# Windows XP - Virus/Malware Rootkit.0Access and Trojan.ZAccess

23 replies to this topic

### #1 bltwmayo

bltwmayo

• Members
• 40 posts
• OFFLINE
• Local time:12:45 PM

Posted 06 September 2013 - 11:18 AM

Computer is infected with virus/malware.

It is a Dell Optiplex 320 running Windows XP Home Edition Version 2001 SP3

I have MalwareBytes logs available for last four scans. I have DDS scan logs and I have HiJackThis logs as well.

### #2 gringo_pr

gringo_pr

Bleepin Gringo

• Malware Response Team
• 136,772 posts
• OFFLINE
• Gender:Male
• Location:Puerto Rico
• Local time:01:45 PM

Posted 06 September 2013 - 02:08 PM

Hello bltwmayo

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

• Please do not run any tools unless instructed to do so.
• We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
• Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
• Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
• A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

### #3 bltwmayo

bltwmayo
• Topic Starter

• Members
• 40 posts
• OFFLINE
• Local time:12:45 PM

Posted 09 September 2013 - 08:41 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-09-2013
Ran by Main (administrator) on LINDA on 09-09-2013 08:36:27
Running from C:\Documents and Settings\Main\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(ATI Technologies Inc.) C:\WINDOWS\system32\Ati2evxx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(McAfee, Inc.) C:\WINDOWS\system32\mfevtps.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Yahoo! Inc.) C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
() C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
(McAfee, Inc.) C:\Program Files\McAfee.com\Agent\mcagent.exe
(Yahoo!, Inc.) C:\PROGRA~1\Yahoo!\browser\ycommon.exe
(Carbonite, Inc.) C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
() C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
(Yahoo! Inc.) C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
(McAfee, Inc.) c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SoundMAXPnP] - C:\Program Files\Analog Devices\Core\smax4pnp.exe [843776 2006-04-30] (Analog Devices, Inc.)
HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-01] (Google)
HKLM\...\Run: [YBrowser] - C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe [129536 2006-07-21] (Yahoo! Inc.)
HKLM\...\Run: [CamMonitor] - C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe [90112 2002-10-07] ()
HKLM\...\Run: [Share-to-Web Namespace Daemon] - C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [69632 2002-04-17] (Hewlett-Packard)
HKLM\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1278064 2013-03-13] (McAfee, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2010-09-08] (Apple Inc.)
HKLM\...\Run: [Carbonite Backup] - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1067016 2013-08-06] (Carbonite, Inc.)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [Yahoo! Pager] - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [4662776 2006-10-26] (Yahoo! Inc.)
HKCU\...\Run: [Weather] - C:\Program Files\AWS\WeatherBug\Weather.exe 1
HKCU\...\Run: [Search Protection] - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
HKCU\...\Run: [Google Update*] - <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess?
HKU\Administrator\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [ 2006-08-28] (Gteko Ltd.)
HKU\Default User\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [ 2006-08-28] (Gteko Ltd.)
HKU\Household\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [ 2006-08-28] (Gteko Ltd.)
HKU\Household\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [ 2010-09-08] (Apple Inc.)
HKU\Household\...\Run: [Yahoo! Pager] - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [ 2006-10-26] (Yahoo! Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
ShortcutTarget: Service Manager.lnk -> C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn11\yt.dll (Yahoo! Inc.)
URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
URLSearchHook: YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn11\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={F5E5E291-CF16-11E2-B76F-00188B7471FC}
SearchScopes: HKLM - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}&s_it=adknowledgeaol-ie&s_qt=sb&tb_uuid=20130409153310437&tb_oid=09-04-2013 &tb_mrud=09-04-2013
SearchScopes: HKLM - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={F5E5E291-CF16-11E2-B76F-00188B7471FC}
SearchScopes: HKCU - DefaultScope {6A03BC85-F4AE-4036-9171-80358B31C8DE} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {102F8D3D-075E-4FEF-A548-B09732BC3349} URL = http://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKCU - {325DE2FB-DFF8-4E15-BC2E-B361466C9D18} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3294791&CUI=UN26862863631976728&UM=2
SearchScopes: HKCU - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}&s_it=adknowledgeaol-ie&s_qt=sb&tb_uuid=20130409153310437&tb_oid=09-04-2013 &tb_mrud=09-04-2013
SearchScopes: HKCU - {6A03BC85-F4AE-4036-9171-80358B31C8DE} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {740104BD-26C0-43DF-8269-134921A852DA} URL = http://delicious.com/search?p={searchTerms}
SearchScopes: HKCU - {8362DD64-35EC-41C0-85BC-CA03BF98246C} URL = http://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
SearchScopes: HKCU - {A5412E64-96B5-40FF-8648-95DDB86A8529} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000TVUS&apn_uid=87ADAB47-88C8-429D-9F37-BA1364FA4593&apn_sauid=AFB58A41-88DD-4513-BFA0-7AF461D77D80&
SearchScopes: HKCU - {BC6C89CF-2EAD-4743-BC0A-AEB771874CBD} URL = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com?src=6&q={searchTerms}&barid={F5E5E291-CF16-11E2-B76F-00188B7471FC}&crg=3.5000006.10042&st=23
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn11\yt.dll (Yahoo! Inc.)
BHO: DownloadTerms - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Documents and Settings\Main\Local Settings\Application Data\DownloadTerms\temp.dat ()
BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120623122738.dll (McAfee, Inc.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)
BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll (Yahoo! Inc)
Toolbar: HKLM - &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn11\yt.dll (Yahoo! Inc.)
Toolbar: HKLM - MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Toolbar: HKCU -&Google - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
Toolbar: HKCU -Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn11\yt.dll (Yahoo! Inc.)
Toolbar: HKCU -No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} file:///D:/content/include/XPPatchInstaller.CAB
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} http://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} file:///D:/Content/include/msSecUcd.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~1\mcafee\msc\mcsniepl.dll (McAfee, Inc.)
ShellExecuteHooks: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\PROGRA~1\WIFD1F~1\MpShHook.dll [83224 2006-11-03] ()
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Hosts: 127.0.0.1 localhost

