
zero access malware


  • This topic is locked
27 replies to this topic

#1 amiri baraka

amiri baraka

  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 26 January 2014 - 08:45 PM

hi,

i am posting this as a new topic as i was asked to do. i had previously followed instructions from this thread

http://www.bleepingcomputer.com/forums/t/521131/visualbee-mysearch-and-possibly-others/

and i had success seemingly removing most or all of this virus. but i want to make sure it's dead. here is the log info...


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 1.6.0_33
Run by Brendan at 20:32:14 on 2014-01-26
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3006.1163 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\real\realplayer\Update\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_43.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [23C3F5C0] c:\users\brendan\downlo~1\speedu~1.exe  /m="c:\users\brendan\downlo~1\SPEEDU~1.EXE" /k=""
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:153
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:153
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{6B3CCD0D-9E77-49D7-B17B-B448692F936E} : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\brendan\appdata\roaming\mozilla\firefox\profiles\v1gm7te1.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20140105,20030,0,85,0
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\users\brendan\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_43.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2009-08-19 10:27; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;c:\program files\hp\common\HPSupportSolutionsFrameworkService.exe [2013-12-17 46904]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2013-4-16 39056]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-3-30 1295416]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-3-30 681016]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-8-4 207360]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LiveUpdateSvc;LiveUpdate;c:\program files\iobit\liveupdate\LiveUpdate.exe [2014-1-25 2151200]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 eRootDrv;eRootDrv;c:\windows\system32\drivers\eRootDrv.sys [2012-9-1 23976]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2014-01-27 01:24:12    7760024    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{8a051b2d-2803-4255-b6bc-946eeb4c1b1b}\mpengine.dll
2014-01-27 01:06:44    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2014-01-27 01:05:42    33792    ----a-w-    c:\windows\system32\wuapp.exe
2014-01-27 01:05:42    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2014-01-26 22:07:33    --------    d-----w-    c:\users\brendan\appdata\local\temp
2014-01-26 22:00:32    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-01-26 21:58:05    16896    ----a-w-    c:\windows\system32\grpconv.exe
2014-01-26 21:47:57    98816    ----a-w-    c:\windows\sed.exe
2014-01-26 21:47:57    256000    ----a-w-    c:\windows\PEV.exe
2014-01-26 21:47:57    208896    ----a-w-    c:\windows\MBR.exe
2014-01-26 16:57:44    107224    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-01-26 16:57:44    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-01-26 16:57:09    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-01-26 14:02:49    --------    d-----w-    c:\program files\ESET
2014-01-26 13:11:39    --------    d-----w-    c:\windows\ERUNT
2014-01-26 12:29:11    --------    d-----w-    C:\AdwCleaner
2014-01-26 12:25:53    835656    ----a-w-    c:\windows\system32\WINCTL5.OCX
2014-01-26 12:25:53    499785    ----a-w-    c:\windows\system32\WINUTIL8.DLL
2014-01-26 12:25:53    425984    ----a-w-    c:\windows\system32\WinCMR.dll
2014-01-26 12:25:53    393216    ----a-w-    c:\windows\system32\WINLCTL6.DLL
