Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirects, random restarts after ridding Windows 7 Home Security


  • This topic is locked This topic is locked
30 replies to this topic

#1 virusesmustdie

virusesmustdie

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 06 January 2012 - 10:54 PM

My laptop doesn't restart randomly in safe mode which is what I'm using now.


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Berns at 18:54:20 on 2012-01-06
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1983.990 [GMT -8:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=1587&gct=hp
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
mURLSearchHooks: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: ToggleEN Toolbar: {038cb5c7-48ea-4af9-94e0-a1646542e62b} - c:\program files\toggleen\tbTogg.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Free YouTube Download - c:\users\berns\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{24BB75F3-F5A4-4C88-96D6-72365E61236F} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{24BB75F3-F5A4-4C88-96D6-72365E61236F}\2454F445348413 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{24BB75F3-F5A4-4C88-96D6-72365E61236F}\245756E6F6 : DhcpNameServer = 68.87.76.182 68.87.78.134
TCP: Interfaces\{24BB75F3-F5A4-4C88-96D6-72365E61236F}\34963736F6 : DhcpNameServer = 68.87.76.182 68.87.78.134
TCP: Interfaces\{24BB75F3-F5A4-4C88-96D6-72365E61236F}\35A444347457563747 : DhcpNameServer = 198.189.15.2 198.189.15.3
TCP: Interfaces\{24BB75F3-F5A4-4C88-96D6-72365E61236F}\649414C4C4F435 : DhcpNameServer = 68.87.76.182 68.87.78.134
TCP: Interfaces\{24BB75F3-F5A4-4C88-96D6-72365E61236F}\7416D656A702255637964656E63656 : DhcpNameServer = 68.87.76.182 68.87.78.134
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\berns\appdata\roaming\mozilla\firefox\profiles\i1tjk7dw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2077543&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - facebook.com
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - component: c:\users\berns\appdata\roaming\mozilla\firefox\profiles\i1tjk7dw.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-15 1361288]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-21 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-29 652872]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-21 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-29 20464]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-6 40776]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-30 1343400]
.
=============== Created Last 30 ================
.
2012-01-06 19:49:46 -------- d-----w- c:\users\berns\appdata\local\{74D706BC-F18A-45E5-AF5A-AC0AC1BE9BF4}
2012-01-06 19:49:32 -------- d-----w- c:\users\berns\appdata\local\{5D719824-97D1-4800-A08C-AC6209CF713D}
2012-01-06 19:43:33 -------- d-----w- c:\users\berns\appdata\local\{15297FBE-003E-4BC1-9D4A-6ECBFA4EC33C}
2012-01-06 11:07:04 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-06 11:05:33 -------- d-----w- c:\users\berns\appdata\local\{D295AD39-D540-4B3B-975B-F268A279EF63}
2012-01-06 10:06:45 -------- d-----w- c:\users\berns\appdata\local\SanctionedMedia
2012-01-06 09:57:35 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-06 09:57:35 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-06 09:57:35 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-06 09:57:35 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-01 09:09:12 -------- d-----w- c:\users\berns\appdata\local\{2EDBA588-4BC2-4F22-920F-3ED1979C4B1A}
2011-12-31 20:48:00 -------- d-----w- c:\users\berns\appdata\local\{B498B948-38BD-463F-ABE2-20D6EB341F43}
2011-12-31 20:47:43 -------- d-----w- c:\users\berns\appdata\local\{C54E3209-43CB-490E-9AA8-A16040304A12}
2011-12-30 00:13:57 55808 ----a-w- c:\windows\system32\zlib1.dll
2011-12-28 19:32:55 -------- d-----w- c:\users\berns\appdata\local\{BE6D36B8-10BC-474F-BA2C-BABD95F20BDB}
2011-12-28 19:32:12 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-12-28 19:32:07 -------- d-----w- c:\users\berns\appdata\local\{8A1AA2CF-C8E7-4DCA-BCDF-6BCAB674CCA5}
2011-12-28 19:32:07 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-12-28 11:09:44 -------- d-----w- c:\users\berns\appdata\local\{0EA9962F-A52A-480A-A610-C0B1DC76B78D}
2011-12-24 08:39:38 -------- d-----w- c:\users\berns\appdata\local\{673DCC8D-6D26-4CA7-B40F-432D259FB6CE}
2011-12-23 08:06:54 -------- d-----w- c:\users\berns\appdata\local\{DD528564-0F29-4C0C-9C2D-EA13642E7707}
2011-12-23 08:05:46 -------- d-----w- c:\users\berns\appdata\local\{3924F201-59B7-4691-8167-58B5ABF96467}
2011-12-18 05:19:26 -------- d-----w- c:\program files\iPod
2011-12-18 05:19:25 -------- d-----w- c:\program files\iTunes
2011-12-16 09:18:34 -------- d-----w- c:\users\berns\appdata\local\{4126E0F5-EE6D-4DFC-9FF4-1C900182422B}
2011-12-16 00:32:32 -------- d-----w- c:\users\berns\appdata\local\{93A91188-026C-455D-B346-C301D5C74DA4}
2011-12-15 17:46:07 -------- d-----w- c:\users\berns\appdata\local\DirectMouseEnum
2011-12-14 08:25:56 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-14 08:25:56 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-14 08:25:56 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-14 08:25:55 97240 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-14 08:25:55 814040 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-14 08:25:55 486360 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-14 08:25:55 2124760 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-14 08:25:55 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
.
==================== Find3M ====================
.
2011-12-10 23:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-07 02:37:02 187904 ------w- c:\windows\system32\drivers\netbt.sys
2011-12-04 01:30:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 22:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 18:56:29.20 ===============