Chrome: =======
CHR HomePage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={F5E5E291-CF16-11E2-B76F-00188B7471FC}
CHR RestoreOnStartup: "hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={F5E5E291-CF16-11E2-B76F-00188B7471FC}"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.94\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.8) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Move Streaming Media Player) - C:\Documents and Settings\Main\Application Data\Move Networks\plugins\npqmp071505000010.dll (Move Networks)
CHR Plugin: (Oberon com adapter) - C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll (Oberon-Media )
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Updater) - C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll No File
CHR Plugin: (McAfee SecurityCenter) - c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (LessTabs) - C:\DOCUME~1\Main\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\cekmkdkefndbeciggfanobcemjnppbbb\1.7.1.0_0
CHR Extension: (SiteAdvisor) - C:\DOCUME~1\Main\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.50.146.2_0
CHR Extension: (DownloadTerms) - C:\DOCUME~1\Main\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh\1_0
CHR HKLM\...\Chrome\Extension: [cbjibcbpmbcabnfnohhgjjmkgkimajko] - C:\Documents and Settings\Main\Local Settings\Application Data\CRE\cbjibcbpmbcabnfnohhgjjmkgkimajko.crx
CHR HKLM\...\Chrome\Extension: [cekmkdkefndbeciggfanobcemjnppbbb] - C:\Program Files\LessTabs\Chrome\cekmkdkefndbeciggfanobcemjnppbbb.crx
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx
CHR HKLM\...\Chrome\Extension: [pnjnnnhampgflieglcelomcofocioegp] - C:\Documents and Settings\Main\Local Settings\Application Data\CRE\pnjnnnhampgflieglcelomcofocioegp.crx

========================== Services (Whitelisted) =================

R2 CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [5043208 2013-08-06] (Carbonite, Inc. (www.carbonite.com))
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-01] (Google)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [101552 2013-05-22] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [279048 2012-11-16] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
R2 MSSQL$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe [9150464 2005-05-04] (Microsoft Corporation)
S3 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [73728 2005-05-03] (Microsoft Corporation)
S3 SQLAgent$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE [323584 2005-05-03] (Microsoft Corporation)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{995d8e30-b299-af30-71de-5e75d4f7f382}\ \ \???\{995d8e30-b299-af30-71de-5e75d4f7f382}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R1 AFS2K; C:\Windows\System32\Drivers\AFS2K.sys [35840 2004-10-07] (Oak Technology Inc.)
R0 atiide; C:\Windows\System32\DRIVERS\atiide.sys [3456 2006-09-13] (ATI Technologies Inc.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
S3 DSproct; C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys [4864 2006-01-10] (GTek Technologies Ltd.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [30616 2013-06-06] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-09-06] (Malwarebytes Corporation)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mfendisk; C:\Windows\System32\DRIVERS\mfendisk.sys [84904 2013-02-19] (McAfee, Inc.)
R3 mfendiskmp; C:\Windows\System32\DRIVERS\mfendisk.sys [84904 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
R1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [91640 2013-02-19] (McAfee, Inc.)
R3 SenFiltService; C:\Windows\System32\drivers\Senfilt.sys [392960 2006-03-17] (Sensaura)
U3 mfeavfk01; No ImagePath
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TrueSight; \??\C:\WINDOWS\system32\TrueSight.sys [x]
U1 WS2IFSL;
U3 mbr; \??\C:\DOCUME~1\Main\LOCALS~1\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-09 08:35 - 2013-09-09 08:32 - 01082207 _____ (Farbar) C:\Documents and Settings\Main\Desktop\FRST.exe
2013-09-06 09:04 - 2013-09-06 11:12 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2013-09-06 09:01 - 2013-09-06 09:01 - 00021751 _____ C:\Documents and Settings\Main\Desktop\attach.txt
2013-09-06 09:01 - 2013-09-06 09:01 - 00016887 _____ C:\Documents and Settings\Main\Desktop\dds.txt
2013-09-06 08:59 - 2013-09-06 08:56 - 00688992 ____R (Swearware) C:\Documents and Settings\Main\Desktop\dds.com
2013-09-06 08:29 - 2013-09-06 08:29 - 00013872 _____ C:\Documents and Settings\Main\Desktop\hijackthis.log
2013-09-06 08:28 - 2013-09-06 08:26 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\Main\Desktop\HijackThis.exe
2013-09-04 10:32 - 2013-09-04 10:32 - 00001873 _____ C:\Documents and Settings\All Users\Desktop\Carbonite InfoCenter.lnk
2013-09-04 10:31 - 2013-09-04 10:33 - 00000952 _____ C:\Documents and Settings\All Users\Desktop\Carbonite Setup.log
2013-09-04 10:31 - 2013-09-04 10:31 - 00000000 ____D C:\Program Files\Carbonite
2013-09-04 10:31 - 2013-09-04 10:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Carbonite
2013-09-02 22:24 - 2013-09-04 09:58 - 287465380 _____ C:\avenger.txt
2013-09-02 22:24 - 2013-09-02 22:24 - 00000000 ____D C:\Avenger

