Request for help on a security check

FrankMW · December 1, 2013

Hello,

I have been noticing a serious downgrade in my laptop performance in the past months as well as several worrying symptoms: sudden freezes (for c.10-15 seconds) when surfing the Internet, long startup time, strong hard drive and fan activity even when not using the computer, sudden CPU spikes... On top of that, I have also noticed that sometimes, my browser (I use Firefox) refuses to launch. It usually happens when I kind of "rush" at Windows startup. When I do so, killing the Firefow process in the task manager and relaunching doesn't help as nothing happens when I try to launch it again, I have no choice but rebooting my computer to make it work.

I ran MBAM scan, nothing was found. Same result with my antivirus.

In case it might help, I already found infected files in the past using MBAM (notably "Trojan.backdoor", "Spyware.Passwords.XGen" and "Rootkit.TDSS") but as the programm said that they were "Quarantined and deleted successfully", I thought that was ok. As I start learning more about malware, I understand now that was maybe not sufficient and there may be malicious software remaining hidden deeper.

Please find below the DDS logs as advised on https://forums.malwarebytes.org/index.php?showtopic=9573 .

Many thanks in advance to the expert who will help me, this is really much appreciated.

Best,

FM

DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16520 BrowserJavaVersion: 10.9.2
Run by Aurélien at 16:12:58 on 2013-12-01
Microsoft® Windows Vista™ Édition Familiale Premium   6.0.6002.2.1252.33.1036.18.3036.1412 [GMT 1:00]
.
AV: Protection antivirus et antispyware McAfee *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: Protection antivirus et antispyware McAfee *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Pare-feu McAfee *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\PGP Corporation\PGP Desktop\RDDService.exe
C:\Windows\system32\PGPserv.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Aurélien\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conime.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
c:\PROGRA~1\mcafee\SITEAD~1\saui.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.

uWindow Title = Internet Explorer, optimized for Bing and MSN

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Shareaza Web Download Hook: {0EEDB912-C5FA-486F-8334-57288578C627} - e:\programmes\shareaza\RazaWebHook32.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - <orphaned>
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [spotify Web Helper] "c:\users\aurélien\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [sVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosSENotify.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [HSON] c:\program files\toshiba\tbs\HSON.exe
mRun: [smoothView] c:\program files\toshiba\smoothview\SmoothView.exe
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Teco] "c:\program files\toshiba\teco\Teco.exe" /r
mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe /hide:60
mRun: [TPCHWMsg] c:\program files\toshiba\tphm\TPCHWMsg.exe
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [cfFncEnabler.exe] "c:\program files\toshiba\configfree\cfFncEnabler.exe"
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaReminder.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ToolboxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [TOSHIBA Online Product Information] c:\program files\toshiba\toshiba online product information\topi.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.130\SSScheduler.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Download with &Shareaza - e:\programmes\shareaza\RazaWebHook32.dll/3000
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/709-44555-9400-3/4
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\PGPlsp.dll

