
Google redirect malware/virus


This topic is locked
23 replies to this topic

#1 jthorp10


Posted 25 October 2010 - 02:42 AM

I run Windows XP with Firefox as my browser and have recently been having trouble getting rid of this nasty problem everyone seems to be getting, with the usual rkill/tdsskiller/malware combo I do coming up clean. Hopefully you guys can help me clean up my PC a bit and give me some advice on not being so helpless :P

Anyway, here are the logs requested in the prep guide.


DDS (Ver_10-10-21.02) - NTFSx86
Run by Jon at 2:08:06.76 on Mon 10/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2228 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Jon\Desktop\Failsafe\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Yfiyusaney] rundll32.exe "c:\windows\ndsrasob.dll",Startup
uRun: [Google Update] "c:\documents and settings\jon\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [1A:Stardock TrayMonitor]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [rxnsomecaw.tmp] "c:\docume~1\jon\locals~1\temp\rxnsomecaw.tmp"
mRun: [Qsetoqul] rundll32.exe "c:\windows\amizefij.dll",Startup
mRunOnce: [*admcenteracl.exe] "c:\windows\system32\config\systemprofile\admcenteracl.exe"
mRunServices: [1A:Stardock TrayMonitor]
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1285799308984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\eti00zm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\jon\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jon\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\jon\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {68AFD3D7-63ED-4E22-8516-850BBF0E73FD} - c:\documents and settings\jon\local settings\application data\{68AFD3D7-63ED-4E22-8516-850BBF0E73FD}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-9-29 1691480]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\plugins\ui\safedrv.sys --> c:\program files\garena\plugins\ui\safedrv.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-10-22 11:11:56 -------- d-----w- c:\program files\BitTorrent
2010-10-22 11:10:56 -------- d-----w- c:\docume~1\jon\applic~1\BitTorrent
2010-10-21 05:47:48 -------- d-sh--w- c:\documents and settings\jon\IETldCache
2010-10-21 05:34:19 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-10-21 05:33:59 -------- d-----w- c:\windows\ie8updates
2010-10-21 05:33:52 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-21 05:33:52 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-10-21 05:33:52 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-10-21 05:33:52 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-21 05:33:52 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-10-21 05:33:52 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-10-21 05:33:52 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-10-21 05:32:11 -------- dc-h--w- c:\windows\ie8
2010-10-20 05:34:04 -------- d-----w- c:\docume~1\jon\locals~1\applic~1\Temp
2010-10-20 05:34:01 -------- d-----w- c:\docume~1\jon\locals~1\applic~1\Google
2010-10-20 03:58:29 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-20 02:45:24 -------- d-----w- c:\docume~1\jon\applic~1\Malwarebytes
2010-10-19 04:37:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-19 04:37:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 04:37:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 04:37:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-19 04:29:02 -------- d-----w- c:\windows\pss
2010-10-19 04:24:14 -------- d-----w- c:\docume~1\jon\locals~1\applic~1\{68AFD3D7-63ED-4E22-8516-850BBF0E73FD}
2010-10-19 04:18:01 0 ----a-w- c:\windows\Orociriqurej.bin
2010-10-19 04:17:23 63488 --sha-r- c:\windows\system32\c_1252Z.dll
2010-10-19 04:16:42 183 ----a-w- c:\docume~1\jon\applic~1\5388.bat
2010-10-19 04:16:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-19 04:16:06 -------- d-----w- c:\docume~1\jon\applic~1\Ruifmy
2010-10-19 04:16:06 -------- d-----w- c:\docume~1\jon\applic~1\Ikxai
2010-10-19 04:15:22 -------- d-----w- c:\docume~1\jon\applic~1\C63359555FA374602B5F8E04E72FFB42
2010-10-19 02:28:02 -------- d-----w- c:\program files\Garena
2010-10-18 04:17:48 -------- d-----w- c:\program files\SpeedFan
2010-10-17 04:01:24 -------- d-----w- c:\program files\JRE
2010-10-17 04:01:19 -------- d-----w- c:\program files\OpenOffice.org 3
2010-10-17 04:01:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-17 04:01:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 04:01:04 411368 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-14 21:10:33 -------- d-----w- c:\program files\Warcraft III 1.21b ROC Installer enUS
2010-10-14 20:52:49 -------- d-----w- c:\program files\Warcraft III 1.21b TFT Installer enUS
2010-10-13 22:53:00 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 22:53:00 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 22:52:53 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 04:03:56 -------- d-----w- c:\program files\Say the Time
2010-10-09 22:08:03 -------- d-----w- c:\docume~1\jon\locals~1\applic~1\CrashRpt
2010-10-09 22:07:52 -------- d-----w- c:\program files\Livestream Procaster
2010-10-09 22:07:52 -------- d-----w- c:\docume~1\jon\locals~1\applic~1\Procaster
2010-10-09 08:03:39 -------- d-----w- c:\windows\system32\XPSViewer
2010-10-09 08:03:16 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-10-09 08:03:10 117760 ------w- c:\windows\system32\prntvpt.dll
2010-10-09 08:03:09 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-10-09 08:03:09 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-10-09 08:03:09 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-10-09 08:03:09 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-10-09 08:03:09 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-10-09 08:03:09 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-10-09 08:03:09 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-10-05 22:19:14 -------- d-----w- c:\program files\DivX
2010-10-05 22:18:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-10-05 10:22:40 -------- d-----r- c:\program files\Skype
2010-10-05 04:39:58 -------- d-----w- c:\program files\PokerStars
2010-09-30 00:49:58 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-09-30 00:20:20 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-09-30 00:20:20 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-09-30 00:19:46 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-09-30 00:19:43 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-09-30 00:19:34 -------- d-----w- c:\windows\Logs
2010-09-30 00:18:53 -------- d-----w- c:\program files\Heroes of Newerth
2010-09-29 23:55:25 -------- d-----w- c:\program files\VideoLAN
2010-09-29 23:46:46 -------- d-----w- c:\program files\Ventrilo
2010-09-29 23:41:14 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2010-09-29 23:30:42 -------- d-----w- c:\program files\StarCraft II
2010-09-29 23:30:42 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2010-09-29 23:30:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2010-09-29 23:30:03 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll
2010-09-29 23:19:32 -------- d-----w- c:\windows\system32\scripting
2010-09-29 23:19:32 -------- d-----w- c:\windows\system32\en
2010-09-29 23:19:32 -------- d-----w- c:\windows\system32\bits
2010-09-29 23:19:32 -------- d-----w- c:\windows\l2schemas
2010-09-29 23:16:23 -------- d-----w- c:\windows\network diagnostic
2010-09-29 23:15:10 -------- d-----w- c:\windows\system32\ReinstallBackups
2010-09-29 23:13:25 -------- d-----w- c:\windows\EHome
2010-09-29 23:10:31 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-09-29 22:49:28 -------- d-----w- c:\windows\ServicePackFiles
2010-09-29 22:47:23 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-09-29 22:44:44 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-09-29 22:44:25 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2010-09-29 22:43:01 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-09-29 22:43:01 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-09-29 22:42:49 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-09-29 22:37:45 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-09-29 22:36:57 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-09-29 22:36:57 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-09-29 22:36:54 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-09-29 22:30:19 -------- d-----w- c:\windows\system32\PreInstall
2010-09-29 22:30:17 -------- d--h--w- c:\windows\$hf_mig$
2010-09-29 22:28:53 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-09-29 22:28:52 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-09-29 22:28:52 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-09-29 22:28:52 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-09-29 22:28:52 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-09-29 22:27:28 -------- d-----w- c:\windows\system32\Lang
2010-09-29 22:26:22 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-09-29 22:26:21 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-09-29 22:26:20 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-09-29 22:26:16 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-09-29 22:26:15 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-09-29 22:26:15 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-09-29 22:26:14 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-09-29 22:26:14 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2010-09-29 22:26:13 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-09-29 22:26:11 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2010-09-29 22:26:11 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2010-09-29 22:26:09 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2010-09-29 22:23:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-09-29 17:26:02 -------- d-----w- c:\program files\InterActual
2010-09-28 23:25:30 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2010-09-28 23:25:30 685056 -c--a-w- c:\windows\system32\dllcache\hsfcxts2.sys
2010-09-28 23:25:30 685056 ----a-w- c:\windows\system32\drivers\HSFCXTS2.sys
2010-09-28 23:25:30 32285 ----a-w- c:\windows\system32\hsfcisp2.dll
2010-09-28 23:25:30 220032 -c--a-w- c:\windows\system32\dllcache\hsfbs2s2.sys
2010-09-28 23:25:30 220032 ----a-w- c:\windows\system32\drivers\HSFBS2S2.sys
2010-09-28 23:25:30 11868 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2010-09-28 23:25:29 1041536 -c--a-w- c:\windows\system32\dllcache\hsfdpsp2.sys
2010-09-28 23:25:29 1041536 ----a-w- c:\windows\system32\drivers\HSFDPSP2.sys
2010-09-28 23:19:19 -------- d-s---w- c:\documents and settings\jon\UserData
2010-09-28 22:33:44 -------- d-----w- c:\docume~1\jon\locals~1\applic~1\NVIDIA Corporation
2010-09-28 22:33:41 -------- d-----w- c:\program files\NVIDIA Corporation
2010-09-28 22:32:58 -------- d-----w- c:\program files\NVIDIA nTune Performance Application
2010-09-28 13:16:23 -------- d-s---w- c:\windows\system32\Microsoft

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 2:08:15.39 ===============
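As an added, defender-side illustration (not part of this thread, and not code from the DDS, GooredFix or ComboFix tools), the Python script below parses a handful of the `uRun`/`mRun`/`mRunOnce` and `FF - HiddenExtension` lines copied from the DDS log above and checks each one against a few red flags that this particular log happens to show: rundll32 loading a DLL dropped straight into the Windows root, an autorun image sitting in a temp directory or carrying a .tmp extension, an image under the SYSTEM profile folder, a RunOnce value name prefixed with `*`, and a hidden Firefox extension installed as a bare GUID folder under the user's Local Settings profile. The rules, the function names and the output format are this example's own assumptions; an entry that trips none of them is not thereby clean, it has simply not been caught by these five checks.

```python
"""Heuristic triage of autorun lines from a DDS 'Pseudo HJT Report'.

Added example, not part of the thread and not code from DDS, GooredFix or
ComboFix. The sample lines are copied from the DDS log in post #1; the
red-flag rules, names and output format are this example's own assumptions.
"""
import re

# Sample input: a subset of the uRun/mRun/mRunOnce and FF lines from post #1.
SAMPLE_LOG = r"""
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Yfiyusaney] rundll32.exe "c:\windows\ndsrasob.dll",Startup
uRun: [Google Update] "c:\documents and settings\jon\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [1A:Stardock TrayMonitor]
mRun: [rxnsomecaw.tmp] "c:\docume~1\jon\locals~1\temp\rxnsomecaw.tmp"
mRun: [Qsetoqul] rundll32.exe "c:\windows\amizefij.dll",Startup
mRunOnce: [*admcenteracl.exe] "c:\windows\system32\config\systemprofile\admcenteracl.exe"
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: XULRunner: {68AFD3D7-63ED-4E22-8516-850BBF0E73FD} - c:\documents and settings\jon\local settings\application data\{68AFD3D7-63ED-4E22-8516-850BBF0E73FD}
"""

# DDS prefixes: u = HKCU, m = HKLM; the command part is absent for some entries.
RUN_RE = re.compile(r'^(?P<hive>[um])Run(?:Once|Services)?: \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$')
FF_EXT_RE = re.compile(r'^FF - HiddenExtension: (?P<name>.*?): (?P<ref>.*?) - (?P<path>.*)$')


def _image_path(cmd):
    """Return (image, via_rundll32): the file actually loaded, lower-cased."""
    via_rundll32 = False
    rest = cmd or ''
    if re.match(r'rundll32\.exe\s', rest, re.I):
        # rundll32.exe "<dll>",<export>: the DLL, not rundll32, is the payload.
        via_rundll32 = True
        parts = rest.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ''
    quoted = re.match(r'"([^"]+)"', rest)
    image = quoted.group(1) if quoted else re.split(r'[\s,]', rest, maxsplit=1)[0]
    return image.lower(), via_rundll32


def triage_run(name, cmd):
    """Red flags (assumed rules) for one Run/RunOnce entry."""
    image, via_rundll32 = _image_path(cmd)
    reasons = []
    if via_rundll32 and re.match(r'^c:\\windows\\[^\\]+\.dll$', image):
        reasons.append('rundll32 loads a DLL dropped directly into the Windows root')
    if re.search(r'\\temp\\', image) or image.endswith('.tmp'):
        reasons.append('autorun image in a temp directory or with a .tmp extension')
    if '\\config\\systemprofile\\' in image:
        reasons.append('autorun image under the SYSTEM profile directory')
    if name.startswith('*'):
        reasons.append('RunOnce value name prefixed with "*" (also runs in Safe Mode)')
    return reasons


def triage_ff_extension(name, ref, path):
    """Red flags (assumed rules) for one Firefox HiddenExtension entry."""
    reasons = []
    if (re.search(r'\{[0-9a-f-]{36}\}$', path, re.I)
            and re.search(r'\\local settings\\application data\\\{', path, re.I)):
        reasons.append('hidden extension installed as a bare GUID folder under '
                       'the user Local Settings profile')
    return reasons


def triage(log_text):
    """Return [(entry name, [reasons])] for every entry that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            reasons = triage_run(m['name'], m['cmd'])
        else:
            m = FF_EXT_RE.match(line)
            reasons = triage_ff_extension(m['name'], m['ref'], m['path']) if m else []
        if reasons:
            findings.append((m['name'], reasons))
    return findings


if __name__ == '__main__':
    for entry, why in triage(SAMPLE_LOG):
        print(f'[{entry}]')
        for r in why:
            print(f'    - {r}')
```

Run as a script it prints the flagged entries; on the sample it flags the two rundll32 entries, the .tmp autorun, the RunOnce under systemprofile and the GUID-named extension (the one GooredFix later removes), and leaves the NVIDIA, Google, Realtek and Java entries alone.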


#2 rigacci


Posted 25 October 2010 - 10:51 AM

Hello and welcome to the forum. :welcome:

I apologize for the delay in responding to your request for help but it is very busy here and we can get overwhelmed at times.

If you have since resolved the original problem you were having, we would appreciate you letting us know.


Please refrain from running tools or applying updates other than those we suggest while we are cleaning your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please be patient while I analyze your present log and await your next. All of my fixes are checked by higher level forum members before posting.


Thanks.

DR

Edited by rigacci, 25 October 2010 - 10:53 AM.


#3 jthorp10


Posted 25 October 2010 - 11:42 AM

Hello rigacci, and thank you for taking time to help me with this problem! Unfortunately I still haven't been able to resolve my browser redirects on my own.

But I'll be as patient as it takes and follow any directions you give me as closely as possible.

#4 rigacci


Posted 26 October 2010 - 06:54 AM

I am continuing to analyze your present log and am finding some items that will need to be dealt with. Please be patient while we devise the best plan of attack and remember that all of my fixes are checked by higher level forum members before posting. That can sometimes cause a bit of a delay to get started.

Are you getting any BSODs?

Thanks.

DR

Edited by rigacci, 26 October 2010 - 07:02 AM.


#5 jthorp10


Posted 26 October 2010 - 10:23 AM


Are you getting any BSODs?

Nope, should I be worried?

#6 rigacci


Posted 26 October 2010 - 11:14 AM

No. I saw a lot of Stop Errors in your GMER log and those are usually followed or preceded by a BSOD.

DR

#7 rigacci


Posted 27 October 2010 - 08:01 AM

OK, here goes.

Before we start cleaning I need to inform you of what is on your computer and what it could do.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to clean it, let's start with the following.


1. Please download GooredFix and save it to your Desktop.
2. Double Click the file you downloaded and then select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.

A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.



Now Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable Security Programs

•Double click on ComboFix.exe & follow the prompts.

Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part only if you're running Vista or Windows 7. Let it install if you are running XP.



When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy/Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

Thanks.

DR


#8 jthorp10


Posted 27 October 2010 - 09:47 AM

Okay rigacci, I'm shocked to find out I have such dangerous infections. Luckily I don't use this computer for anything other than online gaming and web surfing, so I would like reformatting to be an absolute last resort if possible.

Here are the GooredFix and ComboFix logs you requested. ComboFix appeared to be stuck at step 48 for almost 2 hours, so I ended the task and reran it with no issues.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 08:15 on 27/10/2010 (Jon)
Firefox version 3.6.11 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{68AFD3D7-63ED-4E22-8516-850BBF0E73FD} -> Success!
Deleting C:\Documents and Settings\Jon\Local Settings\Application Data\{68AFD3D7-63ED-4E22-8516-850BBF0E73FD} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:33 29/09/2010]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [10:22 05/10/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [04:01 17/10/2010]

C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\eti00zm5.default\extensions\
{9AA46F4F-4DC7-4c06-97AF-5035170633FE} [00:31 30/09/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [00:05 30/09/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:04 09/10/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [04:00 17/10/2010]

-=E.O.F=-



ComboFix 10-10-26.03 - Jon 10/27/2010 9:27.2.3 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2533 [GMT -5:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jon\Application Data\C63359555FA374602B5F8E04E72FFB42
c:\documents and settings\Jon\Application Data\C63359555FA374602B5F8E04E72FFB42\enemies-names.txt
c:\documents and settings\Jon\Application Data\C63359555FA374602B5F8E04E72FFB42\local.ini
c:\documents and settings\Jon\Application Data\C63359555FA374602B5F8E04E72FFB42\lsrslt.ini
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\amizefij.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-20 03:58 . 2010-10-20 03:58 -------- d-----w- C:\TDSSKiller_Quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-23 16:12 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-20 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*admcenteracl.exe"="c:\windows\system32\config\systemprofile\admcenteracl.exe" [2010-10-20 151552]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/29/2010 5:25 PM 1691480]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\plugins\UI\safedrv.sys --> c:\program files\Garena\plugins\UI\safedrv.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1957994488-839522115-1004Core.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-20 05:34]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1957994488-839522115-1004UA.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-20 05:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\eti00zm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yfiyusaney - c:\windows\ndsrasob.dll
HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
HKLM-Run-1A:Stardock TrayMonitor - (no file)
HKLM-Run-Qsetoqul - c:\windows\amizefij.dll
SafeBoot-klmdb.sys
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2010-10-27 09:32:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-27 14:32

Pre-Run: 58,727,239,680 bytes free
Post-Run: 58,927,370,240 bytes free

- - End Of File - - 3F5C454DBCF31FCE405488BFDE9DB8AD


As for how my computer is behaving, nothing seems to be out of the ordinary both before and after the scans aside from the search engine redirect issue, which is why I can't believe I have such dangerous infections. I'll edit my post to let you know if the redirect is still happening.

#9 rigacci (Fiorentino; Members, 2,604 posts; Gender: Male)

Posted 27 October 2010 - 10:25 AM

Yes, let me know ASAP if the redirects are still happening. :thumbup2:

Thanks.

DR :whistle:

#10 jthorp10 (Topic Starter; Members, 10 posts)

Posted 27 October 2010 - 10:38 AM

Yes, let me know ASAP if the redirects are still happening. :thumbup2:

Thanks.

DR :whistle:


Okay, the redirects are definitely still happening :(

#11 rigacci (Fiorentino; Members, 2,604 posts; Gender: Male)

Posted 27 October 2010 - 11:05 AM

Ugh! :angry:

OK, I will get back to you as soon as we check out these new logs.

DR

#12 rigacci (Fiorentino; Members, 2,604 posts; Gender: Male)

Posted 29 October 2010 - 10:44 AM

OK, sorry it has taken so long to get back to you. BTW, you anywhere near Jim Thorpe or is that part of your name?

First, please:

Go to Start>Run and type cmd and hit OK. Your command box should open.

Type in ipconfig /flushdns and hit the Enter button.

Close the command box.

Next:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into it:

FILE::
c:\windows\system32\config\systemprofile\admcenteracl.exe

Save this as CFScript.txt, on your Desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks.

DR

#13 jthorp10 (Topic Starter; Members, 10 posts)

Posted 29 October 2010 - 11:28 AM

No problem, and I wish I could say I had any kind of relation to Jim Thorpe :P

Here is the log after I did a DNS flush and opened ComboFix through CFScript.

ComboFix 10-10-28.09 - Jon 10/29/2010 11:07:04.3.3 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2714 [GMT -5:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jon\Desktop\CFScript.txt.txt

FILE ::
"c:\windows\system32\config\systemprofile\admcenteracl.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\admcenteracl.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))
.

2010-10-27 13:08 . 2010-10-27 13:08 -------- d-----w- c:\documents and settings\Jon\Application Data\OpenOffice.org
2010-10-22 11:11 . 2010-10-22 11:11 -------- d-----w- c:\program files\BitTorrent
2010-10-22 11:10 . 2010-10-23 08:39 -------- d-----w- c:\documents and settings\Jon\Application Data\BitTorrent
2010-10-21 06:08 . 2010-10-21 06:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-21 05:49 . 2010-10-21 05:49 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-10-21 05:47 . 2010-10-21 05:47 -------- d-sh--w- c:\documents and settings\Jon\IETldCache
2010-10-21 05:34 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-10-21 05:33 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-10-21 05:33 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-10-21 05:33 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-10-21 05:33 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-10-21 05:33 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-21 05:33 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-10-21 05:33 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-21 05:32 . 2010-10-21 05:33 -------- dc-h--w- c:\windows\ie8
2010-10-20 05:34 . 2010-10-20 05:34 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Temp
2010-10-20 05:34 . 2010-10-20 05:34 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Google
2010-10-20 03:58 . 2010-10-20 03:58 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-20 02:45 . 2010-10-20 02:45 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes
2010-10-19 04:37 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-19 04:37 . 2010-10-20 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 04:37 . 2010-10-19 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-19 04:37 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 04:35 . 2010-10-19 04:35 -------- d-----w- c:\documents and settings\Administrator
2010-10-19 04:18 . 2010-10-25 04:58 0 ----a-w- c:\windows\Orociriqurej.bin
2010-10-19 04:17 . 2010-10-19 04:17 63488 --sha-r- c:\windows\system32\c_1252Z.dll
2010-10-19 04:16 . 2010-10-19 04:16 183 ----a-w- c:\documents and settings\Jon\Application Data\5388.bat
2010-10-19 04:16 . 2010-10-19 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-19 04:16 . 2010-10-20 04:33 -------- d-----w- c:\documents and settings\Jon\Application Data\Ikxai
2010-10-19 04:16 . 2010-10-20 02:46 -------- d-----w- c:\documents and settings\Jon\Application Data\Ruifmy
2010-10-19 04:03 . 2010-10-19 04:03 -------- d-----w- c:\windows\Sun
2010-10-19 02:28 . 2010-10-19 04:12 -------- d-----w- c:\program files\Garena
2010-10-18 04:17 . 2010-10-24 13:42 -------- d-----w- c:\program files\SpeedFan
2010-10-17 04:01 . 2010-10-17 04:01 -------- d-----w- c:\program files\JRE
2010-10-17 04:01 . 2010-10-17 04:01 -------- d-----w- c:\program files\OpenOffice.org 3
2010-10-17 04:01 . 2010-10-17 04:01 -------- d-----w- c:\program files\Common Files\Java
2010-10-17 04:01 . 2010-10-17 04:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-17 04:01 . 2010-10-17 04:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-17 04:00 . 2010-10-17 04:00 -------- d-----w- c:\program files\Java
2010-10-14 21:26 . 2010-10-19 04:19 -------- d-----w- c:\program files\Warcraft III
2010-10-14 21:10 . 2010-10-14 21:25 -------- d-----w- c:\program files\Warcraft III 1.21b ROC Installer enUS
2010-10-14 20:52 . 2010-10-14 21:09 -------- d-----w- c:\program files\Warcraft III 1.21b TFT Installer enUS
2010-10-13 22:53 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 22:53 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 22:52 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 04:03 . 2010-10-20 21:49 -------- d-----w- c:\program files\Say the Time
2010-10-09 22:08 . 2010-10-09 22:08 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\CrashRpt
2010-10-09 22:07 . 2010-10-09 22:37 -------- d-----w- c:\program files\Livestream Procaster
2010-10-09 22:07 . 2010-10-09 22:08 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Procaster
2010-10-09 08:03 . 2010-10-09 08:03 -------- d-----w- c:\windows\system32\XPSViewer
2010-10-09 08:03 . 2010-10-09 08:03 -------- d-----w- c:\program files\MSBuild
2010-10-09 08:03 . 2010-10-09 08:03 -------- d-----w- c:\program files\Reference Assemblies
2010-10-09 08:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-10-09 08:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-10-09 08:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-10-09 08:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-10-09 08:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-10-09 08:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-10-09 08:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-10-09 08:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-10-09 08:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-10-08 11:35 . 2010-10-08 11:35 -------- d-----w- c:\program files\7-Zip
2010-10-05 22:22 . 2010-10-05 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-10-05 22:19 . 2010-10-24 18:54 -------- d-----w- c:\program files\DivX
2010-10-05 22:18 . 2010-10-24 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-10-05 10:23 . 2010-10-10 16:06 -------- d-----w- c:\documents and settings\Jon\Application Data\skypePM
2010-10-05 10:23 . 2010-10-10 18:57 -------- d-----w- c:\documents and settings\Jon\Application Data\Skype
2010-10-05 10:22 . 2010-10-05 10:22 -------- d-----r- c:\program files\Skype
2010-10-05 10:22 . 2010-10-05 10:22 -------- d-----w- c:\program files\Common Files\Skype
2010-10-05 10:22 . 2010-10-05 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-10-05 04:39 . 2010-10-09 20:44 -------- d-----w- c:\program files\PokerStars
2010-09-30 00:49 . 2007-03-12 21:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-09-30 00:20 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-09-30 00:20 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-09-30 00:19 . 2008-10-10 09:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-09-30 00:19 . 2007-04-04 23:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-09-30 00:19 . 2010-09-30 00:19 -------- d-----w- c:\windows\Logs
2010-09-30 00:18 . 2010-10-22 02:32 -------- d-----w- c:\program files\Heroes of Newerth
2010-09-29 23:58 . 2010-09-29 23:58 -------- d-----w- c:\documents and settings\Jon\Application Data\vlc
2010-09-29 23:55 . 2010-09-29 23:55 -------- d-----w- c:\program files\VideoLAN
2010-09-29 23:49 . 2010-09-30 00:26 -------- d-----w- c:\documents and settings\Jon\Application Data\Ventrilo
2010-09-29 23:46 . 2010-09-29 23:46 -------- d-----w- c:\program files\Ventrilo
2010-09-29 23:41 . 2010-09-29 23:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-29 23:33 . 2010-09-29 23:33 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Mozilla
2010-09-29 23:30 . 2010-10-15 00:13 -------- d-----w- c:\program files\StarCraft II
2010-09-29 23:30 . 2010-10-14 21:26 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-09-29 23:30 . 2010-09-30 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-09-29 23:30 . 2009-12-09 05:53 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll
2010-09-29 23:19 . 2010-09-29 23:19 -------- d-----w- c:\windows\system32\scripting
2010-09-29 23:19 . 2010-09-29 23:19 -------- d-----w- c:\windows\system32\en
2010-09-29 23:19 . 2010-09-29 23:19 -------- d-----w- c:\windows\system32\bits
2010-09-29 23:19 . 2010-09-29 23:19 -------- d-----w- c:\windows\l2schemas
2010-09-29 23:13 . 2010-09-29 23:13 -------- d-----w- c:\windows\EHome
2010-09-29 23:10 . 2004-08-04 03:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-09-29 22:49 . 2010-09-29 23:18 -------- d-----w- c:\windows\ServicePackFiles
2010-09-29 22:47 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-09-29 22:44 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-09-29 22:44 . 2010-08-26 13:39 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2010-09-29 22:43 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-09-29 22:43 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-09-29 22:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-09-29 22:37 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-09-29 22:36 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-09-29 22:36 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-09-29 22:36 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-09-29 22:30 . 2010-10-22 08:00 -------- d--h--w- c:\windows\$hf_mig$
2010-09-29 22:28 . 2009-08-07 00:24 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-09-29 22:28 . 2009-08-07 00:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-09-29 22:28 . 2009-08-07 00:24 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-09-29 22:28 . 2009-08-07 00:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-09-29 22:28 . 2009-08-07 00:24 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-09-29 22:27 . 2010-09-29 22:27 -------- d-----w- c:\windows\system32\Lang
2010-09-29 22:26 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-09-29 22:26 . 2008-04-13 19:17 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-09-29 22:26 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-09-29 22:26 . 2008-04-13 18:45 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-09-29 22:26 . 2008-04-13 16:39 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-09-29 22:26 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-09-29 22:26 . 2008-04-13 18:45 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-09-29 22:26 . 2008-04-13 18:45 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2010-09-29 22:26 . 2008-04-13 19:15 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-09-29 22:26 . 2008-04-13 18:39 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2010-09-29 22:26 . 2008-04-13 18:39 4992 ----a-w- c:\windows\system32\drivers\mspqm.sys
2010-09-29 22:26 . 2008-04-13 18:39 5376 ----a-w- c:\windows\system32\drivers\mspclock.sys
2010-09-29 22:23 . 2010-09-29 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-23 16:12 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-27_14.30.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-29 16:06 . 2010-10-29 16:06 16384 c:\windows\Temp\Perflib_Perfdata_3ac.dat
+ 2010-10-29 16:06 . 2010-10-29 16:06 16384 c:\windows\Temp\Perflib_Perfdata_2c8.dat
+ 2004-08-04 12:00 . 2010-10-29 16:10 67312 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-10-27 12:17 67312 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-10-29 16:10 432356 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-10-27 12:17 432356 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-20 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/29/2010 5:25 PM 1691480]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\plugins\UI\safedrv.sys --> c:\program files\Garena\plugins\UI\safedrv.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1957994488-839522115-1004Core.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-20 05:34]

2010-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1957994488-839522115-1004UA.job
- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-20 05:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\eti00zm5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Jon\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-29 11:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-10-29 11:11:55
ComboFix-quarantined-files.txt 2010-10-29 16:11
ComboFix2.txt 2010-10-27 14:32

Pre-Run: 58,898,644,992 bytes free
Post-Run: 58,893,631,488 bytes free

- - End Of File - - AFFF6CCE73CF6ED35C0D2C7D234B4171


EDIT: the redirects seem to have stopped! I'll update you tomorrow morning and let you know if there are any more issues.

Edited by jthorp10, 29 October 2010 - 12:33 PM.
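
The kind of triage a helper does by eye on the Run/RunOnce values, the user.js overrides and the orphan lines in the two ComboFix logs posted in this thread, written out as an added Python example (not code from the thread, from ComboFix or from BleepingComputer). The log excerpt inside it is constructed from the entries visible above, and the category names and thresholds are this example's own assumptions; each hit is a lead for a human to check, not a verdict.

```python
"""Triage heuristics for ComboFix-style log excerpts.

Added example for this thread, not ComboFix's own code: it scans the
"Reg Loading Points" Run/RunOnce values, the "FIREFOX POLICIES" user.js
overrides and the "ORPHANS REMOVED" lines, and returns what a helper
would want to look at first. Heuristics only; every hit needs a human.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the entries visible in the posted logs.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*admcenteracl.exe"="c:\windows\system32\config\systemprofile\admcenteracl.exe" [2010-10-20 151552]

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_viewing_mixed - false

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yfiyusaney - c:\windows\ndsrasob.dll
HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
USERJS_RE = re.compile(r"^FF - user\.js: (?P<pref>\S+) - (?P<val>\S+)$")
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$")

# Directories where a legitimate autostart executable is rarely found
# (assumed list for this example).
SUSPICIOUS_DIRS = ("\\config\\systemprofile\\", "\\temp\\")

# Random-looking DLL dropped directly under c:\windows, the shape of the
# orphaned HKCU-Run entries in the first log.
RANDOM_DLL_RE = re.compile(r"c:\\windows\\[a-z]{6,10}\.dll")


@dataclass
class Finding:
    kind: str
    detail: str


def autostart_entries(log):
    """Yield (key, name, path) for every value under a Run or RunOnce key."""
    key = None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(("\\run", "\\runonce")):
            yield key, m.group("name"), m.group("path")


def triage(log):
    """Return the list of Findings for one log excerpt, in log order."""
    findings = []
    for key, name, path in autostart_entries(log):
        if key.lower().endswith("\\runonce") and name.startswith("*"):
            # A leading '*' on a RunOnce value name makes Windows run it
            # even in Safe Mode, which legitimate installers seldom need.
            findings.append(Finding("runonce-safemode", f"{name} -> {path}"))
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            findings.append(Finding("odd-location", f"{name} -> {path}"))
    for line in log.splitlines():
        m = USERJS_RE.match(line)
        if m and m.group("pref").startswith("security.") and m.group("val") == "false":
            # user.js overrides that silence Firefox's own security warnings.
            findings.append(Finding("ff-warning-disabled", m.group("pref")))
        m = ORPHAN_RE.match(line)
        if m and RANDOM_DLL_RE.fullmatch(m.group("path").lower()):
            findings.append(Finding("orphan-random-dll", f"{m.group('name')} -> {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against a full ComboFix.txt the same rules apply unchanged; the Google Update entries in the second log pass all of them, which is the point of keeping the location list narrow.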


#14 rigacci (Fiorentino; Members, 2,604 posts; Gender: Male)

Posted 29 October 2010 - 12:55 PM

That is good news. :thumbsup:

Let me check this out and I will let you know what the next step is.

DR

#15 jthorp10 (Topic Starter; Members, 10 posts)

Posted 31 October 2010 - 01:32 PM

As far as I can tell my system looks completely clean now, I can't thank you enough :heart:

But before you close my thread, are there any links you could give me where I could read up about computers a bit and become more knowledgeable? Being helpless is just no fun, but I don't know where to learn.

Oh, and what can you tell me about that backdoor trojan I had? Should I just keep any bank accounts I have off this computer, or what?


thanks!



