Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Definite TDSS bot on my computer.


  • This topic is locked This topic is locked
29 replies to this topic

#1 sausage

sausage

  • Members
  • 390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado
  • Local time:08:43 PM

Posted 11 March 2013 - 01:09 PM

DDS Log:

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.9.2
Run by Jimmah Dean at 12:02:51 on 2013-03-11
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.8109.4986 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe
C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files (x86)\ManyCam\Bin\ManyCam.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
C:\Program Files (x86)\puush\puush.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files (x86)\98614 Thin-Profile Keyboard & Mouse\Wireless KeyboardKM.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe
C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uProxyOverride = localhost; 127.0.0.1; <local>
uURLSearchHooks: Splashtop Connect SearchHook: {0F3DC9E0-C459-4a40-BCF8-747BD9322E10} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\AddressBarSearch.dll
mWinlogon: Userinit = userinit.exe,
BHO: Splashtop Connect VisualBookmark: {0E5680D1-BF44-4929-94AF-FD30D784AD1D} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STC.dll
BHO: Coupon Companion: {11111111-1111-1111-1111-110011441193} - C:\Program Files (x86)\Coupon Companion\Coupon Companion.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {876d9f09-c6d6-4324-a2cc-04dd9a4de12f} - C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - 
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - 
EB: Web Test Recorder 10.0: {3142c289-f319-47f5-a594-a827028714c9} - 
uRun: [Google Update] "C:\Users\Jimmah Dean\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [ManyCam] "C:\Program Files (x86)\ManyCam\Bin\ManyCam.exe" /silent
uRun: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [dualmonitor] <no file>
mRun: [Super-Charger] C:\Program Files (x86)\MSI\Super-Charger\StartSuperCharger.exe
mRun: [98614 Wireless Keyboard and Mouse Combo] C:\Program Files (x86)\98614 Thin-Profile Keyboard & Mouse\Wireless KeyboardKM.exe
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [STCAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe"
mRun: [ZyngaGamesAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe"
mRun: [Dolby Home Theater v4] "C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe" -autostart
mRun: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"
mRun: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
StartupFolder: C:\Users\JIMMAH~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\Users\JIMMAH~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.0.1 205.171.2.25
TCP: Interfaces\{7BD3FD91-41FC-4457-8451-7673C650A9F6} : DHCPNameServer = 192.168.0.1 205.171.2.25
TCP: Interfaces\{7BD3FD91-41FC-4457-8451-7673C650A9F6}\363757D286F6573796E676 : DHCPNameServer = 129.82.103.78 129.82.103.79
TCP: Interfaces\{7BD3FD91-41FC-4457-8451-7673C650A9F6}\E6564776561627D275962756C6563737 : DHCPNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzuzyyEyEyEyDtB0EtBtD0FyCzz0CzytByBtN0D0Tzu0CtAtAtAtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1402619302
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4 
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\
FF - prefs.js: browser.search.selectedEngine - Funmoods
FF - prefs.js: browser.startup.homepage - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzuzyyEyEyEyDtB0EtBtD0FyCzz0CzytByBtN0D0Tzu0CtAtAtAtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1402619302
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110913&q=
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.102.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.96.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Jimmah Dean\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzuzyyEyEyEyDtB0EtBtD0FyCzz0CzytByBtN0D0Tzu0CtAtAtAtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1402619302
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://searchfunmoods.com/?f=2&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzuzyyEyEyEyDtB0EtBtD0FyCzz0CzytByBtN0D0Tzu0CtAtAtAtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1402619302
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://searchfunmoods.com/?f=3&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzuzyyEyEyEyDtB0EtBtD0FyCzz0CzytByBtN0D0Tzu0CtAtAtAtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1402619302&q=
FF - user.js: extensions.funmoods.id - 944452E20F68C927
FF - user.js: extensions.funmoods.instlDay - 15672
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2223:17:39
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - download
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - download
FF - user.js: extensions.funmoods.dfltLng - 
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-2-26 55856]
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\System32\drivers\SmartDefragDriver.sys [2013-1-3 17720]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2012-12-4 21104]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-2-20 283200]
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [2011-9-14 169624]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-8 398184]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-8 682344]
R2 RUBotSrv;Trend Micro RUBotted Service;C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2013-2-23 439632]
R2 SCBackService;Splashtop Connect Service;C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe [2010-11-15 477000]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-1-31 3289208]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-29 383416]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-28 2656280]
R2 WCUService_STC_FF;Splashtop Connect Firefox Software Updater Service;C:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe [2010-11-29 493384]
R2 WCUService_STC_IE;Splashtop Connect IE Software Updater Service;C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe [2011-3-22 497480]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2011-7-28 56960]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2011-7-28 79104]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-12-4 317440]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\System32\drivers\ManyCam_x64.sys [2008-3-13 27136]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-8-6 24176]
R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;C:\Windows\System32\drivers\nvoclk64.sys [2009-9-15 42088]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-12-4 535656]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\Windows\System32\drivers\RTL8192su.sys [2010-1-6 676864]
R3 rzdaendpt;Razer DeathAdder end point;C:\Windows\System32\drivers\rzdaendpt.sys [2012-11-7 25600]
R3 rzudd;Razer Mouse Driver;C:\Windows\System32\drivers\rzudd.sys [2012-11-7 113664]
R3 rzvkeyboard;Razer Virtual Keyboard Driver;C:\Windows\System32\drivers\rzvkeyboard.sys [2012-11-7 23040]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-4-10 164528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-9 123856]
S2 frameworkPostgreSQL;frameworkPostgreSQL;C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N "frameworkPostgreSQL" -D "C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/data" --> C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N frameworkPostgreSQL [?]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-4-1 183560]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2011-9-26 25832]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-2-26 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-7-28 76912]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-7-29 20992]
S3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2010-5-26 14648]
S3 Te.Service;Te.Service;C:\Program Files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [2012-7-25 126976]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-29 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-5-10 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-29 1255736]
S3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Users\Jimmah Dean\Downloads\RealTemp_360\WinRing0x64.sys [2008-7-26 14544]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-03-11 09:48:45 9162192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D04B3577-647B-44E9-853D-124FCD5B9F67}\mpengine.dll
2013-03-06 07:11:39 -------- d-----w- C:\Users\Jimmah Dean\AppData\Local\Ntronium_Games
2013-03-06 06:58:18 -------- d-----w- C:\Users\Jimmah Dean\AppData\Local\Armada 2526 Gold
2013-03-05 07:58:15 -------- d-----w- C:\Users\Jimmah Dean\AppData\Local\Sniper Elite Nazi Zombie Army
2013-03-05 04:27:20 -------- d-----w- C:\Program Files (x86)\Warframe
2013-03-05 04:27:14 -------- d-----w- C:\Users\Jimmah Dean\AppData\Local\Warframe
2013-03-02 03:03:52 -------- d-----w- C:\Users\Jimmah Dean\AppData\Roaming\.technic
2013-02-23 17:55:31 -------- d-----w- C:\ProgramData\Trend Micro
2013-02-23 17:45:27 -------- d-----w- C:\Program Files (x86)\Trend Micro
2013-02-21 08:36:57 -------- d-----w- C:\Windows\Crystal
2013-02-21 08:36:51 -------- d-----w- C:\Program Files (x86)\Aurora
2013-02-21 08:36:46 249856 ------w- C:\Windows\Setup1.exe
2013-02-21 08:36:44 73216 ----a-w- C:\Windows\ST6UNST.EXE
2013-02-21 01:59:19 283200 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2013-02-21 01:59:16 -------- d-----w- C:\Program Files (x86)\DAEMON Tools Lite
2013-02-19 17:43:35 34422 ----a-w- C:\Users\Jimmah Dean\AppData\Roaming\uninstaller.exe
2013-02-16 05:25:37 471040 ----a-w- C:\Windows\SysWow64\SCDialer1.ocx
2013-02-16 05:25:37 323584 ----a-w- C:\Windows\SysWow64\SCDialer2.ocx
2013-02-16 05:25:37 118272 ----a-w- C:\Windows\SysWow64\SX5363S.DLL
2013-02-16 05:25:37 102400 ----a-w- C:\Windows\SysWow64\RV32RTP.dll
2013-02-16 05:21:35 -------- d-----w- C:\Program Files (x86)\SubaGames
2013-02-16 05:21:17 -------- d-----w- C:\Users\Jimmah Dean\AppData\Local\Programs
2013-02-12 17:52:32 -------- d-----w- C:\love
2013-02-10 20:19:06 -------- d-----w- C:\Users\Jimmah Dean\wurm
.
==================== Find3M  ====================
.
2013-02-27 02:16:13 71024 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-27 02:16:13 691568 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-01-17 08:28:58 273840 ------w- C:\Windows\System32\MpSigStub.exe
2012-12-29 09:54:24 550328 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2012-12-29 08:40:27 6382008 ----a-w- C:\Windows\System32\nvcpl.dll
2012-12-29 08:40:27 3455416 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-12-29 08:40:11 2923201 ----a-w- C:\Windows\System32\nvcoproc.bin
2012-12-29 08:40:09 884152 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-12-29 08:40:09 63928 ----a-w- C:\Windows\System32\nvshext.dll
2012-12-29 08:40:09 118712 ----a-w- C:\Windows\System32\nvmctray.dll
2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-14 23:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 12:03:49.72 ===============
 