TCP: NameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{7ABB6096-5921-4A4A-BF26-2CD2B1882440} : DHCPNameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{F70B4991-92CD-4F5C-941B-590AEF0ABA6B} : DHCPNameServer = 192.168.1.1 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
AppInit_DLLs= c:\progra~1\google\google~3\GOEC62~1.DLL PGPmapih.dll
LSA: Notification Packages = scecli PGPpwflt
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\aurélien\appdata\roaming\mozilla\firefox\profiles\xejwguz7.default\
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2012-10-3 64832]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 565888]
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2011-1-12 136824]
R0 Pgpwdefs;Pgpwdefs;c:\windows\system32\drivers\PGPwdefs.sys [2011-1-12 13432]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-10-25 108816]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-11-10 210608]
R1 RapportCerberus_59849;RapportCerberus_59849;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_59849.sys [2013-11-24 340432]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-10-25 157264]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-10-25 230448]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-26 176128]
R2 camsvc;TOSHIBA Web Camera Service;c:\program files\toshiba\toshiba web camera application\TWebCameraSrv.exe [2009-8-26 20544]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 FontCache;Service de cache de police Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2010-4-12 142336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-10 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-10 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-10 167784]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-10 167784]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-11-10 203840]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-11-10 169320]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-11-10 172416]
R2 PGP RDD Service;PGP RDD Service;c:\program files\pgp corporation\pgp desktop\RDDService.exe [2011-1-12 166520]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-10-25 1444120]
R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2009-3-23 116104]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-8-26 62776]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-4-24 176128]
R2 TOSHIBA HDD SSD Alert Service;Service TOSHIBA HDD SSD Alert;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-3-17 73728]
R2 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-4-15 656752]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-3-20 12920]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-11-10 60920]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-11-10 235264]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-11-10 363080]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-8-26 22272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-6-8 30192]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-10-3 146872]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [2011-9-10 20504]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hppcfaxio.sys [2011-9-10 21528]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.130\McCHSvc.exe [2013-9-6 235216]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-11-10 65928]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-11-10 92632]
S3 WPFFontCache_v0400;Cache de police de Windows Presentation Foundation 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-12-01 14:24:18   62576   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{c299f2e9-0b76-40b2-a877-29189d413d6e}\offreg.dll
2013-12-01 14:13:07   7772552   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{c299f2e9-0b76-40b2-a877-29189d413d6e}\mpengine.dll
2013-11-24 23:02:59   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2013-11-24 22:20:24   --------   d-----w-   c:\windows\system32\MRT
2013-11-15 23:06:53   297984   ----a-w-   c:\windows\system32\gdi32.dll
2013-11-15 23:06:45   993792   ----a-w-   c:\windows\system32\crypt32.dll
2013-11-15 23:06:30   596480   ----a-w-   c:\windows\system32\FWPUCLNT.DLL
2013-11-15 23:06:30   444928   ----a-w-   c:\windows\system32\IKEEXT.DLL
.
==================== Find3M ====================
.
2013-11-11 04:50:18   230048   ------w-   c:\windows\system32\MpSigStub.exe
2013-10-25 01:34:18   108816   ----a-w-   c:\windows\system32\drivers\RapportKELL.sys
2013-10-13 09:48:06   1806848   ----a-w-   c:\windows\system32\jscript9.dll
2013-10-13 09:35:38   1129472   ----a-w-   c:\windows\system32\wininet.dll
2013-10-13 09:30:14   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2013-10-13 09:29:02   420864   ----a-w-   c:\windows\system32\vbscript.dll
2013-10-13 09:25:39   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2013-10-12 10:40:44   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-12 10:40:44   692616   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-02-18 20:56:20   4126720   ----a-w-   c:\program files\GUT4FA3.tmp
2006-05-03 11:06:54   163328   --sha-r-   c:\windows\system32\flvDX.dll
2007-02-21 12:47:16   31232   --sha-r-   c:\windows\system32\msfDX.dll
2008-03-16 14:30:52   216064   --sha-r-   c:\windows\system32\nbDX.dll
2010-01-06 23:00:00   107520   --sha-r-   c:\windows\system32\TAKDSDecoder.dll
.
============= FINISH: 16:13:27,18 ===============

Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Édition Familiale Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 26/08/2009 12:00:59
System Uptime: 01/12/2013 14:50:30 (2 hours ago)
.
Motherboard: TOSHIBA | | KTWAA
Processor: Intel® Core2 Duo CPU T6500 @ 2.10GHz | U2E1 | 2100/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 186 GiB total, 59,561 GiB free.
E: is FIXED (NTFS) - 185 GiB total, 137,555 GiB free.
F: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP837: 29/09/2013 18:14:38 - Removed Bing Bar
RP838: 06/10/2013 21:30:51 - Windows Update
RP840: 08/10/2013 22:45:04 - Installed Rapport
RP841: 12/10/2013 12:46:57 - Windows Update
RP842: 19/10/2013 12:11:03 - Windows Update
RP843: 27/10/2013 22:59:43 - Windows Update
RP844: 31/10/2013 14:53:23 - Windows Update
RP845: 03/11/2013 13:42:10 - Point de contrôle planifié
RP846: 04/11/2013 12:30:57 - Point de contrôle planifié
RP847: 09/11/2013 11:37:43 - Windows Update
RP848: 16/11/2013 00:07:26 - Windows Update
RP849: 23/11/2013 18:54:55 - Windows Update
RP851: 24/11/2013 22:57:49 - Installed Rapport
RP852: 24/11/2013 23:19:36 - Windows Update
RP853: 01/12/2013 15:11:40 - Windows Update
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.8) - Français
Adobe Shockwave Player 11.5
AGEIA PhysX v7.11.13
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applian FLV Player
ASIO4ALL
ATI Catalyst Install Manager
AxCrypt 1.7.2976.0
Baldur's Gate II - Throne of Bhaal
BlackBerry Desktop Software 5.0.1
BlackBerry USB and Modem Drivers 6.0
BlackBerry® Media Sync
Bonjour
C-Dilla Licence Management System
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
CD Recovery Toolbox Free 2.0
Citrix Presentation Server Client
Configuration DivX
Deckadance
Fallout: New Vegas
Far Cry
FL Studio 10
Frontlines: Fuel of War
Google Chrome
Google Desktop
Google Earth Plug-in
Google Update Helper
Guitar Pro 4
Hardcore
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP LaserJet Professional CM1410 Series
HP LJ CM1410 MFP Series HP Scan
HPLaserJetHelp_LearnCenter
HPLJUT
hppCM1410LaserJetService
hppFaxDrvCM1410
hppFaxUtilityCM1410
hppLaserJetService
hppSendFaxCM1410
hppTLBXFXCM1410
hpzTLBXFX
I.R.I.S. OCR
IL Download Manager
IL Harmless
Intel® Matrix Storage Manager
IsoBuster 3.2
iThmb Converter version 1.75.0.563
iTunes
Java 7 Update 9
Java Auto Updater
Jeux WildTangent
Logiciel d'archivage WinRAR
Logitech Vid
Logitech Webcam Software
Malwarebytes Anti-Malware version 1.75.0.1300
Manuels TOSHIBA
Maximus
McAfee Security Scan Plus
McAfee Total Protection
MediaCoder 2011
Microsoft .NET Framework 3.5 Language Pack SP1 - fra
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile FRA Language Pack
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (French) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (French) 2007
Microsoft Office OneNote MUI (French) 2007
Microsoft Office Outlook MUI (French) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office PowerPoint Viewer 2007 (French)
Microsoft Office Professional Plus 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (French) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Works
Mise à jour Microsoft Office Excel 2007 Help (KB963678)
Mise à jour Microsoft Office Outlook 2007 Help (KB963677)
Mise à jour Microsoft Office Powerpoint 2007 Help (KB963669)
Mise à jour Microsoft Office Word 2007 Help (KB963665)
Module de compatibilité pour Microsoft Office System 2007
Module linguistique Microsoft .NET Framework 3.5 SP1- fra
Module linguistique Microsoft .NET Framework 4 Client Profile FRA
Mozilla Firefox 25.0.1 (x86 fr)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
myphotobook 3.65
PDFCreator
PGP Desktop
Picasa 2
PlayReady PC runtime
PoiZone
QuickTime
RAD Video Tools
Rapport
Realtek 8136 8168 8169 Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Safari
Sakura
Sawer
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2861188)
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2827329) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office Outlook 2007 (KB2825644) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2827330) 32-Bit Edition
Security Update for Module linguistique Microsoft .NET Framework 4 Client Profile FRA (KB2478663)
Security Update for Module linguistique Microsoft .NET Framework 4 Client Profile FRA (KB2518870)
Shareaza 2.5.5.0
Shared C Run-time for x86
Sid Meier's Civilization 4
Skins
Skype Click to Call
Skype™ 5.10
Spotify
Steam
SUPER © v2011.build.49 (July 1st, 2011) version v2011.build.49
The Elder Scrolls V: Skyrim
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA eco Utility
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Mot de passe responsable
Toshiba Online Product Information
TOSHIBA PC Health Monitor
TOSHIBA Recovery Disc Creator
TOSHIBA Recovery Disk Creator Reminder
TOSHIBA SD Memory Utilities
TOSHIBA Service Station
TOSHIBA Supervisor Password
Toshiba TEMPRO
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
Toxic Biohazard
TRORDCLauncher
Trusteer Sécurité des points d'accès
Universalis 10
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2825642) 32-Bit Edition
Utility Common Driver
VC80CRTRedist - 8.0.50727.6195
VLC media player 1.1.7
Windows Live ID Sign-in Assistant
Windows Media Player Firefox Plugin
WinHTTrack Website Copier 3.47-19
Xvid Video Codec
ZHPDiag 1.31
.
==== End Of File ===========================

Maniac · December 1, 2013

Hello FrankMW and :welcome: ! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
Make sure you read all of the instructions and fixes thoroughly before continuing with them.
Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

FrankMW · December 1, 2013

Hello Borislav,

and many thanks for your help.

I would like to proceed with you. I understand the risks and the fact that it might not completely fix the issue, still I would like to try this option before pursuing the formating route.

As a side note, there are also a few things I wanted to ask you.

When talking about the nasty infection, are you referring to the Rootkit.TDSS, or the Trojan.backdoor (or both maybe) ? The reason for the question is the following : the Rootkit.tdss seems to come from surfing on the internet, while the second one was inside a file that was shared on my college network, which means that in the latter case the hacker may be someone I (more or less) knew. As a result I am also interested in knowing what such malware can or cannot do (for instance, are they active only when the pc is connected on a network, or can they spy on offline activity?).

I am very grateful for your help and answers.

Maniac · December 2, 2013

When talking about the nasty infection, are you referring to the Rootkit.TDSS, or the Trojan.backdoor (or both maybe) ?

The problem is the same with both of them.

As a result I am also interested in knowing what such malware can or cannot do (for instance, are they active only when the pc is connected on a network, or can they spy on offline activity?).

They keep spying on you, but couldn't send this data if you are not connected to Internet.

Please download Malwarebytes Anti-Rootkit from here

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

FrankMW · December 2, 2013

Thanks for your answer.