==================== One Month Modified Files and Folders =======

2013-09-09 08:37 - 2012-01-10 01:13 - 00000420 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{6AEB4B14-30B2-4188-8593-65A96633CD3F}.job
2013-09-09 08:36 - 2013-09-09 08:36 - 00000000 ____D C:\FRST
2013-09-09 08:32 - 2013-09-09 08:35 - 01082207 _____ (Farbar) C:\Documents and Settings\Main\Desktop\FRST.exe
2013-09-09 08:32 - 2004-08-10 14:08 - 00031986 _____ C:\WINDOWS\SchedLgU.Txt
2013-09-09 08:28 - 2012-03-29 20:22 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-09-09 08:00 - 2013-04-09 14:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-09 07:22 - 2012-03-12 21:38 - 00000000 ____D C:\Documents and Settings\Main\Local Settings\Application Data\visi_coupon
2013-09-06 11:35 - 2009-03-24 08:22 - 00000820 _____ C:\WINDOWS\Tasks\Google Software Updater.job
2013-09-06 11:12 - 2013-09-06 09:04 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2013-09-06 09:01 - 2013-09-06 09:01 - 00021751 _____ C:\Documents and Settings\Main\Desktop\attach.txt
2013-09-06 09:01 - 2013-09-06 09:01 - 00016887 _____ C:\Documents and Settings\Main\Desktop\dds.txt
2013-09-06 08:56 - 2013-09-06 08:59 - 00688992 ____R (Swearware) C:\Documents and Settings\Main\Desktop\dds.com
2013-09-06 08:31 - 2011-12-15 00:34 - 00001595 _____ C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
2013-09-06 08:29 - 2013-09-06 08:29 - 00013872 _____ C:\Documents and Settings\Main\Desktop\hijackthis.log
2013-09-06 08:28 - 2009-02-11 23:02 - 00907801 _____ C:\WINDOWS\setupapi.log
2013-09-06 08:26 - 2013-09-06 08:28 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\Main\Desktop\HijackThis.exe
2013-09-06 08:26 - 2013-04-09 14:40 - 00000878 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-06 08:26 - 2004-08-10 13:51 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2013-09-06 08:13 - 2006-11-29 16:51 - 00001523 _____ C:\WINDOWS\setupact.log
2013-09-06 08:13 - 2004-08-10 14:08 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-09-06 08:13 - 2004-08-10 13:59 - 00000159 _____ C:\WINDOWS\wiadebug.log
2013-09-06 08:13 - 2004-08-10 13:59 - 00000048 _____ C:\WINDOWS\wiaservc.log
2013-09-04 11:38 - 2007-01-05 22:52 - 00000278 ___SH C:\Documents and Settings\Main\ntuser.ini
2013-09-04 11:38 - 2004-08-10 14:02 - 01213565 _____ C:\WINDOWS\WindowsUpdate.log
2013-09-04 10:36 - 2004-08-10 14:02 - 00000000 ____D C:\WINDOWS\Registration
2013-09-04 10:33 - 2013-09-04 10:31 - 00000952 _____ C:\Documents and Settings\All Users\Desktop\Carbonite Setup.log
2013-09-04 10:32 - 2013-09-04 10:32 - 00001873 _____ C:\Documents and Settings\All Users\Desktop\Carbonite InfoCenter.lnk
2013-09-04 10:31 - 2013-09-04 10:31 - 00000000 ____D C:\Program Files\Carbonite
2013-09-04 10:31 - 2013-09-04 10:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Carbonite
2013-09-04 09:58 - 2013-09-02 22:24 - 287465380 _____ C:\avenger.txt
2013-09-04 09:26 - 2008-06-10 21:00 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB951376_0$
2013-09-03 02:26 - 2009-02-08 01:18 - 00000330 ____H C:\WINDOWS\Tasks\MP Scheduled Scan.job
2013-09-02 22:24 - 2013-09-02 22:24 - 00000000 ____D C:\Avenger
2013-09-02 22:24 - 2011-04-12 22:11 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2491683$
2013-09-02 22:18 - 2013-05-17 19:51 - 00000000 ____D C:\Documents and Settings\Main\Application Data\DefaultTab
2013-08-14 11:37 - 2010-02-13 18:44 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB978251$