 
 
CenturyLink finally sent me their intrusion logs:
 
 
 
Date/Time Seen (GMT)   IP Address        Infection Data (*)
--------------------   ---------------   ------------------------------
date: 2013-03-11  list: bots           IPs: 71.211.181.87
2013-03-10 00:16:24    71.211.181.87     infection => 'bots', subtype => 'tdss', detail => ' '
2013-03-09 02:45:34    71.211.181.87     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=z6kq50s73kf', count => '1', sourceSummary => 'Drone Report'

date: 2013-03-10  list: bots           IPs: 71.211.181.87, 75.166.158.48
2013-03-09 19:55:45    71.211.181.87     infection => 'bots', subtype => 'tdss', detail => ' '
2013-03-08 00:02:16    75.166.158.48     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=ivz6k9kr5pqn', count => '1', sourceSummary => 'Drone Report'
2013-03-08 15:21:46    71.211.181.87     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=yqwtkz7shi1o', count => '1', sourceSummary => 'Drone Report'
2013-03-09 02:45:34    71.211.181.87     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=z6kq50s73kf', count => '1', sourceSummary => 'Drone Report'

date: 2013-03-09  list: bots           IPs: 71.211.181.87, 75.166.158.48
2013-03-08 23:28:21    71.211.181.87     infection => 'bots', subtype => 'tdss', detail => ' '
2013-03-08 15:05:26    75.166.158.48     infection => 'bots', subtype => 'tdss', detail => ' '
2013-03-07 00:04:25    75.166.158.48     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=ivz6k9kr5pqn', count => '1', sourceSummary => 'Drone Report'
2013-03-08 00:02:16    75.166.158.48     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=ivz6k9kr5pqn', count => '1', sourceSummary => 'Drone Report'
2013-03-08 15:21:46    71.211.181.87     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=yqwtkz7shi1o', count => '1', sourceSummary => 'Drone Report'

date: 2013-03-08  list: bots           IPs: 75.166.158.48
2013-03-07 22:51:47    75.166.158.48     infection => 'bots', subtype => 'tdss', detail => ' '
2013-03-06 00:07:03    75.166.158.48     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=hqdrsfdv3h', count => '1', sourceSummary => 'Drone Report'
2013-03-07 00:04:25    75.166.158.48     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=ivz6k9kr5pqn', count => '1', sourceSummary => 'Drone Report'

date: 2013-03-07  list: bots           IPs: 75.166.158.48
2013-03-06 21:40:00    75.166.158.48     infection => 'bots', subtype => 'tdss', detail => ' '
2013-03-05 02:17:21    75.166.158.48     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=fqv46zcqtkz', count => '1', sourceSummary => 'Drone Report'
2013-03-06 00:07:03    75.166.158.48     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=hqdrsfdv3h', count => '1', sourceSummary => 'Drone Report'

date: 2013-03-06  list: bots           IPs: 75.166.158.48
2013-03-05 23:31:41    75.166.158.48     infection => 'bots', subtype => 'tdss', detail => ' '
2013-03-05 02:17:21    75.166.158.48     infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=fqv46zcqtkz', count => '1', sourceSummary => 'Drone Report'

date: 2013-03-05  list: bots           IPs: 65.128.26.47
2013-03-03 00:05:57    65.128.26.47      infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=w8ya1tfvu0h', count => '1', sourceSummary => 'Drone Report'

date: 2013-03-04  list: bots           IPs: 65.128.26.47
2013-03-03 09:15:52    65.128.26.47      infection => 'bots', subtype => 'tdss', detail => ' '
2013-03-02 00:13:36    65.128.26.47      infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=ejq4mc346gp', count => '1', sourceSummary => 'Drone Report'
2013-03-03 00:05:57    65.128.26.47      infection => 'bots', subtype => 'TDSS', cc => 87.255.51.229  , cc_port => '80', url => '/c/getupdate.php?id1=10005&id2=1&guid=50e417e0-e461-474b-96e2-077b80325612&ver=1.0&dom=w8ya1tfvu0h', count => '1', sourceSummary => 'Drone Report'
 
 
I have run MBAM, TDSSKiller and TDSSFix, MBAM and TDSSKiller have found nothing, TDSSFix said "Suspicious use of kernel callback detected but MBR seems intact. Repair not done."
 
EDIT: I also ran RUBotted, and it finds nothing.

Edited by sausage, 11 March 2013 - 01:11 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 PM

Posted 11 March 2013 - 01:42 PM


Hello sausage

Welcome back to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator to start"
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller+
  • Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 sausage

sausage
  • Topic Starter

  • Members
  • 390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado
  • Local time:08:43 PM

Posted 11 March 2013 - 02:51 PM

 checkup.txt
 
Results of screen317's Security Check version 0.99.61  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 8 Out of date! 
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 SpyParty version 0.1.2056.0   
 Malwarebytes Anti-Malware version 1.70.0.1100  
 JavaFX 2.1.0    
 Java™ 6 Update 31  
 Java 7 Update 9  
 Java™ SE Development Kit 7 
 Visual Studio Extensions for Windows Library for JavaScript 
 Java version out of Date! 
 Adobe Flash Player 11.6.602.171  
 Mozilla Firefox (for.) 
 Google Chrome 24.0.1312.57  
 Google Chrome 25.0.1364.152  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 Trend Micro RUBotted RUBotSrv.exe  
 Trend Micro RUBotted RUBottedGUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
 
AdwCleaner.txt
 
# AdwCleaner v2.114 - Logfile created 03/11/2013 at 13:41:32
# Updated 05/03/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Jimmah Dean - SUICIDALGENIUS
# Boot Mode : Normal
# Running from : C:\Users\Jimmah Dean\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\Users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\searchplugins\funmoods.xml
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\Program Files (x86)\Coupon Companion
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\Jimmah Dean\AppData\Local\APN
Folder Deleted : C:\Users\Jimmah Dean\AppData\Local\Coupon Companion
Folder Deleted : C:\Users\Jimmah Dean\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\extensions\crossriderapp4493@crossrider.com
Folder Deleted : C:\Users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\extensions\ffxtlbr@funmoods.com
Folder Deleted : C:\Users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\extensions\toolbar@ask.com
Folder Deleted : C:\Users\JIMMAH~1\AppData\Local\Temp\AskSearch
Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011441193}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011441193}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004493.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0004493.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044444493}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441193}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{11111111-1111-1111-1111-110011441193}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{22222222-2222-2222-2222-220022442293}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{55555555-5555-5555-5555-550055445593}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66666666-6666-6666-6666-660066446693}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441193}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110011441193}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011441193}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055445593}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066446693}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzuzyyEyEyEyDtB0EtBtD0FyCzz0CzytByBtN0D0Tzu0CtAtAtAtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1402619302 --> hxxp://www.google.com
 
-\\ Mozilla Firefox v6.0 (en-US)
 
File : C:\Users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\prefs.js
 
C:\Users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\user.js ... Deleted !
 
