ZeroAccess rootkit detected


  • This topic is locked
18 replies to this topic

#1 maryba

  • Members

Posted 09 September 2013 - 06:23 PM

While I'm presently experiencing no apparent computer performance problems, after previous contact with another BleepingComputer helper, I understand that I have the ZeroAccess rootkit on my system. If reference to the earlier complaint and resulting diagnostics would be helpful, please see http://www.bleepingcomputer.com/forums/t/507136/very-slow-iexplorer-and-safari-for-windows/

As directed by that helper, I have run DDS and am including its resulting logs here. Attach.txt file is attached.

Thanks in advance for any help that can be provided.

Mike

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by owner at 18:07:29 on 2013-09-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.534 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dexpot\dexpot.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Safari\Apple Application Support\WebKit2WebProcess.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Dexpot] c:\program files\dexpot\dexpot.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [wmdrad] rundll32.exe ",Restore
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [Ctfmon] wscript.exe "c:\microsoft__sdk\lib\include\cc1xm.js"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 192.168.15.1
TCP: Interfaces\{18B73CE7-8E05-4763-9F6F-E56028189932} : DHCPNameServer = 192.168.10.1
TCP: Interfaces\{2B3168B4-F4D1-4103-9A26-897BC3479B12} : DHCPNameServer = 192.168.10.1
TCP: Interfaces\{4C86ABC0-DDF5-4171-B7E4-41B9A06076DA} : DHCPNameServer = 207.230.192.254 209.142.136.220
TCP: Interfaces\{8FB3ECE9-34A9-4AC6-A1C7-4F66931F9968} : DHCPNameServer = 192.168.15.1
TCP: Interfaces\{942A16C2-B9FF-4A71-A910-862E3DD77A45} : DHCPNameServer = 192.168.10.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.66\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-9-7 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-9-7 84024]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-9-7 108088]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-9-7 88840]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-7-8 32072]
S2 Dataup;Dataup Service;c:\windows\dataup.exe [2013-8-3 73728]
S2 netupdate;Network Update Service;c:\windows\ntrtm.exe -k --> c:\windows\ntrtm.exe -k [?]
S4 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-9-7 815160]
.
=============== Created Last 30 ================
.
2013-09-09 14:46:14 48728 ----a-w- c:\windows\system32\drivers\29BA37CC.sys
2013-09-09 14:45:06 48728 ----a-w- c:\windows\system32\drivers\5A60349D.sys
2013-09-08 03:54:06 -------- d-----w- c:\documents and settings\owner\application data\Avira
2013-09-08 03:47:26 88840 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-09-08 03:47:26 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-09-08 03:47:25 -------- d-----w- c:\program files\Avira
2013-09-08 03:47:25 -------- d-----w- c:\documents and settings\all users\application data\Avira
2013-08-31 13:39:27 -------- d-----w- C:\Microsoft__SDK
2013-08-31 13:39:19 -------- d-----w- C:\Microsoft_SDK
2013-08-15 11:55:36 57344 ----a-w- c:\windows\ntrtm.exe
.
==================== Find3M  ====================
.
2013-08-01 01:37:50 73728 ----a-w- c:\windows\dataup.exe
.
============= FINISH: 18:09:00.59 ===============

#2 TB-Psychotic

  • Malware Response Team

Posted 10 September 2013 - 01:05 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat. Do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 maryba

  • Topic Starter
  • Members

Posted 10 September 2013 - 11:09 AM

Hi Marius,

As you've requested, here's the log from aswMBR run on my computer.