2014-01-26 12:25:52    --------    d-----w-    c:\program files\Winferno
2014-01-26 12:25:38    --------    d-----w-    c:\users\brendan\appdata\local\ArcadeParlor
2014-01-26 09:21:28    --------    d-----w-    c:\program files\Windows Portable Devices
2014-01-26 08:47:18    92672    ----a-w-    c:\windows\system32\UIAnimation.dll
2014-01-26 08:47:17    3023360    ----a-w-    c:\windows\system32\UIRibbon.dll
2014-01-26 08:47:17    1164800    ----a-w-    c:\windows\system32\UIRibbonRes.dll
2014-01-26 08:28:32    974848    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-01-26 08:28:32    519680    ----a-w-    c:\windows\system32\d3d11.dll
2014-01-26 08:28:32    369664    ----a-w-    c:\windows\system32\WMPhoto.dll
2014-01-26 08:28:32    321024    ----a-w-    c:\windows\system32\PhotoMetadataHandler.dll
2014-01-26 08:28:32    252928    ----a-w-    c:\windows\system32\dxdiag.exe
2014-01-26 08:28:32    195584    ----a-w-    c:\windows\system32\dxdiagn.dll
2014-01-26 08:28:32    189440    ----a-w-    c:\windows\system32\WindowsCodecsExt.dll
2014-01-26 08:11:52    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2014-01-26 08:11:50    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-01-26 08:11:50    16896    ----a-w-    c:\windows\system32\winusb.dll
2014-01-26 08:11:50    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-01-26 08:11:49    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-01-26 08:11:49    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-01-26 08:11:48    47720    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2014-01-26 08:11:47    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2014-01-26 08:11:47    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-01-26 08:11:47    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-01-25 18:50:56    75776    ----a-w-    c:\windows\system32\synceng.dll
2014-01-25 18:49:52    204288    ----a-w-    c:\windows\system32\ncrypt.dll
2014-01-25 18:48:59    615936    ----a-w-    c:\windows\system32\themeui.dll
2014-01-25 18:47:50    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2014-01-25 18:47:50    172544    ----a-w-    c:\windows\system32\wintrust.dll
2014-01-25 18:47:50    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2014-01-25 18:28:50    613376    ----a-w-    c:\windows\system32\rdpencom.dll
2014-01-25 18:02:38    --------    d-----w-    c:\windows\system32\vi-VN
2014-01-25 18:02:38    --------    d-----w-    c:\windows\system32\eu-ES
2014-01-25 18:02:38    --------    d-----w-    c:\windows\system32\ca-ES
2014-01-25 17:40:44    --------    d-----w-    c:\users\brendan\appdata\local\DHAgent
2014-01-25 16:29:58    --------    d-----w-    c:\programdata\{3C5CBD7B-3D1D-411E-96C2-513FFCA84D2D}
2014-01-25 16:29:57    --------    d-----w-    c:\programdata\ProductData
2014-01-25 16:29:53    --------    d-----w-    c:\programdata\IObit
2014-01-25 16:29:40    --------    d-----w-    c:\program files\IObit
2014-01-25 16:29:16    --------    d-----w-    c:\users\brendan\appdata\roaming\IObit
.
==================== Find3M  ====================
.
2014-01-26 08:28:33    4096    ----a-w-    c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2014-01-18 09:02:55    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-01-18 09:02:55    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-12-18 11:13:56    231584    ------w-    c:\windows\system32\MpSigStub.exe
2013-10-30 02:13:01    1304064    ----a-w-    c:\windows\system32\WMALFXGFXDSP.dll
2013-10-30 02:12:54    335360    ----a-w-    c:\windows\system32\SysFxUI.dll
2013-10-30 01:43:04    130048    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-10-30 00:43:06    167936    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-10-30 00:35:24    2050560    ----a-w-    c:\windows\system32\win32k.sys
.
============= FINISH: 20:33:25.54 ===============