Attached Files


Edited by virusesmustdie, 06 January 2012 - 11:23 PM.


BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:55 PM

Posted 07 January 2012 - 02:28 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until Iíve given you the ďAll clear.Ē Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Posted Image Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 virusesmustdie

virusesmustdie
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 07 January 2012 - 02:46 PM

Hi and thanks for the help!

When I ran Combofix, I got a blue screen. Does that have anything to do with me not saving it to the desktop? When I click on download links, they never give me the option of saving to desktop. Do I have to set that up somehow?

And also, I'm in safe mode with networking.

Edited by virusesmustdie, 07 January 2012 - 02:52 PM.


#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:55 PM

Posted 07 January 2012 - 02:52 PM

It should run from anywhere - it's just easier for us later if it's on your desktop. Were you in the safe mode or normal mode when you ran it?

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 virusesmustdie

virusesmustdie
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 07 January 2012 - 02:59 PM

Safemode with networking. If I don't, my laptop will reboot.

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:55 PM

Posted 07 January 2012 - 03:02 PM

Give it another run and see what happens.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 virusesmustdie

virusesmustdie
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 07 January 2012 - 04:28 PM

So Combofix ran and it got to the part where it reboot my computer. However, I didn't go to safe mode and instead my computer started up normally. While Combofix was continuing it's stages, my computer restarted (since it wasn't in safe mode).
I went ahead and tried again.

Edited by virusesmustdie, 07 January 2012 - 05:18 PM.


#8 virusesmustdie

virusesmustdie
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 07 January 2012 - 05:19 PM

ComboFix 12-01-07.02 - Berns 01/07/2012 13:51:17.4.2 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1983.1710 [GMT -8:00]
Running from: c:\users\Berns\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\eFnStcmpnllsRFa.exe
c:\windows\$NtUninstallKB45579$
c:\windows\$NtUninstallKB45579$\3565381256\cfg.ini
c:\windows\iun6002.exe
c:\windows\system32\logs
c:\windows\system32\logs\log-00001.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-12-07 to 2012-01-07 )))))))))))))))))))))))))))))))
.
.
2012-01-07 22:06 . 2012-01-07 22:10 -------- d-----w- c:\users\Berns\AppData\Local\temp
2012-01-07 22:06 . 2012-01-07 22:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-01-07 22:06 . 2012-01-07 22:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-07 22:06 . 2012-01-07 22:06 -------- d-----w- c:\users\Bob\AppData\Local\temp
2012-01-07 21:46 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-07 21:03 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-01-06 11:07 . 2012-01-06 11:11 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-06 10:06 . 2012-01-06 10:06 -------- d-----w- c:\users\Berns\AppData\Local\SanctionedMedia
2012-01-06 09:57 . 2012-01-06 09:57 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-06 09:57 . 2012-01-06 09:57 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-06 09:57 . 2012-01-06 09:57 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-06 09:57 . 2012-01-06 09:57 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-30 00:13 . 2011-09-27 13:59 55808 ----a-w- c:\windows\system32\zlib1.dll
2011-12-28 19:32 . 2009-03-19 01:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-12-28 19:32 . 2011-12-28 19:32 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-12-18 05:19 . 2011-12-18 05:19 -------- d-----w- c:\program files\iPod
2011-12-18 05:19 . 2011-12-18 05:20 -------- d-----w- c:\program files\iTunes
2011-12-15 17:46 . 2011-12-16 00:29 -------- d-----w- c:\users\Berns\AppData\Local\DirectMouseEnum
2011-12-14 08:25 . 2012-01-06 09:57 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-14 08:25 . 2012-01-06 09:57 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-14 08:25 . 2012-01-06 09:57 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-14 08:25 . 2012-01-06 09:57 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-14 08:25 . 2012-01-06 09:57 814040 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-14 08:25 . 2012-01-06 09:57 486360 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-14 08:25 . 2012-01-06 09:57 2124760 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-14 08:25 . 2012-01-06 09:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 23:24 . 2011-06-29 23:42 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-04 01:30 . 2011-12-03 01:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-01-06 09:57 . 2011-12-14 08:25 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2010-09-12 23:02 3863136 ----a-w- c:\program files\ToggleEN\tbTogg.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-09-12 23:02 3863136 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2010-09-12 3863136]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}"= "c:\program files\ToggleEN\tbTogg.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Berns\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Berns\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Berns\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-02 1242448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-16 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-16 1955208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NetBT"="c:\windows\Regedit.exe" [2009-07-14 398336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-07-14 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 imuu;imuu;c:\windows\System32\drivers\dsvssqri.sys [x]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [2011-05-06 1085440]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 136176]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-25 652872]
R3 BlackBox;BlackBox SR2; [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-06 40776]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-30 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-08-16 1361288]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 22:09]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 22:09]
.
2012-01-06 c:\windows\Tasks\Norton Security Scan for Berns.job
- c:\progra~1\NORTON~2\Engine\300~1.103\Nss.exe [2011-02-21 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=1587&gct=hp
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\Berns\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\users\Berns\AppData\Roaming\Mozilla\Firefox\Profiles\i1tjk7dw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2077543&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - facebook.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-eFnStcmpnllsRFa.exe - c:\programdata\eFnStcmpnllsRFa.exe
SafeBoot-14491262.sys
AddRemove-Blues for Piano and Keyboards Ch. 1 through 9 - Full Version4.0 - c:\windows\iun6002.exe
AddRemove-Blues for Piano and Keyboards Chapter 10 - Full Version4.0 - c:\windows\iun6002.exe
AddRemove-Pattern Piano and Keyboard 4.0 - Full Version4.0 - c:\windows\iun6002.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1100)
c:\users\Berns\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-01-07 14:13:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-07 22:13
ComboFix2.txt 2011-07-13 20:13
.
Pre-Run: 126,411,149,312 bytes free
Post-Run: 126,422,446,080 bytes free
.
- - End Of File - - 342AA03F88A2CEBF85AB7FB0D87B72CF