Files to move or delete: ====================

ZeroAccess: C:\DOCUME~1\Main\LOCALS~1\Application Data\Google\Desktop\Install\{995d8e30-b299-af30-71de-5e75d4f7f382}
ZeroAccess: C:\Program Files\Google\Desktop\Install\{995d8e30-b299-af30-71de-5e75d4f7f382}
C:\Documents and Settings\Main\acrobat62772.exe
C:\Documents and Settings\Main\acrobatreader.exe
C:\Documents and Settings\Main\acrobatreader394683.exe
C:\Documents and Settings\Main\acrobatreader548959.exe
C:\Documents and Settings\Main\alg874377.exe
C:\Documents and Settings\Main\csrss390884.exe
C:\Documents and Settings\Main\flashplayer.exe
C:\Documents and Settings\Main\googleupdate.exe
C:\Documents and Settings\Main\icq.exe
C:\Documents and Settings\Main\icq528732.exe
C:\Documents and Settings\Main\icq754879.exe
C:\Documents and Settings\Main\iexplore993059.exe
C:\Documents and Settings\Main\jqs527104.exe
C:\Documents and Settings\Main\jqs866546.exe
C:\Documents and Settings\Main\jucheck258518.exe
C:\Documents and Settings\Main\msconfig.exe
C:\Documents and Settings\Main\msconfig300683.exe
C:\Documents and Settings\Main\mstsc.exe
C:\Documents and Settings\Main\mstsc777991.exe
C:\Documents and Settings\Main\opera.exe
C:\Documents and Settings\Main\rundll32403567.exe
C:\Documents and Settings\Main\skype.exe
C:\Documents and Settings\Main\skype255054.exe
C:\Documents and Settings\Main\skype302461.exe
C:\Documents and Settings\Main\spoolsv793453.exe
C:\Documents and Settings\Main\vlcplayer.exe
C:\Documents and Settings\Main\vlcplayer368908.exe
C:\Documents and Settings\Main\vlcplayer827639.exe
C:\Documents and Settings\Main\windowsupdate681992.exe
C:\Documents and Settings\Household\Local Settings\Temp\5.2.30.7-EasyShrx.Dll
C:\DOCUME~1\Main\LOCALS~1\Temp\120_FPPSetup.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\air11F.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\air123.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\air171.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\air174.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\BackupSetup.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\chUninstaller.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\GenericUninstall.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsf155.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsl5A.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsr14C.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsr2A.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsu67.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\setup.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\System.Data.SQLite.dll
C:\DOCUME~1\Main\LOCALS~1\Temp\tbVaf0.dll
C:\DOCUME~1\Main\LOCALS~1\Temp\uninstaller.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\vcredist_x86.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\WSSetup.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

==================== End Of Log ============================

Addition file attached as instructed

### #4 bltwmayo

bltwmayo
• Topic Starter

• Members
• 40 posts
• OFFLINE
• Local time:12:45 PM

Posted 09 September 2013 - 11:14 AM

now attached. Sorry, must have missed a step there the first attempt.
### #5 gringo_pr

gringo_pr

Bleepin Gringo

• Malware Response Team
• 136,772 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto rico
• Local time:01:45 PM

Posted 09 September 2013 - 08:31 PM

Hello bltwmayo

I need you to download this script I have made for you --> fixlist.txt

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again, but this time press the Fix button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.

