
Computer infected with programs...I think


  • This topic is locked
107 replies to this topic

#1 senorkevin


Posted 19 February 2015 - 08:56 PM

I have some programs that have just appeared and I can't remove them. I'm sure there are other things too.

Here are the copies from FRST.

Many thanks.

Also I have tried with Malwarebytes but nothing happens, here is a log.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 18/02/2015
Scan Time: 09:45:27
Logfile: Malware 1802.txt
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.02.18.01
Rootkit Database: v2015.02.03.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Kevin
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 393888
Time Elapsed: 3 hr, 43 min, 46 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 5
PUP.Optional.MyPCBackup.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BackupStack, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MyPC Backup, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MyPC Backup, , [3dac2af5cac0e45211ff039541c22bd5], 
PUP.Optional.MyPCBackup.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MyPC Backup, , [4b9e24fb1179ba7c2ee2a5f3d132fe02], 
PUP.Optional.VOPackage, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\VOPACKAGE, , [0edba17ecfbb4de9137a8133a65d04fc], 
 
Registry Values: 2
PUP.Optional.VOPackage, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\VOPACKAGE|UninstallString, "C:\Users\Kevin\AppData\Roaming\VOPackage\Uninstall.exe", , [0edba17ecfbb4de9137a8133a65d04fc]
PUP.Optional.MyPCBackup.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BACKUPSTACK|ImagePath, C:\Program Files (x86)\MyPC Backup\BackupStack.exe, , [3eab65ba9eecfb3bec74119010f39967]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 6
PUP.Optional.MyPCBackup.A, C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup, , [dc0dca55206adc5ac09eb9e8fd062fd1], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\x64, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\x86, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.VOPackage.A, C:\Users\Kevin\AppData\Roaming\VOPackage, , [0ddc9e815535cb6b49946723fb08c63a], 
PUP.Optional.VOPackage.A, C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage, , [96534ad56624d95dbf1f0b7f44bf0ef2], 
 
Files: 52
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Service Start.exe, , [b039de417c0e95a1f64bf9f4768b7b85], 
PUP.Optional.MyPCBackup.A, C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk, , [2ebba679fe8c3df94517178aa65d7b85], 
PUP.Optional.MyPCBackup.A, C:\Users\Kevin\Desktop\MyPC Backup.lnk, , [8069899692f85dd9114c1091ec176d93], 
PUP.Optional.MyPCBackup.A, C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\MyPC Backup.lnk, , [dc0dca55206adc5ac09eb9e8fd062fd1], 
PUP.Optional.MyPCBackup.A, C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup\Uninstall.lnk, , [dc0dca55206adc5ac09eb9e8fd062fd1], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\pt_PT.mo, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\BplusDotNet.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\AlphaFS.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\AlphaVSS.51.x86.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\AlphaVSS.52.x64.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\AlphaVSS.52.x86.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\AlphaVSS.60.x64.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\AlphaVSS.60.x86.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\AlphaVSS.Common.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\BackupStack.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\BackupStackUI.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet20_x64.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet20_x86.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet40_x64.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\RegisterExtensionDotNet40_x86.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Shared Stack.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\SignupWizard.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\syncicon.ico, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\System.Data.SQLite.DLL, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\uninst.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\UnRegisterExtensions.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Updater.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Updater_.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\websocket-sharp.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Configuration Updater.exe, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\de_DE.mo, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\es_ES.mo, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\fr_FR.mo, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\GetText.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\InstMgr.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Ionic.Zip.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\it_IT.mo, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\LogicNP.EZShellExtensions.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Microsoft.Win32.TaskScheduler.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\MPCBClient.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\MPCBContextMenu.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\mypcbackup.ico, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\NativeHashWrapper.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\Newtonsoft.Json.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\ObjectListView.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\PipeDiff.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\x64\SQLite.Interop.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.MyPCBackup.A, C:\Program Files (x86)\MyPC Backup\x86\SQLite.Interop.dll, , [31b8f02fec9eeb4b1d42069b9b6849b7], 
PUP.Optional.VOPackage.A, C:\Users\Kevin\AppData\Roaming\VOPackage\Uninstall.exe, , [0ddc9e815535cb6b49946723fb08c63a], 
PUP.Optional.VOPackage.A, C:\Users\Kevin\AppData\Roaming\VOPackage\VOPackage.exe, , [0ddc9e815535cb6b49946723fb08c63a], 
PUP.Optional.VOPackage.A, C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage\Configure.lnk, , [96534ad56624d95dbf1f0b7f44bf0ef2], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)



Edited by senorkevin, 19 February 2015 - 09:02 PM.



 


#2 senorkevin


Posted 19 February 2015 - 11:42 PM

The program I can't remove is called PC Speed Up



#3 senorkevin


Posted 20 February 2015 - 11:26 AM

Do I need to run any other programs?



#4 olgun52

  • Malware Response Team

Posted 20 February 2015 - 02:55 PM

Hello senorkevin and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

 

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
 

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

 

  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please get help here.

Thanks

---------------------------------------------------------------------------------------------------------

 

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.

 

Have a nice day.

:hello:

 


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#5 olgun52


Posted 21 February 2015 - 09:34 AM

senorkevin,
 

I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here.

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

 
Step 1:

  • Download and extract Malwarebytes Anti-Rootkit from here mbar-1.07.0.1009.zip and save it to your desktop.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double-click mbar.exe inside the mbar folder then click 'Next'.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.
  • Click 'Update'.
  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two message boxes:
    • 'Could not load protection driver'. Click 'OK'.
    • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please zip and attach the two log files created by the tool within the folder from which it was run.

The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt
 
Step 2:
 
Please download RogueKiller 32/64 bit to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)


Best regards
 

 


 


#6 senorkevin


Posted 21 February 2015 - 11:11 AM

Hello. Thank you for your reply. I have uninstalled the program and have begun scanning. I will post reports when done.



#7 senorkevin


Posted 21 February 2015 - 12:07 PM

mbar found nothing but the scanner ran this morning. I don't know if that will make a difference.

I'm running RogueKiller now...



#8 senorkevin


Posted 21 February 2015 - 12:59 PM

RogueKiller V10.4.1.0 [Feb 19 2015] by Adlice Software
 
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Kevin [Administrator]
Mode : Scan -- Date : 02/21/2015  11:45:48
 
¤¤¤ Processes : 4 ¤¤¤
[Suspicious.Path] JOSrv.exe(2140) -- C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe[-] -> Killed [TermProc]
[Suspicious.Path] FacebookUpdate.exe(5932) -- C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe[7] -> Killed [TermProc]
[Suspicious.Path] nsoAAD.tmp(7140) -- C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\nsoAAD.tmp[-] -> Killed [TermProc]
[PUP] (SVC) PCSUService -- C:\Program Files (x86)\PC Speed Up\PCSUService.exe[7] -> Stopped
 
¤¤¤ Registry : 27 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Windows\CurrentVersion\Run | Facebook Update : "C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver  -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Windows\CurrentVersion\Run | PCSpeedUp : C:\Program Files (x86)\PC Speed Up\PCSUNotifier.exe  -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Windows\CurrentVersion\Run | Facebook Update : "C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver  -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Windows\CurrentVersion\Run | PCSpeedUp : C:\Program Files (x86)\PC Speed Up\PCSUNotifier.exe  -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Malwarebytes Anti-Malware (cleanup) : "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe" "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware"  -> Found
[Rans.Gendarm] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Update : \VOPackage.exe /runonce  -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCSUService (C:\Program Files (x86)\PC Speed Up\PCSUService.exe) -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\qqpiru (System32\drivers\uchwsowk.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\serverjo (C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\zuvicoti (C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\nsoAAD.tmp) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCSUService (C:\Program Files (x86)\PC Speed Up\PCSUService.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serverjo (C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zuvicoti (C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\nsoAAD.tmp) -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3  -> Found
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.searchult.com/?bd=ds&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3&q={searchTerms}  -> Found
[PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.searchult.com/?bd=ds&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3&q={searchTerms}  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 [(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 [(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4F83C3B3-B028-416E-BCC8-937BE34B1581} | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 [(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4F83C3B3-B028-416E-BCC8-937BE34B1581} | DhcpNameServer : 10.2.9.18 10.3.9.18 10.3.1.100 [(Private Address) (XX)][(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
 
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] FacebookUpdateTaskUserS-1-5-21-2609012034-2213053028-1558288165-1001Core.job -- C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe (/c /nocrashserver) -> Found
 
¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] Download.lnk -- C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download.lnk [LNK@] C:\PROGRA~3\{1531B~1\Download.exe --startup=1 -> Found
 
¤¤¤ Hosts File : 3 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD050 +++++
--- User ---
[MBR] 2e999f71eb457ca090500919f38269ac
[BSP] 14d3ac15a2ef3a3ef823c93b67fde302 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 300 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 616448 | Size: 600 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1845248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2107392 | Size: 190426 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 392099840 | Size: 350 MB
5 - Basic data partition | Offset (sectors): 392816640 | Size: 264655 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 934830080 | Size: 20480 MB
User = LL1 ... OK
User = LL2 ... OK


#9 olgun52


Posted 21 February 2015 - 01:00 PM

Even if tools don't find malware, I want you to post the logfiles anyway. Thank you. :hello:


Best regards
 

 


 


#10 senorkevin


Posted 21 February 2015 - 01:03 PM

I can't find the one more mbar



#11 senorkevin


Posted 21 February 2015 - 01:05 PM

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.3.9200 Windows 8.1 x64
 
Account is Administrative
 
Internet Explorer version: 11.0.9600.17631
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.295000 GHz
Memory total: 4173148160, free: 1810198528
 
Downloaded database version: v2015.02.21.05
Downloaded database version: v2015.02.20.01
Downloaded database version: v2014.12.06.01
Initializing...
======================
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 52891CA4
 
GPT Protective MBR Partition information:
 
    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
GPT Partition information:
 
    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 1452013620
    GPT Header CurrentLba = 1 BackupLba 976773167
    GPT Header FirstUsableLba 34  LastUsableLba 976773134
    GPT Header Guid 950b8517-4f81-42c3-b0f-68b1f4d426b3
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128
 
    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 1452013620
    Backup GPT header CurrentLba = 976773167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 976773134
    Backup GPT header Guid 950b8517-4f81-42c3-b0f-68b1f4d426b3
    Backup GPT header Contains 128 partition entries starting at LBA 976773135
    Backup GPT header Partition entry size = 128
 
    Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 1e3b7ddb-2561-4621-a514-adf1bfc7787
    FirstLBA 2048  Last LBA 616447
    Attributes 0
    Partition Name                 EFI system partition
 
    GPT Partition 0 is bootable
    Partition 1 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 53fca6f1-4120-49f1-9dc9-20f142cb1ade
    FirstLBA 616448  Last LBA 1845247
    Attributes 1
    Partition Name                 Basic data partition
 
    Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID b083c80c-ee8b-4245-b4e3-2cbc87906ccb
    FirstLBA 1845248  Last LBA 2107391
    Attributes 0
    Partition Name         Microsoft reserved partition
 
    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 7200359d-96f0-4a96-9857-6e59f29ae985
    FirstLBA 2107392  Last LBA 392099839
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 4 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 4a91bbea-f469-4e8a-8cb8-861fbe615ee8
    FirstLBA 392099840  Last LBA 392816639
    Attributes 1
    Partition Name                                     
 
    Partition 5 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID 9391e3b4-adf4-4a69-b550-eac380a975b8
    FirstLBA 392816640  Last LBA 934830079
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 6 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 24912961-6cfd-4b5f-aacb-a741b92810
    FirstLBA 934830080  Last LBA 976773119
    Attributes 1
    Partition Name                 Basic data partition
 
Disk Size: 500107862016 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

Found it...I think!



#12 olgun52


Posted 21 February 2015 - 01:28 PM

Hi, thank you for the logs.
 
Step 1:
FRST Script:
Please download the attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Note: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
 
Step 2:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Regards. :hello:

 



Best regards
 

 


 


#13 senorkevin

senorkevin
  • Topic Starter


Posted 21 February 2015 - 02:50 PM

Do I need to restart after the fix?


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-02-2015 01
Ran by Kevin at 2015-02-21 13:46:52 Run:2
Running from C:\Users\Kevin\Desktop
Loaded Profiles: Kevin (Available profiles: Kevin)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CloseProcesses:
C:\Program Files (x86)\PC Speed Up\PCSUService.exe
C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe
C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\nsoAAD.tmp
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\RunOnce: [Update] => \VOPackage.exe /runonce
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR dev: Chrome dev build detected! <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3
HKU\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3
SearchScopes: HKLM -> DefaultScope {E921F400-D383-4B1B-9DE6-FCFCACFC1173} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {E921F400-D383-4B1B-9DE6-FCFCACFC1173} URL = 
Toolbar: HKU\S-1-5-21-2609012034-2213053028-1558288165-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
R2 PCSUService; C:\Program Files (x86)\PC Speed Up\PCSUService.exe [437704 2014-12-10] ()
R2 serverjo; C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe [127488 2015-02-16] () [File not signed]
R2 zuvicoti; C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\nsoAAD.tmp 
2015-02-18 13:38 - 2015-02-18 13:38 - 00009219 _____ () C:\Users\Kevin\Desktop\Malware 1802.txt
2015-02-17 17:33 - 2015-02-17 17:33 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\29AD3C80-1424194414-81E2-25E5-50465DE8C0E7
2015-02-16 13:10 - 2015-02-16 13:10 - 00000000 ____D () C:\Users\Kevin\Documents\PCSpeedUp
2015-02-16 12:34 - 2015-02-16 12:34 - 00613057 _____ (CMI Limited) C:\Users\Kevin\AppData\Local\nsp1E64.tmp
2015-02-16 10:37 - 2015-02-19 09:10 - 00000352 _____ () C:\WINDOWS\Tasks\PC SpeedUp Service Deactivator.job
2015-02-16 10:37 - 2015-02-17 17:29 - 00000000 ____D () C:\Program Files (x86)\PC Speed Up
2015-02-16 10:37 - 2015-02-16 12:36 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\SoftwareUpdater
2015-02-16 10:37 - 2015-02-16 10:37 - 00002714 _____ () C:\WINDOWS\System32\Tasks\PC SpeedUp Service Deactivator
2015-02-16 10:37 - 2015-02-16 10:37 - 00001066 _____ () C:\Users\Kevin\Desktop\PC Speed Up.lnk
2015-02-16 10:37 - 2015-02-16 10:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up
C:\Users\Kevin\AppData\Local\Temp\91EF6D80-9A83-3486-B847-BCC225C120A7.dll
C:\Users\Kevin\AppData\Local\Temp\91EF6D80-9A83-3486-B847-BCC225C120A7.exe
C:\Users\Kevin\AppData\Local\Temp\A68A5AB7-AA27-5400-F37C-DD25BF88CE4E.exe
C:\Users\Kevin\AppData\Local\Temp\cbgcabfccbhi.exe
C:\Users\Kevin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpydq5by.dll
C:\Users\Kevin\AppData\Local\Temp\Execute2App.exe
C:\Users\Kevin\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Kevin\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Kevin\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Kevin\AppData\Local\Temp\msvcp90.dll
C:\Users\Kevin\AppData\Local\Temp\msvcr90.dll
C:\Users\Kevin\AppData\Local\Temp\OnlineBackup.exe
C:\Users\Kevin\AppData\Local\Temp\Quarantine.exe
C:\Users\Kevin\AppData\Local\Temp\siinst.exe
C:\Users\Kevin\AppData\Local\Temp\strings.dll
C:\Users\Kevin\AppData\Local\Temp\Uninstall.exe
Task: {1DB32FB4-4517-4C0F-A056-5C645EF6186F} - System32\Tasks\{D64EDCD8-1B38-4CA7-A094-04DA1F65EDD7} => pcalua.exe -a "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\uninstbb.exe"
Task: {67B87784-60A9-453C-AEAE-F81CFA2F0C45} - System32\Tasks\{19F830D9-3A4D-4120-A73C-A6BDBF2D5B89} => pcalua.exe -a C:\Users\Kevin\AppData\Roaming\VOPackage\Uninstall.exe
Task: {8E46639C-12C4-4D2F-92F5-B548946AF129} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
Task: {DF6C728A-344A-41DD-B4BB-A97BE32199A5} - System32\Tasks\PC SpeedUp Service Deactivator => C:\Program Files (x86)\PC Speed Up\PCSUSD.exe [2014-12-10] () <==== ATTENTION
Task: C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2609012034-2213053028-1558288165-1001Core.job => C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\PC SpeedUp Service Deactivator.job => C:\Program Files (x86)\PC Speed Up\PCSUSD.exe <==== ATTENTION
2015-02-16 10:37 - 2014-12-10 16:04 - 00437704 _____ () C:\Program Files (x86)\PC Speed Up\PCSUService.exe
2015-02-16 10:37 - 2015-02-16 10:37 - 00127488 _____ () C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe
2015-02-18 23:37 - 2015-02-18 23:37 - 00224256 _____ () C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\nsoAAD.tmp
2015-02-16 10:37 - 2014-12-10 16:04 - 00583712 _____ () C:\Program Files (x86)\PC Speed Up\sqlite3.dll
2015-02-17 16:46 - 2015-02-17 16:46 - 00043008 _____ () c:\users\kevin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpydq5by.dll
AlternateDataStreams: C:\ProgramData\Temp:A303874F
AlternateDataStreams: C:\Users\Kevin\SkyDrive:ms-properties
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCSUService
HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3 
HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3 
FacebookUpdateTaskUserS-1-5-21-2609012034-2213053028-1558288165-1001Core.job -- C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe
C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download.lnk 
C:\PROGRA~3\{1531B~1\Download.exe 
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
Hosts:
*****************
 
Processes closed successfully.
C:\Program Files (x86)\PC Speed Up\PCSUService.exe => Moved successfully.
C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe => Moved successfully.
C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\nsoAAD.tmp => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Update => value deleted successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => Moved successfully.
C:\WINDOWS\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKU\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKU\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKU\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found. 
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => Value was restored successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9" => Key deleted successfully.
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\msktbird@mcafee.com => value deleted successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command\\Default => Value was restored successfully.
PCSUService => Service deleted successfully.
serverjo => Service deleted successfully.
zuvicoti => Service deleted successfully.
C:\Users\Kevin\Desktop\Malware 1802.txt => Moved successfully.
C:\Users\Kevin\AppData\Roaming\29AD3C80-1424194414-81E2-25E5-50465DE8C0E7 => Moved successfully.
C:\Users\Kevin\Documents\PCSpeedUp => Moved successfully.
C:\Users\Kevin\AppData\Local\nsp1E64.tmp => Moved successfully.
C:\WINDOWS\Tasks\PC SpeedUp Service Deactivator.job => Moved successfully.
C:\Program Files (x86)\PC Speed Up => Moved successfully.
C:\Users\Kevin\AppData\Roaming\SoftwareUpdater => Moved successfully.
C:\WINDOWS\System32\Tasks\PC SpeedUp Service Deactivator => Moved successfully.
C:\Users\Kevin\Desktop\PC Speed Up.lnk => Moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Up => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\91EF6D80-9A83-3486-B847-BCC225C120A7.dll => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\91EF6D80-9A83-3486-B847-BCC225C120A7.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\A68A5AB7-AA27-5400-F37C-DD25BF88CE4E.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\cbgcabfccbhi.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpydq5by.dll => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\Execute2App.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\jre-8u31-windows-au.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\msvcp90.dll => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\msvcr90.dll => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\OnlineBackup.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\siinst.exe => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\strings.dll => Moved successfully.
C:\Users\Kevin\AppData\Local\Temp\Uninstall.exe => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1DB32FB4-4517-4C0F-A056-5C645EF6186F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1DB32FB4-4517-4C0F-A056-5C645EF6186F}" => Key deleted successfully.
C:\Windows\System32\Tasks\{D64EDCD8-1B38-4CA7-A094-04DA1F65EDD7} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D64EDCD8-1B38-4CA7-A094-04DA1F65EDD7}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{67B87784-60A9-453C-AEAE-F81CFA2F0C45}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67B87784-60A9-453C-AEAE-F81CFA2F0C45}" => Key deleted successfully.
C:\Windows\System32\Tasks\{19F830D9-3A4D-4120-A73C-A6BDBF2D5B89} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{19F830D9-3A4D-4120-A73C-A6BDBF2D5B89}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8E46639C-12C4-4D2F-92F5-B548946AF129}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8E46639C-12C4-4D2F-92F5-B548946AF129}" => Key deleted successfully.
C:\Windows\System32\Tasks\LaunchSignup => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchSignup" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF6C728A-344A-41DD-B4BB-A97BE32199A5}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF6C728A-344A-41DD-B4BB-A97BE32199A5}" => Key deleted successfully.
C:\Windows\System32\Tasks\PC SpeedUp Service Deactivator not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PC SpeedUp Service Deactivator" => Key deleted successfully.
C:\WINDOWS\Tasks\FacebookUpdateTaskUserS-1-5-21-2609012034-2213053028-1558288165-1001Core.job => Moved successfully.
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.
C:\WINDOWS\Tasks\PC SpeedUp Service Deactivator.job not found.
"C:\Program Files (x86)\PC Speed Up\PCSUService.exe" => File/Directory not found.
"C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe" => File/Directory not found.
"C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\nsoAAD.tmp" => File/Directory not found.
"C:\Program Files (x86)\PC Speed Up\sqlite3.dll" => File/Directory not found.
"c:\users\kevin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpydq5by.dll" => File/Directory not found.
C:\ProgramData\Temp => ":A303874F" ADS removed successfully.
"C:\Users\Kevin\SkyDrive" => ":ms-properties" ADS not found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCSUService => Error: No automatic fix found for this entry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3 => Error: No automatic fix found for this entry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3 => Error: No automatic fix found for this entry.
HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3 => Error: No automatic fix found for this entry.
HKEY_USERS\S-1-5-21-2609012034-2213053028-1558288165-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.searchult.com/?bd=hp&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3 => Error: No automatic fix found for this entry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.searchult.com/?bd=ds&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3&q => Error: No automatic fix found for this entry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.searchult.com/?bd=ds&oem=clckmn&uid=TOSHIBAXMQ01ABD050_8297SME2SXX8297SME2S&version=2.0.0.1288&pid=414031160&cs=71fce823b48a58162d1c9a20282207d3&q => Error: No automatic fix found for this entry.
FacebookUpdateTaskUserS-1-5-21-2609012034-2213053028-1558288165-1001Core.job -- C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe => Error: No automatic fix found for this entry.
C:\Users\Kevin\AppData\Local\Facebook\Update\FacebookUpdate.exe => Moved successfully.
C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download.lnk => Moved successfully.
C:\PROGRA~3\{1531B~1\Download.exe => Moved successfully.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv4 reset =========
 
Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv6 reset =========
 
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 10.8 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 13:47:32 ====

Also my Google homepage has changed to Searchult.
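
Added example (not part of the original posts and not part of FRST): one way to triage a Fixlog like the one above, separating entries that were fixed from those reported as "not found" or "Error: No automatic fix found", and picking up failed CMD output and the reboot notice. The function name `triage_fixlog` is hypothetical, the result keywords are assumed from the log shown in this thread, and the sample is a shortened log constructed from lines in that post.

```python
import re

# Constructed sample: a shortened Fixlog assembled from lines in the post above.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
CMD: netsh int ipv4 reset
*****************

C:\Program Files (x86)\PC Speed Up\PCSUService.exe => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
PCSUService => Service deleted successfully.
C:\WINDOWS\Tasks\PC SpeedUp Service Deactivator.job not found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCSUService => Error: No automatic fix found for this entry.

=========  netsh int ipv4 reset =========
Resetting Global, OK!
Resetting , failed.
Access is denied.
Restart the computer to complete this action.
========= End of CMD: =========

EmptyTemp: => Removed 10.8 GB temporary data.
The system needed a reboot.
==== End of Fixlog 13:47:32 ====
"""

# Matches "=========  <command> =========" and the "End of ..." banners.
BANNER = re.compile(r"^=+\s+(.+?)\s+=+$")

def triage_fixlog(text):
    """Classify Fixlog outcome lines; the echoed fixlist itself is skipped."""
    report = {"ok": [], "not_found": [], "error": [],
              "cmd_failures": {}, "reboot": False}
    in_fixlist, cmd = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"*"}:        # delimiter around the echoed fixlist
            in_fixlist = not in_fixlist
            continue
        if in_fixlist:                # requested actions, not outcomes
            continue
        banner = BANNER.match(line)
        if banner:
            title = banner.group(1)
            cmd = None if title.startswith("End of") else title
            continue
        if cmd is not None:           # raw output of a CMD: directive
            if re.search(r"failed|denied", line, re.I):
                report["cmd_failures"].setdefault(cmd, []).append(line)
            if "restart the computer" in line.lower():
                report["reboot"] = True
            continue
        if " => " in line:            # split on the last arrow only
            entry, result = line.rsplit(" => ", 1)
        elif line.endswith(" not found."):
            entry, result = line[: -len(" not found.")], "not found."
        else:
            if "needed a reboot" in line:
                report["reboot"] = True
            continue
        entry = entry.strip('"')
        if result.startswith("Error:"):
            report["error"].append(entry)
        elif "not found" in result.lower():
            report["not_found"].append(entry)
        else:
            report["ok"].append(entry)
    return report

if __name__ == "__main__":
    r = triage_fixlog(SAMPLE_FIXLOG)
    print("reboot required:", r["reboot"])
    for key in ("error", "not_found"):
        for entry in r[key]:
            print(f"{key}: {entry}")
    print("cmd failures:", r["cmd_failures"])
```
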



#14 olgun52

olgun52

  • Malware Response Team

Posted 21 February 2015 - 03:26 PM

OK. Please restart the PC now and run the other steps.



 


 


#15 senorkevin

senorkevin
  • Topic Starter


Posted 21 February 2015 - 03:43 PM

# AdwCleaner v4.111 - Logfile created 21/02/2015 at 13:54:40
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 8.1 Single Language  (x64)
# Username : Kevin - KEVIN
# Running from : C:\Users\Kevin\Desktop\adwcleaner_4.111.exe
# Option : Scan
 
***** [ Services ] *****
 
Service Found : BackupStack
Service Found : pcsuservice
 
***** [ Files / Folders ] *****
 
File Found : C:\Users\Kevin\Desktop\Continue Live Installation.lnk
Folder Found : C:\Program Files (x86)\AnyProtectEx
Folder Found : C:\ProgramData\16210007909975131688
Folder Found : C:\Users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\hgcbekfjcjanabcadhmnilbgnfdjjnoe
Folder Found : C:\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\hgcbekfjcjanabcadhmnilbgnfdjjnoe
Folder Found : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgcbekfjcjanabcadhmnilbgnfdjjnoe
Folder Found : C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\hgcbekfjcjanabcadhmnilbgnfdjjnoe
Folder Found : C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\hgcbekfjcjanabcadhmnilbgnfdjjnoe
Folder Found : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgcbekfjcjanabcadhmnilbgnfdjjnoe
Folder Found : C:\Users\Kevin\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\hgcbekfjcjanabcadhmnilbgnfdjjnoe
Folder Found : C:\Users\Kevin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\hgcbekfjcjanabcadhmnilbgnfdjjnoe
Folder Found : C:\Users\Kevin\AppData\Local\Microsoft\Silverlight\OutOfBrowser\Speedchecker.PCSpeedUp
Folder Found : C:\Users\Kevin\AppData\Roaming\AnyProtectEx
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\AnyProtect
Key Found : HKCU\Software\Speedchecker Limited
Key Found : [x64] HKCU\Software\AnyProtect
Key Found : [x64] HKCU\Software\Speedchecker Limited
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B89F5C49-51DB-4974-AB5A-E25901AA339C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E9B5B0D2-D08A-49FC-8B5C-159B60BAA268}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCSU-SL_is1
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [pcspeedup]
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v35.0.1916.153
 
[C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
[C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3324774&octid=EB_ORIGINAL_CTID&ISID=M0B082408-539A-4116-A3E1-1D5BB26539EB&SearchSource=58&CUI=&UM=6&UP=SP4234220F-1105-4243-8686-7A750236B6E9&q={searchTerms}&SSPV=
 
-\\ Comodo Dragon v
 
 
-\\ Chrome Canary v
 
*************************
 
AdwCleaner[R0].txt - [1436 bytes] - [19/08/2014 07:32:14]
AdwCleaner[R1].txt - [419 bytes] - [21/02/2015 13:53:03]
AdwCleaner[R2].txt - [4047 bytes] - [21/02/2015 13:54:40]
AdwCleaner[S0].txt - [1471 bytes] - [19/08/2014 07:34:57]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [4165 bytes] ##########