.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 8/15/2008 6:29:31 AM
System Uptime: 1/26/2014 7:58:06 PM (1 hours ago)
.
Motherboard: ECS  |  | Iris8
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4800+ | Socket AM2  | 2200/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 287 GiB total, 136.647 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 1.541 GiB free.
E: is CDROM ()
G: is FIXED (NTFS) - 466 GiB total, 257.038 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
7-Zip 9.20
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 12 Plugin
Adobe Help Manager
Adobe Shockwave Player 11.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcadeParlor
ArcSoft MediaImpression for Kodak
AVS Audio Converter version 5.1
AVS Update Manager 1.0
Cards_Calendar_OrderGift_DoMorePlugout
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite Deluxe
Driver Detective
ESET Online Scanner v3
Google Chrome
Google Update Helper
Hardware Diagnostic Tools
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Customer Feedback
HP Demo
HP Photosmart Essential 2.5
HP Photosmart Essential 3.0
HP Recovery Manager RSS
HP Support Solutions Framework




#2 amiri baraka

amiri baraka
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 27 January 2014 - 04:30 PM

hi,

i'm able to work on this right now if anyone is available. thanks...



#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 PM

Posted 31 January 2014 - 02:29 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until the Prescan has finished...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
=======

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double-click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.

Let me know what problem persists.

#4 amiri baraka

amiri baraka
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 01 February 2014 - 03:55 AM

hi there,

thank you very much. i can't tell right now what problems persist. there is nothing obvious, but there was nothing obvious before after i ran some various anti-virus programs from bleepingcomputer, and rkill would tell me that there was still something malicious running on my computer. i will say this: before there were pop-up ads coming up on certain websites and i am not seeing those at this moment, so that is a good sign.

at any rate, here are the results...

combofix...


