
Trojans !


This topic is locked. 37 replies to this topic.

#1 Menessis

  • Members
  • 127 posts

Posted 28 February 2013 - 08:02 PM

I did a scan to see what was going on. I found Trojan.0access!

So here we go again.

Need your help, please.

Menessis




#2 jeffce (Bleepin' Super Saiyan)

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 01 March 2013 - 07:56 AM

Hi and welcome to Bleeping Computer! My name is Jeff and I would be more than happy to help you with your malware-related problems.

Please download DDS from either of these links and save it to your desktop.
  • Disable any script blocking protection.
  • Right-click dds and choose Run as Administrator to run the tool.
  • When done, two DDS .txt files will open.
  • Save both reports to your desktop.
  • Please include the contents of the following in your next reply:
    DDS.txt
    Attach.txt

Please download aswMBR to your desktop.
  • Double-click the aswMBR icon to run it.
  • Click the Scan button to start the scan.
  • If you are asked to update the Avast Virus database, please allow it to do so.
  • When it finishes, press the Save log button, save the log file to your desktop and attach its contents in your next reply.


#3 Menessis (Topic Starter)

  • Members
  • 127 posts

Posted 01 March 2013 - 09:27 AM

Hi Jeffce.

I have run the scans. I could not run DDS as Administrator. Right-click didn't have that option.


    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16447  BrowserJavaVersion: 10.9.2
    Run by owner at 9:05:38 on 2013-03-01
    Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4087.2985 [GMT -5:00]
    .
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files (x86)\Stardock\MyColors\VistaSrv.exe
    C:\Program Files (x86)\Stardock\MyColors\WBVista.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
    C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\NetWorx\networx.exe
    C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\PI Engineering\MacroWorks 3\MacroWorks 3.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Windows\SysWOW64\checkdisku.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    svchost.exe
    C:\Program Files (x86)\Nero\Update\NASvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [HOTASMode] "C:\Program Files (x86)\HOTAS\HOTASConfig.exe" /MODE /FOXY /AU /DM /BU "/PC:\Program Files (x86)\HOTAS\Profiles\A_Great_Day.tmc"
    uRun: [NwTray] "C:\Users\owner\AppData\Roaming\torrent\NwTray.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [autoscan] C:\Windows\System32\checkdisku.exe
    uExplorerRun: [Realtek] C:\Users\owner\AppData\Roaming\9ADEC3\9ADEC3.exe
    StartupFolder: C:\Users\owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
    StartupFolder: C:\Users\owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MACROW~1.LNK - C:\Program Files (x86)\PI Engineering\MacroWorks 3\MacroWorks 3.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    TCP: Interfaces\{8199BD67-9E40-4DC5-9011-7B020B4DC614} : NameServer = 8.8.8.8,8.8.8.8,192.168.0.1
    SSODL: WebCheck - <orphaned>
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [NetWorx] "C:\Program Files\NetWorx\networx.exe" /auto
    x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    x64-Notify: WB - C:\Program Files (x86)\Stardock\MyColors\fast64.dll
    x64-SSODL: WebCheck - <orphaned>
    Hosts: 95.211.0.119 www.google-analytics.com.
    Hosts: 95.211.0.119 ad-emea.doubleclick.net.
    Hosts: 95.211.0.119 www.statcounter.com.
    Hosts: 93.115.241.27 www.google-analytics.com.
    Hosts: 93.115.241.27 ad-emea.doubleclick.net.
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\e7evqo24.default-1343249736468\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:home
    FF - plugin: C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\npBrowserPlugin.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 NBVol;Nero Backup Volume Filter Driver;C:\Windows\System32\drivers\NBVol.sys [2012-7-9 72240]
    R0 NBVolUp;Nero Backup Volume Upper Filter Driver;C:\Windows\System32\drivers\NBVolUp.sys [2012-7-9 15920]
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-7-27 52856]
    R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-26 398184]
    R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-9-23 641832]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]
    R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2012-7-22 2337144]
    R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-7-16 2673064]
    R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-26 24176]
    R3 npusbio;npusbio;C:\Windows\System32\drivers\npusbio_x64.sys [2012-7-22 45600]
    R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-2-24 78336]
    R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-2-24 181248]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
    R3 STTub203;Thrustmaster HOTAS USB Bulk In;C:\Windows\System32\drivers\STTub203.sys [2012-7-20 33280]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-26 682344]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-7-19 59392]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-7-16 1255736]
    S3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [2012-11-7 14544]
    .
    =============== File Associations ===============
    .
    FileExt: .scr: AutoCADScriptFile="C:\Windows\SysWOW64\notepad.exe" "%1"
    .
    =============== Created Last 30 ================
    .
    2013-03-01 00:26:40    --------    d-----w-    C:\AV_Customer_Manuals
    2013-02-28 00:09:44    --------    d-----r-    C:\Users\owner\Dropbox
    2013-02-28 00:05:44    --------    d-----w-    C:\Users\owner\AppData\Roaming\Dropbox
    2013-02-26 02:18:12    --------    d-----w-    C:\Program Files (x86)\ESET
    2013-02-25 01:01:07    105472    ----a-w-    C:\Windows\SysWow64\checkdisku.exe
    2013-02-24 02:37:03    --------    d-----w-    C:\Users\owner\AppData\Local\Programs
    2013-02-23 02:42:48    232904    ----a-w-    C:\Windows\SysWow64\poclbm121016GeForce GTX 550 Tigv1w256l4.bin
    2013-02-23 01:55:08    --------    d-----w-    C:\CX500
    2013-02-22 02:44:43    --------    d-sh--w-    C:\Windows\System32\%APPDATA%
    2013-02-22 02:40:41    --------    d-----w-    C:\Users\owner\AppData\Roaming\torrent
    2013-02-08 02:55:26    --------    d-----w-    C:\Nortons
    .
    ==================== Find3M  ====================
    .
    2013-02-27 17:50:40    71024    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-27 17:50:40    691568    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-12-14 21:49:28    24176    ----a-w-    C:\Windows\System32\drivers\mbam.sys
    2012-12-10 00:36:48    95208    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
    2012-12-10 00:36:48    746984    ----a-w-    C:\Windows\SysWow64\deployJava1.dll
    .
    ============= FINISH:  9:05:52.43 ===============
     

Here is the next one. Not sure if I should attach it or just paste it in.


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/9/2012 4:02:50 PM
    System Uptime: 3/1/2013 8:59:57 AM (1 hours ago)
    .
    Motherboard: Alienware |  | 0RV30W
    Processor: Intel® Core™ i5 CPU         750  @ 2.67GHz | CPU 1 | 2668/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 119 GiB total, 28.916 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP125: 2/10/2013 2:02:08 AM - Scheduled Checkpoint
    RP126: 2/17/2013 11:31:38 PM - Scheduled Checkpoint
    RP127: 2/25/2013 6:18:08 PM - Scheduled Checkpoint
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 95.211.0.119 www.google-analytics.com.
    Hosts: 95.211.0.119 ad-emea.doubleclick.net.
    Hosts: 95.211.0.119 www.statcounter.com.
    Hosts: 93.115.241.27 www.google-analytics.com.
    Hosts: 93.115.241.27 ad-emea.doubleclick.net.
    Hosts: 93.115.241.27 www.statcounter.com.
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader XI
    AutoCAD 2006 - English
    Autodesk DWF Viewer
    AVG 2012
    BalkansTheater
    CCleaner
    D3DX10
    DCS World
    Dropbox
    EAGLE 6.3.0
    ESET Online Scanner v3
    EVEREST Home Edition v2.20
    Falcon BMS 4.32
    Falcon BMS 4.33 (Internal)
    Falcon BMS Battle For Sinai 2.0
    Falcon BMS Redflag Realism Patch 6 3.0
    ffdshow v1.1.3984 [2011-09-22]
    Foxy OF KeyFile Analyser
    Game Booster 3
    Google Toolbar for Internet Explorer
    Google Update Helper
    High-Definition Video Playback
    Java 7 Update 9
    Java Auto Updater
    MacroWorks 3
    Malwarebytes Anti-Malware version 1.70.0.1100
    Media Plugin
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Office 97, Professional Edition
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
    Mozilla Firefox 14.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    NEC Electronics USB 3.0 Host Controller Driver
    Nero 11
    Nero 11 Disc Menus Basic
    Nero 11 Effects Basic
    Nero 11 Image Samples
    Nero 11 Kwik Themes Basic
    Nero 11 PiP Effects Basic
    Nero Audio Pack 1
    Nero BackItUp 11
    Nero BackItUp 11 Help (CHM)
    Nero Backup Drivers
    Nero Burning ROM 11
    Nero Burning ROM 11 Help (CHM)
    Nero ControlCenter 11
    Nero ControlCenter 11 Help (CHM)
    Nero Core Components 11
    Nero CoverDesigner 11
    Nero CoverDesigner 11 Help (CHM)
    Nero Express 11
    Nero Express 11 Help (CHM)
    Nero Kwik Media
    Nero Kwik Media Help (CHM)
    Nero Recode 11
    Nero Recode 11 Help (CHM)
    Nero RescueAgent 11
    Nero RescueAgent 11 Help (CHM)
    Nero SoundTrax 11
    Nero SoundTrax 11 Help (CHM)
    Nero Update
    Nero Video 11
    Nero Video 11 Help (CHM)
    Nero WaveEditor 11
    Nero WaveEditor 11 Help (CHM)
    nero.prerequisites.msi
    NetWorx 5.2.4
    Novarm DipTrace
    NVIDIA 3D Vision Controller Driver 301.42
    NVIDIA 3D Vision Driver 301.42
    NVIDIA Control Panel 301.42
    NVIDIA Graphics Driver 301.42
    NVIDIA HD Audio Driver 1.3.16.0
    NVIDIA Install Application
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.12.0213
    NVIDIA Stereoscopic 3D Driver
    NVIDIA Update 1.8.15
    NVIDIA Update Components
    Online Squadron Collection
    PFPortChecker 1.0.39
    Portforward Static IP Address 1.0.47
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Stardock MyColors
    Tacview 1.2
    TeamSpeak 3 Client
    TeamViewer 6
    TeamViewer 7
    The Extractor
    Thrustmaster Hotas Cougar Drivers
    TrackIR5
    Tweaking.com - Windows Repair (All in One)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Visual Studio 2008 x64 Redistributables
    Weapon Delivery Planner 3.4.8
    welcome
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    WinRAR 4.20 (64-bit)
    Your Uninstaller! 7
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/1/2013 9:00:07 AM, Error: Service Control Manager [7023]  - The Function Discovery Resource Publication service terminated with the following error:  %%-2147014847
    3/1/2013 9:00:07 AM, Error: Service Control Manager [7003]  - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    3/1/2013 9:00:06 AM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
    3/1/2013 9:00:06 AM, Error: Service Control Manager [7003]  - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    2/25/2013 9:12:49 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error:  An instance of the service is already running.
    2/25/2013 9:12:49 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Extensible Authentication Protocol service, but this action failed with the following error:  An instance of the service is already running.
    2/25/2013 9:11:49 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:  An instance of the service is already running.
    2/25/2013 9:10:54 PM, Error: Service Control Manager [7031]  - The Workstation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:10:54 PM, Error: Service Control Manager [7031]  - The Network Location Awareness service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
    2/25/2013 9:10:54 PM, Error: Service Control Manager [7031]  - The DNS Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Windows Update service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Windows Management Instrumentation service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The User Profile Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Themes service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Task Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The System Event Notification Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Shell Hardware Detection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Secondary Logon service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Multimedia Class Scheduler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Group Policy Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Extensible Authentication Protocol service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:10:49 PM, Error: Service Control Manager [7031]  - The Background Intelligent Transfer Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:10:18 PM, Error: Service Control Manager [7031]  - The TeamViewer 7 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 2000 milliseconds: Restart the service.
    2/25/2013 9:10:14 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Program Compatibility Assistant Service service, but this action failed with the following error:  An instance of the service is already running.
    2/25/2013 9:10:11 PM, Error: Service Control Manager [7031]  - The TeamViewer 6 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The WLAN AutoConfig service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Windows Audio Endpoint Builder service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Superfetch service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Program Compatibility Assistant Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Portable Device Enumerator Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Network Connections service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Human Interface Device Access service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Distributed Link Tracking Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/25/2013 9:09:14 PM, Error: Service Control Manager [7031]  - The Desktop Window Manager Session Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================
     

And then this one.


    aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
    Run date: 2013-03-01 09:11:42
    -----------------------------
    09:11:42.925    OS Version: Windows x64 6.1.7601 Service Pack 1
    09:11:42.925    Number of processors: 4 586 0x1E05
    09:11:42.925    ComputerName: ALIENI5  UserName: owner
    09:11:43.164    Initialize success
    09:15:37.072    AVAST engine defs: 13030100
    09:15:59.842    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
    09:15:59.846    Disk 0 Vendor: SAMSUNG_MMCRE28G8MXP-0VBL1 VBM1EL1Q Size: 122104MB BusType: 11
    09:15:59.851    Disk 0 MBR read successfully
    09:15:59.854    Disk 0 MBR scan
    09:15:59.860    Disk 0 Windows 7 default MBR code
    09:15:59.865    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
    09:15:59.872    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       122002 MB offset 206848
    09:15:59.885    Disk 0 scanning C:\Windows\system32\drivers
    09:16:02.329    Service scanning
    09:16:09.819    Modules scanning
    09:16:09.831    Disk 0 trace - called modules:
    09:16:09.841    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
    09:16:09.848    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d9c060]
    09:16:09.855    3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa8004ab21e0]
    09:16:09.860    5 ACPI.sys[fffff88000fa27a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0xfffffa8004a89060]
    09:16:10.132    AVAST engine scan C:\Windows
    09:16:11.410    AVAST engine scan C:\Windows\system32
    09:17:11.261    AVAST engine scan C:\Windows\system32\drivers
    09:17:14.068    AVAST engine scan C:\Users\owner
    09:17:24.573    File: C:\Users\owner\AppData\Roaming\9ADEC3\9ADEC3.exe  **INFECTED** Win32:Rootkit-gen [Rtk]
    09:17:53.427    AVAST engine scan C:\ProgramData
    09:17:58.151    Scan finished successfully
    09:18:29.907    Disk 0 MBR has been saved successfully to "C:\Users\owner\Desktop\MBR.dat"
    09:18:29.913    The log file has been saved successfully to "C:\Users\owner\Desktop\aswMBR.txt"


OK, there it is. I am here today and will be checking back every once in a while.

Thanks

Menessis
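The DDS output above carries several of the indicators a malware-response helper reads first: autoruns launched from the user's AppData tree (one of them, 9ADEC3.exe, is the same file aswMBR flagged as Win32:Rootkit-gen), an entry under the Policies\Explorer\Run key, the UAC policy values set to 0, hosts-file lines that send analytics and ad domains to routable addresses instead of 127.0.0.1, and a hidden system directory literally named %APPDATA% under System32. The Python script below is an added example, not part of this thread and not code from the DDS tool: it runs those checks over lines copied from the DDS.txt posted above (embedded inline, so it runs offline) and prints what it flags. The rule names, the choice of which policy values matter and the WOW64 path folding are the example author's assumptions; the folding is what pairs the `mRun: [autoscan] C:\Windows\System32\checkdisku.exe` entry with the `SysWow64\checkdisku.exe` file DDS lists as created four days before the scan.

```python
"""Triage the 'Pseudo HJT Report' and 'Created Last 30' sections of a DDS.txt.
Added example for this thread, not DDS's own code; the rules are the example
author's assumptions about what a malware-response helper reads first."""
import ipaddress
import re

AUTORUN_KEYS = ("uRun:", "mRun:", "uExplorerRun:", "mExplorerRun:",
                "x64-Run:", "x64-ExplorerRun:", "StartupFolder:")
# DDS prefixes for HKxx\...\Policies\Explorer\Run, a key legitimate software
# rarely uses and malware frequently does.
POLICY_RUN_KEYS = ("uExplorerRun:", "mExplorerRun:", "x64-ExplorerRun:")
UAC_KEYS = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
PROFILE_DIR = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.IGNORECASE)
# "<date> <time>  <size|-------->  <attrs>  <path>" as DDS prints created items.
CREATED_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+([-a-z]+)\s+(.+)$")

# Lines copied from the DDS.txt posted above, benign ones included for contrast.
SAMPLE_DDS = r"""
uRun: [NwTray] "C:\Users\owner\AppData\Roaming\torrent\NwTray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [autoscan] C:\Windows\System32\checkdisku.exe
uExplorerRun: [Realtek] C:\Users\owner\AppData\Roaming\9ADEC3\9ADEC3.exe
StartupFolder: C:\Users\owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
Hosts: 95.211.0.119 www.google-analytics.com.
Hosts: 93.115.241.27 ad-emea.doubleclick.net.
2013-02-25 01:01:07    105472    ----a-w-    C:\Windows\SysWow64\checkdisku.exe
2013-02-22 02:44:43    --------    d-sh--w-    C:\Windows\System32\%APPDATA%
"""


def _norm(path: str) -> str:
    """Lower-case and fold SysWOW64 onto System32: on x64 Windows a 32-bit
    process opening System32\\x.exe is redirected by WOW64 to SysWOW64\\x.exe."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def _exe_path(entry: str) -> str:
    """Executable path from an autorun line: quoted, unquoted (stopping at the
    extension so paths with spaces survive), or the target after a .lnk."""
    if entry.startswith("StartupFolder:") and " - " in entry:
        return entry.rsplit(" - ", 1)[1].strip()
    m = (re.search(r'\]\s*"([^"]+)"', entry)
         or re.search(r"\]\s*(.+?\.[a-z]{2,4})(?:\s|$)", entry, re.IGNORECASE))
    return m.group(1) if m else ""


def _is_sinkhole(ip: str) -> bool:
    """127.x / 0.0.0.0 / ::1 are what ad blockers write into hosts; a routable
    address means the victim's traffic is being sent somewhere else."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def triage(dds_text: str) -> list[tuple[str, str]]:
    """Return (rule, offending line) pairs in log order."""
    lines = [ln.strip() for ln in dds_text.splitlines() if ln.strip()]
    # Pass 1: everything DDS lists under "Created Last 30", path-normalised.
    created = {_norm(m.group(2)) for ln in lines if (m := CREATED_LINE.match(ln))}
    findings = []
    for ln in lines:
        if ln.startswith(AUTORUN_KEYS):
            path = _exe_path(ln)
            if PROFILE_DIR.search(path):
                findings.append(("autorun from user profile", ln))
            if _norm(path) in created:
                findings.append(("autorun points at recently created file", ln))
            if ln.startswith(POLICY_RUN_KEYS):
                findings.append(("Policies\\Explorer\\Run persistence", ln))
        elif ln.startswith(("uPolicies-System:", "mPolicies-System:")):
            m = re.match(r"[um]Policies-System:\s*(\w+)\s*=\s*dword:(\d+)", ln)
            if m and m.group(1) in UAC_KEYS and m.group(2) == "0":
                findings.append(("UAC disabled or silenced", ln))
        elif ln.startswith("Hosts:"):
            parts = ln.split()
            if len(parts) >= 3 and not _is_sinkhole(parts[1]):
                findings.append(("hosts entry redirects to routable address", ln))
        elif (m := CREATED_LINE.match(ln)) and "\\windows\\system32\\" in _norm(m.group(2)):
            attrs, path = m.group(1), m.group(2)
            if "%" in path or ("s" in attrs and "h" in attrs):
                findings.append(("hidden/system or oddly named item under System32", ln))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"[{rule}] {line}")
```

Run as-is it prints eleven hits. The Dropbox startup-folder line is a deliberate false positive of the profile-path rule: Dropbox installs itself under AppData, and a helper dismisses that hit by eye. The script only ranks lines for a human to read; it does not establish that any flagged file is malicious.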






    #4 Menessis

    Menessis
    • Topic Starter

    • Members
    • 127 posts

    Posted 01 March 2013 - 09:29 AM

    Sorry.  I didn't want to go the first time.  Pressed Esc and tried a second time.  :(

     

    Menessis



    #5 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • Gender:Male
    • Location:USA

    Posted 01 March 2013 - 02:53 PM

    Please download TDSSKiller
    • Double click TDSSKiller.exe
    • Press Start Scan but do nothing else as we are just looking for what is there.
    • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
    • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



    #6 Menessis

    Menessis
    • Topic Starter

    • Members
    • 127 posts

    Posted 01 March 2013 - 04:56 PM

    It took me a while to find the way to attach these files.

     

    Thanks

     

    Menessis




    #7 Menessis

    Menessis
    • Topic Starter

    • Members
    • 127 posts

    Posted 01 March 2013 - 07:48 PM

    Hi Jeffce.

     

    I was just using Firefox when it locked up and closed.  I reopened Firefox for a minute, then the system just shut itself down.   When I restarted it, it would not restart.   Forced a reboot, and used the restore function.  That got it up and running again.  This is creepy.

     

    Menessis



    #8 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • Gender:Male
    • Location:USA

    Posted 01 March 2013 - 11:07 PM

    Hi,  

     

    Thanks for letting me know what is going on.  :)

     

     

    ComboFix
     
    Download Combofix from the link below, and save it to your desktop.  
     
    **Note:  It is important that it is saved directly to your desktop**
    If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
     
    --------------------------------------------------------------------
     
    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
     
    --------------------------------------------------------------------
     
    Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
    ----------



    #9 Menessis

    Menessis
    • Topic Starter

    • Members
    • 127 posts

    Posted 02 March 2013 - 12:11 PM

    OMG this is going from bad to worse.  I ran ComboFix but didn't realize it hadn't finished.  It takes a long time to write the log!  Had to run it a second time.  So I wonder if this log is valid?   When it rebooted the first time it said it was shutting down 6 or 8 things, but the second time only 1.   Also at one point I got a blue screen that said it was shutting down to protect the computer.  A lot of things happening, and then I couldn't get back online to post!   I ended up resetting my modem to get it going.   Don't know if that is related or not.

     

    I also did this scan after I did the system restore just to see what, if anything, is going on. BTW I am only doing what you tell me, and anything else is because the system left me no choice.  Here is the other scan first.

     

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.02.24.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    owner :: ALIENI5 [administrator]

    3/1/2013 7:46:17 PM
    mbam-log-2013-03-01 (19-46-17).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 458139
    Time elapsed: 13 minute(s), 34 second(s)

    Memory Processes Detected: 1
    C:\Windows\svchost.exe (Trojan.Agent) -> 4084 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NwTray (Backdoor.Bot) -> Data: "C:\Users\owner\AppData\Roaming\torrent\NwTray.exe" -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 12
    C:\Users\owner\AppData\Roaming\torrent\NwTray.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\n (Trojan.0Access) -> Delete on reboot.
    C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\U\00000004.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\U\00000008.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\U\000000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\U\80000032.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\U\80000064.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\$RECYCLE.BIN\S-1-5-21-1889143696-757944529-1089859472-1001\$e294b41f36d84a3fa3ee69d5d4e792f1\n (Trojan.0Access) -> Delete on reboot.
    C:\Users\owner\AppData\Local\Temp\~!#ED09.tmp (Backdoor.Agent.RS) -> Quarantined and deleted successfully.
    C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
    C:\Users\owner\AppData\Roaming\torrent\alcc.exe (Trojan.Bitminer) -> Quarantined and deleted successfully.

    (end)
     

     

    ComboFix 13-03-01.01 - owner 03/02/2013  11:06:22.3.4 - x64
    Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4087.2841 [GMT -5:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\owner\AppData\Local\Temp\wg0vnry6.dll
    c:\windows\svchost.exe
    .
    ---- Previous Run -------
    .
    c:\users\owner\AppData\Local\Temp\hllnk-nd.dll
    c:\users\owner\AppData\Roaming\Coisyv\hiek.fir
    c:\users\owner\AppData\Roaming\torrent\libcurl.dll
    c:\users\owner\AppData\Roaming\torrent\libeay32.dll
    c:\users\owner\AppData\Roaming\torrent\libidn-11.dll
    c:\users\owner\AppData\Roaming\torrent\libusb-1.0.dll
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\offitems.log
    c:\windows\svchost.exe
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-02-02 to 2013-03-02  )))))))))))))))))))))))))))))))
    .
    .
    2013-03-02 16:10 . 2013-03-02 16:10    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
    2013-03-02 16:10 . 2013-03-02 16:10    --------    d-----w-    c:\users\Public\AppData\Local\temp
    2013-03-02 16:10 . 2013-03-02 16:10    --------    d-----w-    c:\users\MyOtherAccount\AppData\Local\temp
    2013-03-02 16:10 . 2013-03-02 16:10    --------    d-----w-    c:\users\Default\AppData\Local\temp
    2013-03-02 00:38 . 2013-03-02 00:38    --------    d-----w-    c:\users\owner\AppData\Roaming\Taaqa
    2013-03-01 00:26 . 2013-03-01 00:27    --------    d-----w-    C:\AV_Customer_Manuals
    2013-02-28 00:09 . 2013-03-02 03:43    --------    d-----r-    c:\users\owner\Dropbox
    2013-02-28 00:05 . 2013-03-01 14:00    --------    d-----w-    c:\users\owner\AppData\Roaming\Dropbox
    2013-02-26 02:18 . 2013-02-26 02:18    --------    d-----w-    c:\program files (x86)\ESET
    2013-02-25 01:01 . 2013-02-25 01:01    105472    ----a-w-    c:\windows\SysWow64\checkdisku.exe
    2013-02-24 02:37 . 2013-02-24 02:37    --------    d-----w-    c:\users\owner\AppData\Local\Programs
    2013-02-23 02:42 . 2013-02-23 02:42    232904    ----a-w-    c:\windows\SysWow64\poclbm121016GeForce GTX 550 Tigv1w256l4.bin
    2013-02-23 01:55 . 2013-02-26 23:03    --------    d-----w-    C:\CX500
    2013-02-22 02:44 . 2013-02-22 02:44    --------    d-sh--w-    c:\windows\system32\%APPDATA%
    2013-02-22 02:40 . 2013-03-02 15:51    --------    d-----w-    c:\users\owner\AppData\Roaming\torrent
    2013-02-08 02:55 . 2013-03-01 02:41    --------    d-----w-    C:\Nortons
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-08 04:49 . 2012-07-09 20:35    74096    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-02-08 04:49 . 2012-07-09 20:35    697712    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-10 00:56 . 2012-10-29 00:23    737072    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2013-01-10 00:56 . 2012-10-29 00:23    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2013-01-10 00:56 . 2012-10-29 00:22    42776    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2013-01-10 00:56 . 2012-10-30 23:38    539984    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2013-01-05 01:30 . 2012-10-22 23:03    737072    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2013-01-05 01:30 . 2012-10-22 23:03    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2013-01-05 01:30 . 2012-10-22 23:02    42776    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2013-01-05 01:30 . 2012-10-22 23:02    539984    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-12-14 21:49 . 2012-11-26 23:11    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
    2012-12-10 00:36 . 2012-12-10 00:36    95208    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-12-10 00:36 . 2012-07-29 06:16    746984    ----a-w-    c:\windows\SysWow64\deployJava1.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HOTASMode"="c:\program files (x86)\HOTAS\HOTASConfig.exe" [2007-06-12 495616]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
    "autoscan"="c:\windows\system32\checkdisku.exe" [2013-02-25 105472]
    .
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MacroWorks 3.lnk - c:\program files (x86)\PI Engineering\MacroWorks 3\MacroWorks 3.exe [2010-8-30 605184]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    IconPackager.lnk - c:\program files (x86)\Stardock\MyColors\IconPackager.exe [2009-12-16 1387688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
    R2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-09-23 641832]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-07-16 1255736]
    R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [2010-11-01 14544]
    S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [2011-07-13 72240]
    S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [2011-07-13 15920]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2012-07-27 52856]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
    S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
    S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-07-16 2673064]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
    S3 npusbio;npusbio;c:\windows\system32\Drivers\npusbio_x64.sys [2009-12-17 45600]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-02-24 78336]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-02-24 181248]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    S3 STTub203;Thrustmaster HOTAS USB Bulk In;c:\windows\system32\Drivers\STTub203.sys [2007-05-02 33280]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-02 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-09 04:49]
    .
    2013-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-23 22:35]
    .
    2013-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-23 22:35]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-02 10038304]
    "NetWorx"="c:\program files\NetWorx\networx.exe" [2012-09-09 4730448]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: Interfaces\{8199BD67-9E40-4DC5-9011-7B020B4DC614}: NameServer = 8.8.8.8,8.8.8.8,192.168.0.1
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\e7evqo24.default-1343249736468\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:home
    FF - ExtSQL: 2013-03-01 19:34; {2bef8a50-48d1-4a04-b907-6ed2c302b7f2}; c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\e7evqo24.default-1343249736468\extensions\{2bef8a50-48d1-4a04-b907-6ed2c302b7f2}.xpi
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_149.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\windows\SysWOW64\checkdisku.exe
    c:\\.\globalroot\systemroot\svchost.exe
    c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    .
    **************************************************************************
    .
    Completion time: 2013-03-02  11:23:14 - machine was rebooted
    ComboFix-quarantined-files.txt  2013-03-02 16:23
    .
    Pre-Run: 32,895,238,144 bytes free
    Post-Run: 32,571,310,080 bytes free
    .
    - - End Of File - - 8F51F0CA467AF0C385A9563A501629A6

     

    Sure hope we can get this cleaned up quick!

     

    Thanks

    One stressed out Menessis
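The two logs in the post above carry the indicators a responder would pull out of a ZeroAccess case: module stores under $RECYCLE.BIN\<SID>\$<hex>\, Desktop.ini payloads in the GAC folders, an svchost.exe sitting directly in C:\Windows (and reached again through \\.\globalroot\systemroot), a folder literally named %APPDATA% under System32, a third-party autorun dropped into System32, and UAC switched off entirely (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all 0). The scanner below is an added example, not part of the thread or of MBAM, ComboFix or SystemLook; the indicator names and regexes are its own assumptions about how to triage such logs, and the sample input is constructed from lines copied out of the logs above plus two benign control lines.

```python
"""Flag ZeroAccess-style indicators in pasted MBAM / ComboFix log lines.

Added example for this thread; it is not part of the forum post, MBAM,
ComboFix or SystemLook. The indicator names and regexes are this example's
own assumptions about what a responder would pull out of such logs.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample input: lines copied from the logs posted above, plus a
# benign svchost path and a benign Run entry as negative controls.
SAMPLE_LOG = r"""
C:\Windows\svchost.exe (Trojan.Agent) -> 4084 -> Delete on reboot.
C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\n (Trojan.0Access) -> Delete on reboot.
C:\$RECYCLE.BIN\S-1-5-18\$e294b41f36d84a3fa3ee69d5d4e792f1\U\00000004.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-1889143696-757944529-1089859472-1001\$e294b41f36d84a3fa3ee69d5d4e792f1\n (Trojan.0Access) -> Delete on reboot.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
2013-02-22 02:44 . 2013-02-22 02:44    --------    d-sh--w-    c:\windows\system32\%APPDATA%
"autoscan"="c:\windows\system32\checkdisku.exe" [2013-02-25 105472]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-02 10038304]
c:\\.\globalroot\systemroot\svchost.exe
"EnableLUA"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
c:\windows\system32\svchost.exe
"""

# ZeroAccess keeps its modules under $RECYCLE.BIN\<SID>\$<32 hex>\ : "n" is
# the loader, U\<8 hex>.@ are plugins, and the store is repeated per user SID.
ZA_RECYCLE = re.compile(
    r"\\\$RECYCLE\.BIN\\S-1-5-[\d-]+\\\$[0-9a-f]{32}\\(?:n|U\\[0-9a-f]{8}\.@)(?=\s|$)",
    re.IGNORECASE,
)
# The 64-bit variant also parks a payload as Desktop.ini inside the GAC folders.
ZA_GAC = re.compile(r"\\windows\\assembly\\GAC_(?:32|64)\\Desktop\.ini", re.IGNORECASE)
# Windows never creates a folder literally named %APPDATA% under System32.
LITERAL_APPDATA = re.compile(r"\\system32\\%APPDATA%(?=\s|$)", re.IGNORECASE)
# Any svchost.exe path, including \\.\globalroot device paths; parent checked below.
SVCHOST = re.compile(r"[a-z]:\\\S*?svchost\.exe", re.IGNORECASE)
# ComboFix Run-key line:  "name"="c:\path\file.exe" [date size]
RUN_VALUE = re.compile(r'^"[^"]+"="([a-z]:\\[^"]+\.exe)"', re.IGNORECASE)
# UAC policy values that, at 0, remove every elevation prompt.
UAC_OFF = re.compile(r'"(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)"\s*=\s*0\b')

WINDOWS_BIN_DIRS = ("system32", "syswow64")


def parent_dir_name(path: str) -> str:
    """Name of the directory holding the file, lower-cased (e.g. 'system32')."""
    return path.lower().split("\\")[-2]


def is_expected_svchost(path: str) -> bool:
    """svchost.exe belongs in System32/SysWOW64; WinSxS holds the staged copies."""
    parts = path.lower().split("\\")
    return parts[-2] in WINDOWS_BIN_DIRS or "winsxs" in parts


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (indicator, line) pairs for every line that trips a check."""
    hits: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ZA_RECYCLE.search(line):
            hits.append(("zeroaccess_recycle_store", line))
        if ZA_GAC.search(line):
            hits.append(("zeroaccess_gac_desktop_ini", line))
        if LITERAL_APPDATA.search(line):
            hits.append(("literal_appdata_dir", line))
        # An svchost.exe directly in C:\Windows, or reached through
        # \\.\globalroot\systemroot, is a different binary wearing the name.
        if any(not is_expected_svchost(p) for p in SVCHOST.findall(line)):
            hits.append(("svchost_outside_system_dirs", line))
        # Review item, not a verdict: third-party autoruns normally live under
        # Program Files, but some driver helpers legitimately sit in System32.
        m = RUN_VALUE.match(line)
        if m and parent_dir_name(m.group(1)) in WINDOWS_BIN_DIRS:
            hits.append(("autorun_from_windows_dir", line))
        if UAC_OFF.search(line):
            hits.append(("uac_prompting_disabled", line))
    return hits


def summarize(hits: list[tuple[str, str]]) -> dict[str, int]:
    """Count hits per indicator so the reader sees the shape of the infection."""
    return dict(Counter(kind for kind, _ in hits))


if __name__ == "__main__":
    for kind, line in scan_log(SAMPLE_LOG):
        print(f"[{kind}] {line}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run it against a whole pasted log rather than the sample and the summary tells you at a glance whether the recycle-bin store is still present after a reboot (the "Delete on reboot" lines above are exactly the ones to re-check), and the UAC lines are worth acting on regardless of the malware: with EnableLUA at 0 every process the user starts already runs with full administrator rights, which is how a torrent-folder dropper ends up writing into SysWOW64 in the first place.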
     



    #10 jeffce
    Bleepin' Super Saiyan
    • Malware Response Team
    • 3,442 posts
    • Location:USA

    Posted 02 March 2013 - 05:01 PM

    Please download SystemLook from one of the links below and save it to your Desktop.

    • Right-click SystemLook.exe and choose Run as Administrator to run it.
    • Copy the content within the following codebox into the main textfield:

    :dir
    c:\users\owner\AppData\Roaming\Taaqa /s

    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    • Note: The log can also be found on your Desktop entitled SystemLook.txt



    #11 Menessis
    • Topic Starter
    • Members
    • 127 posts

    Posted 02 March 2013 - 06:37 PM

    OK here is that report Jeff.

     

    SystemLook 30.07.11 by jpshortstuff
    Log created at 18:35 on 02/03/2013 by owner
    Administrator - Elevation successful

    ========== dir ==========

    c:\users\owner\AppData\Roaming\Taaqa - Parameters: "/s"

    ---Files---
    wayga.ubx    --a---- 8612 bytes    [11:59 05/11/2012]    [00:38 02/03/2013]

    No folders found.

    -= EOF =-

     

    Thanks

    Menessis



    #12 jeffce
    Bleepin' Super Saiyan
    • Malware Response Team
    • 3,442 posts
    • Location:USA

    Posted 02 March 2013 - 10:30 PM

    ComboFix
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:

    ClearJavaCache::

    Folder::
    c:\users\owner\AppData\Roaming\Taaqa

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    (screenshot: CFScriptB-4.gif)
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update; please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Post the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Post the new log and let me know how your system is running now. :)



    #13 Menessis
    • Topic Starter
    • Members
    • 127 posts

    Posted 02 March 2013 - 11:06 PM

    Hi Jeff, Thanks for staying on this.

     

    Here is the next log.

     

    ComboFix 13-03-02.01 - owner 03/02/2013  22:53:54.4.4 - x64
    Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4087.2899 [GMT -5:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    Command switches used :: c:\users\owner\Desktop\cfscript.txt
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\owner\AppData\Local\Temp\g15ezyvl.dll
    c:\users\owner\AppData\Roaming\Taaqa
    c:\users\owner\AppData\Roaming\Taaqa\wayga.ubx
    c:\windows\svchost.exe
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-02-03 to 2013-03-03  )))))))))))))))))))))))))))))))
    .
    .
    2013-03-03 03:57 . 2013-03-03 03:57    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
    2013-03-03 03:57 . 2013-03-03 03:57    --------    d-----w-    c:\users\Public\AppData\Local\temp
    2013-03-03 03:57 . 2013-03-03 03:57    --------    d-----w-    c:\users\MyOtherAccount\AppData\Local\temp
    2013-03-03 03:57 . 2013-03-03 03:57    --------    d-----w-    c:\users\Default\AppData\Local\temp
    2013-03-02 16:53 . 2013-03-02 16:53    --------    d-----w-    c:\users\owner\AppData\Local\ElevatedDiagnostics
    2013-03-01 00:26 . 2013-03-01 00:27    --------    d-----w-    C:\AV_Customer_Manuals
    2013-02-28 00:09 . 2013-03-02 03:43    --------    d-----r-    c:\users\owner\Dropbox
    2013-02-28 00:05 . 2013-03-01 14:00    --------    d-----w-    c:\users\owner\AppData\Roaming\Dropbox
    2013-02-26 02:18 . 2013-02-26 02:18    --------    d-----w-    c:\program files (x86)\ESET
    2013-02-25 01:01 . 2013-02-25 01:01    105472    ----a-w-    c:\windows\SysWow64\checkdisku.exe
    2013-02-24 02:37 . 2013-02-24 02:37    --------    d-----w-    c:\users\owner\AppData\Local\Programs
    2013-02-23 02:42 . 2013-02-23 02:42    232904    ----a-w-    c:\windows\SysWow64\poclbm121016GeForce GTX 550 Tigv1w256l4.bin
    2013-02-23 01:55 . 2013-02-26 23:03    --------    d-----w-    C:\CX500
    2013-02-22 02:44 . 2013-02-22 02:44    --------    d-sh--w-    c:\windows\system32\%APPDATA%
    2013-02-22 02:40 . 2013-03-02 15:51    --------    d-----w-    c:\users\owner\AppData\Roaming\torrent
    2013-02-08 02:55 . 2013-03-01 02:41    --------    d-----w-    C:\Nortons
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-03 03:49 . 2012-07-09 20:35    71024    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-03-03 03:49 . 2012-07-09 20:35    691568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
    2013-01-10 00:56 . 2012-10-29 00:23    737072    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2013-01-10 00:56 . 2012-10-29 00:23    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2013-01-10 00:56 . 2012-10-29 00:22    42776    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2013-01-10 00:56 . 2012-10-30 23:38    539984    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2013-01-05 01:30 . 2012-10-22 23:03    737072    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2013-01-05 01:30 . 2012-10-22 23:03    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2013-01-05 01:30 . 2012-10-22 23:02    42776    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2013-01-05 01:30 . 2012-10-22 23:02    539984    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-12-14 21:49 . 2012-11-26 23:11    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
    2012-12-10 00:36 . 2012-12-10 00:36    95208    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-12-10 00:36 . 2012-07-29 06:16    746984    ----a-w-    c:\windows\SysWow64\deployJava1.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HOTASMode"="c:\program files (x86)\HOTAS\HOTASConfig.exe" [2007-06-12 495616]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]
    "autoscan"="c:\windows\system32\checkdisku.exe" [2013-02-25 105472]
    .
    c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MacroWorks 3.lnk - c:\program files (x86)\PI Engineering\MacroWorks 3\MacroWorks 3.exe [2010-8-30 605184]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    IconPackager.lnk - c:\program files (x86)\Stardock\MyColors\IconPackager.exe [2009-12-16 1387688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
    R2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-09-23 641832]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-07-16 1255736]
    R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [2010-11-01 14544]
    S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [2011-07-13 72240]
    S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [2011-07-13 15920]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2012-07-27 52856]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
    S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
    S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-07-16 2673064]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
    S3 npusbio;npusbio;c:\windows\system32\Drivers\npusbio_x64.sys [2009-12-17 45600]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-02-24 78336]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-02-24 181248]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
    S3 STTub203;Thrustmaster HOTAS USB Bulk In;c:\windows\system32\Drivers\STTub203.sys [2007-05-02 33280]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-03 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-09 03:49]
    .
    2013-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-23 22:35]
    .
    2013-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-23 22:35]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-02 10038304]
    "NetWorx"="c:\program files\NetWorx\networx.exe" [2012-09-09 4730448]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: Interfaces\{8199BD67-9E40-4DC5-9011-7B020B4DC614}: NameServer = 8.8.8.8,8.8.8.8,192.168.0.1
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\e7evqo24.default-1343249736468\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:home
    FF - ExtSQL: 2013-03-01 19:34; {2bef8a50-48d1-4a04-b907-6ed2c302b7f2}; c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\e7evqo24.default-1343249736468\extensions\{2bef8a50-48d1-4a04-b907-6ed2c302b7f2}.xpi
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\windows\SysWOW64\checkdisku.exe
    c:\\.\globalroot\systemroot\svchost.exe
    c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    .
    **************************************************************************
    .
    Completion time: 2013-03-02  23:04:09 - machine was rebooted
    ComboFix-quarantined-files.txt  2013-03-03 04:04
    ComboFix2.txt  2013-03-02 16:23
    .
    Pre-Run: 32,431,075,328 bytes free
    Post-Run: 32,351,186,944 bytes free
    .
    - - End Of File - - 2962254AC654B69FA9CC9ED20C5D9E4F
     

    Menessis



    #14 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:11:06 PM

    Posted 03 March 2013 - 11:38 AM

    and let me know how your system is running now.

    :)




    #15 Menessis

    Menessis
    • Topic Starter

    • Members
    • 127 posts
    • OFFLINE
    • Local time:11:06 PM

    Posted 03 March 2013 - 11:44 AM

    Well, I have not been using it! Just turn it on, do what you tell me, and shut it off!........LOL I'm a big chicken, I guess.

     

    I will start using it.

     

    Thanks

    Menessis





