
Infected with rootkit.0access.H



Hello,

Malwarebytes detected RootKit.0Access.H but couldn't clean it. I ran DDS and I'm posting the DDS and attach logs below. Thanks in advance for your help with this.

Sam

DDS LOG

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by Usama at 17:23:49 on 2012-04-13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.163 [GMT -4:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Norton Internet Worm Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\Program Files\Maxtor\Utils\SyncServices.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Sony\ISB Utility\ISBMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Maxtor\ManagerApp\Onetouch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apntex.exe

\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100

uInternet Settings,ProxyOverride = cdn;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

mURLSearchHooks: H - No File

BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File

TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe

mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe

mRun: [sonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe

mRun: [iSBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [MaxtorOneTouch] c:\program files\maxtor\managerapp\Onetouch.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

Hosts: 87.229.126.50 www.google.com

Hosts: 87.229.126.51 www.bing.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\usama\application data\mozilla\firefox\profiles\jsuer6ve.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\usama\application data\move networks\plugins\npqmp071705000014.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.50524.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll

.

---- FIREFOX POLICIES ----

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-24 11608]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-24 56816]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-8-10 722616]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-1-16 1247600]

S0 uyphwqyl;uyphwqyl;c:\windows\system32\drivers\hpionje.sys --> c:\windows\system32\drivers\hpionje.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-3 133104]

S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-4-6 104000]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 253600]

S3 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-24 108289]

S3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-24 185089]

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2008-2-16 22136]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-3 133104]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\batterycare\WinRing0.sys [2008-7-26 14416]

.

=============== Created Last 30 ================

.

2012-04-13 21:23:21 54016 ----a-w- c:\windows\system32\drivers\pfqpingq.sys

2012-04-06 04:45:17 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-06 00:13:21 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-03-26 15:41:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2012-03-26 15:41:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find3M ====================

.

2012-04-06 05:16:35 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 17:25:05.26 ===============

ATTACH LOG

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 5/12/2006 9:47:28 PM

System Uptime: 4/13/2012 5:05:17 PM (0 hours ago)

Processor: Intel® Pentium® M processor 1.73GHz | N/A | 1729/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 69 GiB total, 38.713 GiB free.

D: is Removable

E: is CDROM ()

F: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems SSL VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems SSL VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CSVirtA

.

==== System Restore Points ===================

.

RP205: 2/20/2012 2:22:07 AM - System Checkpoint

RP206: 3/16/2012 6:56:00 PM - System Checkpoint

RP207: 3/24/2012 11:59:23 AM - System Checkpoint

RP208: 3/26/2012 11:36:50 AM - System Checkpoint

RP209: 4/8/2012 10:56:55 AM - System Checkpoint

RP210: 4/13/2012 4:03:12 PM - System Checkpoint

.

==== Installed Programs ======================

.

.

ACDSee 32

Acrobat.com

Active Disk

Adobe Acrobat 4.0

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Photoshop Album 2.0 Starter Edition

Adobe Reader 9.5.1

Advanced SystemCare 3

Apple Mobile Device Support

Apple Software Update

Audacity 1.2.4

Avira AntiVir Personal - Free Antivirus

BatteryCare

Bonjour

BUM

CardRd81

CCScore

Cisco SSL VPN Client

Click to DVD 2.0.03 Menu Data

Click to DVD 2.5.00

Comcast High-Speed Internet Install Wizard

Compatibility Pack for the 2007 Office system

CR2

Critical Update for Windows Media Player 11 (KB959772)

Debut Video Capture Software

DivX Converter

DivX Plus DirectShow Filters

DivX Setup

DivX Version Checker

ERUNT 1.1j

ESSBrwr

ESSCDBK

ESScore

ESSCT

ESSEMAIL

ESSgui

ESShelp

ESSini

ESSPCD

ESSPDock

ESSSONIC

ESSTOOLS

ESSTUTOR

essvatgt

essvcpt

ESSvpaht

ESSvpot

FastStone Image Viewer 2.8

Free FLV Converter V 1.4

Freecorder 2.3 (with Skype Call Recording)

GIMP 2.4.4

Google Chrome

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

HDAUDIO SoftV92 Data Fax Modem with SmartCP

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

HLPIndex

HLPPDOCK

HLPSFO

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Image Converter 2 Plus

Intel® Graphics Media Accelerator Driver for Mobile

Intel® PRO Network Connections Drivers

Intel® PROSet/Wireless Software

InterVideo WinDVD for VAIO

iolo technologies' DriveScrubber 3

IomegaWare 4.0.3

ISScript

iTunes

Java Auto Updater

Java™ 6 Update 29

KODAK EASYSHARE Gallery Easy Upload, v2.1

Kodak EasyShare software

KSU

LiveUpdate 3.0 (Symantec Corporation)

LiveUpdate Notice (Symantec Corporation)

Macromedia Dreamweaver MX

Macromedia Extension Manager

Malwarebytes Anti-Malware version 1.61.0.1400

Maxtor OneTouch III

McAfee Security Scan Plus

mCore

mDriver

Memory Stick Formatter

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft Office Standard Edition 2003

Microsoft Silverlight

Microsoft SQL Server Desktop Engine (VAIO_VEDB)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Works

mMHouse

Move Media Player

Movie Joiner

Mozilla Firefox 11.0 (x86 en-US)

mPfMgr

mProSafe

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

mWlsSafe

mXML

Notifier

Office 2003 Trial Assistant

OfotoXMI

OpenMG Secure Module 4.3.00

OpenOffice.org Installer 1.0

Orbit Downloader

OTtBP

OTtBPSDK

Panda ActiveScan

QuickTime

RealPlayer

Realtek High Definition Audio Driver

Rhapsody Player Engine

Roxio DigitalMedia Audio

Roxio DigitalMedia Copy

Roxio DigitalMedia Data

Search Enhancement by AOL Search

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Setting Utility Series

SFR

SHASTA

SKIN0001

SKINXSDK

SonicStage 3.3

Sony Certificate PCH

Sony MP4 Shared Library

Sony USB Mouse

Sony Utilities DLL

Sony Video Shared Library

SopCast 3.0.3

Symantec KB-DocID:2003093015493306

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VAIO Breeze Wallpaper

VAIO Central

VAIO Entertainment Platform

VAIO Event Service

VAIO Light Flo Wallpaper

VAIO Media 5.0

VAIO Media AC3 Decoder 1.0

VAIO Media Integrated Server 5.0

VAIO Media Redistribution 5.0

VAIO Media Registration Tool 5.0

VAIO Original Screen Saver

VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents

VAIO Power Management

VAIO Registration

VAIO Security Center

VAIO Support Central

VAIO Update 2

VAIO Wireless LAN Setup Utility

VAIOSurveySA

VC80CRTRedist - 8.0.50727.4053

Veetle TV 0.9.15

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VLC media player 0.9.8a

VPRINTOL

WebFldrs XP

Windows Backup Utility

Windows Defender

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 10 Hotfix [see KB886612 for more information]

Windows Media Player 11

Windows XP Service Pack 3

WinRAR archiver

WIRELESS

Yahoo! Anti-Spy

Yahoo! Browser Services

Yahoo! Internet Mail

Yahoo! Messenger

Yahoo! Search Protection

Yahoo! Software Update

Yahoo! Toolbar

.

==== Event Viewer Messages From Past Week ========

.

4/13/2012 5:07:18 PM, error: Service Control Manager [7023] - The G400DH service terminated with the following error: The specified module could not be found.

4/13/2012 4:14:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb DMICall Fips IntelIde intelppm IPSec MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss ssmdrv Tcpip

4/13/2012 4:14:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iolo System Service service to connect.

4/13/2012 4:14:47 PM, error: Service Control Manager [7001] - The VAIO Entertainment File Import Service service depends on the VAIO Entertainment Database Service service which failed to start because of the following error: The dependency service or group failed to start.

4/13/2012 4:14:47 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

4/13/2012 4:14:47 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

4/13/2012 4:14:47 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

4/13/2012 4:14:47 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

4/13/2012 4:14:47 PM, error: Service Control Manager [7001] - The Cisco Systems, Inc. STC Agent service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

4/13/2012 4:14:47 PM, error: Service Control Manager [7000] - The iolo System Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

4/13/2012 4:14:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

4/13/2012 4:14:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

4/13/2012 3:31:07 PM, error: Service Control Manager [7023] - The ZD1211BU(ZyDAS) service terminated with the following error: The specified module could not be found.

4/13/2012 3:13:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde

4/13/2012 3:13:04 PM, error: Service Control Manager [7023] - The Pca service terminated with the following error: The specified module could not be found.

4/13/2012 2:27:23 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

4/13/2012 1:49:58 AM, error: Service Control Manager [7022] - The VAIO Entertainment File Import Service service hung on starting.

4/11/2012 12:40:52 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

.

==== End Of File ===========================

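The DDS output above already carries several of the indicators that make this a ZeroAccess case: a hosts file that sends www.google.com and www.bing.com to 87.229.126.x instead of loopback, an svchost.exe listed under the \\.\globalroot\ device path, a boot-start (S0) driver with a machine-generated name whose file DDS could not read, and an event-log entry in which the whole TCP/IP stack (AFD, Tcpip, NetBT, IPSec, ...) failed to load at boot. The script below is an added example written for this thread; it is not part of DDS, ComboFix or Malwarebytes. It runs those checks over a few constructed lines copied in the shape of the log above, and also recognises the "@" / "U\xxxxxxxx.@" file layout that the ComboFix log later in the thread shows being removed. The severity labels, the check names and the "looks machine-generated" heuristic are this example's own choices, not DDS conventions.

```python
"""Scan DDS / ComboFix style log lines for ZeroAccess-type indicators.
Added example for this thread; heuristics and severities are the example's own."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the DDS log posted above, same values and format.
SAMPLE_DDS_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
\\.\globalroot\SystemRoot\system32\svchost.exe -k netsvcs
============== Pseudo HJT Report ===============
Hosts: 87.229.126.50 www.google.com
Hosts: 87.229.126.51 www.bing.com
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-24 11608]
S0 uyphwqyl;uyphwqyl;c:\windows\system32\drivers\hpionje.sys --> c:\windows\system32\drivers\hpionje.sys [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2008-2-16 22136]
==== Event Viewer Messages From Past Week ========
4/13/2012 4:14:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb DMICall Fips IntelIde intelppm IPSec MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss ssmdrv Tcpip
4/13/2012 3:13:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
"""

# Constructed sample: paths in the shape of the ComboFix "Other Deletions" list later in the thread.
SAMPLE_COMBOFIX_DELETIONS = r"""
c:\windows\$NtUninstallKB31017$\1105606863\@
c:\windows\$NtUninstallKB31017$\1105606863\cfg.ini
c:\windows\$NtUninstallKB31017$\1105606863\U\00000001.@
c:\windows\$NtUninstallKB31017$\1105606863\U\80000032.@
c:\windows\$NtUninstallKB31017$\1105606863\version
c:\windows\system32\pfmodnt.dll
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"; this example's own scheme
    check: str
    detail: str
    line: str


GLOBALROOT_PREFIX = "\\\\.\\globalroot\\"              # literal \\.\globalroot\
BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}  # blocking a name, not redirecting it
CORE_NET_DRIVERS = {"afd", "tcpip", "netbt", "netbios", "ipsec", "mrxsmb", "rdbss"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.I)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")   # DDS: start name;display;path
DRIVER_FAIL_RE = re.compile(r"driver\(s\) failed to load:\s*(.*)$", re.I)
PAYLOAD_STORE_RE = re.compile(r"\\(?:@|U\\[0-9a-f]{8}\.@)$", re.I)  # ...\@ or ...\U\xxxxxxxx.@


def looks_random(name: str) -> bool:
    """Heuristic only: 6+ lowercase letters with fewer than 30% vowels."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3


def scan_lines(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        # 1. A process path under the \\.\globalroot\ device namespace is how the
        #    rootkit-launched svchost shows up in the DDS process list.
        if line.lower().startswith(GLOBALROOT_PREFIX):
            findings.append(Finding("high", "globalroot-process",
                                    "process started via the globalroot device path", line))
            continue
        # 2. A hosts entry that points a major site at a real address redirects the
        #    user; legitimate hosts-file use points unwanted names at loopback.
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in BENIGN_HOSTS_TARGETS:
                findings.append(Finding("high", "hosts-redirect", f"{host} is redirected to {ip}", line))
            continue
        # 3. DDS prints "[?]" when it cannot read the service's file. On a boot-start
        #    driver (S0/R0) that is a strong signal; elsewhere it is often just an
        #    unquoted path with arguments, so it is rated lower.
        if m := SERVICE_RE.match(line):
            start, name, _display, rest = m.groups()
            if rest.rstrip().endswith("[?]"):
                sev = "high" if start in ("S0", "R0") else "medium"
                note = ", name looks machine-generated" if looks_random(name) else ""
                findings.append(Finding(sev, "driver-file-missing",
                                        f"{start} service {name!r}: file unreadable{note}", line))
            continue
        # 4. Several core network drivers failing in one boot event points at a
        #    patched driver in the chain (ComboFix later found netbt.sys infected).
        if m := DRIVER_FAIL_RE.search(line):
            core = sorted({d.lower() for d in m.group(1).split()} & CORE_NET_DRIVERS)
            if len(core) >= 3:
                findings.append(Finding("high", "network-stack-failed",
                                        "core network drivers failed to load: " + ", ".join(core), line))
            continue
        # 5. The "@" / "U\xxxxxxxx.@" layout is the ZeroAccess payload store.
        if PAYLOAD_STORE_RE.search(line):
            findings.append(Finding("high", "payload-store",
                                    "file layout matches the ZeroAccess payload store", line))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per check name."""
    return Counter(f.check for f in findings)


if __name__ == "__main__":
    for sample in (SAMPLE_DDS_LOG, SAMPLE_COMBOFIX_DELETIONS):
        for f in scan_lines(sample):
            print(f"[{f.severity}] {f.check}: {f.detail}\n    {f.line}")
```

The checks are deliberately narrow: the "[?]" marker alone is not evidence (DDS prints it for the MSSQL$VAIO_VEDB entries in the full log too, because the path carries arguments), which is why it is only rated high on a boot-start driver. A hosts-file redirect to a routable address, by contrast, has no benign reading on a home PC and is worth acting on by itself.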

Hello and welcome!

Unfortunately, ZeroAccess is a nasty rootkit. Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Thanks, Elise.

I ran combofix but it's been frozen for about 20 minutes now on this screen:

Rebooting Windows ... Please wait

Please allow ComboFix to reboot the machine.

WARNING! Do not manually reboot the machine yourself.

I'm assuming this is not normal. Should I reboot the computer manually?

Thanks.


Thanks Elise.

I'm pasting the ComboFix log below. I also ran Malwarebytes again and it didn't detect ZeroAccess any more, so hopefully this means it's gone (but I do understand the warning you posted earlier about it). Please let me know if there are any further steps to be taken to ensure the clean-up of my PC. Thanks a lot for your help with this.

___________________________________

ComboFix 12-04-14.02 - Usama 04/14/2012 8:44.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.223 [GMT -4:00]

Running from: F:\ComboFix.exe

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Usama\WINDOWS

c:\windows\$NtUninstallKB31017$\1105606863\@

c:\windows\$NtUninstallKB31017$\1105606863\cfg.ini

c:\windows\$NtUninstallKB31017$\1105606863\Desktop.ini

c:\windows\$NtUninstallKB31017$\1105606863\L\lteladfo

c:\windows\$NtUninstallKB31017$\1105606863\U\00000001.@

c:\windows\$NtUninstallKB31017$\1105606863\U\00000002.@

c:\windows\$NtUninstallKB31017$\1105606863\U\00000004.@

c:\windows\$NtUninstallKB31017$\1105606863\U\80000000.@

c:\windows\$NtUninstallKB31017$\1105606863\U\80000004.@

c:\windows\$NtUninstallKB31017$\1105606863\U\80000032.@

c:\windows\$NtUninstallKB31017$\1105606863\version

c:\windows\$NtUninstallKB31017$\2750891535

c:\windows\iun6002.exe

c:\windows\system32\dds_trash_log.cmd

c:\windows\system32\pfmodnt.dll

.

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_CTSYN

-------\Service_CTSYN

.

.

((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))

.

.

2012-04-14 12:35 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-04-13 20:13 . 2012-04-13 20:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo

2012-04-06 04:45 . 2012-04-06 05:16 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-06 05:16 . 2011-05-19 14:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 19:56 . 2010-01-24 03:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-07 05:56 . 2012-02-18 00:43 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 14720000]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-31 198160]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autobahn.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\autobahn.lnk

backup=c:\windows\pss\autobahn.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

backup=c:\windows\pss\Orbit.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Usama^Start Menu^Programs^Startup^autobahn.lnk]

path=c:\documents and settings\Usama\Start Menu\Programs\Startup\autobahn.lnk

backup=c:\windows\pss\autobahn.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]

2002-09-24 20:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]

2010-09-29 01:33 2407632 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BatteryCare]

2010-03-30 14:26 643072 ----a-w- c:\program files\BatteryCare\BatteryCare.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]

2002-07-16 14:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2005-11-04 21:25 159832 ----a-w- c:\program files\Common Files\AOL\1137443843\ee\AOLHostManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]

2002-08-13 18:30 86016 ----a-w- c:\program files\Iomega\DriveIcons\Imgicon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]

2006-08-11 12:45 712704 ----a-w- c:\program files\Maxtor\ManagerApp\OneTouch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]

2006-11-17 17:39 136768 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-06-01 14:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2002-05-09 07:21 155648 ------w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-12-31 18:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]

2005-10-12 05:36 151552 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-03 22:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

2007-06-08 14:59 224248 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

.

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/10/2011 12:22 PM 722616]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

S0 uyphwqyl;uyphwqyl;c:\windows\system32\drivers\hpionje.sys --> c:\windows\system32\drivers\hpionje.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/3/2009 2:03 PM 133104]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/6/2012 12:45 AM 253600]

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2/16/2008 10:32 AM 22136]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/3/2009 2:03 PM 133104]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\BatteryCare\WinRing0.sys [7/26/2008 6:30 PM 14416]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

regspy

jaguar

CTSYN

pccsmcfd

VICESYS

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 05:16]

.

2011-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-03-09 c:\windows\Tasks\debutShakeIcon.job

- c:\program files\NCH Software\Debut\debut.exe [2011-03-09 18:52]

.

2012-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 18:03]

.

2012-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 18:03]

.

2012-04-06 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100

uInternet Settings,ProxyOverride = cdn;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm

FF - ProfilePath - c:\documents and settings\Usama\Application Data\Mozilla\Firefox\Profiles\jsuer6ve.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-WinDefend

MSConfigStartUp-a-squared - c:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe

MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe

MSConfigStartUp-FileHippo - c:\program files\FileHippo.com\UpdateChecker.exe

MSConfigStartUp-mxomssmenu - c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe

MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

AddRemove-Freecorder_1.0 - c:\windows\iun6002.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-14 09:36

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\$NtUninstallKB31017$:SummaryInformation 0 bytes hidden from API

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(908)

c:\windows\system32\VESWinlogon.dll

.

- - - - - - - > 'explorer.exe'(612)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Cisco Systems\SSL VPN Client\agent.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\program files\Maxtor\Utils\SyncServices.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\windows\RTHDCPL.EXE

c:\program files\Apoint\Apntex.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2012-04-14 09:42:49 - machine was rebooted

ComboFix-quarantined-files.txt 2012-04-14 13:42

ComboFix2.txt 2010-01-27 00:37

.

Pre-Run: 41,527,504,896 bytes free

Post-Run: 41,678,438,400 bytes free

.

- - End Of File - - 6B339B72D2D02878E9D8462FC71DF55F


Hi again,

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Driver::
uyphwqyl

File::
c:\windows\system32\drivers\hpionje.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
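The CFScript above targets the one boot-start driver in the posted log whose image ComboFix could not read from disk (the `S0 uyphwqyl ... [?]` line). As an added example, not code from ComboFix or from this thread, the script below parses service lines in the ComboFix log format, flags R0/S0 drivers marked `[?]` (an assumed heuristic, not a verdict), and renders the matching `Driver::`/`File::` block; the sample lines are copied from the log posted earlier in this thread.

```python
"""Parse ComboFix 'Drivers/Services' lines, flag unresolved boot-start
drivers, and emit the CFScript directives that would target them.
Added example for this thread; not ComboFix's own code."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: service lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/10/2011 12:22 PM 722616]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S0 uyphwqyl;uyphwqyl;c:\windows\system32\drivers\hpionje.sys --> c:\windows\system32\drivers\hpionje.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/3/2009 2:03 PM 133104]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2/16/2008 10:32 AM 22136]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\BatteryCare\WinRing0.sys [7/26/2008 6:30 PM 14416]
"""

# Line shape: <start type> <service name>;<display name>;<image ...> [<date size> | ?]
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]$")


@dataclass
class ServiceEntry:
    start_type: str   # R = running, S = stopped; digit = Windows start type (0 = boot)
    name: str         # service/driver key name
    display: str      # display name
    image: str        # image path as ComboFix printed it
    resolved: bool    # False when ComboFix printed [?] instead of date and size


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract every R*/S* service line from a ComboFix log."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start_type, name, display, image, status = m.groups()
        # "a --> b" form: ComboFix repeats the path it tried to open; keep the right side.
        if " --> " in image:
            image = image.split(" --> ", 1)[1]
        entries.append(ServiceEntry(start_type, name, display, image.strip(),
                                    status.strip() != "?"))
    return entries


def suspicious_boot_drivers(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Heuristic (assumption, not ComboFix logic): a boot-start driver (R0/S0)
    whose .sys image ComboFix could not stat loads before most defensive
    software and is worth a closer look.  Service executables with command-line
    arguments (like the SQL Server entry) also show [?] and are excluded."""
    return [e for e in entries
            if e.start_type in ("R0", "S0")
            and not e.resolved
            and e.image.lower().endswith(".sys")]


def build_cfscript(flagged: List[ServiceEntry]) -> str:
    """Render the Driver::/File:: directives in the form used in this thread."""
    if not flagged:
        return ""
    lines = ["Driver::"] + [e.name for e in flagged]
    lines += ["", "File::"] + [e.image for e in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = suspicious_boot_drivers(parse_services(SAMPLE_LOG))
    for e in found:
        print(f"flagged {e.start_type} {e.name} -> {e.image}")
    print(build_cfscript(found), end="")
```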


Hi again,

ComboFix ran again and generated the log below. It first gave a message that zeroaccess exists, rebooted, and then ran.

Also, while it was running, it produced the following message:

PEV.exe has encountered a problem and needs to close.

I have to add that I've been running ComboFix from a USB drive. Should I have been running it from the C drive? I hope I didn't make a mistake there.

Thanks a lot.

ComboFix 12-04-14.02 - Usama 04/14/2012 12:09:08.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.221 [GMT -4:00]

Running from: F:\ComboFix.exe

Command switches used :: F:\CFScript.txt.txt

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

FILE ::

"c:\windows\system32\drivers\hpionje.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$NtUninstallKB31017$

c:\windows\$NtUninstallKB31017$\3042987485

.

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_uyphwqyl

.

.

((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))

.

.

2012-04-14 16:00 . 2008-04-13 18:40 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys

2012-04-14 16:00 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-04-14 12:35 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-04-13 20:13 . 2012-04-13 20:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo

2012-04-06 04:45 . 2012-04-06 05:16 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-06 05:16 . 2011-05-19 14:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 19:56 . 2010-01-24 03:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-07 05:56 . 2012-02-18 00:43 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-04-14_13.35.31 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-04-14 16:03 . 2012-04-14 16:03 16384 c:\windows\Temp\Perflib_Perfdata_1b4.dat

+ 2012-04-14 16:26 . 2012-04-14 16:26 16384 c:\windows\Temp\Perflib_Perfdata_124.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 14720000]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-31 198160]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autobahn.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\autobahn.lnk

backup=c:\windows\pss\autobahn.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

backup=c:\windows\pss\Orbit.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Usama^Start Menu^Programs^Startup^autobahn.lnk]

path=c:\documents and settings\Usama\Start Menu\Programs\Startup\autobahn.lnk

backup=c:\windows\pss\autobahn.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]

2002-09-24 20:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]

2010-09-29 01:33 2407632 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BatteryCare]

2010-03-30 14:26 643072 ----a-w- c:\program files\BatteryCare\BatteryCare.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]

2002-07-16 14:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2005-11-04 21:25 159832 ----a-w- c:\program files\Common Files\AOL\1137443843\ee\AOLHostManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]

2002-08-13 18:30 86016 ----a-w- c:\program files\Iomega\DriveIcons\Imgicon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]

2006-08-11 12:45 712704 ----a-w- c:\program files\Maxtor\ManagerApp\OneTouch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]

2006-11-17 17:39 136768 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-06-01 14:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2002-05-09 07:21 155648 ------w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-12-31 18:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]

2005-10-12 05:36 151552 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-03 22:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

2007-06-08 14:59 224248 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

.

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/10/2011 12:22 PM 722616]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/3/2009 2:03 PM 133104]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/6/2012 12:45 AM 253600]

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2/16/2008 10:32 AM 22136]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/3/2009 2:03 PM 133104]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\BatteryCare\WinRing0.sys [7/26/2008 6:30 PM 14416]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

regspy

jaguar

CTSYN

pccsmcfd

VICESYS

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 05:16]

.

2011-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-03-09 c:\windows\Tasks\debutShakeIcon.job

- c:\program files\NCH Software\Debut\debut.exe [2011-03-09 18:52]

.

2012-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 18:03]

.

2012-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 18:03]

.

2012-04-06 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100

uInternet Settings,ProxyOverride = cdn;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm

FF - ProfilePath - c:\documents and settings\Usama\Application Data\Mozilla\Firefox\Profiles\jsuer6ve.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-14 12:28

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(916)

c:\windows\system32\VESWinlogon.dll

.

- - - - - - - > 'explorer.exe'(648)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Cisco Systems\SSL VPN Client\agent.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\program files\Maxtor\Utils\SyncServices.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\windows\RTHDCPL.EXE

c:\program files\Apoint\Apntex.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2012-04-14 12:33:42 - machine was rebooted

ComboFix-quarantined-files.txt 2012-04-14 16:33

ComboFix2.txt 2012-04-14 13:42

ComboFix3.txt 2010-01-27 00:37

.

Pre-Run: 41,751,470,080 bytes free

Post-Run: 41,739,673,600 bytes free

.

- - End Of File - - 0338CC848238AD1E51AAAE8995587297


Let's do an additional scan here first.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

netsvcs

  • Click the NONE button and push Run Scan.
  • A report will open. Copy and Paste that report in your next reply.


OK, here's the OTL log.

OTL logfile created on: 4/14/2012 3:33:05 PM - Run 4

OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Usama\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.42 Mb Total Physical Memory | 189.42 Mb Available Physical Memory | 37.70% Memory free

1.20 Gb Paging File | 0.94 Gb Available in Paging File | 78.18% Paging File free

Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.52 Gb Total Space | 38.91 Gb Free Space | 56.79% Space Free | Partition Type: NTFS

Computer Name: POST-MINIMALISM | User Name: Usama | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs: 6to4 - File not found

NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found

NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: regspy - %systemroot%\system32\epoxusdm.dll File not found

NetSvcs: jaguar - %systemroot%\system32\mf.dll File not found

NetSvcs: CTSYN - File not found

NetSvcs: pccsmcfd - %systemroot%\system32\tvichw32.dll File not found

NetSvcs: VICESYS - %systemroot%\system32\marvinbus.dll File not found

NetSvcs: WmdmPmSp - File not found

< End of report >


Here it is.

OTL logfile created on: 4/14/2012 4:48:25 PM - Run 5

OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Usama\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.42 Mb Total Physical Memory | 183.86 Mb Available Physical Memory | 36.59% Memory free

1.20 Gb Paging File | 0.93 Gb Available in Paging File | 77.28% Paging File free

Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.52 Gb Total Space | 38.91 Gb Free Space | 56.78% Space Free | Partition Type: NTFS

Drive F: | 954.10 Mb Total Space | 948.05 Mb Free Space | 99.37% Space Free | Partition Type: FAT32

Computer Name: POST-MINIMALISM | User Name: Usama | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< HKLM\software\microsoft\windows nt\currentversion\svchost >

"HTTPFilter" = HTTPFilter [binary data]

"LocalService" = [binary data over 100 bytes]

"NetworkService" = DnsCache [binary data]

"netsvcs" = [binary data over 100 bytes]

"DcomLaunch" = DcomLaunchTermService [binary data]

"rpcss" = RpcSs [binary data] -- [2009/02/09 08:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation)

"imgsvc" = StiSvc [binary data]

"termsvcs" = TermService [binary data]

"WudfServiceGroup" = WUDFSvc [binary data] -- [2006/09/28 19:56:14 | 000,055,808 | ---- | M] (Microsoft Corporation)

"eapsvcs" = eaphost [binary data]

"dot3svc" = dot3svc [binary data] -- [2008/04/13 20:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs]

< End of report >


Hi Elise,

I did another run of ComboFix. This time it didn't say it detected zeroaccess, so hopefully that means it got cleaned. Here's the new log.

___________________________

ComboFix 12-04-14.02 - Usama 04/15/2012 8:17.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.73 [GMT -4:00]

Running from: F:\ComboFix.exe

FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

.

((((((((((((((((((((((((( Files Created from 2012-03-15 to 2012-04-15 )))))))))))))))))))))))))))))))

.

.

2012-04-14 19:27 . 2012-04-14 19:27 -------- d-----w- C:\_OTL

2012-04-14 16:00 . 2008-04-13 18:40 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys

2012-04-14 16:00 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2012-04-14 12:35 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-04-13 20:13 . 2012-04-13 20:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo

2012-04-06 04:45 . 2012-04-06 05:16 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-06 05:16 . 2011-05-19 14:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 19:56 . 2010-01-24 03:05 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-07 05:56 . 2012-02-18 00:43 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-04-14_13.35.31 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-04-15 12:08 . 2012-04-15 12:08 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat

+ 2012-04-15 12:08 . 2012-04-15 12:08 16384 c:\windows\Temp\Perflib_Perfdata_158.dat

+ 2010-06-23 19:43 . 2012-04-14 19:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2010-06-23 19:43 . 2012-03-24 15:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2006-01-05 18:34 . 2012-04-14 19:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-01-05 18:34 . 2012-03-24 15:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2012-04-14 19:11 . 2012-04-14 19:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2010-06-23 19:43 . 2012-03-24 15:52 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 14720000]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-20 184320]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-31 198160]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autobahn.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\autobahn.lnk

backup=c:\windows\pss\autobahn.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

backup=c:\windows\pss\Orbit.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Usama^Start Menu^Programs^Startup^autobahn.lnk]

path=c:\documents and settings\Usama\Start Menu\Programs\Startup\autobahn.lnk

backup=c:\windows\pss\autobahn.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-02 15:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]

2002-09-24 20:39 147456 ----a-w- c:\program files\Iomega\AutoDisk\ADUserMon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]

2010-09-29 01:33 2407632 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BatteryCare]

2010-03-30 14:26 643072 ----a-w- c:\program files\BatteryCare\BatteryCare.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]

2002-07-16 14:55 32768 ----a-w- c:\program files\Iomega\DriveIcons\deskup.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2005-11-04 21:25 159832 ----a-w- c:\program files\Common Files\AOL\1137443843\ee\AOLHostManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]

2002-08-13 18:30 86016 ----a-w- c:\program files\Iomega\DriveIcons\Imgicon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]

2006-08-11 12:45 712704 ----a-w- c:\program files\Maxtor\ManagerApp\OneTouch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]

2006-11-17 17:39 136768 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-06-01 14:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2002-05-09 07:21 155648 ------w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-12-31 18:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]

2005-10-12 05:36 151552 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-03 22:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

2007-06-08 14:59 224248 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

.

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/10/2011 12:22 PM 722616]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/3/2009 2:03 PM 133104]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/6/2012 12:45 AM 253600]

S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2/16/2008 10:32 AM 22136]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/3/2009 2:03 PM 133104]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\BatteryCare\WinRing0.sys [7/26/2008 6:30 PM 14416]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

regspy

jaguar

CTSYN

pccsmcfd

VICESYS

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 05:16]

.

2011-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-03-09 c:\windows\Tasks\debutShakeIcon.job

- c:\program files\NCH Software\Debut\debut.exe [2011-03-09 18:52]

.

2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 18:03]

.

2012-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 18:03]

.

2012-04-06 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100

uInternet Settings,ProxyOverride = cdn;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm

FF - ProfilePath - c:\documents and settings\Usama\Application Data\Mozilla\Firefox\Profiles\jsuer6ve.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-15 08:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(924)

c:\windows\system32\VESWinlogon.dll

.

- - - - - - - > 'explorer.exe'(3668)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-04-15 08:35:52

ComboFix-quarantined-files.txt 2012-04-15 12:35

ComboFix2.txt 2012-04-14 16:33

ComboFix3.txt 2012-04-14 13:42

ComboFix4.txt 2010-01-27 00:37

.

Pre-Run: 41,752,752,128 bytes free

Post-Run: 41,726,230,528 bytes free

.

- - End Of File - - B0357E9821C1DF211F85559D1C8022DC


Good to hear that! :) Do you have any other problems left?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Adobe components and update:

  • Download the latest version of Adobe Reader (Version X) and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then, from your desktop, double-click on Adobe Reader to install the newest version.
    If you are using Windows Vista and the installer refuses to launch due to insufficient user permissions, then use Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.exe icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

  4. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  5. When the scan completes, click List Threats.
  6. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  7. Click the Back button.
  8. Click the Finish button.


Yes, if the ESET scan came back clean you can do the following.

ALL CLEAN

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine, and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software, then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use; the paid versions provide resident protection and do not nag.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Hi Elise,

I ran the ESET scan. Here is the list of threats. Were any of these dangerous? Please let me know if any further steps are needed to ensure the clean-up of the computer. Thanks a lot!

_________________________________

C:\Documents and Settings\All Users\Application Data\ReviverSoft\RegistryReviver\InstallCache\{E31E4E05-4B6B-42A5-8623-EB530F8147F5}\RegistryReviver.msi a variant of Win32/SlowPCfighter application deleted - quarantined

C:\Documents and Settings\Usama\Application Data\OpenCandy\OpenCandy_6233F074395545C0BB2A6AD17385F8C7\PPIRegistryReviverSetup_silent.exe a variant of Win32/SlowPCfighter application cleaned by deleting - quarantined

C:\Documents and Settings\Usama\Application Data\OpenCandy\OpenCandy_6233F074395545C0BB2A6AD17385F8C7\PPIRegRevSilent_p2v1.exe a variant of Win32/SlowPCfighter application deleted - quarantined

C:\Documents and Settings\Usama\Application Data\Sun\Java\Deployment\cache\6.0\34\78752fe2-2bcac98a a variant of Java/Exploit.CVE-2012-0507.H trojan deleted - quarantined

C:\Documents and Settings\Usama\Application Data\Sun\Java\Deployment\cache\6.0\38\6df5cba6-2c816bce multiple threats deleted - quarantined

C:\Documents and Settings\Usama\Local Settings\Application Data\Mozilla\Firefox\Profiles\jsuer6ve.default\Cache(3)\C97D92BAd01 JS/Exploit.Agent.NBX trojan cleaned by deleting - quarantined

C:\Documents and Settings\Usama\Local Settings\Application Data\Mozilla\Firefox\Profiles\jsuer6ve.default\Cache(3)\F7D8C119d01 JS/Exploit.Agent.NBX trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\pfmodnt.dll.vir Win32/Sirefef.ER trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP208\A0118461.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP208\A0119461.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP208\A0119635.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP208\A0119762.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP208\A0119852.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP208\A0119862.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP209\A0119945.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP209\A0119967.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP209\A0120039.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP209\A0120170.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP209\A0120286.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP209\A0120298.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP210\A0120316.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP210\A0120330.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP211\A0120483.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP211\A0120491.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP211\A0120527.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP211\A0121678.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP211\A0121927.msi a variant of Win32/SlowPCfighter application deleted - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP211\A0121928.exe a variant of Win32/SlowPCfighter application cleaned by deleting - quarantined

C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP211\A0121929.exe a variant of Win32/SlowPCfighter application deleted - quarantined

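The ESET list above is easier to act on once each hit is sorted by where it lives: Qoobox is ComboFix's quarantine folder and the _restore{...} entries are System Restore snapshots, so those copies were already inactive, whereas hits in the Java deployment cache and the Firefox cache are the drive-by exploit artifacts (the Java CVE-2012-0507 detection among them) that show how the machine was probably infected. As an added example for this thread, not ESET's, ComboFix's or any poster's own code, the Python below parses lines in this log format, buckets each detection by location, pulls out CVE identifiers and recovers the original path behind each quarantined .vir file. The line grammar (path, detection name, action) is inferred from the lines quoted above and the location buckets are an assumption of this example; the sample input is a subset of the OP's log.

```python
"""Triage an ESET Online Scanner log by where each detection lives.

Added example for this thread; not ESET's, ComboFix's or the forum's own code.
The line grammar (path, detection, action) is inferred from the log quoted in
the post above; the location buckets are an assumption of this example.
"""
import re
from collections import Counter
from typing import Optional

# Sample input: a subset of the lines from the ESET log quoted in the post.
SAMPLE_LOG = r"""
C:\Documents and Settings\Usama\Application Data\OpenCandy\OpenCandy_6233F074395545C0BB2A6AD17385F8C7\PPIRegistryReviverSetup_silent.exe a variant of Win32/SlowPCfighter application cleaned by deleting - quarantined
C:\Documents and Settings\Usama\Application Data\Sun\Java\Deployment\cache\6.0\34\78752fe2-2bcac98a a variant of Java/Exploit.CVE-2012-0507.H trojan deleted - quarantined
C:\Documents and Settings\Usama\Application Data\Sun\Java\Deployment\cache\6.0\38\6df5cba6-2c816bce multiple threats deleted - quarantined
C:\Documents and Settings\Usama\Local Settings\Application Data\Mozilla\Firefox\Profiles\jsuer6ve.default\Cache(3)\C97D92BAd01 JS/Exploit.Agent.NBX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\pfmodnt.dll.vir Win32/Sirefef.ER trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP208\A0118461.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{266C838D-FBFB-4B34-AEB1-8F1880FFA6B4}\RP211\A0120527.dll Win32/Sirefef.ER trojan cleaned by deleting - quarantined
"""

# One log line: <path with spaces> <detection> <action>.  The path is matched
# lazily and the detection must end in a lowercase threat type, which keeps
# "Application Data" inside the path from being mistaken for the detection.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<detection>multiple threats|"
    r"(?:a variant of )?\S+ (?:application|trojan|worm|virus|backdoor))"
    r"(?: (?P<action>.+))?$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# ComboFix stores quarantined files as <drive>\Qoobox\Quarantine\<drive letter>\<original path>.vir
QOOBOX_RE = re.compile(
    r"^[A-Za-z]:\\Qoobox\\Quarantine\\([A-Za-z])\\(.+?)(?:\.vir)?$", re.IGNORECASE
)


def classify_location(path: str) -> str:
    """Bucket a detected path by whether it was an active file or an inert copy."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"      # already removed from its original location
    if "\\system volume information\\_restore" in p:
        return "system restore point"     # snapshot copy, inert unless restored
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java cache"               # applet/JAR fetched by a drive-by page
    if "\\mozilla\\firefox\\profiles\\" in p and "\\cache" in p:
        return "browser cache"            # landing/redirect script of the drive-by
    if "\\opencandy\\" in p:
        return "bundled installer"        # PUP pulled in by an installer bundle
    return "live file system"


def quarantine_origin(path: str) -> Optional[str]:
    """Recover the original path of a ComboFix-quarantined file, else None."""
    m = QOOBOX_RE.match(path)
    if not m:
        return None
    return f"{m.group(1).upper()}:\\{m.group(2)}"


def parse_eset_line(line: str) -> Optional[dict]:
    """Split one ESET log line into path, detection, action and location bucket."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    action = m.group("action") or ""
    return {
        "path": path,
        "detection": m.group("detection"),
        "action": action,
        "location": classify_location(path),
        "quarantined": "quarantined" in action,
    }


def triage(log_text: str) -> dict:
    """Summarise a whole log: counts per location, CVEs seen, quarantine origins,
    and the hits that were live on the system rather than inert copies."""
    records = []
    for line in log_text.splitlines():
        rec = parse_eset_line(line)
        if rec:
            records.append(rec)
    origins = set()
    for rec in records:
        origin = quarantine_origin(rec["path"])
        if origin:
            origins.add(origin)
    live_buckets = ("java cache", "browser cache", "live file system")
    return {
        "by_location": Counter(rec["location"] for rec in records),
        "cves": sorted({c for rec in records for c in CVE_RE.findall(rec["detection"])}),
        "quarantine_origins": sorted(origins),
        "needs_attention": [rec["path"] for rec in records if rec["location"] in live_buckets],
        "unparsed": [l for l in log_text.splitlines() if l.strip() and not parse_eset_line(l)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for bucket, n in report["by_location"].most_common():
        print(f"{n:3d}  {bucket}")
    print("CVEs referenced:", ", ".join(report["cves"]) or "none")
    print("System files ComboFix had quarantined:")
    for origin in report["quarantine_origins"]:
        print("   ", origin)
    print("Hits that were live, not inert copies:")
    for path in report["needs_attention"]:
        print("   ", path)
```

Run against the full log in the post, the restore-point and Qoobox entries account for most of the Sirefef hits, which is expected after a ComboFix run; the quarantine origins (system32\pfmodnt.dll, system32\Drivers\netbt.sys, system32\Drivers\redbook.sys) are the files that were actually replaced on the live system and the ones worth confirming are now clean, signed copies. The Java cache and Firefox cache hits, and the bundled OpenCandy installers, are the entries that would still have been active had ESET not removed them. Anything listed under "unparsed" is a line whose format this grammar did not anticipate and should be read by hand rather than ignored.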

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