Deleted : user_pref("browser.search.selectedEngine", "Funmoods");
Deleted : user_pref("browser.startup.homepage", "hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2X[...]
Deleted : user_pref("extensions.asktb.InstallDir", "C:\\Program Files (x86)\\Ask.com\\");
Deleted : user_pref("extensions.asktb.abar-war-regex", "conduit\\.com");
Deleted : user_pref("extensions.asktb.abar-war-timeout", "4000");
Deleted : user_pref("extensions.asktb.apn_dbr", "cr_14.0.835.202");
Deleted : user_pref("extensions.asktb.autofill-competitor-query-enabled", true);
Deleted : user_pref("extensions.asktb.autofill-text-highlight-enabled", true);
Deleted : user_pref("extensions.asktb.cbid", "5I");
Deleted : user_pref("extensions.asktb.config-updated", false);
Deleted : user_pref("extensions.asktb.cr-o", "102868cr");
Deleted : user_pref("extensions.asktb.crumb", "2011.10.13+21.12.17-toolbar011mwh-US-RnQgQ29sbGlucyxDTyxVbml0ZW[...]
Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}[...]
Deleted : user_pref("extensions.asktb.displaybehavior", "");
Deleted : user_pref("extensions.asktb.displaytext", "");
Deleted : user_pref("extensions.asktb.dtid", "YYYYYYYYUS");
Deleted : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", false);
Deleted : user_pref("extensions.asktb.dyn-weather-locid-weatherWidget", "USCO0140");
Deleted : user_pref("extensions.asktb.dyn-weather-tempunit-weatherWidget", "F");
Deleted : user_pref("extensions.asktb.first-launch-url", "file:///C:/Program%20Files%20(x86)/Vidalia%20Bundle/[...]
Deleted : user_pref("extensions.asktb.fresh-install", false);
Deleted : user_pref("extensions.asktb.guid", "d4746b75-fd15-49da-b025-6d626df3a24f");
Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com[...]
Deleted : user_pref("extensions.asktb.if", "first");
Deleted : user_pref("extensions.asktb.l", "dis");
Deleted : user_pref("extensions.asktb.last-config-req", "1352684158060");
Deleted : user_pref("extensions.asktb.locale", "en_US");
Deleted : user_pref("extensions.asktb.location", "Ft Collins,CO,United States");
Deleted : user_pref("extensions.asktb.lstation", "");
Deleted : user_pref("extensions.asktb.new-tab-enabled", true);
Deleted : user_pref("extensions.asktb.news-native-on", true);
Deleted : user_pref("extensions.asktb.o", "102868");
Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Deleted : user_pref("extensions.asktb.pstate", "");
Deleted : user_pref("extensions.asktb.qsrc", "2871");
Deleted : user_pref("extensions.asktb.r", "3");
Deleted : user_pref("extensions.asktb.sa", "NO");
Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
Deleted : user_pref("extensions.asktb.silent-upgrade", true);
Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
Deleted : user_pref("extensions.asktb.socialmini-first", true);
Deleted : user_pref("extensions.asktb.socialmini-interval", "1200000");
Deleted : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
Deleted : user_pref("extensions.asktb.socialmini-max-items", "30");
Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
Deleted : user_pref("extensions.asktb.socialmini-speed", "10000");
Deleted : user_pref("extensions.asktb.socialmini-transition-first-open", false);
Deleted : user_pref("extensions.asktb.themeid", "");
Deleted : user_pref("extensions.asktb.timeinstalled", "10/13/2011 10:14:44 PM");
Deleted : user_pref("extensions.asktb.to", "");
Deleted : user_pref("extensions.asktb.v", "3.15.4.100013");
Deleted : user_pref("extensions.asktb.version", "5.15.4.23821");
Deleted : user_pref("extensions.asktb.volume", "");
Deleted : user_pref("extensions.enabledAddons", "{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:6.3.0.11079,toolbar@as[...]
Deleted : user_pref("browser.search.defaultenginename", "Funmoods");
Deleted : user_pref("extensions.crossriderapp4493.adsOldValue", -1);
 
-\\ Google Chrome v25.0.1364.152
 
File : C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
Deleted [l.2265] : homepage = "hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzuzyyEyEyEy[...]
Deleted [l.3142] : urls_to_restore_on_startup = [ "hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2X[...]
 
*************************
 
AdwCleaner[S1].txt - [14135 octets] - [11/03/2013 13:41:32]
 
########## EOF - C:\AdwCleaner[S1].txt - [14196 octets] ##########
 
RKReport[1].txt
 

RogueKiller V8.5.2 [Mar  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jimmah Dean [Admin rights]
Mode : Scan -- Date : 03/11/2013 13:48:06
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 6 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD1002FBYS-02A6B0 ATA Device +++++
--- User ---
[MBR] 34d7962f6c77ce48476d99dc8f89e56a
[BSP] 688e17638a53e813ed5b164dcb2f2266 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953767 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[1]_S_03112013_02d1348.txt >>
RKreport[1]_S_03112013_02d1348.txt
 
 
It should be noted that SpyParty is NOT an AV or a Rogue AV, it is a game. http://www.spyparty.com/


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 PM

Posted 11 March 2013 - 03:17 PM


Hello sausage

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

  • Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 sausage

sausage
  • Topic Starter

  • Members
  • 390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado
  • Local time:08:43 PM

