GOBBLAH

Laptop Infected with Nasty BCminer.


Recently noticed huge lag spikes for no reason, popped on my scanner, and found out I had BCminer. Here is my log:

Malware

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Chris n Mimi :: CHRISNMIMI-PC [administrator]

04/08/2012 1:48:34 PM

mbam-log-2012-08-04 (14-53-43).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 553883

Time elapsed: 40 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

(end)

RogueKiller V7.6.5 [08/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User: Chris n Mimi [Admin rights]

Mode: Scan -- Date: 08/04/2012 14:56:53

¤¤¤ Bad processes: 2 ¤¤¤

[SUSP PATH] MediaServer.exe -- C:\ProgramData\TVersity\Media Server\MediaServer.exe -> KILLED [TermProc]

[RESIDUE] MediaServer.exe -- C:\ProgramData\TVersity\Media Server\MediaServer.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 5 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Chris n Mimi\AppData\Local\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\chris n mimi\appdata\local\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\chris n mimi\appdata\local\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\chris n mimi\appdata\local\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_32\desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac_64\desktop.ini --> FOUND

[susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BEVT-22ZAT0 ATA Device +++++

--- User ---

[MBR] e34142bfadc0fd026db88ba655e4981c

[BSP] 531d0b34e5551103c06668de331de7b0 : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 26626048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26830848 | Size: 463838 Mo

3 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 250 | Size: 198 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

I'd much rather remove the problem than have to format :) Thanks for any help in advance <3


Welcome to the forum.

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:



  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

    services.exe

  • Now press the Search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC


Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Ran the program! It turned off my wifi and video setting and some other stuff, and it didn't make a restore point, and the restore point I made is missing. Computer's in worse shape now than it was before I ran ComboFix

ComboFix 12-08-05.02 - Chris n Mimi 05/08/2012 12:10:20.1.2 - x64

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.4091.2635 [GMT -4:00]

Running from: c:\users\Chris n Mimi\Downloads\ComboFix.exe

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

.

c:\windows\system32\Services.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2012-07-05 to 2012-08-05 )))))))))))))))))))))))))))))))

.

.

2012-08-05 16:30 . 2012-08-05 16:30 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-02 18:04 . 2012-08-02 18:04 -------- d-----w- c:\users\Chris n Mimi\AppData\Roaming\Malwarebytes

2012-08-02 18:03 . 2012-08-02 18:03 -------- d-----w- c:\programdata\Malwarebytes

2012-08-02 18:03 . 2012-08-02 18:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-08-02 18:03 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-01 07:00 . 2012-08-01 07:00 -------- d-----w- c:\program files (x86)\ConvertHelper

2012-08-01 06:53 . 2012-08-01 06:57 -------- d-----w- c:\users\Chris n Mimi\dwhelper

2012-07-23 21:54 . 2012-07-23 21:54 -------- d-----w- c:\users\Chris n Mimi\AppData\Local\ElevatedDiagnostics

2012-07-18 03:56 . 2012-07-18 03:56 -------- d-----w- c:\program files\Speccy

2012-07-18 01:57 . 2012-07-18 01:57 -------- d-----w- c:\users\UpdatusUser

2012-07-18 01:56 . 2012-05-15 09:29 889664 ----a-w- c:\windows\system32\nvvsvc.exe

2012-07-18 01:56 . 2012-05-15 09:29 63296 ----a-w- c:\windows\system32\nvshext.dll

2012-07-18 01:56 . 2012-05-15 09:29 2561856 ----a-w- c:\windows\system32\nvsvcr.dll

2012-07-18 01:56 . 2012-05-15 09:29 118080 ----a-w- c:\windows\system32\nvmctray.dll

2012-07-18 01:56 . 2012-05-15 09:29 3149632 ----a-w- c:\windows\system32\nvsvc64.dll

2012-07-18 01:56 . 2012-05-15 09:28 6151488 ----a-w- c:\windows\system32\nvcpl.dll

2012-07-18 01:56 . 2012-05-15 10:48 68928 ----a-w- c:\windows\system32\OpenCL.dll

2012-07-18 01:56 . 2012-05-15 10:48 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll

2012-07-18 01:56 . 2012-07-18 01:56 -------- d-----w- c:\programdata\NVIDIA Corporation

2012-07-18 01:51 . 2012-07-18 01:51 -------- d-----w- c:\program files\CCleaner

2012-07-15 14:26 . 2012-07-15 14:47 -------- d-----w- c:\program files (x86)\Rosetta Stone

2012-07-15 14:12 . 2012-07-15 14:23 -------- d-----w- C:\rosetta

2012-07-12 14:54 . 2012-07-12 14:54 -------- d-----w- c:\program files (x86)\Xiph.Org

2012-07-12 14:54 . 2012-07-12 14:54 -------- d-----w- c:\program files (x86)\TVersity Codec Pack

2012-07-12 14:53 . 2012-07-12 14:53 -------- d-----w- c:\program files (x86)\Conduit

2012-07-12 14:53 . 2012-07-12 14:53 -------- d-----w- c:\users\Chris n Mimi\AppData\Local\Conduit

2012-07-12 14:53 . 2012-07-12 14:53 -------- d-----w- c:\program files (x86)\TVersitybar

2012-07-12 14:53 . 2012-07-12 14:53 -------- d-----w- c:\programdata\TVersity

2012-07-10 11:27 . 2012-07-10 11:27 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-03 15:03 . 2012-04-30 02:39 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-03 15:03 . 2012-04-30 02:39 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-05-21 06:42 . 2012-05-21 06:42 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

[-] 2009-07-14 . 014A9CB92514E27C0107614DF764BC06 . 328704 . . [6.1.7600.16385] .. c:\windows\system32\services.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{66bd2442-241b-44cd-8c7a-b51037053cdb}"= "c:\program files (x86)\TVersitybar\prxtbTVer.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{66bd2442-241b-44cd-8c7a-b51037053cdb}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{66bd2442-241b-44cd-8c7a-b51037053cdb}]

2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\TVersitybar\prxtbTVer.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{66bd2442-241b-44cd-8c7a-b51037053cdb}"= "c:\program files (x86)\TVersitybar\prxtbTVer.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{66bd2442-241b-44cd-8c7a-b51037053cdb}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-04 1353080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

R4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]

R4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-05 113120]

R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-05 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 15:03]

.

2012-08-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4203899070-259090772-3981430821-1000Core.job

- c:\users\Chris n Mimi\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-31 00:39]

.

2012-08-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4203899070-259090772-3981430821-1000UA.job

- c:\users\Chris n Mimi\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-31 00:39]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uInternet Settings,ProxyOverride = *.local

LSP: mswsock.dll

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\Chris n Mimi\AppData\Roaming\Mozilla\Firefox\Profiles\dpdtnpbh.default\

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Steam\SteamService.exe

.

**************************************************************************

.

Completion time: 2012-08-05 12:36:30 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-05 16:36

.

Pre-Run: 315,740,917,760 bytes free

Post-Run: 316,381,765,632 bytes free

.

- - End Of File - - FE0E7A77E01C6B184D820D5C252CAEED

* Created a new restore point

ComboFix says it created a new restore point.

--------------------------------

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    services.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


I just used the restore point, everything seems normal again, here is the log.

SystemLook 30.07.11 by jpshortstuff

Log created at 13:25 on 05/08/2012 by Chris n Mimi

Administrator - Elevation successful

========== Filefind ==========

Searching for "services.exe"

C:\Windows\System32\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 014A9CB92514E27C0107614DF764BC06

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB

-= EOF =-

IS BC miner removed now?

No it's not.

------------------------------------------------

Using ComboFix we're going to replace the infected "services.exe":

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

    FCopy::
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | C:\Windows\System32\services.exe

    ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC
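
The comparison behind this step, as an added example that is not part of the original thread or of any tool used in it: it parses SystemLook Filefind result lines and flags a live system file whose MD5 matches no copy in the WinSxS component store. The function and class names are this example's own; it assumes the result-line layout seen in the log above and that a live system file should be identical to a component-store copy.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename  # Windows path rules on any platform

# The Filefind section of the SystemLook log posted in this thread.
SAMPLE_LOG = r"""
========== Filefind ==========
Searching for "services.exe"
C:\Windows\System32\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 014A9CB92514E27C0107614DF764BC06
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
-= EOF =-
"""

# path, attribute flags, "<n> bytes", two bracketed timestamps, MD5.
# The path is matched lazily because it may contain spaces.
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>\S+)\s+(?P<size>\d+) bytes\s+"
    r"\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    md5: str

    @property
    def in_component_store(self):
        return "\\windows\\winsxs\\" in self.path.lower()


@dataclass(frozen=True)
class Finding:
    live: Entry          # copy outside WinSxS that matched no reference
    references: tuple    # component-store copies it was compared against
    same_size: bool      # same size, different hash: contents were altered


def parse_filefind(log_text):
    """Return an Entry for every result line; headers and noise are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"]), m["md5"].upper()))
    return entries


def find_mismatches(entries):
    """Flag live files whose MD5 equals none of the same-named WinSxS copies.

    Limitation: copies are grouped by file name only, so a 32-bit copy is
    compared against whatever component-store copies the search returned.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[basename(e.path).lower()].append(e)

    findings = []
    for group in by_name.values():
        refs = tuple(e for e in group if e.in_component_store)
        if not refs:
            continue  # no reference copy in the log, nothing to compare
        ref_hashes = {e.md5 for e in refs}
        for live in group:
            if live.in_component_store or live.md5 in ref_hashes:
                continue
            same_size = any(r.size == live.size for r in refs)
            findings.append(Finding(live, refs, same_size))
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_filefind(SAMPLE_LOG)):
        print("MISMATCH:", f.live.path, f.live.md5)
        for r in f.references:
            print("  reference:", r.path, r.md5)
        print("  same size as a reference:", f.same_size)
```
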


I get an error during combofix Error opening C:\32788r22fwjfw\License\iexplorer.exe

When I ignore error, I don't have an updated Combofix file.


I fixed the issue, but combo doesn't seem to save a new log


.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Steam\SteamService.exe

.

**************************************************************************

.

Completion time: 2012-08-05 12:36:30 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-05 16:36

.

Pre-Run: 315,740,917,760 bytes free

Post-Run: 316,381,765,632 bytes free

.

- - End Of File - - FE0E7A77E01C6B184D820D5C252CAEED

Running from: c:\users\Chris n Mimi\Downloads\ComboFix.exe

You didn't create and run the CFScript.txt and you're also not running ComboFix from your desktop as instructed to.

Attached is the CFScript.txt, download it to your desktop and also move ComboFix there.

Now................

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


Sorry, Just required a restart, No Idea... Sorry buddy :)

ComboFix 12-08-05.02 - Chris n Mimi 05/08/2012 14:27:03.1.2 - x64

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.4091.2807 [GMT -4:00]

Running from: c:\users\Chris n Mimi\Desktop\ComboFix.exe

Command switches used :: c:\users\Chris n Mimi\Desktop\CFScript.txt.txt

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\@

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\L\00000004.@

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\L\1afb2d56

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\L\201d3dde

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U\00000004.@

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U\00000008.@

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U\000000cb.@

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U\80000000.@

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U\80000032.@

c:\windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U\80000064.@

.

.

--------------- FCopy ---------------

.

c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe --> c:\windows\System32\services.exe

.

((((((((((((((((((((((((( Files Created from 2012-07-05 to 2012-08-05 )))))))))))))))))))))))))))))))

.

.

2012-08-05 18:33 . 2012-08-05 18:34 -------- d-----w- c:\users\Chris n Mimi\AppData\Local\temp

2012-08-05 18:33 . 2012-08-05 18:33 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-02 18:04 . 2012-08-02 18:04 -------- d-----w- c:\users\Chris n Mimi\AppData\Roaming\Malwarebytes

2012-08-02 18:03 . 2012-08-02 18:03 -------- d-----w- c:\programdata\Malwarebytes

2012-08-02 18:03 . 2012-08-02 18:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-08-02 18:03 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-01 07:00 . 2012-08-01 07:00 -------- d-----w- c:\program files (x86)\ConvertHelper

2012-08-01 06:53 . 2012-08-01 06:57 -------- d-----w- c:\users\Chris n Mimi\dwhelper

2012-07-23 21:54 . 2012-08-05 16:46 -------- d-----w- c:\users\Chris n Mimi\AppData\Local\ElevatedDiagnostics

2012-07-18 03:56 . 2012-07-18 03:56 -------- d-----w- c:\program files\Speccy

2012-07-18 01:57 . 2012-08-05 17:22 -------- d-----w- c:\users\UpdatusUser

2012-07-18 01:56 . 2012-05-15 09:29 889664 ----a-w- c:\windows\system32\nvvsvc.exe

2012-07-18 01:56 . 2012-05-15 09:29 63296 ----a-w- c:\windows\system32\nvshext.dll

2012-07-18 01:56 . 2012-05-15 09:29 2561856 ----a-w- c:\windows\system32\nvsvcr.dll

2012-07-18 01:56 . 2012-05-15 09:29 118080 ----a-w- c:\windows\system32\nvmctray.dll

2012-07-18 01:56 . 2012-05-15 09:29 3149632 ----a-w- c:\windows\system32\nvsvc64.dll

2012-07-18 01:56 . 2012-05-15 09:28 6151488 ----a-w- c:\windows\system32\nvcpl.dll

2012-07-18 01:56 . 2012-05-15 10:48 68928 ----a-w- c:\windows\system32\OpenCL.dll

2012-07-18 01:56 . 2012-05-15 10:48 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll

2012-07-18 01:56 . 2012-07-18 01:56 -------- d-----w- c:\programdata\NVIDIA Corporation

2012-07-18 01:51 . 2012-07-18 01:51 -------- d-----w- c:\program files\CCleaner

2012-07-15 14:26 . 2012-07-15 14:47 -------- d-----w- c:\program files (x86)\Rosetta Stone

2012-07-15 14:12 . 2012-07-15 14:23 -------- d-----w- C:\rosetta

2012-07-12 14:54 . 2012-07-12 14:54 -------- d-----w- c:\program files (x86)\Xiph.Org

2012-07-12 14:54 . 2012-07-12 14:54 -------- d-----w- c:\program files (x86)\TVersity Codec Pack

2012-07-12 14:53 . 2012-07-12 14:53 -------- d-----w- c:\program files (x86)\Conduit

2012-07-12 14:53 . 2012-07-12 14:53 -------- d-----w- c:\users\Chris n Mimi\AppData\Local\Conduit

2012-07-12 14:53 . 2012-07-12 14:53 -------- d-----w- c:\program files (x86)\TVersitybar

2012-07-12 14:53 . 2012-07-12 14:53 -------- d-----w- c:\programdata\TVersity

2012-07-10 11:27 . 2012-07-10 11:27 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-03 15:03 . 2012-04-30 02:39 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-03 15:03 . 2012-04-30 02:39 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-05-21 06:42 . 2012-05-21 06:42 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{66bd2442-241b-44cd-8c7a-b51037053cdb}"= "c:\program files (x86)\TVersitybar\prxtbTVer.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{66bd2442-241b-44cd-8c7a-b51037053cdb}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{66bd2442-241b-44cd-8c7a-b51037053cdb}]

2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\TVersitybar\prxtbTVer.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{66bd2442-241b-44cd-8c7a-b51037053cdb}"= "c:\program files (x86)\TVersitybar\prxtbTVer.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{66bd2442-241b-44cd-8c7a-b51037053cdb}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-05-14 880496]

"Facebook Update"="c:\users\Chris n Mimi\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]

"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-05 1353080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"CloneCDTray"="c:\program files (x86)\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]

.

c:\users\Chris n Mimi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-5-14 576000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-18 113120]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-05 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 15:03]

.

2012-08-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4203899070-259090772-3981430821-1000Core.job

- c:\users\Chris n Mimi\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-31 00:39]

.

2012-08-04 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4203899070-259090772-3981430821-1000UA.job

- c:\users\Chris n Mimi\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-05-31 00:39]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\Chris n Mimi\AppData\Roaming\Mozilla\Firefox\Profiles\dpdtnpbh.default\

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\programdata\TVersity\Media Server\MediaServer.exe

.

**************************************************************************

.

Completion time: 2012-08-05 14:38:26 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-05 18:38

ComboFix2.txt 2012-08-05 16:36

.

Pre-Run: 316,415,520,768 bytes free

Post-Run: 316,439,330,816 bytes free

.

- - End Of File - - D757A3F2CECAD822468669032549A5D9


Looks Good...

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Then.....

Run another scan with RogueKiller and post the log, MrC

Please let me know how computer is running now, MrC


:(

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.02.07

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Chris n Mimi :: CHRISNMIMI-PC [administrator]

05/08/2012 2:48:24 PM

mbam-log-2012-08-05 (14-48-24).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 547132

Time elapsed: 39 minute(s), 13 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir (Trojan.0access) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\Windows\Installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

Restarting then posting rogue


RogueKiller V7.6.5 [08/03/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User: Chris n Mimi [Admin rights]

Mode: Scan -- Date: 08/05/2012 15:32:59

¤¤¤ Bad processes: 2 ¤¤¤

[SUSP PATH] MediaServer.exe -- C:\ProgramData\TVersity\Media Server\MediaServer.exe -> KILLED [TermProc]

[RESIDUE] MediaServer.exe -- C:\ProgramData\TVersity\Media Server\MediaServer.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 4 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\windows\installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\L --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BEVT-22ZAT0 ATA Device +++++

--- User ---

[MBR] e34142bfadc0fd026db88ba655e4981c

[BSP] 531d0b34e5551103c06668de331de7b0 : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13000 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 26626048 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 26830848 | Size: 463838 Mo

3 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 250 | Size: 198 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[6].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;

RKreport[6].txt


Run RogueKiller and delete these:

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] U : c:\windows\installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{30639c85-cbb6-9e72-5d3f-ed6d208e99ac}\L --> FOUND

MrC


How are we doing??

Do you still need help or can I close this post??

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