ComboFix 14-02-01.01 - Brendan 02/01/2014   3:40.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3006.2141 [GMT -5:00]
Running from: c:\users\Brendan\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-01 to 2014-02-01  )))))))))))))))))))))))))))))))
.
.
2014-02-01 08:46 . 2014-02-01 08:46    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-01-31 21:54 . 2014-01-31 21:54    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{85BAD157-731B-4A5E-B57D-3BB4BFE0EBF7}\offreg.dll
2014-01-31 21:36 . 2013-12-16 06:54    7760024    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{85BAD157-731B-4A5E-B57D-3BB4BFE0EBF7}\mpengine.dll
2014-01-27 01:27 . 2013-08-27 02:47    219648    ----a-w-    c:\windows\system32\d3d10_1core.dll
2014-01-27 01:27 . 2013-08-27 02:47    189952    ----a-w-    c:\windows\system32\d3d10core.dll
2014-01-27 01:27 . 2013-08-27 02:47    160768    ----a-w-    c:\windows\system32\d3d10_1.dll
2014-01-27 01:27 . 2013-08-27 02:47    1029120    ----a-w-    c:\windows\system32\d3d10.dll
2014-01-27 01:27 . 2013-08-27 01:52    1172480    ----a-w-    c:\windows\system32\d3d10warp.dll
2014-01-27 01:27 . 2013-08-27 01:50    486400    ----a-w-    c:\windows\system32\d3d10level9.dll
2014-01-27 01:27 . 2013-08-27 01:32    683008    ----a-w-    c:\windows\system32\d2d1.dll
2014-01-27 01:27 . 2013-08-27 01:28    1069056    ----a-w-    c:\windows\system32\DWrite.dll
2014-01-27 01:27 . 2013-08-27 01:28    798208    ----a-w-    c:\windows\system32\FntCache.dll
2014-01-27 01:27 . 2011-03-12 21:55    876032    ----a-w-    c:\windows\system32\XpsPrint.dll
2014-01-27 01:06 . 2012-06-02 22:19    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2014-01-27 01:06 . 2012-06-02 22:19    45080    ----a-w-    c:\windows\system32\wups2.dll
2014-01-27 01:06 . 2012-06-02 22:19    1933848    ----a-w-    c:\windows\system32\wuaueng.dll
2014-01-27 01:06 . 2012-06-02 22:12    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2014-01-27 01:05 . 2012-06-02 22:19    35864    ----a-w-    c:\windows\system32\wups.dll
2014-01-27 01:05 . 2012-06-02 22:19    577048    ----a-w-    c:\windows\system32\wuapi.dll
2014-01-27 01:05 . 2012-06-02 22:12    88576    ----a-w-    c:\windows\system32\wudriver.dll
2014-01-27 01:05 . 2012-06-02 20:19    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2014-01-27 01:05 . 2012-06-02 20:12    33792    ----a-w-    c:\windows\system32\wuapp.exe
2014-01-26 22:07 . 2014-02-01 08:46    --------    d-----w-    c:\users\Brendan\AppData\Local\temp
2014-01-26 21:58 . 2006-11-02 09:45    16896    ----a-w-    c:\windows\system32\grpconv.exe
2014-01-26 16:57 . 2014-01-26 16:57    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-01-26 14:02 . 2014-01-26 14:02    --------    d-----w-    c:\program files\ESET
2014-01-26 13:11 . 2014-01-26 13:11    --------    d-----w-    c:\windows\ERUNT
2014-01-26 12:31 . 2014-01-26 12:31    --------    d-----w-    c:\programdata\Winferno
2014-01-26 12:29 . 2014-01-26 22:39    --------    d-----w-    C:\AdwCleaner
2014-01-26 12:25 . 2014-01-26 12:25    --------    d-----w-    c:\program files\7-Zip
2014-01-26 12:25 . 2010-10-26 16:07    499785    ----a-w-    c:\windows\system32\WINUTIL8.DLL
2014-01-26 12:25 . 2010-09-01 20:59    835656    ----a-w-    c:\windows\system32\WINCTL5.OCX
2014-01-26 12:25 . 2010-01-14 15:31    425984    ----a-w-    c:\windows\system32\WinCMR.dll
2014-01-26 12:25 . 2009-06-05 16:04    393216    ----a-w-    c:\windows\system32\WINLCTL6.DLL
2014-01-26 12:25 . 2014-01-26 13:12    --------    d-----w-    c:\program files\Winferno
2014-01-26 12:25 . 2014-01-26 12:25    --------    d-----w-    c:\programdata\Yahoo! Companion
2014-01-26 12:25 . 2014-01-26 12:25    --------    d-----w-    c:\programdata\Yahoo!
2014-01-26 09:21 . 2014-01-26 09:21    --------    d-----w-    c:\program files\Windows Portable Devices
2014-01-26 08:47 . 2009-09-10 02:00    92672    ----a-w-    c:\windows\system32\UIAnimation.dll
2014-01-26 08:47 . 2009-09-10 02:01    3023360    ----a-w-    c:\windows\system32\UIRibbon.dll
2014-01-26 08:47 . 2009-09-10 02:00    1164800    ----a-w-    c:\windows\system32\UIRibbonRes.dll
2014-01-26 08:28 . 2014-01-26 08:28    974848    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-01-26 08:28 . 2014-01-26 08:28    519680    ----a-w-    c:\windows\system32\d3d11.dll
2014-01-26 08:28 . 2014-01-26 08:28    369664    ----a-w-    c:\windows\system32\WMPhoto.dll
2014-01-26 08:28 . 2014-01-26 08:28    321024    ----a-w-    c:\windows\system32\PhotoMetadataHandler.dll
2014-01-26 08:28 . 2014-01-26 08:28    252928    ----a-w-    c:\windows\system32\dxdiag.exe
2014-01-26 08:28 . 2014-01-26 08:28    195584    ----a-w-    c:\windows\system32\dxdiagn.dll
2014-01-26 08:28 . 2014-01-26 08:28    189440    ----a-w-    c:\windows\system32\WindowsCodecsExt.dll