#9 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:55 PM

Posted 07 January 2012 - 07:51 PM

Hi,

Please do this next:

Posted Image Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

File::
c:\windows\System32\drivers\dsvssqri.sys
Driver::
imuu
BlackBox

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#10 virusesmustdie

virusesmustdie
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 07 January 2012 - 10:50 PM

ComboFix 12-01-07.03 - Berns 01/07/2012 18:26:12.5.2 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1983.240 [GMT -8:00]
Running from: c:\users\Berns\Downloads\ComboFix.exe
Command switches used :: c:\users\Berns\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\System32\drivers\dsvssqri.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BLACKBOX
-------\Service_BlackBox
-------\Service_imuu
.
.
((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
.
.
2012-01-08 02:41 . 2012-01-08 02:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-01-08 02:41 . 2012-01-08 02:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-08 02:41 . 2012-01-08 02:41 -------- d-----w- c:\users\Bob\AppData\Local\temp
2012-01-07 22:06 . 2012-01-08 02:45 -------- d-----w- c:\users\Berns\AppData\Local\temp
2012-01-07 21:46 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-07 21:03 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-01-06 11:07 . 2012-01-06 11:11 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-06 10:06 . 2012-01-06 10:06 -------- d-----w- c:\users\Berns\AppData\Local\SanctionedMedia
2012-01-06 09:57 . 2012-01-06 09:57 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-06 09:57 . 2012-01-06 09:57 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-06 09:57 . 2012-01-06 09:57 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-06 09:57 . 2012-01-06 09:57 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-30 00:13 . 2011-09-27 13:59 55808 ----a-w- c:\windows\system32\zlib1.dll
2011-12-28 19:32 . 2009-03-19 01:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-12-28 19:32 . 2011-12-28 19:32 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-12-18 05:19 . 2011-12-18 05:19 -------- d-----w- c:\program files\iPod
2011-12-18 05:19 . 2011-12-18 05:20 -------- d-----w- c:\program files\iTunes
2011-12-15 17:46 . 2011-12-16 00:29 -------- d-----w- c:\users\Berns\AppData\Local\DirectMouseEnum
2011-12-14 08:25 . 2012-01-06 09:57 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-14 08:25 . 2012-01-06 09:57 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-14 08:25 . 2012-01-06 09:57 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-14 08:25 . 2012-01-06 09:57 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-14 08:25 . 2012-01-06 09:57 814040 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-14 08:25 . 2012-01-06 09:57 486360 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-14 08:25 . 2012-01-06 09:57 2124760 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-14 08:25 . 2012-01-06 09:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 23:24 . 2011-06-29 23:42 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-04 01:30 . 2011-12-03 01:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-01-06 09:57 . 2011-12-14 08:25 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-07_22.10.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-07 22:17 . 2012-01-08 02:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-07 21:49 . 2012-01-07 22:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-07 22:17 . 2012-01-08 02:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-07 21:49 . 2012-01-07 22:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-28 21:03 . 2012-01-08 02:44 278528 c:\windows\temp\History\History.IE5\index.dat
+ 2011-12-28 21:03 . 2012-01-08 02:44 114688 c:\windows\temp\Cookies\index.dat
+ 2011-12-28 21:03 . 2012-01-08 02:44 1785856 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
2010-09-12 23:02 3863136 ----a-w- c:\program files\ToggleEN\tbTogg.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-09-12 23:02 3863136 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{038cb5c7-48ea-4af9-94e0-a1646542e62b}"= "c:\program files\ToggleEN\tbTogg.dll" [2010-09-12 3863136]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}"= "c:\program files\ToggleEN\tbTogg.dll" [2010-09-12 3863136]
.
[HKEY_CLASSES_ROOT\clsid\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Berns\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Berns\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Berns\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-02 1242448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-16 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-25 981680]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-16 1955208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NetBT"="c:\windows\Regedit.exe" [2009-07-14 398336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-07-14 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [2011-05-06 1085440]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 136176]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-25 652872]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-06 40776]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-30 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-08-16 1361288]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 22:09]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-21 22:09]