Mike

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-10 08:37:06
-----------------------------
08:37:06.328    OS Version: Windows 5.1.2600 Service Pack 3
08:37:06.328    Number of processors: 2 586 0x403
08:37:06.328    ComputerName: DELL-GX620  UserName: owner
08:37:06.765    Initialize success
08:39:28.437    AVAST engine defs: 13091000
08:39:48.328    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
08:39:48.328    Disk 0 Vendor: WDC_WD800JD-75MSA3 10.01E04 Size: 76293MB BusType: 3
08:39:48.468    Disk 0 MBR read successfully
08:39:48.468    Disk 0 MBR scan
08:39:48.703    Disk 0 Windows XP default MBR code
08:39:48.703    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        76285 MB offset 63
08:39:48.734    Disk 0 scanning sectors +156232125
08:39:48.843    Disk 0 scanning C:\WINDOWS\system32\drivers
08:40:13.578    Service scanning
08:40:33.453    Modules scanning
08:40:40.140    Disk 0 trace - called modules:
08:40:40.171    ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
08:40:40.171    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86573ab8]
08:40:40.171    3 CLASSPNP.SYS[f75fefd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8658d940]
08:40:40.656    AVAST engine scan C:\WINDOWS
08:40:51.421    AVAST engine scan C:\WINDOWS\system32
08:43:59.328    AVAST engine scan C:\WINDOWS\system32\drivers
08:44:15.859    AVAST engine scan C:\Documents and Settings\owner
09:36:22.875    AVAST engine scan C:\Documents and Settings\All Users
09:36:47.890    Scan finished successfully
10:49:08.921    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\owner\Desktop\virus debug\zeroaccess rootkit fix\MBR.dat"
10:49:08.921    The log file has been saved successfully to "C:\Documents and Settings\owner\Desktop\virus debug\zeroaccess rootkit fix\aswMBR.txt"


#4 TB-Psychotic

  • Malware Response Team

Posted 10 September 2013 - 11:38 PM

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.



#5 maryba

  • Topic Starter
  • Members

Posted 11 September 2013 - 07:39 AM

Hi Marius,

Here's ComboFix's log:

ComboFix 13-09-10.03 - owner 09/11/2013   7:19.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.665 [GMT -5:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\TotalRecipeSearch_14EI
c:\program files\TotalRecipeSearch_14EI\Installr\1.bin\14EIPlug.dll
c:\program files\TotalRecipeSearch_14EI\Installr\1.bin\14EZSETP.dll
c:\program files\TotalRecipeSearch_14EI\Installr\1.bin\NP14EISb.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-11 to 2013-09-11  )))))))))))))))))))))))))))))))
.
.
2013-09-09 14:46 . 2013-09-09 14:46 48728 ----a-w- c:\windows\system32\drivers\29BA37CC.sys
2013-09-09 14:45 . 2013-09-09 14:45 48728 ----a-w- c:\windows\system32\drivers\5A60349D.sys
2013-09-08 03:54 . 2013-09-08 03:54 -------- d-----w- c:\documents and settings\owner\Application Data\Avira
2013-09-08 03:47 . 2013-09-08 03:46 88840 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-09-08 03:47 . 2013-09-08 03:46 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-09-08 03:47 . 2013-09-08 03:46 136672 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-09-08 03:47 . 2013-09-08 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2013-09-08 03:47 . 2013-09-08 03:47 -------- d-----w- c:\program files\Avira
2013-08-31 13:39 . 2013-08-31 13:39 -------- d-----w- C:\Microsoft__SDK
2013-08-31 13:39 . 2013-08-31 13:39 -------- d-----w- C:\Microsoft_SDK
2013-08-16 21:02 . 2013-08-16 21:06 -------- d-----w- c:\documents and settings\Guest
2013-08-15 11:55 . 2013-08-20 13:00 57344 ----a-w- c:\windows\ntrtm.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-01 01:37 . 2013-08-04 03:45 73728 ----a-w- c:\windows\dataup.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dexpot"="c:\program files\Dexpot\dexpot.exe" [2009-06-04 1286144]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-08-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-09-08 347192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon"="wscript.exe" [2008-05-08 155648]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [1999-2-17 65588]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^owner^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-04-04 05:53 843712 ---ha-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 04:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 04:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2012-08-16 23:16 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [9/7/2013 10:47 PM 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/7/2013 10:47 PM 84024]
R2 Dataup;Dataup Service;c:\windows\dataup.exe [8/3/2013 10:45 PM 73728]
S2 netupdate;Network Update Service;c:\windows\ntrtm.exe -k --> c:\windows\ntrtm.exe -k [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [7/8/2012 4:31 PM 32072]
S4 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [9/7/2013 10:47 PM 815160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-05 12:54 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 00:14]
.
2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-16 23:16]
.
2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-16 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.15.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-wmdrad - (no file)
MSConfigStartUp-aviokvkj - c:\documents and settings\owner\Local Settings\Application Data\dflqsahb.exe
MSConfigStartUp-selpns - c:\documents and settings\owner\Application Data\selpns.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-11 07:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(708)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2013-09-11  07:33:25
ComboFix-quarantined-files.txt  2013-09-11 12:33
.
Pre-Run: 20,760,989,696 bytes free
Post-Run: 25,840,017,408 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 764A7F511551A2C02DAF92A0BDBB9851
8F558EB6672622401DA993E1E865C861

===================

Mike



#6 TB-Psychotic

  • Malware Response Team

Posted 11 September 2013 - 07:57 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


#7 maryba

  • Topic Starter
  • Members

Posted 11 September 2013 - 11:00 AM

Help Marius,

There was no attached CFScript.txt in your last email.