Proud Graduate Of Malware Removal University

### #6 bltwmayo

bltwmayo

• Topic Starter
• Members
• 40 posts
• OFFLINE
•
• Local time:12:45 PM

Posted 10 September 2013 - 11:07 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-09-2013
Ran by Main at 2013-09-10 11:05:55 Run:1
Running from C:\Documents and Settings\Main\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Winlogon: [Shell] explorer.exe <==== ATTENTION
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess?
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\DOCUME~1\Main\LOCALS~1\Application Data\Google\Desktop\Install\{995d8e30-b299-af30-71de-5e75d4f7f382}
C:\Program Files\Google\Desktop\Install\{995d8e30-b299-af30-71de-5e75d4f7f382}
C:\Documents and Settings\Main\acrobat62772.exe
C:\Documents and Settings\Main\acrobatreader.exe
C:\Documents and Settings\Main\acrobatreader394683.exe
C:\Documents and Settings\Main\acrobatreader548959.exe
C:\Documents and Settings\Main\alg874377.exe
C:\Documents and Settings\Main\csrss390884.exe
C:\Documents and Settings\Main\flashplayer.exe
C:\Documents and Settings\Main\googleupdate.exe
C:\Documents and Settings\Main\icq.exe
C:\Documents and Settings\Main\icq528732.exe
C:\Documents and Settings\Main\icq754879.exe
C:\Documents and Settings\Main\iexplore993059.exe
C:\Documents and Settings\Main\jqs527104.exe
C:\Documents and Settings\Main\jqs866546.exe
C:\Documents and Settings\Main\jucheck258518.exe
C:\Documents and Settings\Main\msconfig.exe
C:\Documents and Settings\Main\msconfig300683.exe
C:\Documents and Settings\Main\mstsc.exe
C:\Documents and Settings\Main\mstsc777991.exe
C:\Documents and Settings\Main\opera.exe
C:\Documents and Settings\Main\rundll32403567.exe
C:\Documents and Settings\Main\skype.exe
C:\Documents and Settings\Main\skype255054.exe
C:\Documents and Settings\Main\skype302461.exe
C:\Documents and Settings\Main\spoolsv793453.exe
C:\Documents and Settings\Main\vlcplayer.exe
C:\Documents and Settings\Main\vlcplayer368908.exe
C:\Documents and Settings\Main\vlcplayer827639.exe
C:\Documents and Settings\Main\windowsupdate681992.exe
C:\Documents and Settings\Household\Local Settings\Temp\5.2.30.7-EasyShrx.Dll
C:\DOCUME~1\Main\LOCALS~1\Temp\120_FPPSetup.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\air11F.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\air123.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\air171.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\air174.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\BackupSetup.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\chUninstaller.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\GenericUninstall.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsf155.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsl5A.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsr14C.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsr2A.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\nsu67.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\setup.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\System.Data.SQLite.dll
C:\DOCUME~1\Main\LOCALS~1\Temp\tbVaf0.dll
C:\DOCUME~1\Main\LOCALS~1\Temp\uninstaller.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\vcredist_x86.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\WSSetup.exe
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s
*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
C:\DOCUME~1\Main\LOCALS~1\Application Data\Google\Desktop\Install\{995d8e30-b299-af30-71de-5e75d4f7f382} => Moved successfully.
C:\Program Files\Google\Desktop\Install\{995d8e30-b299-af30-71de-5e75d4f7f382} => Moved successfully.
C:\Documents and Settings\Main\acrobat62772.exe => Moved successfully.
C:\Documents and Settings\Main\acrobatreader.exe => Moved successfully.
C:\Documents and Settings\Main\acrobatreader394683.exe => Moved successfully.
C:\Documents and Settings\Main\acrobatreader548959.exe => Moved successfully.
C:\Documents and Settings\Main\alg874377.exe => Moved successfully.
C:\Documents and Settings\Main\csrss390884.exe => Moved successfully.
C:\Documents and Settings\Main\flashplayer.exe => Moved successfully.
C:\Documents and Settings\Main\googleupdate.exe => Moved successfully.
C:\Documents and Settings\Main\icq.exe => Moved successfully.
C:\Documents and Settings\Main\icq528732.exe => Moved successfully.
C:\Documents and Settings\Main\icq754879.exe => Moved successfully.
C:\Documents and Settings\Main\iexplore993059.exe => Moved successfully.
C:\Documents and Settings\Main\jqs527104.exe => Moved successfully.
C:\Documents and Settings\Main\jqs866546.exe => Moved successfully.
C:\Documents and Settings\Main\jucheck258518.exe => Moved successfully.
C:\Documents and Settings\Main\msconfig.exe => Moved successfully.
C:\Documents and Settings\Main\msconfig300683.exe => Moved successfully.
C:\Documents and Settings\Main\mstsc.exe => Moved successfully.
C:\Documents and Settings\Main\mstsc777991.exe => Moved successfully.
C:\Documents and Settings\Main\opera.exe => Moved successfully.
C:\Documents and Settings\Main\rundll32403567.exe => Moved successfully.
C:\Documents and Settings\Main\skype.exe => Moved successfully.
C:\Documents and Settings\Main\skype255054.exe => Moved successfully.
C:\Documents and Settings\Main\skype302461.exe => Moved successfully.
C:\Documents and Settings\Main\spoolsv793453.exe => Moved successfully.
C:\Documents and Settings\Main\vlcplayer.exe => Moved successfully.
C:\Documents and Settings\Main\vlcplayer368908.exe => Moved successfully.
C:\Documents and Settings\Main\vlcplayer827639.exe => Moved successfully.
C:\Documents and Settings\Main\windowsupdate681992.exe => Moved successfully.
C:\Documents and Settings\Household\Local Settings\Temp\5.2.30.7-EasyShrx.Dll => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\120_FPPSetup.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\air11F.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\air123.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\air171.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\air174.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\BackupSetup.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\chUninstaller.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\GenericUninstall.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\nsf155.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\nsl5A.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\nsr14C.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\nsr2A.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\nsu67.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\setup.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\System.Data.SQLite.dll => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\tbVaf0.dll => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\uninstaller.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\vcredist_x86.exe => Moved successfully.
C:\DOCUME~1\Main\LOCALS~1\Temp\WSSetup.exe => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\LegitLib.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\mpevmsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtMon.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtPlug.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpShHook.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSigDwn.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSoftEx.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpEng.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\wgadef.chm" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Not Found
"C:\Windows\system64" => Not Found