I am not completely clear on to which extent can such malware spy on you. Let's say you transfer some data from an external drive on a pc you have turned offline, you encrypt this data, burn it on a CD and then erase it from your drive. For the whole process the pc remains offline. Is it possible for a malware, say, to watch for the use of encrypting tools like Axcrypt or PGP to turn active, make a secret copy of the files you want to protect when you try to encrypt them, store them somewhere on the computer and send it on a server as soon as internet is turned on again ? I know it might sound kind of extreme but the reports I have been reading about rootkit and stuff are quite alarming I must say.

Or for a maybe more realistic hypothesis, could such malware wait for any encrypted file to be decrypted and, when it is done, copy the clear file and send it to the hacker ? If this is possible, is it at least common or rather theoretical?

I have made the analysis with the anti-rootkit, I will post the two logs below. Nothing was found except at launch, I had an alert saying that appinit_dlls could be a rootkit.

Last point, I realised my Firefox usually freezes at the same time: when some advertising (adress in the style of "googlead.syndication" or something) is downloaded on the site I am starting to browse. Happened again tonight right after I made the anti rootkit scan.

Many thanks,

FM

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.12.02.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Aurélien :: PC-DE-AURÉLIEN [administrator]

02/12/2013 22:57:07
mbar-log-2013-12-02 (22-57-07).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 233736
Time elapsed: 18 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.094000 GHz
Memory total: 3183407104, free: 1711095808

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.094000 GHz
Memory total: 3183407104, free: 1739444224

Downloaded database version: v2013.12.02.10
Downloaded database version: v2013.10.11.02
=======================================
Initializing...
------------ Kernel report ------------
     12/02/2013 22:57:01
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\DRIVERS\LPCFilter.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\pciide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PGPfsfd.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\system32\DRIVERS\Pgpwdefs.sys
\SystemRoot\System32\Drivers\PGPwded.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\TVALZ_O.SYS
\SystemRoot\system32\DRIVERS\tos_sps32.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\RapportKELL.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\McPvDrv.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\Rtlh86.sys
\SystemRoot\system32\DRIVERS\NETw5v32.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\Apfiltr.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\tdcmdpst.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\TVALZFL.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\pgeffect.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\Drivers\RootMdm.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\RimSerial.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RtHDMIV.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\RTKVHDA.sys
\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_59849.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\mfewfpk.sys
\SystemRoot\system32\drivers\mfetdik.sys
\SystemRoot\System32\Drivers\Mpfp.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\ipfltdrv.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
\??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\system32\drivers\mfefirek.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\udfs.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\PGPdisk.SYS
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\PGPsdk.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\LVPr2Mon.sys
\SystemRoot\system32\drivers\cfwids.sys
\SystemRoot\system32\drivers\HipShieldK.sys
\SystemRoot\system32\drivers\mfeapfk.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8822c710
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xffffffff8635e028
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8822c710, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff887ae018, DeviceName: Unknown, DriverName: \Driver\PGPwded\
DevicePointer: 0xffffffff8822c3f8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8822c710, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff8635e028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: ACF99BD0

Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 3072000

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 3074048 Numsec = 390711296
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 393785344 Numsec = 387637248

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

Disk Size: 400088457216 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-781402768-781422768)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_3074048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished

Maniac · December 3, 2013

Or for a maybe more realistic hypothesis, could such malware wait for any encrypted file to be decrypted and, when it is done, copy the clear file and send it to the hacker ? If this is possible, is it at least common or rather theoretical?

It couldn't be so smart.

Step 1

Please download the latest version of TDSSKiller from here and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
Put a checkmark beside loaded modules.
A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
Then click on Change parameters in TDSSKiller.
Check all boxes then click OK.
Click the Start Scan button.
The scan should take no longer than 2 minutes.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2

Download on the desktop RogueKiller
Quit all programs
Start RogueKiller.exe
Wait until Prescan has finished ...
Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.

Note: Don't fix anything without my instructions

In your next reply, post the following log files:

TDSSKiller log
RogueKiller log

FrankMW · December 3, 2013

It couldn't be so smart.

That's a relief. Malware seem so elaborate these days, I was assuming that was possible. At least some of my data should be safe.

Please find below the two logs. I will post them separately as I get a message saying my post is too long other wise.

Thanks.

FrankMW · December 3, 2013

RogueKiller V8.7.9 [Nov 25 2013] par Tigzy
mail : tigzyRK<at>gmail<dot>com
Remontees : http://www.adlice.com/forum/
Site Web : http://www.sur-la-toile.com/RogueKiller/
Blog : http://tigzyrk.blogspot.com/

Systeme d'exploitation : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Demarrage : Mode normal
Utilisateur : Aurélien [Droits d'admin]
Mode : Recherche -- Date : 12/04/2013 00:24:28
| ARK || FAK || MBR |

¤¤¤ Processus malicieux : 0 ¤¤¤

¤¤¤ Entrees de registre : 1 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> TROUVÉ