Mike



#8 maryba

  • Topic Starter
  • Members

Posted 11 September 2013 - 02:37 PM

Wait, I found the attached CFScript.txt. Was looking for it in the email you sent rather than in the post above. Off and running - after I close this browser session.

Sorry for any confusion.

Mike



#9 maryba

  • Topic Starter
  • Members

Posted 11 September 2013 - 05:31 PM

Hi Marius,

Did a ComboFix run with the CFScript.

Logs:

ComboFix 13-09-10.03 - owner 09/11/2013  15:20:05.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.457 [GMT -5:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
file zipped: c:\windows\dataup.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-11 to 2013-09-11  )))))))))))))))))))))))))))))))
.
.
2013-09-11 18:05 . 2013-09-11 18:05 -------- d-----w- c:\windows\LastGood.Tmp
2013-09-09 14:46 . 2013-09-09 14:46 48728 ----a-w- c:\windows\system32\drivers\29BA37CC.sys
2013-09-09 14:45 . 2013-09-09 14:45 48728 ----a-w- c:\windows\system32\drivers\5A60349D.sys
2013-09-08 03:54 . 2013-09-08 03:54 -------- d-----w- c:\documents and settings\owner\Application Data\Avira
2013-09-08 03:47 . 2013-09-08 03:46 88840 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-09-08 03:47 . 2013-09-08 03:46 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-09-08 03:47 . 2013-09-08 03:46 136672 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-09-08 03:47 . 2013-09-08 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2013-09-08 03:47 . 2013-09-08 03:47 -------- d-----w- c:\program files\Avira
2013-08-31 13:39 . 2013-08-31 13:39 -------- d-----w- C:\Microsoft__SDK
2013-08-31 13:39 . 2013-08-31 13:39 -------- d-----w- C:\Microsoft_SDK
2013-08-16 21:02 . 2013-08-16 21:06 -------- d-----w- c:\documents and settings\Guest
2013-08-15 11:55 . 2013-08-20 13:00 57344 ----a-w- c:\windows\ntrtm.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-01 01:37 . 2013-08-04 03:45 73728 ----a-w- c:\windows\dataup.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dexpot"="c:\program files\Dexpot\dexpot.exe" [2009-06-04 1286144]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-08-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-09-08 347192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Ctfmon"="wscript.exe" [2008-05-08 155648]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [1999-2-17 65588]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^owner^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-04-04 05:53 843712 ---ha-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-24 04:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-24 04:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2012-08-16 23:16 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [9/7/2013 10:47 PM 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/7/2013 10:47 PM 84024]
R2 netupdate;Network Update Service;c:\windows\ntrtm.exe -k --> c:\windows\ntrtm.exe -k [?]
S2 Dataup;Dataup Service;c:\windows\dataup.exe [8/3/2013 10:45 PM 73728]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [7/8/2012 4:31 PM 32072]
S4 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [9/7/2013 10:47 PM 815160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-05 12:54 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 00:14]
.
2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-16 23:16]
.
2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-08-16 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 192.168.15.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-11 15:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(712)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(3936)
c:\windows\system32\WININET.dll
c:\program files\Dexpot\hooxpot.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ntrtm.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2013-09-11  15:35:19 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-11 20:35
ComboFix2.txt  2013-09-11 12:33
.
Pre-Run: 25,606,651,904 bytes free
Post-Run: 25,611,120,640 bytes free
.
- - End Of File - - 236677DE4D130993EB06DDB841CBB0FB
8F558EB6672622401DA993E1E865C861
Upload was successful

--- and ----

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.07.06
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
owner :: DELL-GX620 [administrator]
 
9/11/2013 3:44:55 PM
mbam-log-2013-09-11 (15-44-55).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 316888
Time elapsed: 40 minute(s), 51 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 3
C:\Documents and Settings\owner\My Documents\program installers\dexpot_165_r2207.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{563AA439-B92E-478A-A734-571E51ADD71A}\RP476\A0024725.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{563AA439-B92E-478A-A734-571E51ADD71A}\RP476\A0024727.exe (Trojan.Agent.IXP) -> Quarantined and deleted successfully.
 