========= Dir /b /a:l "C:\Program Files" /s =========

File Not Found

========= End of CMD: =========

==== End of Fixlog ====

### #7 gringo_pr

gringo_pr

Bleepin Gringo

• Malware Response Team
• 136,772 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto rico
• Local time:01:45 PM

Posted 10 September 2013 - 09:00 PM

Hello bltwmayo

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete click on "Clean".
• Confirm each time with Ok.
• Your computer will be rebooted automatically.
• A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

When they are complete, let me have the two reports and let me know how things are running.

C:\Documents and Settings\Main\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Main\Local Settings\Application Data\cre
Folder Deleted : C:\Documents and Settings\Main\Local Settings\Application Data\DownloadTerms
Folder Deleted : C:\Documents and Settings\Main\Local Settings\Application Data\visi_coupon
Folder Deleted : C:\DOCUME~1\Main\LOCALS~1\Temp\AirInstaller
Folder Deleted : C:\Documents and Settings\Main\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Main\Application Data\DefaultTab
Folder Deleted : C:\Documents and Settings\Main\Application Data\Systweak
Folder Deleted : C:\Documents and Settings\Household\IECompatCache
Folder Deleted : C:\Documents and Settings\Household\Local Settings\Application Data\visi_coupon [!]
Folder Deleted : C:\Documents and Settings\Main\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gjkpcnacdgdlpfejlgflolpaigoicibh
File Deleted : C:\END

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Extension.DLL
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3294791
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B302A1BD-0157-49FA-90F1-4E94F22C7B4B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4B5C-9287-DA72D38F4FE6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\GamesBarSetup
Key Deleted : HKLM\Software\systweak
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{DD85D6BF-4787-4A93-99A5-3F0CF0AE8834}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Google Chrome v28.0.1500.95

[ File : C:\Documents and Settings\Main\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [7426 octets] - [12/09/2013 09:18:15]
AdwCleaner[S0].txt - [7512 octets] - [12/09/2013 12:01:20]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7572 octets] ##########

JRT Removal Results:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.0 (09.12.2013:1)
OS: Microsoft Windows XP x86
Ran by Main on Thu 09/12/2013 at 12:09:04.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\updater by sweetpacks
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\firstsearch
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\updater by sweetpacks
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{325DE2FB-DFF8-4E15-BC2E-B361466C9D18}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A5412E64-96B5-40FF-8648-95DDB86A8529}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BC6C89CF-2EAD-4743-BC0A-AEB771874CBD}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Main\Application Data\big fish games"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 09/12/2013 at 12:22:26.95
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

### #9 bltwmayo

bltwmayo

• Topic Starter
• Members
• 40 posts
• OFFLINE
•
• Local time:12:45 PM

Posted 12 September 2013 - 12:31 PM

The computer is still very slow, but that could just be a horsepower issue. For instance, it takes minutes for IE to load up to the start page.

### #10 bltwmayo

bltwmayo

• Topic Starter
• Members
• 40 posts
• OFFLINE
•
• Local time:12:45 PM

Posted 12 September 2013 - 12:35 PM

Actually, now that IE has loaded, it is actually quite improved within the browser. I think the OS is still sluggish overall. I don't know if that implies additional malware or just OS issues.

### #11 gringo_pr

gringo_pr

Bleepin Gringo

• Malware Response Team
• 136,772 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto rico
• Local time:01:45 PM

