Trojan - Possibly win32.agent.pz + more

Discussion in 'Virus, Spyware and Malware Removal' started by Syrass, Dec 22, 2008.


  1. Syrass Bronze Member

    Recently I have noticed small performance issues/freezes while on my machine, decided that it probably just needed a reboot and went to bed. When I woke up the next morning my scheduled scan (AVG) had decided that it was unable to update its definitions.

    I had a look at it, ran a Spybot S&D, found some stuff, so ran Ad Aware and a few other programs, scanned using Rootkit Revealer and cleaned off several Trojans and Backdoors.

    What I am left with is the following:

    SpyBot S&D continues to detect Win32.Agent.pz as registry entries (sometimes 1 key, sometimes two, it seems to alternate). I appear to be able to clean these correctly, but they will keep coming back, and I even had some appear during a quarantine (disconnect computer from all outside sources, physically) after SB had decided the machine was clear.



    As part of the machine's symptoms, I can "feel" when the machine has been (re)infected as the taskbar appears to freeze and programs that are started during this time will appear to be prioritised below something else (CPU usage is never at max).

    I expect there is something that I'm not detecting that's installing win32.agent.pz, but I am unable to detect anything else, nor stop it installing itself once I clean it.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:00:55 AM, on 23/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\CAP3RSK.EXE
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\verclsid.exe
    F:\Program Files\Exterminate It!\ExterminateIt.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twex.exe,
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C926A618-F59D-45D2-90E5-23AAF402BD3C}: NameServer = 203.0.178.191
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  2. Jelly Bean Local PC Noobie....

    Hello and welcome to PCHelpForum.

    I will just move your results to the NEW HJT Section for you, ready for our Security Team to help you.

    JB.

    ***Moved to HJT Section***
  3. Syrass Bronze Member

    Thanks JB.

    Just a little more information - all I can see in my scans are the registry keys, but not files for "win32.agent.pz" (appears to be "Malware.Trace" in Malwarebytes').
    --
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
    --
  5. Crush Administrator & Security Team Leader

    These should clean you right up.

    Run both these programs.


    Please download Malwarebytes' Anti-Malware from one of these places:

    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

    http://www.besttechie.net/tools/mbam-setup.exe


    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, navigate to the Update tab and click Check For Updates. It will then download the latest updates for you.
    * Now navigate back to the Scan tab
    * Select "Perform Full Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & paste the entire report in your next reply along with a fresh HijackThis log.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    =====================================================================================

    =====================================================================================


    Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer and also those in the registry. Please download from one of these webpages.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.forospyware.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

    Double-click on ComboFix.exe & follow the prompts.

    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Recovery Console can be installed from your disc if you have Vista if you wish.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    [screenshot omitted]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    [screenshot omitted]


    Click on Yes to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt and MBAM logs in your next reply.
  6. Syrass Bronze Member

    Malwarebytes' Anti-Malware Log

    SB S&D Detects 2 Registry Values for "Win32.Agent.pz" (not cleaned to detect with Malwarebytes).

    Exterminate It! detects 1 Registry value (one of the above: LocalMachine-software-microsoft-windows nt-currentversion-network -> UID) as "Kollah" (not cleaned to detect with Malwarebytes).

    Ad Aware doesn't detect anything.

    I will try to get a ComboFix report up shortly.

    ---

    Malwarebytes' Anti-Malware 1.31
    Database version: 1534
    Windows 5.1.2600 Service Pack 3

    23/12/2008 2:51:49 PM
    mbam-log-2008-12-23 (14-51-49).txt

    Scan type: Full Scan (C:\|E:\|F:\|)
    Objects scanned: 156322
    Time elapsed: 38 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ---
  7. Syrass Bronze Member

    Fast edit of registry

    Malwarebytes' Anti-Malware 1.31
    Database version: 1534
    Windows 5.1.2600 Service Pack 3

    23/12/2008 3:02:00 PM
    mbam-log-2008-12-23 (15-02-00).txt

    Scan type: Quick Scan
    Objects scanned: 52686
    Time elapsed: 1 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  8. Crush Administrator & Security Team Leader

    Let's see that ComboFix
  9. Syrass Bronze Member

    I have been trying to run the combofix for about the last 30 min.

    Basically the combofix process starts - I see a little "bar" under my cursor some time later labelled "Combofix", then the process appears to disappear from Windows Task Manager, and nothing appears to happen.

    When I reboot the machine - I get prompted to go into the restore or start normally - if I start normally - nothing seems to happen. If I go into the Restore, it drops me at a command prompt. I type "Exit" and it reboots.

    No log file appears to have been created in c:\

    I expect there is some behavior that is interfering with this being run.
  10. Crush Administrator & Security Team Leader

    try renaming it to xxx.exe
  11. Syrass Bronze Member

    I had renamed combofix already, but I tried again as xxx.exe

    I may have a popup that refers to combofix (xxx.exe)

    -----
    Error
    -----
    Some files could not be created.
    Please Close all applications, reboot windows and restart this installation

    <OK>
    ----

    Restarting now, but I believe I have already experienced this, and that it will prompt me into normal windows or recovery mode.

    I will confirm on my return.


    edit: accidentally added an object that was not intended
  12. Crush Administrator & Security Team Leader

    Hmmm. Without combofix we can't really get to the guts of the infection and remove it. I will do some research and get back to you
  13. Syrass Bronze Member

    So I have actually "fluked" a combofix, and it shows some obvious "anomalies"

    The fluke happened straight after a reboot, I think I must have started the process and got it in memory before (whatever it is) memory and processes were being interfered with properly. I haven't seen combofix's blue screen before.

    Log:

    ComboFix 08-12-21.04 - Default 2008-12-23 16:00:32.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1473 [GMT 11:00]
    Running from: c:\documents and settings\Default\Desktop\xxx.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\IE4 Error Log.txt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
    .

    2008-12-23 00:27 . 2008-12-23 03:58 <DIR> d-------- C:\SDFix
    2008-12-23 00:22 . 2008-12-23 00:22 <DIR> d-------- c:\documents and settings\Default\Application Data\Malwarebytes
    2008-12-23 00:16 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-23 00:15 . 2008-12-23 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-23 00:15 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-22 19:16 . 2008-12-22 19:16 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-22 18:01 . 2008-12-22 18:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-12-22 16:14 . 2008-12-22 16:14 <DIR> d-------- c:\documents and settings\Default\Application Data\SUPERAntiSpyware.com
    2008-12-22 16:14 . 2008-12-22 16:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-12-22 13:41 . 2008-12-22 13:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-22 13:03 . 2008-12-22 13:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-22 12:07 . 2008-12-22 12:07 <DIR> d--hs---- c:\documents and settings\NetworkService\Application Data\twain32
    2008-12-22 11:37 . 2008-12-22 11:38 3,434,996 --a------ c:\windows\system32\DFIVLTB
    2008-12-21 06:12 . 2008-12-21 06:12 263 --a------ C:\avexport.bat
    2008-12-21 02:31 . 2008-12-21 02:31 <DIR> d--hs---- c:\documents and settings\LocalService\Application Data\twain32
    2008-12-21 02:28 . 2008-12-23 16:02 <DIR> d--hs---- c:\windows\system32\twain32
    2008-12-21 01:29 . 2008-12-21 01:29 <DIR> d--h----- c:\windows\PIF
    2008-12-11 02:01 . 2008-12-21 01:50 38 --a------ c:\windows\avisplitter.INI
    2008-12-10 04:51 . 2008-12-10 04:51 <DIR> d-------- c:\program files\Common Files\Skype
    2008-12-10 04:51 . 2008-12-11 05:57 <DIR> d-------- c:\documents and settings\Default\Application Data\skypePM
    2008-12-10 04:51 . 2008-12-10 04:51 56 --ah----- c:\windows\system32\ezsidmv.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-22 16:43 --------- d-----w c:\documents and settings\Default\Application Data\uTorrent
    2008-12-22 08:16 --------- d-----w c:\program files\Java
    2008-12-22 07:14 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
    2008-12-22 07:14 0 ----a-w c:\windows\system32\drivers\logiflt.iad
    2008-12-22 05:12 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-20 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2008-12-16 23:57 --------- d-----w c:\documents and settings\Default\Application Data\mIRC
    2008-12-10 19:05 --------- d-----w c:\documents and settings\Default\Application Data\Skype
    2008-12-09 17:51 --------- d-----w c:\program files\Skype
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-20 8429568]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-20 81920]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
    "Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
    "ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 49152]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
    "CAP3ON"="c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2002-07-19 22528]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-05 185896]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
    "nwiz"="nwiz.exe" [2007-04-20 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Canon LASER SHOT LBP-1120 Status Window.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAP3LAK.EXE [2004-08-07 30720]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "f:\eudora\EuShlExt.dll" [2006-08-17 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-03 14:56 352256 f:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "f:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "f:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    "f:\\World of Warcraft\\BackgroundDownloader.exe"=
    "f:\\mIRC\\mirc.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "f:\\Program Files\\keyclone\\keyclone.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "f:\\Program Files\\Curse\\CurseClient.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-22 97928]
    R1 SASDIFSV;SASDIFSV;\??\f:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
    R1 SASKUTIL;SASKUTIL;\??\f:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-22 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-22 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-22 76040]
    R3 SASENUM;SASENUM;\??\f:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
    S3 AWG;AWG;c:\docume~1\Default\LOCALS~1\Temp\AWG.exe []
    S3 EV;EV;c:\docume~1\Default\LOCALS~1\Temp\EV.exe []
    S3 HVKOWF;HVKOWF;c:\docume~1\Default\LOCALS~1\Temp\HVKOWF.exe []
    S3 JLXUJHEGUGGVNZ;JLXUJHEGUGGVNZ;c:\docume~1\Default\LOCALS~1\Temp\JLXUJHEGUGGVNZ.exe []
    S3 KYEYVQPO;KYEYVQPO;c:\docume~1\Default\LOCALS~1\Temp\KYEYVQPO.exe []
    S3 PFSB;PFSB;c:\docume~1\Default\LOCALS~1\Temp\PFSB.exe []
    S3 QGZUAZE;QGZUAZE;c:\docume~1\Default\LOCALS~1\Temp\QGZUAZE.exe []
    S3 TCXDJQQVN;TCXDJQQVN;c:\docume~1\Default\LOCALS~1\Temp\TCXDJQQVN.exe []
    S3 TIKWBNCXT;TIKWBNCXT;c:\docume~1\Default\LOCALS~1\Temp\TIKWBNCXT.exe []
    S3 UEHM;UEHM;c:\docume~1\Default\LOCALS~1\Temp\UEHM.exe []
    S3 ZRIHZ;ZRIHZ;c:\docume~1\Default\LOCALS~1\Temp\ZRIHZ.exe []
    S4 JYNOKOYAI;JYNOKOYAI;c:\docume~1\Default\LOCALS~1\Temp\JYNOKOYAI.exe []
    S4 R;R;c:\docume~1\Default\LOCALS~1\Temp\R.exe []
    S4 SYGQUNXLWOQ;SYGQUNXLWOQ;c:\docume~1\Default\LOCALS~1\Temp\SYGQUNXLWOQ.exe []
    S4 XUBM;XUBM;c:\docume~1\Default\LOCALS~1\Temp\XUBM.exe []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50089dc0-39c7-11dd-a098-001bfcb2c14f}]
    \Shell\AutoRun\command - G:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50089dc1-39c7-11dd-a098-001bfcb2c14f}]
    \Shell\AutoRun\command - G:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69d86aa9-3aaa-11dd-a09b-001bfcb2c14f}]
    \Shell\AutoRun\command - G:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69d86aaa-3aaa-11dd-a09b-001bfcb2c14f}]
    \Shell\AutoRun\command - G:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa460b41-5ae5-11dc-bfde-806d6172696f}]
    \Shell\AutoRun\command - d:\.\Bin\ASSETUP.exe
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    TCP: {C926A618-F59D-45D2-90E5-23AAF402BD3C} = 203.0.178.191
    FF - ProfilePath - c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\hwvoygw3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - component: c:\documents and settings\Default\Application Data\Mozilla\Firefox\Profiles\hwvoygw3.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
    FF - plugin: f:\program files\DivX\DivX Web Player\npdivx32.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-23 16:04:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(848)
    f:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    f:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\twex.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\CAP3RSK.EXE
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
    c:\windows\system32\spool\drivers\w32x86\3\CAP3SWK.EXE
    c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-23 16:06:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-23 05:06:30

    Pre-Run: 50,412,732,416 bytes free
    Post-Run: 51,304,517,632 bytes free

    191 --- E O F --- 2008-12-18 04:41:52
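The two logs in this thread carry the lines a responder would want to pull out mechanically: the F2 UserInit value with twex.exe appended after Userinit.exe, the O17 NameServer, the S3/S4 ComboFix service entries whose binaries sit in a Temp folder with no file data behind them, and the Security Center / firewall values switched off. The script below is an added triage example written for this thread; it is not part of HijackThis, ComboFix or Malwarebytes, and the sample input is a handful of lines copied from the logs above.

```python
"""Triage helper for pasted HijackThis / ComboFix log lines.

Added example for this thread; not part of HijackThis, ComboFix,
Malwarebytes or any other tool named here. It pulls out the indicators a
responder would want to see first:
  * an F2 UserInit value with executables appended after userinit.exe
  * an O17 NameServer override (to be confirmed against the ISP's resolvers)
  * ComboFix service lines (R*/S*) whose binary sits in a Temp folder or
    has no file date/size behind it
  * Security Center / firewall values that have been switched off
"""
import re

# Constructed sample: lines copied from the HJT and ComboFix logs in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C926A618-F59D-45D2-90E5-23AAF402BD3C}: NameServer = 203.0.178.191
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-22 97928]
S3 AWG;AWG;c:\docume~1\Default\LOCALS~1\Temp\AWG.exe []
S4 R;R;c:\docume~1\Default\LOCALS~1\Temp\R.exe []
"EnableFirewall"= 0 (0x0)
"AntiVirusDisableNotify"=dword:00000001
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (.+)$", re.IGNORECASE)
# ComboFix driver/service line: "<R|S><start> name;display;path [date size]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]$")
# Registry values ComboFix prints under the Security Center / firewall keys,
# mapped to the value that means protection was turned off.
POSTURE = {
    '"EnableFirewall"': ("0", "Windows Firewall (standard profile) disabled"),
    '"AntiVirusDisableNotify"': ("dword:00000001", "Security Center AV alerts suppressed"),
    '"UpdatesDisableNotify"': ("dword:00000001", "Security Center update alerts suppressed"),
}


def check_userinit(value):
    """Return every UserInit entry other than the single default userinit.exe.

    winlogon launches each comma-separated entry at logon, so an extra
    executable here is a persistence point that survives ordinary cleanup."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def check_service(line):
    """Return (name, path, reasons) for a suspicious ComboFix service line, else None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    _kind, _start, name, _display, path, filedata = m.groups()
    reasons = []
    if "\\temp\\" in path.lower():
        reasons.append("binary lives in a Temp folder")
    if not filedata.strip():
        reasons.append("no file date/size, binary not on disk")
    return (name, path, reasons) if reasons else None


def triage(text):
    """Scan pasted log text; return a list of (severity, message) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            for extra in check_userinit(m.group(1)):
                findings.append(("HIGH", "UserInit launches extra executable at logon: " + extra))
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            findings.append(("INFO", "interface DNS server set to " + m.group(1).strip()
                             + "; confirm it is the ISP's resolver"))
            continue
        svc = check_service(line)
        if svc:
            name, path, reasons = svc
            findings.append(("HIGH", "service %s -> %s (%s)" % (name, path, "; ".join(reasons))))
            continue
        if line.startswith('"') and "=" in line:
            key, _, val = line.partition("=")
            rule = POSTURE.get(key.strip())
            if rule and val.strip().startswith(rule[0]):
                findings.append(("MEDIUM", rule[1]))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print("[%-6s] %s" % (severity, message))
```

Run it against a whole pasted log rather than the sample; every flagged line still needs a human to confirm it before anything is deleted, which is exactly the step the helpers in this thread take with the ComboFix output.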
  14. Syrass Bronze Member

    TDSSSERV (listed above) is one of the infections that I (thought I) had removed. Others included CSRSSC or something, something like "Microsoft antivirus 2009" and I'm fairly sure there were at least another two (it was a couple of sleeps ago now).

    There are a number of files in "Temp" directories, I assume we need to remove all of these as startups.

    I have used ATF-Cleaner a numebr of times, but this is obviusly not reporting failed removal of these files, or is not "cleaning them" as such (it is jsut a tremp file removal tool after all.

    thoughts on how to proceed?
  15. Crush Administrator & Security Team Leader

    Killing off those temp files is a good way to kill off possible reinfection ports. How are you running after that ComboFix?

    Looks like it killed off some malware.
  16. Syrass Bronze Member

    Running better, though I'm fairly sure there are still issues.

    New Mal and HJT below.

    I'll now try to run ComboFix and post.

    Malwarebytes' Anti-Malware 1.31
    Database version: 1534
    Windows 5.1.2600 Service Pack 3

    23/12/2008 4:35:49 PM
    mbam-log-2008-12-23 (16-35-49).txt

    Scan type: Quick Scan
    Objects scanned: 51435
    Time elapsed: 2 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ----------------

    Logfile of HijackThis v1.99.1
    Scan saved at 4:38:32 PM, on 23/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

    Running processes:
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\CAP3RSK.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C926A618-F59D-45D2-90E5-23AAF402BD3C}: NameServer = 203.0.178.191
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AWG - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\AWG.exe (file missing)
    O23 - Service: EV - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\EV.exe (file missing)
    O23 - Service: HVKOWF - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\HVKOWF.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: JLXUJHEGUGGVNZ - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\JLXUJHEGUGGVNZ.exe (file missing)
    O23 - Service: KYEYVQPO - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\KYEYVQPO.exe (file missing)
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
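As an added example (not code from the thread or from HijackThis itself), a small Python triage of HijackThis log lines that flags the two patterns visible in the log above: extra entries appended to the F2 UserInit value, and O23 services whose binary sits in a user Temp directory, is reported missing, or has an unknown owner. The sample lines are copied from the log above; the regexes and the Temp-path heuristic are my own assumptions.

```python
import re

# Sample input, constructed from lines in the HijackThis log posted above.
SAMPLE_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AWG - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\AWG.exe (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
"""

# Heuristic (assumption): a service binary under a user's Temp folder is abnormal.
TEMP_RE = re.compile(r"\\(locals~1|local settings)\\temp\\", re.I)


def userinit_findings(line):
    """F2 line: the only legitimate UserInit entry is userinit.exe; return the rest."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def service_findings(line):
    """O23 line: return (service name, reasons) when the service looks suspicious, else None."""
    m = re.match(r"O23 - Service: (.+?) - (.+?) - (.+)", line)
    if not m:
        return None
    name, owner, path = m.groups()
    reasons = []
    if TEMP_RE.search(path):
        reasons.append("binary in Temp directory")
    if "(file missing)" in path:
        # Verify by hand: HijackThis can also print this for paths with embedded quotes.
        reasons.append("file missing")
    if owner == "Unknown owner":
        reasons.append("unknown owner")
    return (name, reasons) if reasons else None


def triage(log_text):
    """Walk a HijackThis log and collect (section, item, reasons) findings."""
    findings = []
    for line in log_text.splitlines():
        for entry in userinit_findings(line):
            findings.append(("F2", entry, ["extra UserInit entry"]))
        svc = service_findings(line)
        if svc:
            findings.append(("O23", svc[0], svc[1]))
    return findings


if __name__ == "__main__":
    for section, item, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {item} -> {', '.join(reasons)}")
```

Flagged entries are leads for the manual review the thread is doing, not verdicts; benign lines such as the O4 and Logitech service entries pass through unflagged.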