(end)

Marius, some additional Avira actions:

Avira
Security Alert
 
Date/Time: 9/11/2013, 4:08:34 PM
Type: Detection
 
Access to file: 'C:\System Volume Information\...\A0023306.vbs' containing the virus or unwanted program 'HTML/Rce.Gen3' was blocked.
 
---- closed alert window - i.e., did not hit Remove button -----

--- and then after-MalwareBytes-directed reboot, another Avira Security Alert:
 
Date/Time: 9/11/2013, 4:54:09 PM
Type: Detection
 
Access to file: 'C:\System Volume Information\...\A0024817.dll' containing the virus or unwanted program 'TR/Crypt.ZPACK.Gen7' was blocked.
 
 
---- clicked on Remove button -------

That's all for the moment.

Mike

#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:28 AM

Posted 12 September 2013 - 12:06 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 12 September 2013 - 10:10 AM

Hi Marius,

ESET results below. For your information, I wasn't given the opportunity to click on Advanced Settings - or I missed seeing the option.

C:\System Volume Information\_restore{563AA439-B92E-478A-A734-571E51ADD71A}\RP421\A0021344.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{563AA439-B92E-478A-A734-571E51ADD71A}\RP421\A0021354.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{563AA439-B92E-478A-A734-571E51ADD71A}\RP422\A0021360.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{563AA439-B92E-478A-A734-571E51ADD71A}\RP422\A0021376.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{563AA439-B92E-478A-A734-571E51ADD71A}\RP458\A0023306.vbs JS/TrojanDownloader.Psyme.NEV trojan

Mike



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:28 AM

Posted 12 September 2013 - 11:53 PM

These detections will be taken out soon.

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You'll find the log file at C:\AdwCleaner[S1].txt also.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its contents to your thread.



#13 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 13 September 2013 - 09:32 AM

Marius,

Have started AdwCleaner but did not see an immediate 'Delete' option to hit, as per your instruction. Clicked on 'Scan' and got a pretty fast progress bar which then went gray and displayed the phrase 'Pending. Please uncheck elements you don't want to remove.'

'Scan' button is grayed out with only 'Clean, Report, Uninstall, and Donate' buttons seemingly available. Have been in pending state for at least 10 minutes and no apparent further activity. Have not pressed any of the buttons. The dropdown menus in the Results section are clickable and do display some content, specifically the Folders and Registry tabs.

Have not run SecurityCheck yet. Guidance, please.

Mike



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:28 AM

Posted 15 September 2013 - 06:32 AM

OK, the software has been changed.

Don't uncheck anything - hit clean and post up the log the software provides.


Edited by TB-Psychotic, 15 September 2013 - 06:32 AM.


#15 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 15 September 2013 - 11:52 AM

The requested log:

# AdwCleaner v3.003 - Report created 15/09/2013 at 11:43:24
# Updated 07/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : owner - DELL-GX620
# Running from : C:\Documents and Settings\owner\Desktop\virus debug\zeroaccess rootkit fix\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Documents and Settings\owner\IECompatCache
Folder Deleted : C:\Documents and Settings\owner\Local Settings\Application Data\iac
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14Installer.Start
Key Deleted : HKLM\SOFTWARE\Classes\TotalRecipeSearch_14Installer.Start.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@ei.TotalRecipeSearch_14.com/Plugin
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{13119113-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{33119133-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3B181CF2-878B-4758-8FBD-59D8AC5AB12D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{490A5A0F-1471-47FF-8BB5-719F1F5238AD}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8E5B29C2-BC6E-40BE-B881-AEE35B1F4035}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\TotalRecipeSearch_14EI
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
-\\ Google Chrome v29.0.1547.66
 
[ File : C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2179 octets] - [13/09/2013 09:15:08]
AdwCleaner[R1].txt - [2204 octets] - [13/09/2013 09:51:32]
AdwCleaner[R2].txt - [2299 octets] - [15/09/2013 11:42:17]
AdwCleaner[S0].txt - [2258 octets] - [15/09/2013 11:43:24]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2318 octets] ##########

Mike
