BleepingComputer.com: Infected with consrv.dll, Ping.exe*32

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Infected with consrv.dll, Ping.exe*32 Need help cleaning the remnants.

#1 User is offline   -Piper- 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 15-November 11

Posted 15 November 2011 - 10:49 PM

Alright so a basic rundown here. Windows 7 x64 Ultimate. Checked my running processes a few days ago and saw Ping.exe*32 chewing up my allocated memory and processing time. Did some research, found I was most likely the victim of a botnet. Did a full scan with Malewarebytes, Spybot, and Hijackthis. Nothing particularly noteworthy.

So, I located the offending Ping.exe in C:\Windows\SysWOW64, killed the process, took ownership of the folder, and deleted it. Afterwards I thought it a good idea to download AVG and run a full scan to be sure. Sure enough, consrv.dll comes up as an infection.

Me being a bit impatient at this point, I had AVG immediately quarantine the file, and I deleted it from the vault. Very foolish. Immediately proceeded to uninstall AVG, and restart. Low and behold my computer does not boot. Refuses to boot in safe mode too.

Did some more research and found Cyjon's topic on this lovely forum that confirmed my suspicions that deleting consrv.dll caused this. Proceeded to boot my Hirens Boot CD and try to recover the deleted consrv.dll and restore it, just so I can properly remove the infection while the computer boots up correctly. Unfortunately I could not find the file, even knowing AVG renames it.

Last ditch effort even though a few people said it will not work was I loaded the SYSTEM hive from C:\Windows\System32\config and altered:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems Windows
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems Windows

Made it so that it would direct to winsrv.dll instead of consrv.dll.

Lo and behold, it worked! Computer booted up fine, but I know there are still lingering pieces of the infection from reading Cyjon's topic. I would GREATLY appreciate it if one of you brilliant people could assist me in removing the stragglers.

Edit: UPDATE - Updated Java to the most recent 7 build and installed Spyware Blaster.