Posted 11 March 2013 - 04:17 PM

ComboFix 13-03-11.01 - Jimmah Dean 03/11/2013  14:50:35.1.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.8109.5818 [GMT -6:00]
Running from: c:\users\Jimmah Dean\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
c:\programdata\ntuser.dat
C:\readme.txt
c:\users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\searchplugins\bing-zugo.xml
c:\users\Jimmah Dean\AppData\Roaming\uninstaller.exe
c:\users\Jimmah Dean\Documents\Downloads\CT2776682_BrotherSoft_Extreme.exe
c:\users\Jimmah Dean\g2ax_customer_downloadhelper_win32_x86.exe
c:\windows\SysWow64\d2d1debug1.dll
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
c:\windows\SysWow64\wpcap.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-11 to 2013-03-11  )))))))))))))))))))))))))))))))
.
.
2013-03-11 21:02 . 2013-03-11 21:02 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-03-11 09:48 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D04B3577-647B-44E9-853D-124FCD5B9F67}\mpengine.dll
2013-03-06 07:11 . 2013-03-06 07:11 -------- d-----w- c:\users\Jimmah Dean\AppData\Local\Ntronium_Games
2013-03-06 06:58 . 2013-03-06 06:58 -------- d-----w- c:\users\Jimmah Dean\AppData\Local\Armada 2526 Gold
2013-03-05 07:58 . 2013-03-05 08:01 -------- d-----w- c:\users\Jimmah Dean\AppData\Local\Sniper Elite Nazi Zombie Army
2013-03-05 04:27 . 2013-03-05 04:35 -------- d-----w- c:\program files (x86)\Warframe
2013-03-05 04:27 . 2013-03-09 03:26 -------- d-----w- c:\users\Jimmah Dean\AppData\Local\Warframe
2013-03-02 03:03 . 2013-03-09 05:54 -------- d-----w- c:\users\Jimmah Dean\AppData\Roaming\.technic
2013-02-23 17:55 . 2013-02-23 17:55 -------- d-----w- c:\programdata\Trend Micro
2013-02-23 17:45 . 2013-02-23 17:45 -------- d-----w- c:\program files (x86)\Trend Micro
2013-02-21 08:36 . 2013-02-21 08:36 -------- d-----w- c:\windows\Crystal
2013-02-21 08:36 . 2013-03-09 22:18 -------- d-----w- c:\program files (x86)\Aurora
2013-02-21 08:36 . 2013-02-21 08:36 249856 ------w- c:\windows\Setup1.exe
2013-02-21 08:36 . 2013-02-21 08:36 73216 ----a-w- c:\windows\ST6UNST.EXE
2013-02-21 01:59 . 2013-02-21 01:59 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-02-21 01:59 . 2013-02-21 01:59 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2013-02-21 01:57 . 2013-02-21 01:57 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-02-16 05:25 . 2009-01-22 05:13 323584 ----a-w- c:\windows\SysWow64\SCDialer2.ocx
2013-02-16 05:25 . 2008-10-22 18:08 471040 ----a-w- c:\windows\SysWow64\SCDialer1.ocx
2013-02-16 05:25 . 2004-05-10 06:14 118272 ----a-w- c:\windows\SysWow64\SX5363S.DLL
2013-02-16 05:25 . 2004-05-10 06:14 102400 ----a-w- c:\windows\SysWow64\RV32RTP.dll
2013-02-16 05:21 . 2013-02-16 05:21 -------- d-----w- c:\program files (x86)\SubaGames
2013-02-16 05:21 . 2013-02-16 05:21 -------- d-----w- c:\users\Jimmah Dean\AppData\Local\Programs
2013-02-12 17:52 . 2013-02-13 22:57 -------- d-----w- C:\love
2013-02-10 20:19 . 2013-02-11 05:12 -------- d-----w- c:\users\Jimmah Dean\wurm
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-27 02:16 . 2012-05-18 07:38 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-27 02:16 . 2011-07-29 04:27 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-17 08:28 . 2011-07-29 04:30 273840 ------w- c:\windows\system32\MpSigStub.exe
2012-12-29 10:34 . 2013-01-10 05:34 958272 ----a-w- c:\windows\SysWow64\nvumdshim.dll
2012-12-29 10:34 . 2013-01-10 05:34 7565240 ----a-w- c:\windows\system32\nvopencl.dll
2012-12-29 10:34 . 2013-01-10 05:34 6263784 ----a-w- c:\windows\SysWow64\nvopencl.dll
2012-12-29 10:34 . 2013-01-10 05:34 26931128 ----a-w- c:\windows\system32\nvoglv64.dll
2012-12-29 10:34 . 2013-01-10 05:34 12641120 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2012-12-29 10:34 . 2013-01-10 05:34 10997176 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-12-29 10:34 . 2013-01-10 05:34 9389888 ----a-w- c:\windows\system32\nvcuda.dll
2012-12-29 10:34 . 2013-01-10 05:34 7931896 ----a-w- c:\windows\SysWow64\nvcuda.dll
2012-12-29 10:34 . 2013-01-10 05:34 2904504 ----a-w- c:\windows\system32\nvcuvid.dll
2012-12-29 10:34 . 2013-01-10 05:34 2720696 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2012-12-29 10:34 . 2013-01-10 05:34 25256376 ----a-w- c:\windows\system32\nvcompiler.dll
2012-12-29 10:34 . 2013-01-10 05:34 246024 ----a-w- c:\windows\system32\nvinitx.dll
2012-12-29 10:34 . 2013-01-10 05:34 2344888 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-12-29 10:34 . 2013-01-10 05:34 20450232 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2012-12-29 10:34 . 2013-01-10 05:34 201728 ----a-w- c:\windows\SysWow64\nvinit.dll
2012-12-29 10:34 . 2013-01-10 05:34 1985976 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2012-12-29 10:34 . 2013-01-10 05:34 17560504 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2012-12-29 10:34 . 2012-10-11 04:23 18054312 ----a-w- c:\windows\system32\nvd3dumx.dll
2012-12-29 10:34 . 2012-10-11 04:23 1504696 ----a-w- c:\windows\system32\nvdispgenco64.dll
2012-12-29 10:34 . 2012-10-11 04:23 2824656 ----a-w- c:\windows\system32\nvapi64.dll
2012-12-29 10:34 . 2012-10-11 04:23 1107592 ----a-w- c:\windows\system32\nvumdshimx.dll
2012-12-29 10:34 . 2012-10-11 04:23 15052368 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-12-29 10:34 . 2012-10-11 04:22 2504248 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-12-29 10:34 . 2012-10-11 04:22 15129064 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2012-12-29 10:34 . 2011-10-25 21:26 1813432 ----a-w- c:\windows\system32\nvdispco64.dll
2012-12-29 09:54 . 2012-12-29 09:54 550328 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-12-29 08:40 . 2013-01-03 03:55 6382008 ----a-w- c:\windows\system32\nvcpl.dll
2012-12-29 08:40 . 2013-01-03 03:55 3455416 ----a-w- c:\windows\system32\nvsvc64.dll
2012-12-29 08:40 . 2013-01-03 20:45 2923201 ----a-w- c:\windows\system32\nvcoproc.bin
2012-12-29 08:40 . 2013-01-03 03:55 63928 ----a-w- c:\windows\system32\nvshext.dll
2012-12-29 08:40 . 2013-01-03 03:55 884152 ----a-w- c:\windows\system32\nvvsvc.exe
2012-12-29 08:40 . 2013-01-03 03:55 118712 ----a-w- c:\windows\system32\nvmctray.dll
2012-12-16 17:11 . 2012-12-23 19:30 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-23 19:30 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-23 19:30 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-23 19:30 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-14 23:49 . 2012-08-06 09:40 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-14 07:18 . 2012-12-01 06:00 2562208 ----a-w- c:\programdata\Microsoft\VisualStudio\11.0\1033\ResourceCache.dll
2012-12-14 05:51 . 2011-07-31 05:04 67413224 ----a-w- c:\windows\system32\MRT.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-20 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2011-08-09 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2011-08-09 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-20 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0F3DC9E0-C459-4a40-BCF8-747BD9322E10}"= "c:\program files (x86)\Splashtop\Splashtop Connect IE\AddressBarSearch.dll" [2011-03-04 165776]
.
[HKEY_CLASSES_ROOT\clsid\{0f3dc9e0-c459-4a40-bcf8-747bd9322e10}]
[HKEY_CLASSES_ROOT\AddressBarSearch.SearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{4E8E0178-00EF-413d-9324-E7B3E31572E3}]
[HKEY_CLASSES_ROOT\AddressBarSearch.SearchHook]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ManyCam"="c:\program files (x86)\ManyCam\Bin\ManyCam.exe" [2011-09-29 1756232]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-04-10 668944]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-02-25 1602984]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2012-10-27 3093624]
"puush"="c:\program files (x86)\puush\puush.exe" [2013-01-20 565480]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-01-08 18705664]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2013-01-08 3674320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"98614 Wireless Keyboard and Mouse Combo"="c:\program files (x86)\98614 Thin-Profile Keyboard & Mouse\Wireless KeyboardKM.exe" [2010-12-16 45056]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"STCAgent"="c:\program files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe" [2011-03-04 776064]
"ZyngaGamesAgent"="c:\program files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe" [2010-11-15 841544]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-06-01 506712]
"Razer Synapse"="c:\program files (x86)\Razer\Synapse\RzSynapse.exe" [2012-12-11 338864]
"Trend Micro RUBotted V2.0 Beta"="c:\program files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
c:\users\Jimmah Dean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-11-4 41160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-07-09 123856]
R2 frameworkPostgreSQL;frameworkPostgreSQL;C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N frameworkPostgreSQL -D C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/data [x]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
R3 ALSysIO;ALSysIO;c:\users\JIMMAH~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-29 52584]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-12-28 76912]
R3 MSICDSetup;MSICDSetup;D:\CDriver64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys [2010-05-27 14648]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 Te.Service;Te.Service;c:\program files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [2012-07-26 126976]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-05-10 51712]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-29 1255736]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Jimmah Dean\Downloads\RealTemp_360\WinRing0x64.sys [2011-07-29 14544]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [2010-11-27 17720]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2011-01-11 21104]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-02-21 283200]
S2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [2011-09-15 169624]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 SCBackService;Splashtop Connect Service;c:\program files (x86)\Splashtop\Splashtop Connect\BackService.exe [2010-11-15 477000]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-01-31 3289208]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-29 383416]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-22 2656280]
S2 WCUService_STC_FF;Splashtop Connect Firefox Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe [2010-11-30 493384]
S2 WCUService_STC_IE;Splashtop Connect IE Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe [2011-03-22 497480]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [2011-07-29 56960]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [2011-07-29 79104]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys [2008-03-13 27136]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclk64.sys [2009-09-15 42088]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-01 535656]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-01-06 676864]
S3 rzdaendpt;Razer DeathAdder end point;c:\windows\system32\DRIVERS\rzdaendpt.sys [2012-11-07 25600]
S3 rzudd;Razer Mouse Driver;c:\windows\system32\DRIVERS\rzudd.sys [2012-11-07 113664]
S3 rzvkeyboard;Razer Virtual Keyboard Driver;c:\windows\system32\DRIVERS\rzvkeyboard.sys [2012-11-07 23040]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-18 02:16]
.
2013-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2167577851-1059981281-1222242143-1000Core.job
- c:\users\Jimmah Dean\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-29 04:25]
.
2013-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2167577851-1059981281-1222242143-1000UA.job
- c:\users\Jimmah Dean\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-29 04:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-17 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-17 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-17 416024]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-07-21 12632168]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-07-13 2264168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1 205.171.2.25
FF - ProfilePath - c:\users\Jimmah Dean\AppData\Roaming\Mozilla\Firefox\Profiles\ysz07c9m.default\
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110913&q=
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-dualmonitor - (no file)
Wow6432Node-HKLM-Run-Super-Charger - c:\program files (x86)\MSI\Super-Charger\StartSuperCharger.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-11481105.sys
AddRemove-Coupon Companion - c:\program files (x86)\Coupon Companion\Uninstall.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
AddRemove-{03AFB032-CCC7-4236-A0F8-619C50BB498E}_is1 - c:\program files (x86)\SpyParty\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\frameworkPostgreSQL]
"ImagePath"="C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N \"frameworkPostgreSQL\" -D \"C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/data\""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\frameworkPostgreSQL]
"ImagePath"="C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe runservice -N \"frameworkPostgreSQL\" -D \"C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/data\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2167577851-1059981281-1222242143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2167577851-1059981281-1222242143-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-2167577851-1059981281-1222242143-1000\Software\SecuROM\License information*]
"datasecu"=hex:78,3b,a6,43,90,62,a4,63,95,96,70,7f,8b,3d,1b,7f,e4,59,bc,fb,a6,
   21,19,5c,37,df,bf,48,0e,c4,3b,88,9e,64,6a,ad,53,a2,ae,e0,0f,f5,c9,c6,ef,f0,\
"rkeysecu"=hex:43,bd,e1,6e,ca,dc,a7,f5,ea,9e,3b,e7,4b,18,31,18
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\07\05\1d\04$\08g"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2013-03-11  15:09:07 - machine was rebooted
ComboFix-quarantined-files.txt  2013-03-11 21:09
.
Pre-Run: 68,064,665,600 bytes free
Post-Run: 72,968,044,544 bytes free
.
- - End Of File - - 39D425B33B8C4B74C189D6CC81255654
 
No problems running ComboFix, but after reboot nothing would open, giving me "Illegal operation attempted on a registry key that has been marked for deletion." But a reboot fixed that right up.
 