2014-01-26 08:11 . 2012-07-26 02:46    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2014-01-26 08:11 . 2012-07-26 02:33    66560    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-01-26 08:11 . 2012-07-26 02:32    155136    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-01-26 08:11 . 2009-07-14 12:12    16896    ----a-w-    c:\windows\system32\winusb.dll
2014-01-26 08:11 . 2012-07-26 03:20    73216    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-01-26 08:11 . 2012-07-26 03:20    172032    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-01-26 08:11 . 2012-07-26 03:39    47720    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2014-01-26 08:11 . 2012-07-26 03:21    196608    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-01-26 08:11 . 2012-07-26 03:20    613888    ----a-w-    c:\windows\system32\WUDFx.dll
2014-01-26 08:11 . 2012-07-26 03:20    38912    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-01-25 18:50 . 2012-09-25 16:19    75776    ----a-w-    c:\windows\system32\synceng.dll
2014-01-25 18:49 . 2012-11-20 04:22    204288    ----a-w-    c:\windows\system32\ncrypt.dll
2014-01-25 18:48 . 2013-07-16 04:35    615936    ----a-w-    c:\windows\system32\themeui.dll
2014-01-25 18:47 . 2013-07-08 04:20    172544    ----a-w-    c:\windows\system32\wintrust.dll
2014-01-25 18:47 . 2013-07-08 04:16    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2014-01-25 18:47 . 2013-07-08 04:16    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2014-01-25 18:28 . 2012-01-09 15:54    613376    ----a-w-    c:\windows\system32\rdpencom.dll
2014-01-25 18:02 . 2014-01-25 18:03    --------    d-----w-    c:\windows\system32\ca-ES
2014-01-25 18:02 . 2014-01-25 18:03    --------    d-----w-    c:\windows\system32\eu-ES
2014-01-25 18:02 . 2014-01-25 18:03    --------    d-----w-    c:\windows\system32\vi-VN
2014-01-25 17:40 . 2014-01-25 17:40    --------    d-----w-    c:\users\Brendan\AppData\Local\DHAgent
2014-01-25 16:29 . 2014-01-25 16:29    --------    d-----w-    c:\programdata\{3C5CBD7B-3D1D-411E-96C2-513FFCA84D2D}
2014-01-25 16:29 . 2014-01-25 18:16    --------    d-----w-    c:\programdata\ProductData
2014-01-25 16:29 . 2014-01-25 16:34    --------    d-----w-    c:\programdata\IObit
2014-01-25 16:29 . 2014-01-25 18:32    --------    d-----w-    c:\program files\IObit
2014-01-25 16:29 . 2014-01-25 16:30    --------    d-----w-    c:\users\Brendan\AppData\Roaming\IObit
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-26 08:28 . 2014-01-26 08:28    4096    ----a-w-    c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
2014-01-18 09:02 . 2012-03-30 01:51    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-18 09:02 . 2012-01-29 02:07    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-18 11:13 . 2010-09-16 20:46    231584    ------w-    c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn0\yt.dll" [2013-08-07 1561880]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-01-12 972344]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-10-05 5706480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-12-09 74752]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-07-21 295512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-3-30 562232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54    551296    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PictureMover.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk
backup=c:\windows\pss\PictureMover.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24    54840    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-07-21 19:50    295512    ----a-w-    c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-09-09 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 21:21    1211672    ----a-w-    c:\program files\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 09:02]
.
2014-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-29 13:33]
.
2014-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-29 13:33]
.
2009-08-29 c:\windows\Tasks\HPCeeScheduleForBrendan.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-08-04 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Brendan\AppData\Roaming\Mozilla\Firefox\Profiles\v1gm7te1.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,157,0_0,Search,20140105,20030,0,85,0
FF - ExtSQL: !HIDDEN! 2009-08-19 10:27; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-01 03:46
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2014-02-01  03:49:22
ComboFix-quarantined-files.txt  2014-02-01 08:49
ComboFix2.txt  2014-01-26 22:07
.
Pre-Run: 149,335,941,120 bytes free
Post-Run: 149,323,583,488 bytes free
.
- - End Of File - - E60C8CEF493AD186093B0C407FDB3E40
03BA8F890B47C0BE359A4D5A636D214D