Here is my DDS.txt log as is necessary, if I missed anything at all I apologize, I am new to this.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Derek at 22:31:30 on 2011-11-15
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2825 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\Dwm.exe
D:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
D:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
D:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 167.206.254.2
TCP: Interfaces\{0F30D75A-4B2C-4FD9-906F-F4353BDB632F} : DhcpNameServer = 208.67.222.222 208.67.220.220 167.206.254.2
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\0lunwsnb.default\
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.102.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.96.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: D:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: D:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: D:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: D:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: D:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz134;cpuz134;\??\C:\Windows\system32\drivers\cpuz134_x64.sys --> C:\Windows\system32\drivers\cpuz134_x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 cmudaxp;ASUS Xonar Essence ST Audio Interface;C:\Windows\system32\drivers\cmudaxp.sys --> C:\Windows\system32\drivers\cmudaxp.sys [?]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\system32\DRIVERS\ManyCam_x64.sys --> C:\Windows\system32\DRIVERS\ManyCam_x64.sys [?]
R3 RTCore64;RTCore64;D:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2011-10-2 13368]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-9-3 13592]
S3 AE1000;Linksys AE1000 Driver;C:\Windows\system32\DRIVERS\ae1000w7.sys --> C:\Windows\system32\DRIVERS\ae1000w7.sys [?]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 atillk64;atillk64;E:\Desktop Shortcuts\Overclocking + PC Info\HD 6950 to 6970 Mod\HD_6950_to_HD_6970_mod\winflash\atillk64.sys [2011-3-15 14608]
S3 EyeOneDisplay;EyeOneDisplay;C:\Windows\system32\Drivers\i1display_x64.sys --> C:\Windows\system32\Drivers\i1display_x64.sys [?]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-3-16 129440]
S3 MAUSBMIDI;Service for M-Audio USB MIDI Series;C:\Windows\system32\DRIVERS\MAudioUSBMIDI.sys --> C:\Windows\system32\DRIVERS\MAudioUSBMIDI.sys [?]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TomTomHOMEService;TomTomHOMEService;D:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-4-22 92592]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S4 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
.
=============== Created Last 30 ================
.
2011-11-16 03:14:54 8006480 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-11-16 03:14:53 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{166B8041-8385-49BE-B497-591C99D0A66B}\mpengine.dll
2011-11-15 09:09:43 -------- d--h--w- C:\$AVG
2011-11-15 08:56:40 -------- d-----w- C:\Users\Derek\AppData\Roaming\AVG
2011-11-15 08:52:34 -------- d--h--w- C:\ProgramData\Common Files
2011-11-15 08:50:50 -------- d-----w- C:\ProgramData\MFAData
2011-11-14 05:46:25 -------- d-----w- C:\Windows\AutoKMS
2011-11-14 05:24:22 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2011-11-14 05:24:16 -------- d-----w- C:\Windows\PCHEALTH
2011-11-14 05:24:16 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-11-14 05:23:35 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2011-11-14 04:26:45 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-14 04:12:40 -------- d-----w- C:\Users\Derek\AppData\Local\Mozilla
2011-11-12 18:04:44 -------- d-----w- C:\Users\Derek\AppData\Local\Skyrim
2011-11-12 07:02:01 53248 ----a-r- C:\Users\Derek\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-11-12 07:01:54 -------- d-----w- C:\Users\Derek\AppData\Local\Logishrd
2011-11-12 06:55:34 279616 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2011-11-12 06:31:12 -------- d-----we C:\Windows\system64
2011-11-11 22:32:43 -------- d-----w- C:\ProgramData\MediaMonkey
2011-11-11 22:32:42 -------- d-----w- C:\Users\Derek\AppData\Roaming\MediaMonkey
2011-11-10 03:37:27 -------- d-----w- C:\Users\Derek\AppData\Local\ATI
2011-11-10 03:37:08 0 ----a-w- C:\Windows\ativpsrm.bin
2011-11-10 03:36:07 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2011-11-10 03:35:45 -------- d-----w- C:\Program Files\ATI
2011-11-10 03:35:22 -------- d-----w- C:\Program Files\ATI Technologies
2011-11-10 02:42:31 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-10 02:42:31 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-10 02:42:29 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-10 02:42:23 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-10 02:39:09 -------- d-----w- C:\Users\Derek\DxReport
2011-11-10 02:38:43 -------- d-----w- C:\Users\Derek\AppData\Roaming\LaunchPad
2011-10-22 07:45:12 -------- d-----w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-10-22 07:45:01 -------- d-----w- C:\Program Files\Bonjour
2011-10-22 07:45:01 -------- d-----w- C:\Program Files (x86)\Bonjour
.
==================== Find3M ====================
.
2011-11-14 05:04:26 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-11-12 07:01:50 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2011-11-12 06:53:57 530488 ----a-w- C:\Windows\System32\drivers\sptd.sys
2011-11-11 01:32:42 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-11-11 01:32:42 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-11-11 01:32:09 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-11-03 06:58:54 10497024 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-11-03 06:15:30 24866816 ----a-w- C:\Windows\System32\atio6axx.dll
2011-11-03 06:06:44 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-11-03 06:06:26 748544 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-11-03 06:04:58 892416 ----a-w- C:\Windows\System32\aticfx64.dll
2011-11-03 06:02:10 466944 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-11-03 06:01:58 517120 ----a-w- C:\Windows\System32\atieclxx.exe
2011-11-03 06:01:22 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-11-03 06:00:10 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-11-03 05:59:50 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-11-03 05:59:42 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-11-03 05:59:32 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-11-03 05:59:26 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-11-03 05:59:22 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-11-03 05:59:16 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-11-03 05:58:58 18757120 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-11-03 05:57:38 53248 ----a-w- C:\Windows\System32\amdverag.dll
2011-11-03 05:56:06 4292096 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-11-03 05:46:10 5041664 ----a-w- C:\Windows\System32\atidxx64.dll
2011-11-03 05:44:48 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-11-03 05:43:50 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-11-03 05:43:26 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-11-03 05:43:14 4044288 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-11-03 05:38:28 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-11-03 05:38:26 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-11-03 05:38:18 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-11-03 05:38:14 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-11-03 05:38:04 9978880 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-11-03 05:35:16 4353536 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-11-03 05:34:48 8449024 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-11-03 05:32:40 4189184 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-11-03 05:29:04 5510144 ----a-w- C:\Windows\System32\atiumd64.dll
2011-11-03 05:22:20 486912 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-11-03 05:22:08 339968 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-11-03 05:21:50 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-11-03 05:21:48 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-11-03 05:21:48 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-11-03 05:21:44 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-11-03 05:21:36 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-11-03 05:21:30 326656 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-11-03 05:20:38 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-11-03 05:20:32 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-11-03 05:20:24 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-11-03 05:20:18 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-11-03 05:19:24 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-11-03 05:16:36 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2011-11-03 05:16:36 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-11-03 05:16:20 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-11-03 05:16:20 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-10-25 04:48:28 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-09-26 04:23:13 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-09-26 04:23:13 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-09-26 04:23:13 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-09-26 04:23:13 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-09-19 13:03:40 45056 ----a-w- C:\Windows\SysWow64\rtvcvfw32.dll
2011-09-02 06:30:46 55064 ----a-w- C:\Windows\System32\LMouFiltCoInst.dll
2011-09-02 06:30:46 42776 ----a-w- C:\Windows\System32\drivers\LUsbFilt.sys
2011-09-02 06:30:36 60696 ----a-w- C:\Windows\System32\drivers\LMouFilt.Sys
2011-09-02 06:30:36 1845528 ----a-w- C:\Windows\System32\LkmdfCoInst.dll
2011-09-02 06:30:24 66840 ----a-w- C:\Windows\System32\drivers\LHidFilt.Sys
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 21:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:32 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-08-31 03:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-31 03:05:04 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-08-31 03:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 07:43:26 45056 ----a-w- C:\Windows\System32\rtvcvfw32.dll
.
============= FINISH: 22:32:19.42 ===============

Attached File(s)


This post has been edited by -Piper-: 15 November 2011 - 11:31 PM

#2 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,559
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 19 November 2011 - 01:36 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK

    Do not re-enable these drivers until otherwise instructed.


Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt

    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply


information and logs:

    In your next post I need the following

    • .logs from DDS
    • let me know of any problems you may have had


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#3 User is offline   -Piper- 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 15-November 11

Posted 19 November 2011 - 05:10 PM

Defogger successfully disabled CD Emulation.

Edit: Sorry, forgot additional info. My computer is now running like the healthy beast it used to. Just concerned I may still have bits of the Zero Access (Max++) bug left over. I've noticed no browser irregularity, no problems booting anymore, and no processes taking up a disproportionate amount of memory or cpu cycles.