As far as how the computer is doing now, it wasn't having issues previously, but CenturyLink kept revoking internet access due to malware.  I had to beg them for their security logs which showed a TDSS bot, so I ran TDSSKiller and TDSSFix which hinted that one existed but they couldn't remove it. So how is the computer doing? Seemingly just as well as it was, but I don't know if it's fixed or not, I won't know for a week if centurylink decides to boot me off again.


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 PM

Posted 11 March 2013 - 04:50 PM



Hello sausage


I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Note** this report can be very long - so if the website gives you an error saying it is to long you may attache it

    If the forum still complains about it being to long send me everything that is at the end of the report after where it says

    ==================
    Scan finished
    ==================
  • and I will see if I want to see the whole report

    Malwarebytes Anti-Rootkit

    1.Download Malwarebytes Anti-Rootkit
    2.Unzip the contents to a folder in a convenient location.
    3.Open the folder where the contents were unzipped and run mbar.exe
    4.Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    5.Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    6.Wait while the system shuts down and the cleanup process is performed.
    7.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    8.If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
    • •Internet access
      •Windows Update
      •Windows Firewall
    9.If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
    10.Verify that your system is now functioning normally.

    If you have any problems running either one come back and let me know

    please reply with the reports from TDSSKiller and MBAR

    Gringo







I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 sausage

sausage
  • Topic Starter

  • Members
  • 390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado
  • Local time:08:43 PM

Posted 14 March 2013 - 12:04 AM

I wasn't sure what exactly you needed from mbar, but here's what I think you need:
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 8.0.7601.17514
 
Java version: 1.6.0_31
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 8503025664, free: 5684396032
 
------------ Kernel report ------------
     03/13/2013 22:38:44
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\16521889.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\SmartDefragDriver.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\dtsoftbus01.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\??\C:\Windows\system32\Drivers\vmm.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\AppleCharger.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\1394ohci.sys
\SystemRoot\System32\Drivers\EtronXHCI.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\VMNetSrv.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\dne64x.sys
\SystemRoot\system32\DRIVERS\ManyCam_x64.sys
\SystemRoot\system32\DRIVERS\STREAM.SYS
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\DRIVERS\nvoclk64.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\EtronHub3.sys
\SystemRoot\System32\Drivers\USBD.SYS
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\rzdaendpt.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\rzudd.sys
\SystemRoot\system32\DRIVERS\rzvkeyboard.sys
\SystemRoot\System32\drivers\mshidkmdf.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\xusb21.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\RTL8192su.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\drivers\WudfPf.sys
\??\C:\Program Files\Sandboxie\SbieDrv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\atksgt.sys
\SystemRoot\system32\DRIVERS\lirsgt.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\Drivers\CVPNDRVA.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\kernel32.dll
\Windows\System32\lpk.dll
\Windows\System32\setupapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\msvcrt.dll
\Windows\System32\comdlg32.dll
\Windows\System32\msctf.dll
\Windows\System32\oleaut32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\wininet.dll
\Windows\System32\urlmon.dll
\Windows\System32\imm32.dll
\Windows\System32\iertutil.dll
\Windows\System32\difxapi.dll
\Windows\System32\usp10.dll
\Windows\System32\gdi32.dll
\Windows\System32\normaliz.dll
\Windows\System32\Wldap32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\ole32.dll
\Windows\System32\psapi.dll
\Windows\System32\user32.dll
\Windows\System32\sechost.dll
\Windows\System32\imagehlp.dll
\Windows\System32\nsi.dll
\Windows\System32\shell32.dll
\Windows\System32\advapi32.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\crypt32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\comctl32.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8007e02060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\
Lower Device Object: 0xfffffa8007b57060
Lower Device Driver Name: \Driver\atapi\
Device already Exists: 0xfffffa800ba94e40
Downloaded database version: v2013.03.14.03
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8007e02060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8007e02b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8007e02060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8007b46580, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8007b57060, DeviceName: \Device\Ide\IdeDeviceP3T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a00fadfe20, 0xfffffa8007e02060, 0xfffffa80088f7090
Lower DeviceData: 0xfffff8a00f14f140, 0xfffffa8007b57060, 0xfffffa800ba94e40
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: A032B0CE
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 1953314816
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...
Done!
Performing system, memory and registry scan...
Read File:  File "c:\Users\Jimmah Dean\Desktop\LeagueOfLegends\layout.bin" is sparse (flags = 32768)
Done!
Scan finished
 
EDIT: the TDSS log was too big to attach, here's the end of the file:
 
22:35:27.0292 4704  ============================================================
22:35:27.0292 4704  Scan finished
22:35:27.0292 4704  ============================================================
22:35:27.0292 4696  Detected object count: 3
22:35:27.0292 4696  Actual detected object count: 3
22:35:57.0702 4696  fussvc ( UnsignedFile.Multi.Generic ) - skipped by user
22:35:57.0702 4696  fussvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 
22:35:57.0702 4696  Te.Service ( UnsignedFile.Multi.Generic ) - skipped by user
22:35:57.0702 4696  Te.Service ( UnsignedFile.Multi.Generic ) - User select action: Skip 
22:35:57.0702 4696  USBAAPL64 ( UnsignedFile.Multi.Generic ) - skipped by user
22:35:57.0702 4696  USBAAPL64 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
22:38:26.0984 3788  Deinitialize success

Edited by sausage, 14 March 2013 - 12:06 AM.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 PM

Posted 14 March 2013 - 12:39 AM


Hello sausage

I would like to see a report that combofix makes.

extra combofix report
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok
copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 sausage

sausage
  • Topic Starter

  • Members
  • 390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado
  • Local time:08:43 PM