.
2012-01-06 c:\windows\Tasks\Norton Security Scan for Berns.job
- c:\progra~1\NORTON~2\Engine\300~1.103\Nss.exe [2011-02-21 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=1587&gct=hp
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube Download - c:\users\Berns\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\users\Berns\AppData\Roaming\Mozilla\Firefox\Profiles\i1tjk7dw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2077543&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - facebook.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1676)
c:\users\Berns\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-01-07 18:48:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-08 02:48
ComboFix2.txt 2012-01-07 22:13
ComboFix3.txt 2011-07-13 20:13
.
Pre-Run: 126,342,103,040 bytes free
Post-Run: 126,360,670,208 bytes free
.
- - End Of File - - 55D7CA9D59DE5E5C820F3AE29E18137E

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.01

Windows 7 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7600.16385
Berns :: BERNS-LAPTOP [administrator]

1/7/2012 6:54:00 PM
mbam-log-2012-01-07 (18-54-00).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 315580
Time elapsed: 32 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Qoobox\Quarantine\C\ProgramData\eFnStcmpnllsRFa.exe.vir (Rogue.FakeHDD) -> Quarantined and deleted successfully.

(end)

#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:55 PM

Posted 07 January 2012 - 11:47 PM

How is your computer running now? Please do this next:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to Start > Control Panel > Programs > Uninstall a program, and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name and select "uninstall".
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version. Press the download button under JRE and follow the prompts. Accept the agreement and choose the Windows x86 offline option.
  • Run the insatller you just downloaded
Posted Image Please go to here to run an online scan with ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#12 virusesmustdie

virusesmustdie
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 07 January 2012 - 11:57 PM

Hmm, it's still resetting randomly but I think the redirects are gone. I tried uninstalling java but it said "The Windows Installer Service could not be accessed." I well proceed to the eset scan

#13 virusesmustdie

virusesmustdie
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 08 January 2012 - 01:11 AM

C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir a variant of Win32/Rootkit.Kryptik.HD trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir_ a variant of Win32/Rootkit.Kryptik.HD trojan

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:55 PM

Posted 08 January 2012 - 12:06 PM

Those ESET detections are already in quarantine and will be removed when we uninstall ComboFix. Are these restarts you are having blue screen of deaths or is something else occuring? Please do this next:

Posted Image Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start > Run or press the Windows key + r Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Posted Image Please follow these instructions to run System File Checker:
  • Click the Windows button>> All Programs>> Accessories.
  • Right click the Command Prompt option and then select "Run as administrator" from the resulting menu.
  • With the Command Prompt window showing, type in: sfc /scannow and press <Enter> (See the quote box below for the location of the spaces which are very important)
  • You will now receive a message that states the scan will now begin. If SFC should find any rogue files that need to be replaced, you may be asked to insert your Windows CD. If the SFC scans without finding any problems, you will receive the following message: "Windows resource protection did not find any integrity violations".
  • Close the command prompt window.

sfc<space>/scannow

Please include the following in your next post:
  • Junction log
  • Let me know is sfc turns anything up

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#15 virusesmustdie

virusesmustdie
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 08 January 2012 - 04:23 PM

No blue screen, it's just whenever I start my laptop normally, it will get to the desktop but after a few minutes, it will restart.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users