¤¤¤ Tâches planifiées : 0 ¤¤¤

¤¤¤ Entrées Startup : 0 ¤¤¤

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver : [CHARGE] ¤¤¤
[inline] IAT @explorer.exe (FindNextFileW) : KERNEL32.dll -> HOOKED (Unknown @ 0x001407B8)
[inline] IAT @explorer.exe (LoadLibraryA) : KERNEL32.dll -> HOOKED (Unknown @ 0x016B03B8)
[inline] IAT @explorer.exe (LoadLibraryW) : KERNEL32.dll -> HOOKED (Unknown @ 0x00140B70)
[inline] IAT @explorer.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (Unknown @ 0x00140AF9)
[inline] IAT @explorer.exe (CreateProcessW) : KERNEL32.dll -> HOOKED (Unknown @ 0x00140BE7)
[inline] IAT @explorer.exe (OpenProcess) : KERNEL32.dll -> HOOKED (Unknown @ 0x016B0077)
[inline] IAT @explorer.exe (LoadImageW) : USER32.dll -> HOOKED (Unknown @ 0x001406CA)
[inline] IAT @explorer.exe (ShellExecuteExW) : SHELL32.dll -> HOOKED (Unknown @ 0x00140741)
[inline] IAT @explorer.exe (CoGetClassObject) : ole32.dll -> HOOKED (Unknown @ 0x00140653)
[inline] EAT @explorer.exe (LdrGetProcedureAddress) : ntdll.dll -> HOOKED (Unknown @ 0x00140CD5)
[inline] EAT @explorer.exe (LdrLoadDll) : ntdll.dll -> HOOKED (Unknown @ 0x00140400)
[inline] EAT @explorer.exe (NtProtectVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x00140D4C)
[inline] EAT @explorer.exe (NtSetSecurityObject) : ntdll.dll -> HOOKED (Unknown @ 0x00140477)
[inline] EAT @explorer.exe (ZwProtectVirtualMemory) : ntdll.dll -> HOOKED (Unknown @ 0x00140D4C)
[inline] EAT @explorer.exe (ZwSetSecurityObject) : ntdll.dll -> HOOKED (Unknown @ 0x00140477)
[inline] EAT @explorer.exe (CreateFileA) : kernel32.dll -> HOOKED (Unknown @ 0x0014091D)
[inline] EAT @explorer.exe (CreatePipe) : kernel32.dll -> HOOKED (Unknown @ 0x00140A0B)
[inline] EAT @explorer.exe (CreateProcessA) : kernel32.dll -> HOOKED (Unknown @ 0x016B0000)
[inline] EAT @explorer.exe (CreateProcessW) : kernel32.dll -> HOOKED (Unknown @ 0x00140BE7)
[inline] EAT @explorer.exe (CreateRemoteThread) : kernel32.dll -> HOOKED (Unknown @ 0x016B0165)
[inline] EAT @explorer.exe (FindNextFileW) : kernel32.dll -> HOOKED (Unknown @ 0x001407B8)
[inline] EAT @explorer.exe (GetProcAddress) : kernel32.dll -> HOOKED (Unknown @ 0x00140AF9)
[inline] EAT @explorer.exe (GetStartupInfoA) : kernel32.dll -> HOOKED (Unknown @ 0x00140A82)
[inline] EAT @explorer.exe (HeapCreate) : kernel32.dll -> HOOKED (Unknown @ 0x016B01DC)
[inline] EAT @explorer.exe (LoadLibraryA) : kernel32.dll -> HOOKED (Unknown @ 0x016B03B8)
[inline] EAT @explorer.exe (LoadLibraryW) : kernel32.dll -> HOOKED (Unknown @ 0x00140B70)
[inline] EAT @explorer.exe (LoadModule) : kernel32.dll -> HOOKED (Unknown @ 0x00140C5E)
[inline] EAT @explorer.exe (OpenProcess) : kernel32.dll -> HOOKED (Unknown @ 0x016B0077)
[inline] EAT @explorer.exe (PeekNamedPipe) : kernel32.dll -> HOOKED (Unknown @ 0x00140994)
[inline] EAT @explorer.exe (ReadProcessMemory) : kernel32.dll -> HOOKED (Unknown @ 0x016B00EE)
[inline] EAT @explorer.exe (VirtualAllocEx) : kernel32.dll -> HOOKED (Unknown @ 0x00140F28)
[inline] EAT @explorer.exe (VirtualAllocExNuma) : kernel32.dll -> HOOKED (Unknown @ 0x016B0341)
[inline] EAT @explorer.exe (VirtualProtect) : kernel32.dll -> HOOKED (Unknown @ 0x00140E3A)
[inline] EAT @explorer.exe (VirtualProtectEx) : kernel32.dll -> HOOKED (Unknown @ 0x00140EB1)
[inline] EAT @explorer.exe (WinExec) : kernel32.dll -> HOOKED (Unknown @ 0x00140DC3)
[inline] EAT @explorer.exe (NdrServerInitialize) : RPCRT4.dll -> HOOKED (Unknown @ 0x0014082F)
[inline] EAT @explorer.exe (NdrStubCall2) : RPCRT4.dll -> HOOKED (Unknown @ 0x001408A6)
[inline] EAT @explorer.exe (PlayEnhMetaFileRecord) : GDI32.dll -> HOOKED (Unknown @ 0x001405DC)
[inline] EAT @explorer.exe (LoadImageW) : USER32.dll -> HOOKED (Unknown @ 0x001406CA)
[inline] EAT @explorer.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (Unknown @ 0x001404EE)
[inline] EAT @explorer.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (Unknown @ 0x00140565)
[inline] EAT @explorer.exe (system) : msvcrt.dll -> HOOKED (Unknown @ 0x016B0253)
[inline] EAT @explorer.exe (ShellExecuteExW) : SHELL32.dll -> HOOKED (Unknown @ 0x00140741)
[inline] EAT @explorer.exe (CoGetClassObject) : ole32.dll -> HOOKED (Unknown @ 0x00140653)
[inline] EAT @explorer.exe (bind) : WS2_32.dll -> HOOKED (Unknown @ 0x016B060B)
[inline] EAT @explorer.exe (recv) : WS2_32.dll -> HOOKED (Unknown @ 0x016B0594)
[inline] EAT @explorer.exe (select) : WS2_32.dll -> HOOKED (Unknown @ 0x016B051D)
[inline] EAT @explorer.exe (send) : WS2_32.dll -> HOOKED (Unknown @ 0x016B04A6)
[inline] EAT @explorer.exe (socket) : WS2_32.dll -> HOOKED (Unknown @ 0x016B042F)
[inline] EAT @explorer.exe (CompatFlagsFromClsid) : urlmon.dll -> HOOKED (Unknown @ 0x016B07E7)
[inline] EAT @explorer.exe (InternetOpenA) : WININET.dll -> HOOKED (Unknown @ 0x016B0770)
[inline] EAT @explorer.exe (InternetOpenUrlA) : WININET.dll -> HOOKED (Unknown @ 0x016B06F9)
[inline] EAT @explorer.exe (InternetReadFile) : WININET.dll -> HOOKED (Unknown @ 0x016B0682)
[inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x35F7AF66)
[inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x35F7AF66)
[inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x35F7AF66)
[inline] EAT @explorer.exe (OpenColorProfileW) : mscms.dll -> HOOKED (Unknown @ 0x016B08D5)