Updated DDS.txt logs as follows:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.1.0
Run by Derek at 17:06:26 on 2011-11-19
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2612 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
D:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
D:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
D:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
D:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = www.google.com
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 167.206.254.2
TCP: Interfaces\{0F30D75A-4B2C-4FD9-906F-F4353BDB632F} : DhcpNameServer = 208.67.222.222 208.67.220.220 167.206.254.2
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\0lunwsnb.default\
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.102.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.96.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: D:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: D:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: D:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: D:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: D:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cpuz134;cpuz134;\??\C:\Windows\system32\drivers\cpuz134_x64.sys --> C:\Windows\system32\drivers\cpuz134_x64.sys [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-9-3 13592]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 cmudaxp;ASUS Xonar Essence ST Audio Interface;C:\Windows\system32\drivers\cmudaxp.sys --> C:\Windows\system32\drivers\cmudaxp.sys [?]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\system32\DRIVERS\ManyCam_x64.sys --> C:\Windows\system32\DRIVERS\ManyCam_x64.sys [?]
R3 RTCore64;RTCore64;D:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2011-10-2 13368]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AE1000;Linksys AE1000 Driver;C:\Windows\system32\DRIVERS\ae1000w7.sys --> C:\Windows\system32\DRIVERS\ae1000w7.sys [?]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 atillk64;atillk64;E:\Desktop Shortcuts\Overclocking + PC Info\HD 6950 to 6970 Mod\HD_6950_to_HD_6970_mod\winflash\atillk64.sys [2011-3-15 14608]
S3 EyeOneDisplay;EyeOneDisplay;C:\Windows\system32\Drivers\i1display_x64.sys --> C:\Windows\system32\Drivers\i1display_x64.sys [?]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-3-16 129440]
S3 MAUSBMIDI;Service for M-Audio USB MIDI Series;C:\Windows\system32\DRIVERS\MAudioUSBMIDI.sys --> C:\Windows\system32\DRIVERS\MAudioUSBMIDI.sys [?]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\system32\DRIVERS\MijXfilt.sys --> C:\Windows\system32\DRIVERS\MijXfilt.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TomTomHOMEService;TomTomHOMEService;D:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-4-22 92592]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S4 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
.
=============== Created Last 30 ================
.
2011-11-19 22:00:21 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B8DAB6F0-22F6-4785-A49B-1C852649E28F}\mpengine.dll
2011-11-19 22:00:21 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B8DAB6F0-22F6-4785-A49B-1C852649E28F}\offreg.dll
2011-11-16 04:23:08 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2011-11-16 04:15:59 627600 ----a-w- C:\Windows\System32\deployJava1.dll
2011-11-16 03:14:54 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-11-15 09:09:43 -------- d--h--w- C:\$AVG
2011-11-15 08:56:40 -------- d-----w- C:\Users\Derek\AppData\Roaming\AVG
2011-11-15 08:52:34 -------- d--h--w- C:\ProgramData\Common Files
2011-11-15 08:50:50 -------- d-----w- C:\ProgramData\MFAData
2011-11-14 05:46:25 -------- d-----w- C:\Windows\AutoKMS
2011-11-14 05:24:22 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2011-11-14 05:24:16 -------- d-----w- C:\Windows\PCHEALTH
2011-11-14 05:24:16 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-11-14 05:23:35 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2011-11-14 04:26:45 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-14 04:12:40 -------- d-----w- C:\Users\Derek\AppData\Local\Mozilla
2011-11-12 18:04:44 -------- d-----w- C:\Users\Derek\AppData\Local\Skyrim
2011-11-12 07:02:01 53248 ----a-r- C:\Users\Derek\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-11-12 07:01:54 -------- d-----w- C:\Users\Derek\AppData\Local\Logishrd
2011-11-12 06:55:34 279616 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2011-11-12 06:31:12 -------- d-----we C:\Windows\system64
2011-11-11 22:32:43 -------- d-----w- C:\ProgramData\MediaMonkey
2011-11-11 22:32:42 -------- d-----w- C:\Users\Derek\AppData\Roaming\MediaMonkey
2011-11-10 03:37:27 -------- d-----w- C:\Users\Derek\AppData\Local\ATI
2011-11-10 03:37:08 0 ----a-w- C:\Windows\ativpsrm.bin
2011-11-10 03:36:07 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2011-11-10 03:35:45 -------- d-----w- C:\Program Files\ATI
2011-11-10 03:35:22 -------- d-----w- C:\Program Files\ATI Technologies
2011-11-10 02:42:31 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-10 02:42:31 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-10 02:42:29 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-10 02:42:23 3144704 ----a-w- C:\Windows\System32\win32k.sys
2011-11-10 02:39:09 -------- d-----w- C:\Users\Derek\DxReport
2011-11-10 02:38:43 -------- d-----w- C:\Users\Derek\AppData\Roaming\LaunchPad
2011-10-22 07:45:12 -------- d-----w- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-10-22 07:45:01 -------- d-----w- C:\Program Files\Bonjour
2011-10-22 07:45:01 -------- d-----w- C:\Program Files (x86)\Bonjour
.
==================== Find3M ====================
.
2011-11-16 04:20:49 544656 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-11-12 07:01:50 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2011-11-12 06:53:57 530488 ----a-w- C:\Windows\System32\drivers\sptd.sys
2011-11-11 01:32:42 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-11-11 01:32:42 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-11-11 01:32:09 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-11-03 06:58:54 10497024 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-11-03 06:15:30 24866816 ----a-w- C:\Windows\System32\atio6axx.dll
2011-11-03 06:06:44 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-11-03 06:06:26 748544 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-11-03 06:04:58 892416 ----a-w- C:\Windows\System32\aticfx64.dll
2011-11-03 06:02:10 466944 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-11-03 06:01:58 517120 ----a-w- C:\Windows\System32\atieclxx.exe
2011-11-03 06:01:22 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-11-03 06:00:10 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-11-03 05:59:50 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-11-03 05:59:42 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-11-03 05:59:32 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-11-03 05:59:26 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-11-03 05:59:22 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-11-03 05:59:16 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-11-03 05:58:58 18757120 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-11-03 05:57:38 53248 ----a-w- C:\Windows\System32\amdverag.dll
2011-11-03 05:56:06 4292096 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-11-03 05:46:10 5041664 ----a-w- C:\Windows\System32\atidxx64.dll
2011-11-03 05:44:48 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-11-03 05:43:50 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-11-03 05:43:26 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-11-03 05:43:14 4044288 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-11-03 05:38:28 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-11-03 05:38:26 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-11-03 05:38:18 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-11-03 05:38:14 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-11-03 05:38:04 9978880 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-11-03 05:35:16 4353536 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-11-03 05:34:48 8449024 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-11-03 05:32:40 4189184 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-11-03 05:29:04 5510144 ----a-w- C:\Windows\System32\atiumd64.dll
2011-11-03 05:22:20 486912 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-11-03 05:22:08 339968 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-11-03 05:21:50 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-11-03 05:21:48 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-11-03 05:21:48 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-11-03 05:21:44 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-11-03 05:21:36 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-11-03 05:21:30 326656 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-11-03 05:20:38 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-11-03 05:20:32 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-11-03 05:20:24 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-11-03 05:20:18 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-11-03 05:19:24 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-11-03 05:16:36 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2011-11-03 05:16:36 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-11-03 05:16:20 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-11-03 05:16:20 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-10-25 04:48:28 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-09-26 04:23:13 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-09-26 04:23:13 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-09-26 04:23:13 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-09-26 04:23:13 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-09-19 13:03:40 45056 ----a-w- C:\Windows\SysWow64\rtvcvfw32.dll
2011-09-02 06:30:46 55064 ----a-w- C:\Windows\System32\LMouFiltCoInst.dll
2011-09-02 06:30:46 42776 ----a-w- C:\Windows\System32\drivers\LUsbFilt.sys
2011-09-02 06:30:36 60696 ----a-w- C:\Windows\System32\drivers\LMouFilt.Sys
2011-09-02 06:30:36 1845528 ----a-w- C:\Windows\System32\LkmdfCoInst.dll
2011-09-02 06:30:24 66840 ----a-w- C:\Windows\System32\drivers\LHidFilt.Sys
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-31 21:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:32 61288 ----a-w- C:\Windows\System32\jdns_sd.dll
2011-08-31 03:05:32 212840 ----a-w- C:\Windows\System32\dnssdX.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-31 03:05:04 50536 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
2011-08-31 03:05:04 178536 ----a-w- C:\Windows\SysWow64\dnssdX.dll
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 07:43:26 45056 ----a-w- C:\Windows\System32\rtvcvfw32.dll
.
============= FINISH: 17:07:00.00 ===============



