 3, and I had tried to download 2 previously, but it said it "did not find the expected version" and didn't install.


Post by Belahzur on Thu Feb 05, 2009 10:52 pm

Download SP3.



Post by PENGUINKK on Fri Feb 06, 2009 12:35 am

Alright, I got SP3 installed, Trend Micro Internet Security installed, and Opera installed. I'm also going to download the Malwarebytes later.

I want to thank you greatly for your timely help and effort. It's amazing that this site is free because it's the best tech support I have come across. I don't know how you guys do it. I will definitely recommend this site and use it again in the future if I have any problems. Thanks again.

-PENGUINKK


Post by Belahzur on Fri Feb 06, 2009 12:40 am

Hello.
I do it because I can, it's my way of fighting back. I was in your shoes once ya know.

Please read below to keep yourself safe.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox, they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Post by Doctor Inferno on Sat May 09, 2009 10:18 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.