¤¤¤ Ruches Externes: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ Fichier HOSTS: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS545040B9A300 +++++
--- User ---
[MBR] 9bfd5eb4223161fde2425a59b307fdae
[bSP] 686d1a45e81a0255bbbdba93cbbe1bc8 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 190777 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 393785344 | Size: 189276 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Termine : << RKreport[0]_S_12042013_002428.txt >>

I can't post the other log, I get an error telling me my post is too long!

Maniac · December 4, 2013

Okay, please attach it to your next reply.

FrankMW · December 4, 2013

Good evening,

please find the report attached.

Best,

FM

TDSSKiller.3.0.0.19_03.12.2013_23.59.39_log.txt

Maniac · December 5, 2013

Thanks!

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

Once you've read the article and are ready to use the program you can download it directly from the link below.
Important! - Please make sure you save combofix to your desktop and do not run it from your browser
Direct download link for: ComboFix.exe
Please make sure you disable your security applications before running ComboFix.
Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
Please copy/paste the contents or attach that log file to your next reply.
If needed the file can be located here: C:\combofix.txt
NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

FrankMW · December 5, 2013

Ok I will launch this analysis and post the results.

What do you understand from the RogueKiller log? I am quite puzzled by all these hooks.

Maniac · December 5, 2013

Looks good.

FrankMW · December 5, 2013

Good news!

Please find below the CF report.