Updated Attach.txt logs as follows:


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 11/10/2010 12:09:13 PM
System Uptime: 11/19/2011 4:56:07 PM (1 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3R
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 3600/400mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 60 GiB total, 32.79 GiB free.
D: is FIXED (NTFS) - 300 GiB total, 63.998 GiB free.
E: is FIXED (NTFS) - 832 GiB total, 497.261 GiB free.
F: is CDROM ()
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
3DMark 11
Active@ KillDisk FREE Suite
Adobe Photoshop CS5
AIDA64 Extreme Edition v1.50
AIM 7
Amnesia - The Dark Descent
ASIO4ALL
Audacity 1.3.12 (Unicode)
Battlefield 3™
Battlefield: Bad Company™ 2
Battlelog Web Plugins
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Localization All
Catalyst Control Center Profiles Desktop
Catalyst Control Center Profiles Mobile
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Combined Community Codec Pack 2010-10-10
Counter-Strike: Source
Crysis®
Crysis® 2
Curse Client
D3DX10
DAEMON Tools Lite
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Deus Ex - Human Revolution version 1.0
Diablo II
Dragon Age II
Driver Sweeper version 3.2.0
DVD Flick 1.3.0.7
eReg
Exact Audio Copy 1.0beta2
Eye-One Match 3.6.2
Fallout: New Vegas
FL Studio 10
FLAC 1.2.1b (remove only)
foobar2000 v1.1.7
Foxit Reader 5.1
Fraps (remove only)
Futuremark SystemInfo
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HD Tune 2.55
High-Definition Video Playback 10
HiJackThis
i1_driver_installer_utility_i1Match version 1.0
i1ColorPoint 1.0
IL Download Manager
Impulse
Intel® Rapid Storage Technology
IrfanView (remove only)
Java Auto Updater
Java™ 7 Update 1
LAME v3.98.3 for Audacity
Left 4 Dead 2
Malwarebytes' Anti-Malware version 1.51.2.1300
ManyCam 2.6.55 (remove only)
Media Player Classic - Home Cinema v1.5.0.2827
MediaMonkey 4.0
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Primary Interoperability Assemblies 2005
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox 9.0 (x86 en-US)
MSI Afterburner 2.2.0 Beta 8
MSVCRT
Nero 10 Menu TemplatePack Basic
Nero 10 Movie ThemePack Basic
Nero Burning ROM 10
Nero Control Center 10
Nero Core Components 10
Nero Dolby Files 10
Nero Multimedia Suite 10
OCCT Perestroika 3.1.0
OpenAL
Origin
PCSX2 - Playstation 2 Emulator
PDF Settings CS5
Portal
Portal 2
PowerXpressHybrid
PunkBuster Services
Rage
Realtek Ethernet Controller Driver
ReNamer
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Sid Meier's Civilization V
SpeedFan (remove only)
Spotify
Spybot - Search & Destroy
SpywareBlaster 4.4
StarCraft
StarCraft II
Steam
Team Fortress 2
The Witcher 2
TomTom HOME 2.8.2.2264
TomTom HOME Visual Studio Merge Modules
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wnyiper
TurboTax 2010 wrapper
UltraISO Premium V9.36
Unigine Heaven DX11 Benchmark 2.5 version 2.5
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553092)
Visual Studio 2008 x64 Redistributables
Vuze
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Media Player Firefox Plugin
World of Logs Client
World of Logs Client (4.2)
World of Warcraft
World of Warcraft Public Test
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
11/19/2011 4:56:17 PM, Error: Service Control Manager [7000] - The PDIHWCTL service failed to start due to the following error: The system cannot find the file specified.
11/18/2011 3:25:31 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.
11/18/2011 3:25:01 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
11/18/2011 3:25:01 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
11/16/2011 7:11:01 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
11/16/2011 7:11:01 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/16/2011 7:11:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
11/15/2011 4:43:23 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .
11/15/2011 10:31:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
11/15/2011 1:24:37 AM, Error: Service Control Manager [7034] - The Office Software Protection Platform service terminated unexpectedly. It has done this 1 time(s).
11/12/2011 5:13:58 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
.
==== End Of File ===========================

This post has been edited by -Piper-: 19 November 2011 - 05:21 PM

#4 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,559
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 19 November 2011 - 09:04 PM

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   -Piper- 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 15-November 11

Posted 20 November 2011 - 01:49 PM

Ran Combofix as directed. No problems or errors, only thing I've noticed so far is Firefox told me it is not my default browser anymore. Other than that nothing funky happening that I see so far. Here are the Combofix logs.