Posted 14 March 2013 - 02:34 AM

 Tools for .Net 3.5
7-Zip 9.20
98614 Thin-Profile Keyboard & Mouse
ACE Online EP4
Adobe AIR
Adobe Community Help
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop.com Inspiration Browser
Apple Application Support
Apple Software Update
Assassin's Creed II
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Audiosurf
Aurora
AutoHotkey 1.0.48.05
Battle.net
Battlefield 3™
Battlefield 3™ Open Beta
Battlelog Web Plugins
Belkin F7D1101 Basic Wireless USB Adapter
Ben There, Dan That!
Bing Bar
BIT.TRIP BEAT
BIT.TRIP RUNNER
Blend for Visual Studio 2012
Blend for Visual Studio 2012 ENU resources
C9
Call of Duty: Black Ops II
Call of Duty: Black Ops II - Multiplayer
Call of Duty: Black Ops II - Zombies
Call of Duty: Modern Warfare 3
Call of Duty: Modern Warfare 3 - Multiplayer
ClaDun x2
CodeBlocks
Counter-Strike: Global Offensive
Counter-Strike: Source
Counter-Strike: Source Beta
Coupon Companion
Crysis 2 Maximum Edition
Crysis® 2
Cubemen
D3DX10
DAEMON Tools Lite
Dark Souls: Prepare to Die Edition
DarksidersInstaller
Darwinia
DEFCON
Deus Ex - Human Revolution version 1.0
Dev-C++ 5 beta 9 release (4.9.9.2)
Diablo
Diablo II
Diablo III
Dishonored
Divine Divinity
Divinity 2: Developer's Cut
Dolby Home Theater v4
Don't Starve
Dota 2
Dotfuscator and Analytics Community Edition
Dragon Age: Origins
Dual Monitor 1.21
Dungeon Crawl Stone Soup
Dungeon Siege 2
DUNGEONS - The Dark Lord
Elements 10 Organizer
Entity Framework Designer for Visual Studio 2012 - enu
ESN Sonar
Etron USB3.0 Host Controller
Eufloria
EVE Isk per Hour 2.2
EVE Online (remove only)
EveHQ
EVEMon
Fable III
Fallen Enchantress
Fallout
Fallout 3
Fallout 3 - Game of the Year Edition
Fallout New Vegas
Fallout: New Vegas
FileZilla Client 3.5.3
FINAL FANTASY VII
Fraps (remove only)
From Dust
FTL: Faster Than Light
GameMaker 8.1
GameSpy Comrade
Geometry Wars: Retro Evolved
Google Chrome
GPGNet
Gratuitous Space Battles
HD Tune 2.55
Hitman 2: Silent Assassin
Hitman Blood Money
Hitman: Blood Money
Hitman: Codename 47
Hitman: Sniper Challenge
Homefront
IceChat 9 RC2 (Build 20110814)
Intel® Control Center
Intel® Management Engine Components
Intel® Processor Graphics
ISO to USB
Java 7 Update 9
Java Auto Updater
Java™ 6 Update 31
Java™ SE Development Kit 7
JavaFX 2.1.0
Junk Mail filter update
Krater
L.A. Noire
Launchpad Enhanced
League of Legends
Legend of Grimrock
LEGO Island
LiveUSB Creator (remove only)
LocalESPC
LocalESPCui for en-us
Mabinogi
Malwarebytes Anti-Malware version 1.70.0.1100
ManyCam 2.6.60 (remove only)
Maple 13
MapleStory
Mass Effect
Mass Effect 2
Mass Effect™ 3
Mass Effect™ 3 Demo
Medieval II Total War
Mesh Runtime
Messenger Companion
Metasploit
Metro 2033
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft .NET Framework 4.5 Multi-Targeting Pack
Microsoft .NET Framework 4.5 SDK
Microsoft ASP.NET MVC 3
Microsoft ASP.NET MVC 3 - Visual Studio 2012 Tools Update
Microsoft ASP.NET MVC 4 - Visual Studio 2012 Tools
Microsoft ASP.NET MVC 4 Runtime
Microsoft ASP.NET Web Pages
Microsoft ASP.NET Web Pages - Visual Studio 2012 Tools
Microsoft ASP.NET Web Pages 2 - Visual Studio 2012 Tools
Microsoft ASP.NET Web Pages 2 Runtime
Microsoft DirectX SDK (June 2010)
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Help Viewer 2.0
Microsoft LightSwitch for Visual Studio 2012 Core
Microsoft LightSwitch for Visual Studio 2012 CoreRes - ENU
Microsoft NuGet - Visual Studio 2012
Microsoft Portable Library Multi-Targeting Pack
Microsoft Portable Library Multi-Targeting Pack Language Pack - enu
Microsoft Report Viewer Add-On for Visual Studio 2012
Microsoft Silverlight
Microsoft Silverlight 4 SDK
Microsoft Silverlight 5 SDK
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2012 Data-Tier App Framework 
Microsoft SQL Server 2012 Management Objects 
Microsoft SQL Server 2012 T-SQL Language Service 
Microsoft SQL Server Data Tools - enu (11.1.20627.00)
Microsoft SQL Server Data Tools Build Utilities - enu (11.1.20627.00)
Microsoft SQL Server System CLR Types
Microsoft System CLR Types for SQL Server 2012
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Compilers
Microsoft Visual C++ 2012 Compilers - ENU Resources
Microsoft Visual C++ 2012 Core Libraries
Microsoft Visual C++ 2012 Extended Libraries
Microsoft Visual C++ 2012 Microsoft Foundation Class Libraries
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50727
Microsoft Visual C++ 2012 x86 Debug Runtime - 11.0.50727
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50727
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2012 Devenv
Microsoft Visual Studio 2012 Devenv Resources
Microsoft Visual Studio 2012 IntelliTrace Core x86
Microsoft Visual Studio 2012 IntelliTrace Front End x86
Microsoft Visual Studio 2012 Preparation
Microsoft Visual Studio 2012 SharePoint Developer Tools
Microsoft Visual Studio 2012 SharePoint Developer Tools ENU Language Pack
Microsoft Visual Studio 2012 Shell (Minimum)
Microsoft Visual Studio 2012 Shell (Minimum) Interop Assemblies
Microsoft Visual Studio 2012 Shell (Minimum) Resources
Microsoft Visual Studio 2012 Tools for SQL Server Compact 4.0 SP1 ENU
Microsoft Visual Studio Premium 2012
Microsoft Visual Studio Premium 2012 - ENU
Microsoft Visual Studio Professional 2012
Microsoft Visual Studio Professional 2012 - ENU
Microsoft Visual Studio Team Foundation Server 2012 Team Explorer
Microsoft Visual Studio Team Foundation Server 2012 Team Explorer Language Pack - ENU
Microsoft Visual Studio Ultimate 2012
Microsoft Visual Studio Ultimate 2012 - ENU
Microsoft Visual Studio Ultimate 2012 XAML UI Designer Core
Microsoft Visual Studio Ultimate 2012 XAML UI Designer enu Resources
Microsoft Web Deploy dbSqlPackage Provider - enu
Microsoft Web Developer Tools - Visual Studio 2012
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
mIRC
Mirror's Edge
Monkey's Audio
Moraff's Escapade 3.01 Free
Mount&Blade
Mozilla Firefox 6.0 (x86 en-US)
MSI Afterburner 2.1.0
MSVCRT
MSVCRT_amd64
Mumble 1.2.3
Nation Red
Nexon Game Manager
Nmap 5.51
Notepad++
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
NVIDIA System Monitor
ON_OFF Charge B11.0110.1
OpenAL
OpenOffice.org 3.3
Origin
Pando Media Booster
Path of Exile
PCSX2 - Playstation 2 Emulator
Pidgin
PlanetSide 2 Beta
PRE10STI64Installer
PreEmptive Analytics Visual Studio Components
Prerequisites for SSDT 
Project64 1.6
PunkBuster Services
puush
QuickTime
Rainmeter
Razer Synapse 2.0
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Recettear: An Item Shop's Tale
Revenge of the Titans
Rockstar Games Social Club
RuneScape Launcher 1.2
S.T.A.L.K.E.R.: Call of Pripyat
S.T.A.L.K.E.R.: Shadow of Chernobyl
Saints Row: The Third
Security Update for Microsoft .NET Framework 4.5 (KB2729460)
Security Update for Microsoft .NET Framework 4.5 (KB2737083)
SequoiaView
Sins of a Solar Empire: Rebellion
Skype Click to Call
Skype™ 6.1
Smart Defrag 2
SmartSound Common Data
SmartSound Sonicfire Pro 5
Sniper Elite V2
Sniper Elite: Nazi Zombie Army
Sniper: Ghost Warrior
Space Empires V
Spec Ops: The Line
Spectraball
Splashtop Connect for Firefox
Splashtop Connect IE
Splice
SpyParty version 0.1.2056.0
Star Wars Galactic Battlegrounds: Saga
Star Wars Galaxies
Star Wars: Knights of the Old Republic
Star Wars: The Force Unleashed
Star Wars: The Old Republic
Stealth Bastard Deluxe
Steam
Super Meat Boy
Sword of the Stars Complete Collection
Sword of the Stars II
Terraria
The Binding of Isaac
The Elder Scrolls V: Skyrim
The Guild 2 - Renaissance
The Incredible Machine Series
The KMPlayer 3.0.0.1441R2
The Ship
The Ship Single Player
The Ship Tutorial
The Walking Dead
Thief 2
Thief Gold
Thief: Deadly Shadows
Time Gentlemen, Please!
Titan Quest
Titan Quest: Immortal Throne
Tom Clancy's Splinter Cell Conviction
Torchlight
Towns
Trend Micro RUBotted 2.0 Beta
Triangle Wizard
UBCD4Win 3.60
Ubisoft Game Launcher
UE3Redist
Unity
Unity Web Player
Update for  (KB2504637)
Update for Microsoft Visual Studio 2012 (KB2781514)
Uplink
Ventrilo Client
Visual Studio 2008 x64 Redistributables
Visual Studio Extensions for Windows Library for JavaScript
Vuze
Warframe
WCF Data Services 5.0 (for OData v3) Primary Components
WCF Data Services Tools for Microsoft Visual Studio 2012
WCF RIA Services V1.0 SP2
Windows App Certification Kit x64
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Player Firefox Plugin
Windows Runtime Intellisense Content - en-us
Windows Software Development Kit
Windows Software Development Kit DirectX x86 Remote
Windows Software Development Kit for Windows Store Apps
Windows Software Development Kit for Windows Store Apps DirectX x86 Remote
WinFF 1.4.2
WinPcap 4.1.2
WinRAR 4.01 (32-bit)
Wireshark 1.8.3 (64-bit)
World of Tanks
X3 Terran Conflict v1.0.1


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 PM

Posted 14 March 2013 - 01:00 PM


Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)
  • Programs to remove

    • Coupon Companion
      Java 7 Update 9
      Java™ 6 Update 31
      Java™ SE Development Kit 7
      JavaFX 2.1.0
      Vuze


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
  • .