Posted 12 September 2013 - 06:24 PM

Hello bltwmayo

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\data\b2eh18d@i126be10b^d4j_o\feed4.data
c:\data\b2eh18d@i126be10b^d4j_o\us_sres.data
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\A360D1FA.TMP
c:\documents and settings\All Users\Application Data\TEMP\CFE0B346.TMP
c:\documents and settings\Main\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences
c:\documents and settings\Main\WINDOWS
c:\windows\system32\SET39.tmp
c:\windows\system32\SET3E.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-08-13 to 2013-09-13 )))))))))))))))))))))))))))))))
.
.
2013-09-12 17:28 . 2013-09-12 17:28 -------- d-sh--w- c:\documents and settings\Main\IECompatCache
2013-09-12 17:08 . 2013-09-12 17:08 -------- d-----w- c:\windows\ERUNT
2013-09-12 14:18 . 2013-09-12 17:01 -------- d-----w- C:\AdwCleaner
2013-09-09 13:36 . 2013-09-09 13:36 -------- d-----w- C:\FRST
2013-09-04 15:31 . 2013-09-04 15:31 -------- d-----w- c:\program files\Carbonite
2013-09-04 15:31 . 2013-09-04 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Carbonite
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn11\yt.dll" [2013-07-10 1508120]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2013-08-06 16:07 1021448 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2013-08-06 16:07 1021448 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2013-08-06 16:07 1021448 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-02 30192]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2013-08-06 1067016]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-12-16 806912]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n [2005-5-3 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [11/29/2006 4:46 PM 3456]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/7/2011 2:05 AM 91640]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 1:37 PM 13672]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [6/6/2013 4:50 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/6/2013 4:50 PM 701512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/15/2009 8:23 PM 101552]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/7/2011 2:05 AM 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/7/2011 2:05 AM 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/7/2011 2:06 AM 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/7/2011 2:06 AM 172416]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/7/2011 2:05 AM 60920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/6/2013 4:50 PM 22856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/7/2011 2:05 AM 363080]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/25/2012 10:46 PM 84904]
S2 0186821379007839mcinstcleanup;McAfee Application Installer Cleanup (0186821379007839);c:\windows\TEMP\018682~1.EXE -cleanup -nolog --> c:\windows\TEMP\018682~1.EXE -cleanup -nolog [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/29/2006 5:15 PM 30192]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [11/18/2012 11:13 PM 146872]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [6/6/2013 9:07 PM 30616]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/25/2012 10:46 PM 84904]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/7/2011 2:05 AM 92632]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 0186821379007839MCINSTCLEANUP
*NewlyCreated* - BITS
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-12 18:00 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-13 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 14:56] . 2013-09-12 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-28 22:23] . 2013-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2013-04-09 19:40] . 2013-09-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2013-04-09 19:40] . 2013-09-03 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20] . 2013-09-13 c:\windows\Tasks\User_Feed_Synchronization-{6AEB4B14-30B2-4188-8593-65A96633CD3F}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 10:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://www.google.com mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: aol.com\free Trusted Zone: turbotax.com Trusted Zone: yahoo.com\login Trusted Zone: yahoo.com\www TCP: DhcpNameServer = 10.10.1.155 10.11.0.17 DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file:///D:/content/include/XPPatchInstaller.CAB DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file:///D:/Content/include/msSecUcd.cab . - - - - ORPHANS REMOVED - - - - . 
SafeBoot-WinDefend MSConfigStartUp-CTFMON - (no file) AddRemove-InternetHelper3 Chrome Toolbar - c:\documents and settings\Main\Application Data\Conduit\Uninstaller\CT3277370\CT3277370.chrome.uninstall.exe AddRemove-DownloadTerms - c:\documents and settings\Main\Local Settings\Application Data\DownloadTerms\uninst.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-09-13 09:38 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-2768159740-785074510-197258759-1007\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\t*-*0 ] "AlwaysCovertFormat"=dword:00000000 "Format"=dword:00000000 "Format_Channel"=dword:00000002 "Format_Value"=dword:00000000 "Format_Quality"=dword:0001f400 "Encoding Language"=dword:00000000 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(344) c:\windows\system32\WININET.dll c:\progra~1\mcafee\SITEAD~1\saHook.dll c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\IME\SPGRMR.DLL c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Google\Update\1.3.21.153\GoogleCrashHandler.exe c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
.
**************************************************************************
.
Completion time: 2013-09-13  09:46:29 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-13 14:46
.
Pre-Run: 533,647,360 bytes free
Post-Run: 1,812,217,856 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 0CAB2C23A3ADC5627833A23EA19AB80A
8F558EB6672622401DA993E1E865C861

### #13 gringo_pr

gringo_pr

Bleepin Gringo

• Malware Response Team
• 136,772 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto rico
• Local time:01:45 PM

Posted 13 September 2013 - 10:36 AM

Hello bltwmayo

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
• In your next post I need the following
• report from Combofix
• let me know of any problems you may have had
• How is the computer doing now after running the script?
Gringo