ComboFix 13-12-04.04 - Aurélien 05/12/2013 23:24:11.1.2 - x86
Microsoft® Windows Vista™ Édition Familiale Premium   6.0.6002.2.1252.33.1036.18.3036.2021 [GMT 1:00]
Lancé depuis: c:\users\AurÚlien\Desktop\ComboFix.exe
AV: Protection antivirus et antispyware McAfee *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: Pare-feu McAfee *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: Protection antivirus et antispyware McAfee *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Un nouveau point de restauration a été créé
.
   /wow section - STAGE 7
Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.
Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.
Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.
Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.
Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.
Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.
Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.
.
.
((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\VirusScan
.
.
(((((((((((((((((((((((((((((   Fichiers créés du 2013-11-05 au 2013-12-05 ))))))))))))))))))))))))))))))))))))
.
.
2013-12-05 22:42 . 2013-12-05 22:43   --------   d-----w-   c:\users\Aurélien\AppData\Local\temp
2013-12-05 22:42 . 2013-12-05 22:42   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-12-03 22:50 . 2013-11-08 01:15   7772552   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F7D08FEA-3A28-4177-9D0F-EA6EA2062D81}\mpengine.dll
2013-12-02 21:57 . 2013-12-02 22:22   --------   d-----w-   c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-02 21:57 . 2013-12-02 21:57   105176   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-12-02 21:53 . 2013-12-02 21:53   75992   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2013-11-24 23:02 . 2013-10-13 09:35   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2013-11-24 22:20 . 2013-11-24 22:24   --------   d-----w-   c:\windows\system32\MRT
2013-11-15 23:06 . 2013-10-03 12:45   297984   ----a-w-   c:\windows\system32\gdi32.dll
2013-11-15 23:06 . 2013-10-03 12:45   993792   ----a-w-   c:\windows\system32\crypt32.dll
2013-11-15 23:06 . 2013-10-11 02:08   444928   ----a-w-   c:\windows\system32\IKEEXT.DLL
2013-11-15 23:06 . 2013-10-11 02:07   596480   ----a-w-   c:\windows\system32\FWPUCLNT.DLL
.
.
.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-11 04:50 . 2012-09-24 10:23   230048   ------w-   c:\windows\system32\MpSigStub.exe
2013-10-25 01:34 . 2013-10-25 01:34   108816   ----a-w-   c:\windows\system32\drivers\RapportKELL.sys
2013-10-12 10:40 . 2012-10-05 15:19   692616   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2013-10-12 10:40 . 2011-09-20 14:30   71048   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-18 20:56 . 2013-02-18 20:56   4126720   ----a-w-   c:\program files\GUT4FA3.tmp
2006-05-03 11:06   163328   --sha-r-   c:\windows\System32\flvDX.dll
2007-02-21 12:47   31232   --sha-r-   c:\windows\System32\msfDX.dll
2008-03-16 14:30   216064   --sha-r-   c:\windows\System32\nbDX.dll
2010-01-06 23:00   107520   --sha-r-   c:\windows\System32\TAKDSDecoder.dll
.
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2011-01-12 19:42   1056888   ----a-w-   c:\windows\System32\PGPfsshl.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Spotify Web Helper"="c:\users\Aurélien\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-11-10 1140736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2007-04-16 421888]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2008-11-21 438272]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-13 34088]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-04-23 1011712]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-06 468320]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-03-31 503808]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 729088]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-03-29 184320]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-04-24 1323008]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"TPCHWMsg"="c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe" [2009-04-15 570736]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-12 299008]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2009-03-23 1045904]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaReminder.exe" [2009-03-04 96144]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1278064]
"ToolboxFX"="c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe" [2010-04-16 58936]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-30 7289376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2013-01-30 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2013-02-13 1263952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-03-16 6158240]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.130\SSScheduler.exe [2013-9-6 273296]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-2-24 391072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ     scecli PGPpwflt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PGPtray.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PGPtray.exe.lnk
backup=c:\windows\pss\PGPtray.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06   958576   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-21 19:43   59720   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-07-23 12:37   648536   ----a-w-   c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-20 14:44   30192   ----a-w-   c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP LaserJet Professional CM1410 Series Fax]
2010-04-09 14:09   2460472   ------w-   c:\program files\HP\HP LaserJet Professional CM1410 series\Fax Driver\hppfaxprintersrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-05-31 09:56   152392   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2009-04-30 12:39   5472016   ----a-w-   c:\program files\Logitech\Logitech Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 08:35   2780432   ----a-w-   c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2013-03-13 16:40   1278064   ----a-w-   c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 02:12   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartFaceVWatcher]
2009-03-24 17:33   163840   ----a-w-   c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2013-11-10 12:19   1140736   ----a-w-   c:\users\Aurélien\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-04-21 19:25   61440   ----a-w-   c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-07-10 01:56   1672616   ----a-w-   c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 07:04   252848   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSHIBA Online Product Information]
2009-03-16 17:54   6158240   ----a-w-   c:\program files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TWebCamera]
2009-04-16 16:42   2513472   ----a-w-   c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
.
--- Autres Services/Pilotes en mémoire ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ     Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation   REG_MULTI_SZ     FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-24 22:33   1210320   ----a-w-   c:\program files\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contenu du dossier 'Tâches planifiées'
.
2013-12-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-05 10:40]
.
2013-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 15:33]
.
2013-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 15:33]
.
.
------- Examen supplémentaire -------
.