    Clean Out Temp Files
    • This small application you may want to keep and use once a week to keep the computer clean.

      Download CCleaner from here http://www.ccleaner.com/
      • Run the installer to install the application.
      • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
      • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
      • Click Run Cleaner.
      • Close CCleaner.
: Malwarebytes' Anti-Malware :


I see You have MBAM installed on the computer - that is great!! it is a very good program! I would like you to run a quick scan for me now
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    Download HijackThis
    • Go Here to download HijackThis program
    • Save HijackThis to your desktop.
    • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
    • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
    • copy and paste hijackthis report into the topic
    "information and logs"
    • In your next post I need the following
      • Log From MBAM
      • report from Hijackthis
      • let me know of any problems you may have had
      • How is the computer doing now?
    Gringo









I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 sausage

sausage
  • Topic Starter

  • Members
  • 390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado
  • Local time:08:43 PM

Posted 14 March 2013 - 02:34 PM

MBAM Log:

 

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org
 
Database version: v2013.03.14.09
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Jimmah Dean :: SUICIDALGENIUS [administrator]
 
3/14/2013 1:27:50 PM
mbam-log-2013-03-14 (13-27-50).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250182
Time elapsed: 3 minute(s), 21 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
HijackThis Log:
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:32:34 PM, on 3/14/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files (x86)\ManyCam\Bin\ManyCam.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\puush\puush.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\98614 Thin-Profile Keyboard & Mouse\Wireless KeyboardKM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files (x86)\EVEMon\EVEMon.exe
C:\Program Files (x86)\CCP\EVE\launcher\launcher.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jimmah Dean\Downloads\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Splashtop Connect SearchHook - {0F3DC9E0-C459-4a40-BCF8-747BD9322E10} - C:\Program Files (x86)\Splashtop\Splashtop Connect IE\AddressBarSearch.dll
O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {876d9f09-c6d6-4324-a2cc-04dd9a4de12f} - C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [98614 Wireless Keyboard and Mouse Combo] C:\Program Files (x86)\98614 Thin-Profile Keyboard & Mouse\Wireless KeyboardKM.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [STCAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe"
O4 - HKLM\..\Run: [ZyngaGamesAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe"
O4 - HKLM\..\Run: [Dolby Home Theater v4] "C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe" -autostart
O4 - HKLM\..\Run: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\RunOnce: [Z1] cmd /c "C:\Users\Jimmah Dean\Downloads\mbar-1.01.0.1021\mbar\mbar.exe" /cleanup /s
O4 - HKCU\..\Run: [ManyCam] "C:\Program Files (x86)\ManyCam\Bin\ManyCam.exe" /silent
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [puush] C:\Program Files (x86)\puush\puush.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Active File Monitor V10 (AdobeActiveFileMonitor10.0) - Adobe Systems Incorporated - C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AppleChargerSrv - Unknown owner - C:\Windows\system32\AppleChargerSrv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: frameworkPostgreSQL - PostgreSQL Global Development Group - C:/PROGRA~2/Rapid7/FRAMEW~1/POSTGR~1/bin/pg_ctl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files (x86)\WinPcap\rpcapd.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Splashtop Connect Service (SCBackService) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Connect\BackService.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Splashtop Connect Firefox Software Updater Service (WCUService_STC_FF) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe
O23 - Service: Splashtop Connect IE Software Updater Service (WCUService_STC_IE) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 13723 bytes
 
 
No problems during any of these steps.
 
The computer is doing the same as before, no signs at all that a bot exists, only that centurylink keeps revoking internet access from me and TDSSFix found a "suspicious use of the kernel callback." (I don't know if it finds on now, only that that it did before I started this thread.)


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 PM

Posted 14 March 2013 - 08:08 PM


Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis (rightclick and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [STCAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe"
      O4 - HKLM\..\Run: [ZyngaGamesAgent] "C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe"
      O4 - HKLM\..\Run: [Dolby Home Theater v4] "C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe" -autostart
      O4 - HKCU\..\Run: [ManyCam] "C:\Program Files (x86)\ManyCam\Bin\ManyCam.exe" /silent
      O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
      O4 - HKCU\..\Run: [puush] C:\Program Files (x86)\puush\puush.exe
      O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
      O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
      O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
    • NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add/on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.

  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
  • When the scan is complete
    • If no threats were found
      • put a checkmark in "Uninstall application on close"
      • close program
      • report to me that nothing was found
    • If threats were found
      • click on "list of threats found"
      • click on "export to text file" and save it as ESET SCAN and save to the desktop
      • Click on back
      • put a checkmark in "Uninstall application on close"
      • click on finish
      • close program
      • copy and paste the report here
    Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 PM

Posted 17 March 2013 - 12:56 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 sausage

sausage
  • Topic Starter

  • Members
  • 390 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Colorado
  • Local time:08:43 PM

Posted 17 March 2013 - 11:47 PM

C:\metasploit\apps\pro\msf3\data\exploits\CVE-2011-0257.mov MOV/Exploit.CVE-2011-0257.A trojan
C:\metasploit\apps\pro\msf3\data\exploits\CVE-2011-0609.swf SWF/Exploit.CVE-2011-0609.D trojan
C:\metasploit\apps\pro\msf3\data\exploits\shockwave_rcsl.dir Win32/Exploit.CVE-2010-3653.A trojan
C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0094\Exploit$2.class Java/Exploit.CVE-2010-0094.O trojan
C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0094\Exploit.class probably a variant of Java/Exploit.CVE-2010-0094.B trojan
C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0094\PayloadCreater.class a variant of Java/Exploit.CVE-2010-0094.O trojan
C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0840\vuln\Exploit$1.class Java/Exploit.CVE-2010-0840.AA trojan
C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0840\vuln\Link.class Java/Agent.AA trojan
C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-3563\BasicServiceExploit.class a variant of Java/Exploit.CVE-2010-3563.A trojan
C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-3563\Exploit.class Java/Exploit.CVE-2010-3563.A trojan
C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-4452\AppletX.class a variant of Java/Exploit.CVE-2010-4452.D trojan
C:\metasploit\apps\pro\msf3\data\java\metasploit\Payload.class a variant of Java/Exploit.Agent.NAQ trojan
C:\metasploit\apps\pro\msf3\data\meterpreter\ext_server_incognito.dll a variant of Win32/NetTool.Incognito.A application
C:\metasploit\apps\pro\msf3\data\meterpreter\metsvc-server.exe Win32/Meterpreter.A application
C:\metasploit\apps\pro\msf3\lib\rex\exploitation\heaplib.js.b64 JS/TrojanDownloader.Agent.GJ trojan
C:\metasploit\apps\pro\msf3\modules\exploits\windows\browser\ie_createobject.rb JS/TrojanDownloader.Psyme.NCX trojan
C:\metasploit\apps\pro\msf3\modules\exploits\windows\browser\ms10_002_aurora.rb JS/Exploit.CVE-2010-0249 trojan
C:\metasploit\apps\pro\msf3\modules\exploits\windows\browser\ms10_018_ie_behaviors.rb JS/Exploit.CVE-2010-0806.NAH trojan
C:\metasploit\apps\pro\msf3\modules\exploits\windows\browser\ms10_042_helpctr_xss_cmd_exec.rb HTML/Exploit.CVE-2010-1885.A trojan
C:\metasploit\msf3\external\source\vncdll\output\vncdll.dll Win32/Gimmiv.AA trojan
C:\metasploit\msf3\external\source\vncdll\output\.svn\text-base\vncdll.dll.svn-base Win32/Gimmiv.AA trojan
C:\metasploit\msf3\lib\rex\exploitation\heaplib.js.b64 JS/TrojanDownloader.Agent.GJ trojan
C:\metasploit\msf3\lib\rex\exploitation\.svn\text-base\heaplib.js.b64.svn-base JS/TrojanDownloader.Agent.GJ trojan
C:\metasploit\msf3\modules\exploits\windows\browser\ie_createobject.rb JS/TrojanDownloader.Psyme.NCX trojan
C:\metasploit\msf3\modules\exploits\windows\browser\ms10_002_aurora.rb JS/Exploit.CVE-2010-0249 trojan
C:\metasploit\msf3\modules\exploits\windows\browser\ms10_018_ie_behaviors.rb JS/Exploit.CVE-2010-0806.NAH trojan
C:\metasploit\msf3\modules\exploits\windows\browser\ms10_042_helpctr_xss_cmd_exec.rb HTML/Exploit.CVE-2010-1885.A trojan
C:\metasploit\msf3\modules\exploits\windows\browser\.svn\text-base\ie_createobject.rb.svn-base JS/TrojanDownloader.Psyme.NCX trojan
C:\metasploit\msf3\modules\exploits\windows\browser\.svn\text-base\ms10_002_aurora.rb.svn-base JS/Exploit.CVE-2010-0249 trojan
C:\metasploit\msf3\modules\exploits\windows\browser\.svn\text-base\ms10_018_ie_behaviors.rb.svn-base JS/Exploit.CVE-2010-0806.NAH trojan
C:\metasploit\msf3\modules\exploits\windows\browser\.svn\text-base\ms10_042_helpctr_xss_cmd_exec.rb.svn-base HTML/Exploit.CVE-2010-1885.A trojan
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe Win32/PrcView application
C:\Users\Jimmah Dean\Downloads\cbsidlm-tr1_10a-JoyToKey-ORG-75220348 (1).exe Win32/DownloadAdmin.G application
C:\Users\Jimmah Dean\Downloads\cbsidlm-tr1_10a-JoyToKey-ORG-75220348.exe Win32/DownloadAdmin.G application
C:\Users\Jimmah Dean\Downloads\cbsidlm-tr1_10a-KoshyJohn_Memory_Cleaner-ORG-75176624.exe Win32/DownloadAdmin.G application
C:\Users\Jimmah Dean\Downloads\cbsidlm-tr1_8-AIDA32-SEO2-10129233.exe Win32/DownloadAdmin.E application
C:\Users\Jimmah Dean\Downloads\cnet_createt_zip.exe a variant of Win32/InstallCore.D application
C:\Users\Jimmah Dean\Downloads\cnet_pmagic-usb-3_0_zip.exe a variant of Win32/InstallCore.D application
C:\Users\Jimmah Dean\Downloads\coretemp_1236.exe probably a variant of Win32/InstallIQ application
C:\Users\Jimmah Dean\Downloads\defragsetup.exe a variant of Win32/ELEX application
C:\Users\Jimmah Dean\Downloads\iLividSetup.exe Win32/Toolbar.SearchSuite application
C:\Users\Jimmah Dean\Downloads\ManyCam.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Jimmah Dean\Downloads\sd2-setup220.exe a variant of Win32/Toolbar.Widgi application
C:\Users\Jimmah Dean\Downloads\Softonic-Downloader17558.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Jimmah Dean\Downloads\SoftonicDownloader_for_kmplayer.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Jimmah Dean\Downloads\SoftonicDownloader_for_sequoiaview.exe a variant of Win32/SoftonicDownloader.E application
C:\Users\Jimmah Dean\Downloads\UBCD4WinV360.exe Win32/PrcView application
C:\Users\Jimmah Dean\Downloads\VDownloaderSetup.exe multiple threats
 