ComboFix 11-11-20.01 - Derek 11/20/2011 13:38:42.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2791 [GMT -5:00]
Running from: c:\users\Derek\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Derek\AppData\Roaming\Start
c:\users\Derek\AppData\Roaming\Start\temp_CCDE3245\flash.10.0.32.18.ocx
c:\windows\AutoRun.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-20 18:42 . 2011-11-20 18:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-19 22:00 . 2011-10-18 06:27 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B8DAB6F0-22F6-4785-A49B-1C852649E28F}\mpengine.dll
2011-11-16 04:23 . 2010-01-11 00:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2011-11-16 04:20 . 2011-11-16 04:20 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-11-16 04:15 . 2011-11-16 04:15 627600 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-15 09:09 . 2011-11-15 09:09 -------- d-----w- C:\$AVG
2011-11-15 08:56 . 2011-11-15 08:56 -------- d-----w- c:\users\Derek\AppData\Roaming\AVG
2011-11-15 08:52 . 2011-11-15 08:52 -------- d--h--w- c:\programdata\Common Files
2011-11-15 08:50 . 2011-11-15 09:27 -------- d-----w- c:\programdata\MFAData
2011-11-14 05:46 . 2011-11-15 09:26 -------- d-----w- c:\windows\AutoKMS
2011-11-14 04:26 . 2011-11-14 04:29 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-14 04:12 . 2011-11-14 04:12 -------- d-----w- c:\users\Derek\AppData\Local\Mozilla
2011-11-12 18:04 . 2011-11-12 18:04 -------- d-----w- c:\users\Derek\AppData\Local\Skyrim
2011-11-12 07:04 . 2011-11-12 07:04 -------- d-----w- c:\windows\system32\Macromed
2011-11-12 07:02 . 2011-11-12 07:02 53248 ----a-r- c:\users\Derek\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-11-12 07:01 . 2011-11-12 07:01 -------- d-----w- c:\users\Derek\AppData\Local\Logishrd
2011-11-12 06:55 . 2011-11-12 06:55 279616 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-11-12 06:31 . 2011-11-12 06:31 -------- d-----we c:\windows\system64
2011-11-11 22:32 . 2011-11-11 22:32 -------- d-----w- c:\programdata\MediaMonkey
2011-11-11 22:32 . 2011-11-20 00:50 -------- d-----w- c:\users\Derek\AppData\Roaming\MediaMonkey
2011-11-10 03:37 . 2011-11-10 03:37 -------- d-----w- c:\users\Derek\AppData\Roaming\ATI
2011-11-10 03:37 . 2011-11-10 03:37 -------- d-----w- c:\users\Derek\AppData\Local\ATI
2011-11-10 03:37 . 2011-11-10 03:37 -------- d-----w- c:\programdata\ATI
2011-11-10 03:37 . 2011-11-10 03:37 0 ----a-w- c:\windows\ativpsrm.bin
2011-11-10 03:36 . 2011-11-19 23:42 -------- d-----w- c:\program files (x86)\ATI Technologies
2011-11-10 03:35 . 2011-11-10 03:35 -------- d-----w- c:\program files\ATI
2011-11-10 03:35 . 2011-11-10 03:36 -------- d-----w- c:\program files\ATI Technologies
2011-11-10 02:42 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-10 02:42 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-10 02:42 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-10 02:42 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 02:39 . 2011-11-10 02:39 -------- d-----w- c:\users\Derek\DxReport
2011-11-10 02:38 . 2011-11-10 02:38 -------- d-----w- c:\users\Derek\AppData\Roaming\LaunchPad
2011-10-22 07:45 . 2011-10-22 07:47 -------- d-----w- c:\users\Derek\AppData\Roaming\Apple Computer
2011-10-22 07:45 . 2011-10-22 08:08 -------- dc----w- c:\windows\system32\DRVSTORE
2011-10-22 07:45 . 2011-10-22 08:08 -------- d-----w- c:\programdata\Apple Computer
2011-10-22 07:45 . 2011-10-22 07:45 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-10-22 07:45 . 2011-10-22 07:45 -------- d-----w- c:\program files\Bonjour
2011-10-22 07:45 . 2011-10-22 07:45 -------- d-----w- c:\program files (x86)\Bonjour
2011-10-22 07:44 . 2011-10-22 07:45 -------- d-----w- c:\programdata\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 04:20 . 2010-11-11 00:25 544656 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-11-12 07:01 . 2010-11-11 00:26 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-11-12 06:53 . 2010-11-11 05:30 530488 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-11 01:32 . 2010-11-12 07:06 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-11-11 01:32 . 2010-11-12 06:51 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-11-11 01:32 . 2010-11-12 06:51 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-10-25 04:48 . 2010-11-12 06:50 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-09-26 04:23 . 2010-12-23 06:25 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2011-09-26 04:23 . 2010-12-23 06:25 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-09-26 04:23 . 2010-12-23 06:25 123480 ----a-w- c:\windows\system32\OpenAL32.dll
2011-09-26 04:23 . 2010-12-23 06:25 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-09-19 13:03 . 2011-09-19 13:03 45056 ----a-w- c:\windows\SysWow64\rtvcvfw32.dll
2011-09-02 06:30 . 2011-09-02 06:30 55064 ----a-w- c:\windows\system32\LMouFiltCoInst.dll
2011-09-02 06:30 . 2011-09-02 06:30 42776 ----a-w- c:\windows\system32\drivers\LUsbFilt.sys
2011-09-02 06:30 . 2011-09-02 06:30 60696 ----a-w- c:\windows\system32\drivers\LMouFilt.Sys
2011-09-02 06:30 . 2011-09-02 06:30 1845528 ----a-w- c:\windows\system32\LkmdfCoInst.dll
2011-09-02 06:30 . 2011-09-02 06:30 66840 ----a-w- c:\windows\system32\drivers\LHidFilt.Sys
2011-09-01 05:24 . 2011-10-12 07:00 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 05:17 . 2011-10-12 07:00 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 05:12 . 2011-10-12 07:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-01 02:35 . 2011-10-12 07:00 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-09-01 02:28 . 2011-10-12 07:00 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-09-01 02:22 . 2011-10-12 07:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-08-31 21:00 . 2010-11-11 05:22 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-27 05:37 . 2011-10-12 03:46 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 05:37 . 2011-10-12 03:46 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-08-27 04:26 . 2011-10-12 03:46 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-08-27 04:26 . 2011-10-12 03:46 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-08-25 07:43 . 2011-03-16 00:56 45056 ----a-w- c:\windows\system32\rtvcvfw32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-04 343168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [x]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000w7.sys [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 atillk64;atillk64;e:\desktop shortcuts\Overclocking + PC Info\HD 6950 to 6970 Mod\HD_6950_to_HD_6970_mod\winflash\atillk64.sys [2006-07-19 14608]
R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [x]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
R3 EyeOneDisplay;EyeOneDisplay;c:\windows\system32\Drivers\i1display_x64.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-01-13 129440]
R3 MAUSBMIDI;Service for M-Audio USB MIDI Series;c:\windows\system32\DRIVERS\MAudioUSBMIDI.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TomTomHOMEService;TomTomHOMEService;d:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 cmudaxp;ASUS Xonar Essence ST Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [x]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys [x]
S3 RTCore64;RTCore64;d:\program files (x86)\MSI Afterburner\RTCore64.sys [2011-10-02 13368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-20 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-11-15 09:26]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EvtMgr6"="d:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"combofix"="c:\combofix\CF26181.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 167.206.254.2
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
FF - ProfilePath - c:\users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\0lunwsnb.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-World of Logs Client - c:\windows\system32\javaws.exe
AddRemove-World of Logs Client (4.2) - c:\windows\system32\javaws.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2646931542-3794985555-239293760-1000\Software\SecuROM\License information*]
"datasecu"=hex:67,96,60,7e,bb,0c,f3,c0,47,d1,83,c0,4f,ca,b8,fb,21,66,46,ef,f0,
bd,7d,12,fb,b1,ab,2d,21,31,b6,15,63,4e,a2,40,c4,6a,17,c0,1f,94,49,73,03,47,\
"rkeysecu"=hex:04,9f,9c,af,03,4a,e0,53,0b,9c,ea,6c,56,36,ec,37
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\09\01\1a\15\01%?"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\PREFERENCES\HME\S-1-5-21-2646931542-3794985555-239293760-1000]
@DACL=(02 0000)
@SACL=
"RemoteSharingEnabled"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
d:\program files (x86)\MSI Afterburner\MSIAfterburner.exe
.
**************************************************************************
.
Completion time: 2011-11-20 13:45:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-20 18:45
.
Pre-Run: 35,402,096,640 bytes free
Post-Run: 35,038,810,112 bytes free
.
- - End Of File - - 4FDD12E9298ED99AF3550F3FBDDC9FAA