here is the rogue killer report...

[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> REPLACED (1)
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] Seagate 2GEVXDQ6 Product Registration (Brendan) : C:\Users\Brendan\AppData\Roaming\Leadertech\PowerRegister\Seagate 2GEVXDQ6 Product Registration.exe - /remind /language=ENU  /loadsrnm="2GEVXDQ6" /SRNM="2GEVXDQ6" /BRND="Seagate" /BDSR="Seagate 2GEVXDQ6" [x][x][x][x][x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\Users\Brendan\AppData\Local\{38cfd70e-b927-f32d-0109-97da5a527e0d}\@ [-] --> DELETED
[ZeroAccess][Folder] U : C:\Users\Brendan\AppData\Local\{38cfd70e-b927-f32d-0109-97da5a527e0d}\U [-] --> DELETED
[ZeroAccess][Folder] L : C:\Users\Brendan\AppData\Local\{38cfd70e-b927-f32d-0109-97da5a527e0d}\L [-] --> DELETED

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x364D0466)
[Inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x364D0466)
[Inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x364D0466)
[Inline] EAT @firefox.exe (?UndefinedHandleValue@JS@@3V?$Handle@VValue@JS@@@1@B) : mozjs.dll -> HOOKED (Unknown @ 0x654490B1)
[Inline] EAT @firefox.exe (?singleton@CrossCompartmentWrapper@js@@2V12@A) : mozjs.dll -> HOOKED (Unknown @ 0x4D4455CC)
[Inline] EAT @firefox.exe (?singleton@Wrapper@js@@2V12@A) : mozjs.dll -> HOOKED (Unknown @ 0x65445ADC)
[Inline] EAT @firefox.exe (?singletonWithPrototype@Wrapper@js@@2V12@A) : mozjs.dll -> HOOKED (Unknown @ 0x66445AF0)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HD320KJ SCSI Disk Device +++++
--- User ---
[MBR] b8358d4340f1e8d94b279953b40548a7
[BSP] 309fdfd200901d3359dd1e035123a213 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 293829 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 601762770 | Size: 11413 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )

Finished : << RKreport[0]_D_02012014_032727.txt >>
RKreport[0]_S_02012014_032650.txt

#5 amiri baraka
  • Topic Starter
  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 01 February 2014 - 11:10 AM

after restarting my computer, the pop-ups seem to be occurring again...



#6 nasdaq
  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 PM

Posted 01 February 2014 - 02:30 PM

Run this tool.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Uncheck the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).


#7 amiri baraka
  • Topic Starter
  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 01 February 2014 - 07:39 PM

hi,

when i hit the "scan" button it kept saying "pending" but never seemed to actually launch.  however, when i eventually clicked on "report" this is what came up...

# AdwCleaner v3.018 - Report created 01/02/2014 at 19:17:25
# Updated 28/01/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Brendan - PC
# Running from : C:\Users\Brendan\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MySearchDial
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdaterEX

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526


-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\Brendan\AppData\Roaming\Mozilla\Firefox\Profiles\v1gm7te1.default\prefs.js ]


-\\ Google Chrome v32.0.1700.102

[ File : C:\Users\Brendan\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [16958 octets] - [26/01/2014 07:29:30]
AdwCleaner[R1].txt - [1211 octets] - [26/01/2014 07:58:52]
AdwCleaner[R2].txt - [1153 octets] - [26/01/2014 08:25:14]
AdwCleaner[R3].txt - [1339 octets] - [26/01/2014 17:38:31]
AdwCleaner[R4].txt - [1589 octets] - [01/02/2014 19:07:24]
AdwCleaner[R5].txt - [1266 octets] - [01/02/2014 19:17:25]
AdwCleaner[S0].txt - [17495 octets] - [26/01/2014 07:33:22]
AdwCleaner[S1].txt - [1240 octets] - [26/01/2014 08:02:21]
AdwCleaner[S2].txt - [1215 octets] - [26/01/2014 08:56:08]
AdwCleaner[S3].txt - [1400 octets] - [26/01/2014 17:39:40]

########## EOF - C:\AdwCleaner\AdwCleaner[R5].txt - [1567 octets] ##########

#8 nasdaq
  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 PM

Posted 02 February 2014 - 08:59 AM

Run it one more time, let it run for a while, and then hit the Clean button.

How is the computer running now?

#9 amiri baraka
  • Topic Starter
  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 02 February 2014 - 11:21 AM

it runs fine for the most part, but i am still receiving video and web page pop ups that i wouldn't normally get (in fact, one just popped up on this site right now)...



#10 nasdaq
  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 PM

Posted 02 February 2014 - 11:49 AM

Which browser were you using when you got the video and popup?
===

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

at the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.mydigitallife.info/2007/02/17/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/
<<<>>>

#11 amiri baraka
  • Topic Starter
  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 02 February 2014 - 12:45 PM

hi again,

i was able to get the command prompt to "flush dns" but it seemed to have difficulty with the next step.  it said "no local operation can be performed on local area connection while it has its media disconnected"

oh, and i'm using firefox, which was the browser i was using that caused this mess in the first place...


Edited by amiri baraka, 02 February 2014 - 12:45 PM.


#12 nasdaq
  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 PM

Posted 02 February 2014 - 01:25 PM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (Result.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Disable all your Firefox Extension / Plugins.
Restart the computer normally.

Any more popups?

#13 amiri baraka
  • Topic Starter
  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 02 February 2014 - 01:36 PM

here is the log.  now i'm going to disable the extensions and restart so we'll see...