 
Sorry about the delay, work kicked up something fierce.


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 PM

Posted 18 March 2013 - 12:18 AM


Hello sausage

There are some minor things in your online scan that should be removed.


delete files
  • Copy all text in the code box (below)...to Notepad.
    @echo off
    del /f /s /q "C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\ManyCam.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\Softonic-Downloader17558.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\SoftonicDownloader_for_kmplayer.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\SoftonicDownloader_for_sequoiaview.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\UBCD4WinV360.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\VDownloaderSetup.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\cbsidlm-tr1_10a-JoyToKey-ORG-75220348 (1).exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\cbsidlm-tr1_10a-JoyToKey-ORG-75220348.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\cbsidlm-tr1_10a-KoshyJohn_Memory_Cleaner-ORG-75176624.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\cbsidlm-tr1_8-AIDA32-SEO2-10129233.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\cnet_createt_zip.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\cnet_pmagic-usb-3_0_zip.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\coretemp_1236.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\defragsetup.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\iLividSetup.exe"
    del /f /s /q "C:\Users\Jimmah Dean\Downloads\sd2-setup220.exe"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\CVE-2011-0257.mov"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\CVE-2011-0609.swf"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0094\Exploit$2.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0094\Exploit.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0094\PayloadCreater.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0840\vuln\Exploit$1.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-0840\vuln\Link.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-3563\BasicServiceExploit.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-3563\Exploit.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\cve-2010-4452\AppletX.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\exploits\shockwave_rcsl.dir"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\java\metasploit\Payload.class"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\meterpreter\ext_server_incognito.dll"
    del /f /s /q "C:\metasploit\apps\pro\msf3\data\meterpreter\metsvc-server.exe"
    del /f /s /q "C:\metasploit\apps\pro\msf3\lib\rex\exploitation\heaplib.js.b64"
    del /f /s /q "C:\metasploit\apps\pro\msf3\modules\exploits\windows\browser\ie_createobject.rb"
    del /f /s /q "C:\metasploit\apps\pro\msf3\modules\exploits\windows\browser\ms10_002_aurora.rb"
    del /f /s /q "C:\metasploit\apps\pro\msf3\modules\exploits\windows\browser\ms10_018_ie_behaviors.rb"
    del /f /s /q "C:\metasploit\apps\pro\msf3\modules\exploits\windows\browser\ms10_042_helpctr_xss_cmd_exec.rb"
    del /f /s /q "C:\metasploit\msf3\external\source\vncdll\output\.svn\text-base\vncdll.dll"
    del /f /s /q "C:\metasploit\msf3\external\source\vncdll\output\vncdll.dll"
    del /f /s /q "C:\metasploit\msf3\lib\rex\exploitation\.svn\text-base\heaplib.js.b64"
    del /f /s /q "C:\metasploit\msf3\lib\rex\exploitation\heaplib.js.b64"
    del /f /s /q "C:\metasploit\msf3\modules\exploits\windows\browser\.svn\text-base\ie_createobject.rb"
    del /f /s /q "C:\metasploit\msf3\modules\exploits\windows\browser\.svn\text-base\ms10_002_aurora.rb"
    del /f /s /q "C:\metasploit\msf3\modules\exploits\windows\browser\.svn\text-base\ms10_018_ie_behaviors.rb"
    del /f /s /q "C:\metasploit\msf3\modules\exploits\windows\browser\.svn\text-base\ms10_042_helpctr_xss_cmd_exec.rb"
    del /f /s /q "C:\metasploit\msf3\modules\exploits\windows\browser\ie_createobject.rb"
    del /f /s /q "C:\metasploit\msf3\modules\exploits\windows\browser\ms10_002_aurora.rb"
    del /f /s /q "C:\metasploit\msf3\modules\exploits\windows\browser\ms10_018_ie_behaviors.rb"
    del /f /s /q "C:\metasploit\msf3\modules\exploits\windows\browser\ms10_042_helpctr_xss_cmd_exec.rb"
    del %0
  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: batfileicon.gif<--XPvista_bat_icon.png<--vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.
  • The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.




    Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


    :Why we need to remove some of our tools:
    • Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
      They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

      The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
    :DeFogger:

    Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.
    • To re-enable your Emulation drivers, double click DeFogger to run the tool.
      • The application window will appear
      • Click the Re-enable button to re-enable your CD Emulation drivers
      • Click Yes to continue
      • A 'Finished!' message will appear
      • Click OK
      • DeFogger will now ask to reboot the machine - click OK.
      Your Emulation drivers are now re-enabled.

    :Uninstall ComboFix:
    • turn off all active protection software
    • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
    • please copy and past the following into the box ComboFix /Uninstall and click OK.
    • Note the space between the X and the /Uninstall, it needs to be there.
    • CF-Uninstall.png
    :Remove the rest of our tools:

    Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
    • Double-click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.
    • If asked to restart the computer, please do so
    Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

    About Java
    • During the cleaning process if I found that Java was installed I asked for it to be uninstalled, Many home users will not miss it. If you use OpenOffice, play online games or use business applications which require Java, Then you need to install the latest version and make sure to disable it in your web browsers.

      If an application or website requires it, you should receive a notification indicating that when you attempt to launch that application or access that website.

      Link to download latest version. - install Java

      How to disable java in your web browsers - Disable Java

    :The programs you can keep:

    Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.
    • Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

      CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

      Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

    :Security programs:

    One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.
    • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
      totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)


      Note** If you decide to install MSE you will need to uninstall your present Antivirus
:Security awareness:


It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.


The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internetHere is some more reading for you from some of my collegesquoted from Tech Support Forum

Conclusion

There is no such thing as 'perfect security'. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users