#6 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,559
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 20 November 2011 - 05:11 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

    In your next post I need the following

    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   -Piper- 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 15-November 11

Posted 20 November 2011 - 06:11 PM

Ran Combofix as instructed. Prompted me to update, I did. Ran the script with the updated combofix. No changes in system activity that I noticed.

Edit: Update, Ran World of Warcraft, the launcher normally has a news section that comes up. It is no longer connecting to that after having run combofix. Also looks like the background downloader for patches is not working properly either. Looks like I can upload but not download via the downloader client. Not noticing any other internet connection issues.

ComboFix 11-11-20.02 - Derek 11/20/2011 17:54:13.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4094.2279 [GMT -5:00]
Running from: c:\users\Derek\Desktop\ComboFix.exe
Command switches used :: c:\users\Derek\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-10-20 to 2011-11-20 )))))))))))))))))))))))))))))))
.
.
2011-11-20 22:57 . 2011-11-20 22:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-19 22:00 . 2011-10-18 06:27 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B8DAB6F0-22F6-4785-A49B-1C852649E28F}\mpengine.dll
2011-11-16 04:23 . 2010-01-11 00:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2011-11-16 04:20 . 2011-11-16 04:20 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-11-16 04:15 . 2011-11-16 04:15 627600 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-15 09:09 . 2011-11-15 09:09 -------- d-----w- C:\$AVG
2011-11-15 08:56 . 2011-11-15 08:56 -------- d-----w- c:\users\Derek\AppData\Roaming\AVG
2011-11-15 08:52 . 2011-11-15 08:52 -------- d--h--w- c:\programdata\Common Files
2011-11-15 08:50 . 2011-11-15 09:27 -------- d-----w- c:\programdata\MFAData
2011-11-14 05:46 . 2011-11-15 09:26 -------- d-----w- c:\windows\AutoKMS
2011-11-14 04:26 . 2011-11-14 04:29 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-14 04:12 . 2011-11-14 04:12 -------- d-----w- c:\users\Derek\AppData\Local\Mozilla
2011-11-12 18:04 . 2011-11-12 18:04 -------- d-----w- c:\users\Derek\AppData\Local\Skyrim
2011-11-12 07:04 . 2011-11-12 07:04 -------- d-----w- c:\windows\system32\Macromed
2011-11-12 07:02 . 2011-11-12 07:02 53248 ----a-r- c:\users\Derek\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-11-12 07:01 . 2011-11-12 07:01 -------- d-----w- c:\users\Derek\AppData\Local\Logishrd
2011-11-12 06:55 . 2011-11-12 06:55 279616 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-11-12 06:31 . 2011-11-12 06:31 -------- d-----we c:\windows\system64
2011-11-11 22:32 . 2011-11-11 22:32 -------- d-----w- c:\programdata\MediaMonkey
2011-11-11 22:32 . 2011-11-20 00:50 -------- d-----w- c:\users\Derek\AppData\Roaming\MediaMonkey
2011-11-10 03:37 . 2011-11-10 03:37 -------- d-----w- c:\users\Derek\AppData\Roaming\ATI
2011-11-10 03:37 . 2011-11-10 03:37 -------- d-----w- c:\users\Derek\AppData\Local\ATI
2011-11-10 03:37 . 2011-11-10 03:37 -------- d-----w- c:\programdata\ATI
2011-11-10 03:37 . 2011-11-10 03:37 0 ----a-w- c:\windows\ativpsrm.bin
2011-11-10 03:36 . 2011-11-19 23:42 -------- d-----w- c:\program files (x86)\ATI Technologies
2011-11-10 03:35 . 2011-11-10 03:35 -------- d-----w- c:\program files\ATI
2011-11-10 03:35 . 2011-11-10 03:36 -------- d-----w- c:\program files\ATI Technologies
2011-11-10 02:42 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-10 02:42 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-10 02:42 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-10 02:42 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 02:39 . 2011-11-10 02:39 -------- d-----w- c:\users\Derek\DxReport
2011-11-10 02:38 . 2011-11-10 02:38 -------- d-----w- c:\users\Derek\AppData\Roaming\LaunchPad
2011-10-22 07:45 . 2011-10-22 07:47 -------- d-----w- c:\users\Derek\AppData\Roaming\Apple Computer
2011-10-22 07:45 . 2011-10-22 08:08 -------- dc----w- c:\windows\system32\DRVSTORE
2011-10-22 07:45 . 2011-10-22 08:08 -------- d-----w- c:\programdata\Apple Computer
2011-10-22 07:45 . 2011-10-22 07:45 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-10-22 07:45 . 2011-10-22 07:45 -------- d-----w- c:\program files\Bonjour
2011-10-22 07:45 . 2011-10-22 07:45 -------- d-----w- c:\program files (x86)\Bonjour
2011-10-22 07:44 . 2011-10-22 07:45 -------- d-----w- c:\programdata\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 04:20 . 2010-11-11 00:25 544656 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-11-12 07:01 . 2010-11-11 00:26 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-11-12 06:53 . 2010-11-11 05:30 530488 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-11 01:32 . 2010-11-12 07:06 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-11-11 01:32 . 2010-11-12 06:51 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-11-11 01:32 . 2010-11-12 06:51 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-10-25 04:48 . 2010-11-12 06:50 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-09-26 04:23 . 2010-12-23 06:25 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2011-09-26 04:23 . 2010-12-23 06:25 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-09-26 04:23 . 2010-12-23 06:25 123480 ----a-w- c:\windows\system32\OpenAL32.dll
2011-09-26 04:23 . 2010-12-23 06:25 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-09-19 13:03 . 2011-09-19 13:03 45056 ----a-w- c:\windows\SysWow64\rtvcvfw32.dll
2011-09-02 06:30 . 2011-09-02 06:30 55064 ----a-w- c:\windows\system32\LMouFiltCoInst.dll