uInternet Settings,ProxyOverride = *.local

IE: Download with &Shareaza - e:\programmes\Shareaza\RazaWebHook32.dll/3000
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\PGPlsp.dll
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
FF - ProfilePath - c:\users\Aurélien\AppData\Roaming\Mozilla\Firefox\Profiles\xejwguz7.default\
.
- - - - ORPHELINS SUPPRIMES - - - -
.
HKLM-Run-McAfeeUpdaterUI - c:\program files\McAfee\Common Framework\UdaterUI.exe
SafeBoot-87999736.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-MSN Toolbar - c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-05 23:43
Windows 6.0.6002 Service Pack 2 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'Explorer.exe'(6140)
c:\windows\System32\PGPfsshl.dll
.
Heure de fin: 2013-12-05 23:48:15
ComboFix-quarantined-files.txt 2013-12-05 22:48
.
Avant-CF: 63 701 106 688 octets libres
Après-CF: 65 867 304 960 octets libres
.
- - End Of File - - 9220E9B171673F192058E11A84B97AC8
5C616939100B85E558DA92B899A0FC36

Maniac · December 6, 2013

Please scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
  Save it to your Desktop.
- Double click on the to download the ESET Smart Installer. icon on your Desktop.
Check "YES, I accept the Terms of Use."
Click the Start button.
Accept any security warnings from your browser.
Under Scan Settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.

FrankMW · December 8, 2013

Hi,

looks like there was something wrong at step 7 of combo fix, it that ok?

please find below log for ESET scan.

Best,

Aurélien

C:\Program Files\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe   Win32/Toolbar.Widgi application   cleaned by deleting - quarantined
C:\Users\Aurélien\AppData\Local\Mozilla\Firefox\Profiles\xejwguz7.default\Cache\8\E9\95F37d01   HTML/ScrInject.B.Gen virus   deleted - quarantined
C:\Users\Aurélien\Downloads\MediaCoder2011-R9-5198.zip   Win32/OpenCandy application   deleted - quarantined
C:\Users\Aurélien\Downloads\PDFCreator-1_2_3_setup.exe   multiple threats   cleaned by deleting - quarantined
C:\Users\Aurélien\Downloads\super_super_v2011_build_49_anglais_19891.exe   Win32/OpenCandy application   cleaned by deleting - quarantined
E:\Programmes\Media coder\MediaCoder2011-R9-5198.exe   Win32/OpenCandy application   cleaned by deleting - quarantined
E:\Telechargements\AxCrypt-1.7.2976.0-Setup.exe   Win32/OpenCandy application   cleaned by deleting - quarantined
E:\Telechargements\AxCrypt-Setup.exe   Win32/OpenCandy application   cleaned by deleting - quarantined

Maniac · December 8, 2013

It happens sometimes.

Please download the Kaspersky Virus Removal Tool from here to your Desktop.

Double-click the Removal Tool.

Click the cog in the upper right corner:

Select down to and including your main drive.

Once done please select the Automatic Scan tab and press Start Scan.

Allow AVP to delete all infections found.

Once it has finished select the Report tab.

Select the Detected threats report from the left and press the Save button.

Save it to your Desktop and post the contents in your next reply.

FrankMW · December 8, 2013

Ok I will do this analysis, thanks.

To my knowledge, the opencandy stuff is adware - do you know about the other threats found by ESET?

Maniac · December 11, 2013

Widgi.Toolbar installs some different applications that are used to collect data about user's surfing behaviour and generate personalized ads.

The main purpose of HTML/ScrInject.B is to modify webpages by inserting malicious iFrames into their HTML pages. The HTML iFrame element allows to plit the browser's window into different segments, each segment containing a different document. So when malicious iFrames are installed in particular webpages, it can result in flash advertisements that lead to other malware-related websites.

Please post your Kaspersky log.

FrankMW · December 13, 2013

Many thanks - Is there some kind of malware encyclopedia from where you can source this kind of information ?

Sorry for the delay, I will post the log in the coming days - I have tried to do the analysis before but had to cancel it as it was taking too long a time (c.14 hours !)

Maniac · December 13, 2013

No, there is not such a thing. Did you notice my avatar? This is the answer.

FrankMW · December 15, 2013

Haha good... actually I was not sure how reliable were the descriptions I could find as I know there are some fake anti-virus sites, but I am probably getting a bit too precautious.

Kapersky did not find anything apparently so I have no log about detected threats.

Looking at the automatic scan log, I can notice there are several files which are marked as "not processed" because they were either "locked" (hiberfil.sys, pagefile.sys) or "access denied" (c:\system Volume Information)

Maniac · December 15, 2013

They are system files and folders, so it is okay.

How are things now?

FrankMW · December 19, 2013

Not much better I must say... For what I understand (please correct me if I am wrong) from the logs I posted, it looks like the analyses did not find much malware on my computer.

Still it sounds like fan and drive are under heavy use. Looking at the performance monitor, I can see that my processor capacity is often used at almost 100% with no apparent reason. May the problem come from somewhere else? I

Maniac · December 19, 2013

As I said in my first post: "One or more of the identified infections is related to rootkit component". They could seriously harm your system.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Request for help on a security check

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information