 MiniToolBox by Farbar  Version: 18-01-2012
Ran by Brendan (administrator) on 02-02-2014 at 13:35:04
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

Broadcom 802.11g Network Adapter = Wireless Network Connection (Connected)
NVIDIA nForce 10/100 Mbps Ethernet  = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled taskoffload=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
   Physical Address. . . . . . . . . : 00-0F-66-1E-83-4A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7446:68b9:8163:cd5%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, February 02, 2014 11:09:55 AM
   Lease Expires . . . . . . . . . . : Monday, February 03, 2014 12:43:03 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 201330534
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-37-12-92-00-1E-90-4B-EB-C3
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
   Physical Address. . . . . . . . . : 00-1E-90-4B-EB-C3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{A98ED8F2-CD2A-4269-A79F-2F73FC9DEF54}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:1028:2986:3f57:fefb(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1028:2986:3f57:fefb%12(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : isatap.home
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  Wireless_Broadband_Router.home
Address:  192.168.1.1

Name:    google.com
Addresses:  2607:f8b0:4006:801::1006
      74.125.226.224
      74.125.226.233
      74.125.226.231
      74.125.226.229
      74.125.226.226
      74.125.226.238
      74.125.226.227
      74.125.226.230
      74.125.226.225
      74.125.226.228
      74.125.226.232



Pinging google.com [74.125.226.229] with 32 bytes of data:

Reply from 74.125.226.229: bytes=32 time=20ms TTL=250

Reply from 74.125.226.229: bytes=32 time=19ms TTL=250



Ping statistics for 74.125.226.229:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 19ms, Maximum = 20ms, Average = 19ms

Server:  Wireless_Broadband_Router.home
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  206.190.36.45
      98.138.253.109
      98.139.183.24



Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=146ms TTL=246

Reply from 206.190.36.45: bytes=32 time=113ms TTL=246



Ping statistics for 206.190.36.45:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 113ms, Maximum = 146ms, Average = 129ms

Server:  Wireless_Broadband_Router.home
Address:  192.168.1.1

Name:    bleepingcomputer.com
Addresses:  190.93.251.92
      190.93.250.92



Pinging bleepingcomputer.com [190.93.250.92] with 32 bytes of data:

Reply from 190.93.250.92: bytes=32 time=18ms TTL=250

Reply from 190.93.250.92: bytes=32 time=19ms TTL=250



Ping statistics for 190.93.250.92:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 18ms, Maximum = 19ms, Average = 18ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
 11 ...00 0f 66 1e 83 4a ...... Broadcom 802.11g Network Adapter
 10 ...00 1e 90 4b eb c3 ...... NVIDIA nForce 10/100 Mbps Ethernet
  1 ........................... Software Loopback Interface 1
 13 ...00 00 00 00 00 00 00 e0  isatap.{A98ED8F2-CD2A-4269-A79F-2F73FC9DEF54}
 12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 14 ...00 00 00 00 00 00 00 e0  isatap.home
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.4     30
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.4    286
      192.168.1.4  255.255.255.255         On-link       192.168.1.4    286
    192.168.1.255  255.255.255.255         On-link       192.168.1.4    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.4    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.4    286
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     18 ::/0                     On-link
  1    306 ::1/128                  On-link
 12     18 2001::/32                On-link
 12    266 2001:0:5ef5:79fd:1028:2986:3f57:fefb/128
                                    On-link
 11    286 fe80::/64                On-link
 12    266 fe80::/64                On-link
 12    266 fe80::1028:2986:3f57:fefb/128
                                    On-link
 11    286 fe80::7446:68b9:8163:cd5/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    266 ff00::/8                 On-link
 11    286 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

**** End of log ****

Edited by amiri baraka, 02 February 2014 - 01:37 PM.


#14 amiri baraka
  • Topic Starter
  • Members
  • 64 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 02 February 2014 - 01:48 PM

nice...it APPEARS to be pop-up free.  should i replug-in the extensions?



#15 nasdaq
  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:27 PM

Posted 03 February 2014 - 08:03 AM

nice...it APPEARS to be pop-up free. should i replug-in the extensions?

Yes but only one or two at a time.
You may then be able to identify which one is causing this.

Please let me know.