2011-09-02 06:30 . 2011-09-02 06:30 42776 ----a-w- c:\windows\system32\drivers\LUsbFilt.sys
2011-09-02 06:30 . 2011-09-02 06:30 60696 ----a-w- c:\windows\system32\drivers\LMouFilt.Sys
2011-09-02 06:30 . 2011-09-02 06:30 1845528 ----a-w- c:\windows\system32\LkmdfCoInst.dll
2011-09-02 06:30 . 2011-09-02 06:30 66840 ----a-w- c:\windows\system32\drivers\LHidFilt.Sys
2011-09-01 05:24 . 2011-10-12 07:00 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 05:17 . 2011-10-12 07:00 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 05:12 . 2011-10-12 07:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-01 02:35 . 2011-10-12 07:00 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-09-01 02:28 . 2011-10-12 07:00 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-09-01 02:22 . 2011-10-12 07:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-08-31 21:00 . 2010-11-11 05:22 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-27 05:37 . 2011-10-12 03:46 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 05:37 . 2011-10-12 03:46 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-08-27 04:26 . 2011-10-12 03:46 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-08-27 04:26 . 2011-10-12 03:46 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-08-25 07:43 . 2011-03-16 00:56 45056 ----a-w- c:\windows\system32\rtvcvfw32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-20_18.43.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 05:10 . 2011-11-20 18:44 23786 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-11-20 17:09 23786 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-11-10 14:23 . 2011-11-20 18:44 17562 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2646931542-3794985555-239293760-1000_UserData.bin
- 2009-07-14 05:10 . 2011-11-20 17:09 23786 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-20 18:44 23786 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-11-10 14:23 . 2011-11-20 18:44 17562 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2646931542-3794985555-239293760-1000_UserData.bin
+ 2011-11-20 22:58 . 2011-11-20 22:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-20 18:42 . 2011-11-20 18:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2011-11-20 18:47 660280 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-11-20 17:12 660280 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2011-11-20 17:12 121208 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2011-11-20 18:47 121208 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2011-11-20 18:47 660280 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-11-20 17:12 660280 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-20 18:47 121208 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-11-20 17:12 121208 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-11-20 18:42 362688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-11-20 22:57 362688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-14 04:41 . 2011-11-20 22:57 6575028 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2646931542-3794985555-239293760-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-04 343168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [x]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000w7.sys [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 atillk64;atillk64;e:\desktop shortcuts\Overclocking + PC Info\HD 6950 to 6970 Mod\HD_6950_to_HD_6970_mod\winflash\atillk64.sys [2006-07-19 14608]
R3 cpudrv64;cpudrv64;c:\program files (x86)\SystemRequirementsLab\cpudrv64.sys [x]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
R3 EyeOneDisplay;EyeOneDisplay;c:\windows\system32\Drivers\i1display_x64.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-01-13 129440]
R3 MAUSBMIDI;Service for M-Audio USB MIDI Series;c:\windows\system32\DRIVERS\MAudioUSBMIDI.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TomTomHOMEService;TomTomHOMEService;d:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 cmudaxp;ASUS Xonar Essence ST Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [x]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys [x]
S3 RTCore64;RTCore64;d:\program files (x86)\MSI Afterburner\RTCore64.sys [2011-10-02 13368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-20 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS\AutoKMS.exe [2011-11-15 09:26]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EvtMgr6"="d:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 167.206.254.2
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
FF - ProfilePath - c:\users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\0lunwsnb.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2646931542-3794985555-239293760-1000\Software\SecuROM\License information*]
"datasecu"=hex:67,96,60,7e,bb,0c,f3,c0,47,d1,83,c0,4f,ca,b8,fb,21,66,46,ef,f0,
bd,7d,12,fb,b1,ab,2d,21,31,b6,15,63,4e,a2,40,c4,6a,17,c0,1f,94,49,73,03,47,\
"rkeysecu"=hex:04,9f,9c,af,03,4a,e0,53,0b,9c,ea,6c,56,36,ec,37
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\09\01\1a\15\01%?"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\PREFERENCES\HME\S-1-5-21-2646931542-3794985555-239293760-1000]
@DACL=(02 0000)
@SACL=
"RemoteSharingEnabled"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
d:\program files (x86)\MSI Afterburner\MSIAfterburner.exe
.
**************************************************************************
.
Completion time: 2011-11-20 18:00:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-20 23:00
ComboFix2.txt 2011-11-20 18:45
.
Pre-Run: 35,116,122,112 bytes free
Post-Run: 35,050,508,288 bytes free
.
- - End Of File - - BE7D6DBE861747E0933CEF096B342C24