### #14 bltwmayo

bltwmayo
• Topic Starter

• Members
• 40 posts
• OFFLINE
•
• Local time:12:45 PM

Posted 13 September 2013 - 11:59 AM

ComboFix 13-09-13.01 - Main 09/13/2013  11:17:57.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.990.498 [GMT -5:00]
Running from: c:\documents and settings\Main\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Main\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\avbase.dat
c:\windows\dasetup.log
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-13 to 2013-09-13  )))))))))))))))))))))))))))))))
.
.
2013-09-13 14:40 . 2013-09-13 14:40 -------- d-----w- c:\windows\LastGood
2013-09-12 17:28 . 2013-09-12 17:28 -------- d-sh--w- c:\documents and settings\Main\IECompatCache
2013-09-12 17:08 . 2013-09-12 17:08 -------- d-----w- c:\windows\ERUNT
2013-09-12 14:18 . 2013-09-12 17:01 -------- d-----w- C:\AdwCleaner
2013-09-09 13:36 . 2013-09-09 13:36 -------- d-----w- C:\FRST
2013-09-04 15:31 . 2013-09-04 15:31 -------- d-----w- c:\program files\Carbonite
2013-09-04 15:31 . 2013-09-04 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Carbonite
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn11\yt.dll" [2013-07-10 1508120]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2013-08-06 16:07 1021448 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2013-08-06 16:07 1021448 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2013-08-06 16:07 1021448 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 90112]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2013-08-06 1067016]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-12-16 806912]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n [2005-5-3 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
@=""
.
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [11/29/2006 4:46 PM 3456]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/7/2011 2:05 AM 91640]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 1:37 PM 13672]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [6/6/2013 4:50 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/6/2013 4:50 PM 701512]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/15/2009 8:23 PM 101552]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/7/2011 2:05 AM 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/7/2011 2:05 AM 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/7/2011 2:06 AM 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/7/2011 2:06 AM 172416]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/7/2011 2:05 AM 60920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/6/2013 4:50 PM 22856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/7/2011 2:05 AM 363080]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/25/2012 10:46 PM 84904]
S2 0186821379007839mcinstcleanup;McAfee Application Installer Cleanup (0186821379007839);c:\windows\TEMP\018682~1.EXE -cleanup -nolog --> c:\windows\TEMP\018682~1.EXE -cleanup -nolog [?]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [11/18/2012 11:13 PM 146872]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [6/6/2013 9:07 PM 30616]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/25/2012 10:46 PM 84904]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/7/2011 2:05 AM 92632]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 0186821379007839MCINSTCLEANUP
*NewlyCreated* - BITS
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-12 18:00 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 14:56]
.
.
.
.
2013-09-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
- c:\windows\system32\msfeedssync.exe [2007-08-14 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
Trusted Zone: yahoo.com\www
TCP: DhcpNameServer = 10.10.1.155 10.11.0.17
DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file:///D:/content/include/XPPatchInstaller.CAB
DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} - file:///D:/Content/include/msSecUcd.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-13 11:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2768159740-785074510-197258759-1007\Software\Creative Tech\Component Installed\{B17F00C9-19EC-43A2-BD81-44D8E5D4D994}\Object\{00000000-0000-0000-0000-000000000000}\User Settings\t*-*0 ]
"AlwaysCovertFormat"=dword:00000000
"Format"=dword:00000000
"Format_Channel"=dword:00000002
"Format_Value"=dword:00000000
"Format_Quality"=dword:0001f400
"Encoding Language"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2013-09-13  11:34:25
ComboFix-quarantined-files.txt  2013-09-13 16:34
ComboFix2.txt  2013-09-13 14:46
.
Pre-Run: 1,759,498,240 bytes free
Post-Run: 1,751,511,040 bytes free
.
- - End Of File - - B693CC1D2D58FADFD2BBC45365431694
8F558EB6672622401DA993E1E865C861

The computer is running pretty good, but it is asking to run a lot of updates (Windows and Adobe). I still have McAfee disabled as well.

### #15 gringo_pr

gringo_pr

Bleepin Gringo

• Malware Response Team
• 136,772 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto rico
• Local time:01:45 PM

Posted 13 September 2013 - 08:50 PM

Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove:
• Internet Explorer Toolbar 4.8 by SweetPacks
• InternetHelper3 Chrome Toolbar
• Java™ 6 Update 30
• Java™ SE Runtime Environment 6 Update 1
• WeatherBug

• Double click Revo Uninstaller to run it.
• From the list of programs double click on The Program to remove
• When prompted if you want to uninstall click Yes.
• Be sure the Moderate option is selected then click Next.
• The program will run, If prompted again click Yes
• when the built-in uninstaller is finished click on Next.
• Once the program has searched for leftovers click Next.
• Check/tick the bolded items only on the list then click Delete
• when prompted click on Yes and then on next.
• put a check on any folders that are found and select delete
• when prompted select yes then on next
• Once done click Finish.

Install Java:

Please go here to install Java
• click on the Free Java Download Button
• click on Agree and start Free download
• click on Run
• click on run again
• click on install
• when install is complete click on close

Clean Out Temp Files
• This small application you may want to keep and use once a week to keep the computer clean.

• Run the installer to install the application.
• When it gives you the option to install Yahoo toolbar uncheck the box next to it.
• Run CCleaner. default settings are fine
• Click Run Cleaner.
• Close CCleaner.

: Malwarebytes' Anti-Malware :

I see that you have MBAM installed - that is great! At this time I would like you to update it and run me a quick scan.
• Double-click mbam icon
• go to the update tab at the top
• click on check for updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• If you accidentally close it, the log file is saved here and will be named like this:
• C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

• Go Here to download HijackThis program
• Save HijackThis to your desktop.
• Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
• Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
• copy and paste hijackthis report into the topic

"information and logs"
• In your next post I need the following
• Log From MBAM
• report from Hijackthis
• let me know of any problems you may have had
• How is the computer doing now?