This post has been edited by -Piper-: 20 November 2011 - 06:31 PM

#8 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,559
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 20 November 2011 - 08:38 PM

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

    In your next post I need the following

    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   -Piper- 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 15-November 11

Posted 20 November 2011 - 09:11 PM

Ran TFC as instructed. MBAM ran with no results, so no log file to post. Hijackthis logs are as follows:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:10:14 PM, on 11/20/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
D:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TomTomHOMEService - TomTom - D:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 5787 bytes

#10 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,559
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 20 November 2011 - 09:20 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brakets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

This post has been edited by gringo_pr: 20 November 2011 - 09:21 PM

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   -Piper- 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 15-November 11

Posted 20 November 2011 - 09:36 PM

While I'm running this ESET scanner I had a question. I noticed in the topic http://www.bleepingcomputer.com/forums/topic417190.html/page__st__30 that there were problems with the Winsock entries too. I'm sure I had the same infection that he did, is there any way we could check to see if those are as they should be?

#12 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,559
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 20 November 2011 - 09:53 PM

you are only having problems with one program so my thoughts are if it don't clear up by the time we finish is to reinstall that one program


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#13 User is offline   -Piper- 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 15-November 11

Posted 20 November 2011 - 11:33 PM

Looks like ESET was pulling false positives here. All of these were present for months now, so I don't think they are involved. Here is the log:


C:\Windows\AutoKMS\AutoKMS.exe probably a variant of Win32/HackKMS.B application
D:\Games\Electronic Arts\Crytek\Crysis\Game\Levels\RealLifesis_Blink2.exe a variant of Win32/Packed.ExeScript.F trojan
D:\Games\Electronic Arts\Crytek\Crysis\Game\Levels\RealLifesis_FG1.exe a variant of Win32/Packed.ExeScript.F trojan
D:\Games\Electronic Arts\Crytek\Crysis\Game\Levels\RealLifesis_FG2.exe a variant of Win32/Packed.ExeScript.F trojan
D:\Games\Electronic Arts\Crytek\Crysis\Game\Levels\RealLifesis_ToD1.exe a variant of Win32/Packed.ExeScript.F trojan
D:\Games\Electronic Arts\Crytek\Crysis\Game\Levels\Uninstall.exe a variant of Win32/Packed.ExeScript.F trojan
D:\Games\The Witcher 2\bin\paul.dll a variant of Win32/Packed.VMProtect.AAA trojan

#14 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,559
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 20 November 2011 - 11:51 PM

ok uninstall the program that is giving problems and reinstall it


let me know if this worked



gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#15 User is offline   -Piper- 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 15-November 11

Posted 21 November 2011 - 12:02 AM

Actually upon further inspection of the downloader, I was not actually downloading anything at the time. The download rate re-enabling it seems fine, just constantly showing a "It appears that your computer is behind a firewall" error. Does combofix enable a firewall that I can configure?

Edit: Found the issue. Appears that combofix or one of the tools must have altered Internet options in the control panel. Reset them to default values and the downloader is no longer throwing the error.

This post has been edited by -Piper-: 21 November 2011 - 12:13 AM

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users