"System tools" and "Memory fixer" virus causing multiple problems


Seeg

I was working on my computer when McAfee reported it blocked a trojan. I carried on and noticed there were two new programs installed. I quickly deleted the 2 programs and restarted my computer. They quickly took over my computer. Most things cause the computer to give error messages such as "Can't find hard disk space". Luckily I had malware installed. It tried to block me starting it but I went into C:/program files and changed the .exe file to winlogon.exe. That let me start the program. I did a quick scan once and it showed me 1 found file which I clicked "remove". I restarted my computer and came back to the same messed up desktop and the spam continuing. I started up Malware again and this time did a full scan. Nothing came up. Again I restarted and happened to look into the "quarantine" section and saw a file there. I thought maybe the virus put itself there and so I deleted it. I do a scan now and get nothing. So I'm lost as to what to do.

I do really appreciate you taking the time to read this.


Hi Seeg,

Welcome to the forums!!

Just a note up front:

Please copy/paste all requested scan logs (do NOT attach them)

Download TFC to your desktop

http://oldtimer.geekstogo.com/TFC.exe

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

Some background information on what we're planning to do can be found HERE

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Download OTL and save it on your desktop:

http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.
  • Do NOT touch your keyboard until the scan is done!!
  • It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.
  • Copy/Paste OTL.txt and attach Extras.txt into your next reply,
  • Exit OTL by clicking the X at top right.


Having the same problem, was on Wowhead when something popped up that said "test", it installed itself to my desktop, and on the bar, it showed an alert and memory fixer. While I may not be a computer wiz, I do know what is installed on my system. I started getting multiple alerts, and their program screen kept popping up. I deleted the "test" and when trying to run task manager to disable the program, found it had been disabled. Attempted a full scan on Malwarebytes but the virus kept rebooting my computer every 10 minutes. Was unable to uninstall memory fixer, said my C drive was missing. Ran a quick scan and found 50 infected files. The earlier attempts to run a full scan only found 8, so apparently it spread quickly. According to the log, there was one file, in the memory modules, that would have to be deleted manually, after a reboot. However, after rebooting, I could not find that file, and my computer is still acting hinky. I ran full scan with Malwarebytes and Panda Cloud and both said the system was clean. Log from Malwarebytes follows.....

Objects scanned: 143717

Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 1

Registry Keys Infected: 45

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 8

Memory Processes Infected:

c:\programdata\fexetwllhygf.exe (Trojan.FakeAlert) -> 1272 -> Unloaded process successfully.

c:\programdata\qqiyconx1vz.exe (Rogue.MemoryFixer) -> 1320 -> Unloaded process successfully.

Memory Modules Infected:

c:\programdata\gnghpnckobir.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEXeTWLLHYgf.exe (Trojan.FakeAlert) -> Value: FEXeTWLLHYgf.exe -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qqiYcOnX1Vz (Rogue.MemoryFixer) -> Value: qqiYcOnX1Vz -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zPfzt574OwIDsPw (Rogue.MemoryFixer) -> Value: zPfzt574OwIDsPw -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556 (TrojanProxy.Slenugga) -> Quarantined and deleted successfully.

Files Infected:

c:\programdata\gnghpnckobir.dll (Trojan.FakeAlert) -> Delete on reboot.

c:\programdata\fexetwllhygf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\programdata\qqiyconx1vz.exe (Rogue.MemoryFixer) -> Quarantined and deleted successfully.

c:\programdata\zpfzt574owidspw.exe (Rogue.MemoryFixer) -> Quarantined and deleted successfully.

c:\dp1.fne (Worm.Autorun) -> Quarantined and deleted successfully.

c:\exmlrpc.fne (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\susan\local settings\temporary internet files\Content.IE5\O3PHZ2M0\exe[1].php (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (TrojanProxy.Slenugga) -> Quarantined and deleted successfully.


Well, for an unknown reason TDSSKiller would not run. No error messages or anything, just refused to open, but I did all the other steps. The OTL.txt is as follows


[2010/12/28 23:39:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Research In Motion

[2010/12/28 23:38:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Research In Motion

[2010/12/28 23:38:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Roxio Shared

[2010/12/28 23:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Research In Motion

[2010/12/28 23:38:27 | 000,000,000 | ---D | C] -- C:\Program Files\Research In Motion

[2010/12/26 22:04:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Adobe CS5(2)

[2010/12/26 21:33:40 | 001,228,400 | ---- | C] (Adobe Systems Incorporated) -- D:\My Docs\Photoshop_12_LS1.exe

[2010/12/13 22:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe Mini Bridge CS5

[2010/12/13 19:01:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe

[2010/12/13 18:58:29 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player

[2010/12/13 18:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR(2)

[2010/12/13 18:44:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Adobe CS5

[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/06 16:26:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2011/01/06 16:23:29 | 000,028,685 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2011/01/06 16:22:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/01/06 16:22:35 | 000,055,160 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap

[2011/01/06 16:12:36 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe

[2011/01/05 22:40:10 | 000,011,182 | ---- | M] () -- D:\My Docs\Si ganar


We're going to rerun OTL with a script that fixes the infected load points and files on your system as follows:

  • Disable the active protection component of your antivirus by following the directions that apply here:
    http://www.bleepingcomputer.com/forums/topic114351.html
  • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
     
    :OTL
    [2011/01/05 17:21:31 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
    [2011/01/05 16:08:44 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~qNNUDhj9
    [2011/01/05 16:08:44 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~qNNUDhj9r
    [2011/01/05 16:08:42 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\qNNUDhj9
    [2011/01/05 16:07:16 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mrezusumocarez.dat
    [2011/01/05 16:07:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ntobuv.bin
    [2009/04/26 20:21:28 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/12/28 23:39:45 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
    [2011/01/05 18:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\bMcCh06511
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/.../search/ie.html
    O4 - HKLM..\Run: [VistaDrive] C:\WINDOWS\VistaDrive.exe ()
    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
    O32 - AutoRun File - [2008/10/18 14:23:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\Shell - "" = AutoRun
    O33 - MountPoints2\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Now click Run Fix and let the program run uninterrupted.
  • Let the program run unhindered, and reboot the PC when it is done
  • Copy/Paste OTL Log in your next reply

Now try to see if you can run TDSSKiller again, and you can also rename it to explorer.exe or try it in safe mode to see if that works.

Question:

How did you download Limewire on Jan 5th when there is a court injunction blocking download of that P2P program on their website?

http://www.limewire.com/

[2011/01/05 18:57:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\LimeWire

[2011/01/05 18:57:39 | 000,000,000 | ---D | C] -- C:\Program Files\LimeWire

Please refrain from downloading and installing anything while we're cleaning your PC, otherwise your PC will just become more and more infected, plus it makes it more difficult for me to review all the entries in your logs.

You should uninstall Limewire since it cannot be used any longer anyway and P2P filesharing is a well-known infection vector.


K, I ran the OTL program with the commands given; everything went smoothly.

All processes killed

========== OTL ==========

C:\fsqwr.bmp moved successfully.

C:\Documents and Settings\All Users\Application Data\~qNNUDhj9 moved successfully.

C:\Documents and Settings\All Users\Application Data\~qNNUDhj9r moved successfully.

C:\Documents and Settings\All Users\Application Data\qNNUDhj9 moved successfully.

C:\WINDOWS\Mrezusumocarez.dat moved successfully.

C:\WINDOWS\Ntobuv.bin moved successfully.

C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.

C:\WINDOWS\system32\pool.bin moved successfully.

Folder C:\Documents and Settings\All Users\Application Data\bMcCh06511\ not found.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomSearch| /E : value set successfully!

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\VistaDrive deleted successfully.

C:\WINDOWS\VistaDrive.exe moved successfully.

File move failed. C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk scheduled to be moved on reboot.

C:\Program Files\LimeWire\LimeWire.exe moved successfully.

C:\AUTOEXEC.BAT moved successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fe0ee9ec-1d9c-11de-aaa3-001e37f79524}\ not found.

File J:\LaunchU3.exe not found.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: admin

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Administrator

->Temp folder emptied: 11948445 bytes

->Temporary Internet Files folder emptied: 57894699 bytes

->Java cache emptied: 2012 bytes

->FireFox cache emptied: 4302595 bytes

->Flash cache emptied: 3482 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 17216 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33656 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 71.00 mb

[EMPTYFLASH]

User: admin

User: Administrator

->Flash cache emptied: 0 bytes

User: All Users

User: Default User

->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.20.1 log created on 01072011_204403

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk not found!

C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8076.tmp moved successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\A90672I0\ac[5].htm moved successfully.

File move failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat scheduled to be moved on reboot.

File\Folder C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat not found!

Registry entries deleted on Reboot...

That was the log file should it be needed. TDS killer still will not work. It just does not do anything when I click on it.

I do apologise for all the extra little problems, but ever since this happened everything seems to be messed up in some way, shape or form. Thank you very much for taking the time to help.
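One way to triage an OTL fix log like the one posted above, as an added example that is not part of the original thread or of OTL itself: it classifies each result line by the outcome phrases visible in that log and reports items whose last recorded state is still "scheduled to be moved on reboot". The function names are hypothetical and the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Lines copied from the OTL fix log in the post above (subset assembled for this example).
SAMPLE_LOG = r"""
========== OTL ==========
C:\fsqwr.bmp moved successfully.
C:\WINDOWS\Mrezusumocarez.dat moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\bMcCh06511\ not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomSearch| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\VistaDrive deleted successfully.
C:\WINDOWS\VistaDrive.exe moved successfully.
File move failed. C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk scheduled to be moved on reboot.
File J:\LaunchU3.exe not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk not found!
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8076.tmp moved successfully.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat scheduled to be moved on reboot.
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")

# Outcome phrases exactly as they appear in the log; the first matching pattern wins.
OUTCOMES = [
    ("pending_reboot", re.compile(
        r"^File move failed\. (?P<item>.+?) scheduled to be moved on reboot\.$")),
    ("removed", re.compile(
        r"^(?:Registry (?:value|key) )?(?P<item>.+?) (?:moved|deleted) successfully\.?$")),
    ("changed", re.compile(
        r"^(?P<item>.+?)\s*: value set successfully!$")),
    ("not_found", re.compile(
        r"^(?:File\\Folder |File |Folder |Registry key |Registry value )?"
        r"(?P<item>.+?) not found[.!]?$")),
]


def parse_fix_log(text):
    """Return a list of (section, outcome, item) for every recognised result line."""
    section = "PREAMBLE"
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if line.startswith("Files\\Folders moved on Reboot"):
            section = "REBOOT"  # results recorded after the restart
            continue
        for outcome, pattern in OUTCOMES:
            match = pattern.match(line)
            if match:
                entries.append((section, outcome, match.group("item")))
                break
    return entries


def summarize(entries):
    """Count result lines per outcome."""
    return Counter(outcome for _, outcome, _ in entries)


def unresolved(entries):
    """Items whose last recorded outcome is still a pending move on reboot."""
    last = {}
    for _, outcome, item in entries:
        last[item.lower()] = (outcome, item)  # Windows paths are case-insensitive
    return [item for outcome, item in last.values() if outcome == "pending_reboot"]


if __name__ == "__main__":
    parsed = parse_fix_log(SAMPLE_LOG)
    for outcome, count in summarize(parsed).items():
        print(f"{outcome}: {count}")
    for item in unresolved(parsed):
        print("still pending:", item)
```

Items that come back as `not_found` were listed in the fix script but did not exist when the fix ran, so they are worth comparing against the earlier scan log rather than treating as removed.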


That's fine!! Thanks!!

Please also download MBRCheck to your desktop

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

  • Double click MBRCheck.exe to run (Vista and Win 7 users should right-click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy/paste that report into your next reply

Now, the next program cannot be even downloaded with McAfee ON so you must disable your antivirus before downloading and until the log is produced after a reboot!

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

  • For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it iexplore.exe.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
  • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety!!

1. To Launch Combofix

Click Start --> Run, and enter (copy/paste) this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

ONLY If You have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading normally, the Advanced Options Menu should appear;
  • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
  • Choose your usual account, and launch Combofix as instructed above.

Try running TDSSKiller AGAIN, but this time do it in SAFE MODE:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading normally, the Advanced Options Menu should appear;
  • Select the option, to run Windows in "Safe Mode", then press Enter.
  • Choose your usual account, and double-click TDSSKiller on your desktop to launch it


I ran MBR Check and got a log,

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x000001fc

Kernel Drivers (total 125):

Processes (total 54):

0 System Idle Process

4 System

664 C:\WINDOWS\system32\smss.exe

880 csrss.exe

912 C:\WINDOWS\system32\winlogon.exe

960 C:\WINDOWS\system32\services.exe

972 C:\WINDOWS\system32\lsass.exe

1136 C:\WINDOWS\system32\ati2evxx.exe

1152 C:\WINDOWS\system32\svchost.exe

1220 svchost.exe

1276 C:\WINDOWS\system32\svchost.exe

1516 svchost.exe

1552 svchost.exe

1756 C:\WINDOWS\system32\ati2evxx.exe

1920 C:\WINDOWS\system32\spoolsv.exe

1980 svchost.exe

360 C:\WINDOWS\system32\svchost.exe

604 C:\Program Files\Java\jre6\bin\jqs.exe

720 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

768 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

796 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

820 C:\WINDOWS\explorer.exe

680 C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe

164 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe

1456 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe

1712 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

1816 C:\Program Files\McAfee\MPF\MpfSrv.exe

2312 C:\WINDOWS\system32\svchost.exe

2404 C:\WINDOWS\system32\svchost.exe

3624 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe

3784 alg.exe

2820 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

2924 C:\WINDOWS\stsystra.exe

2968 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

3024 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

1024 C:\Program Files\2Wire\2PortalMon.exe

3060 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

3536 C:\PROGRA~1\Yahoo!\browser\ycommon.exe

3224 C:\Program Files\Microsoft IntelliType Pro\itype.exe

3864 C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe

184 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

3808 C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

4088 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

1420 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

3812 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

4900 C:\WINDOWS\system32\wuauclt.exe

6100 C:\Program Files\Skype\Phone\Skype.exe

1936 C:\Program Files\Skype\Plugin Manager\skypePM.exe

2280 C:\Program Files\Internet Explorer\iexplore.exe

5672 C:\Program Files\Internet Explorer\iexplore.exe

5780 C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

4708 C:\Program Files\Internet Explorer\iexplore.exe

4280 C:\Program Files\Internet Explorer\iexplore.exe

6020 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000022`eeec8000 (NTFS)

PhysicalDrive0 Model Number: Maxtor7V300F0, Rev: VA111630

Size Device Name MBR Status

--------------------------------------------

279 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

But I ran the combo fix and immediately blue screened. Restarted computer and I got a message saying Computer recovered.

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERbc04.dir00\Mini010811-01.dmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERbc04.dir00\sysdata.xml

That was included in the message.

I'm not going to lie, after that experience I'm getting a little freaked out with all this.


That Blue Screen (BSOD) usually occurs if there is a driver conflict and despite its fear-inspiring message I wouldn't be too freaked out about it. Did you run Combofix in safe mode or normal mode?

Do you have your XP installation CDs? I am not asking so you can reformat and reinstall but rather so you can get access to Windows XP Recovery console.

You have to disable all anti-malware active protection before this next step.

Download DDS and save it to your desktop from >here<

Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt

  • Save both reports to your desktop
  • Please copy and paste dds.txt into your next reply (do NOT attach and hold on to attach.txt for now).


I was running combo fix in normal mode when it caused the blue screen.

I don't think my computer came with xp disks.

dds logs

DDS (Ver_10-12-12.02) - NTFSx86

Run by Administrator at 16:58:20.46 on Sat 01/08/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1293 [GMT -6:00]

AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k Akamai

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\stsystra.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\dwwin.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"

mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe

mRun: [2wSysTray] c:\program files\2wire\2PortalMon.exe

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\wl7j9pzi.default\

FF - prefs.js: browser.startup.homepage - hxxp://us.mg201.mail.yahoo.com/dc/launch?.partner=sbc&.gx=0&.rand=9on6lii5s3mn0

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: XUL Cache: {af559b80-e402-423f-b196-ee2d6c210738} - %profile%\extensions\{af559b80-e402-423f-b196-ee2d6c210738}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor

============= SERVICES / DRIVERS ===============

R0 iastor76;iastor76;c:\windows\system32\drivers\iastor76.sys [2007-10-27 305176]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-23 214664]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-23 93320]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-23 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-23 144704]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-23 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-23 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-23 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-23 40552]

S1 qktifbrz;qktifbrz;\??\c:\windows\system32\drivers\qktifbrz.sys --> c:\windows\system32\drivers\qktifbrz.sys [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-23 34248]

=============== Created Last 30 ================

2011-01-08 18:59:33 2560 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\usmt\iconlib.dll

2011-01-08 18:20:13 72432 ----a-w- C:\WindowsXP-KB894075-x86-Symbols-ENU.exe

2011-01-08 18:19:11 0 ----a-w- C:\WindowsXP-KB894075-x86-ENU.exe

2011-01-08 06:16:20 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-01-08 05:52:30 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2011-01-08 05:49:35 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2011-01-08 05:44:48 7680 ------w- c:\windows\system32\dllcache\iecompat.dll

2011-01-08 05:44:09 -------- d-----w- c:\windows\ie8updates

2011-01-08 05:44:03 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2011-01-08 05:44:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2011-01-08 05:44:02 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2011-01-08 05:43:14 -------- dc-h--w- c:\windows\ie8

2011-01-08 04:46:05 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2011-01-08 04:45:58 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2011-01-08 04:43:58 45568 ------w- c:\windows\system32\dllcache\wab.exe

2011-01-08 03:38:41 -------- d-----w- c:\windows\pss

2011-01-08 03:13:26 293376 ----a-w- c:\windows\system32\browserchoice.exe

2011-01-08 02:44:03 -------- d-----w- C:\_OTL

2011-01-06 00:57:58 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-01-06 00:57:58 -------- d-----w- c:\windows\system32\wbem\Repository

2011-01-06 00:57:39 -------- d-----w- c:\program files\PopCap Games

2011-01-06 00:57:39 -------- d-----w- c:\program files\LimeWire

2011-01-06 00:57:36 -------- d-----w- c:\program files\Dragon Age

2011-01-06 00:57:36 -------- d-----w- c:\program files\common files\BioWare

2011-01-05 22:07:15 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{B8F38C03-E25E-4E45-9B1A-7617E5FEF44E}

2011-01-05 22:05:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\bMcCh06511

2010-12-29 05:39:42 -------- d-----w- c:\docume~1\admini~1\applic~1\Research In Motion

2010-12-29 05:38:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion

2010-12-29 05:38:30 -------- d-----w- c:\program files\common files\Research In Motion

2010-12-29 05:38:27 -------- d-----w- c:\program files\Research In Motion

2010-12-14 04:34:21 -------- d-----w- c:\docume~1\admini~1\applic~1\Adobe Mini Bridge CS5

2010-12-14 01:01:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\regid.1986-12.com.adobe

2010-12-14 00:57:11 -------- d-----w- c:\program files\common files\Adobe AIR(2)

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

2009-12-26 07:52:10 203776 --sh--w- c:\windows\system32\unrar.exe

============= FINISH: 17:05:44.48 ===============


We're going to rerun OTL with another script as follows:

  • Disable the active protection component of your antivirus by following the directions that apply here:
    http://www.bleepingcomputer.com/forums/topic114351.html
  • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    [2011/01/05 19:07:39 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\vtscheduletask.job

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    SfcDisable=0

    :Services
    qktifbrz

    :Files
    C:\windows\system32\unrar.exe
    c:\windows\system32\drivers\qktifbrz.sys
    C:\Documents and Settings\All Users\Application Data\bMcCh06511
    C:\Documents and Settings\Administrator\Local Settings\Application Data\{B8F38C03-E25E-4E45-9B1A-7617E5FEF44E}

    :Commands
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Now click Run Fix and let the program run uninterrupted.
  • Let the program run unhindered, and reboot the PC when it is done
  • Copy/Paste OTL Log in your next reply

This next set of directions relies on mbr.exe existing in your C:\Windows directory

DDS and Combofix should have put it there.

If they didn't, you'll get a "file not found" error when performing the next set of "Directions on Running mbr.exe".

You can correct that by downloading mbr.exe from >HERE< and you MUST save it to C:\Windows

Then repeat, Directions on Running mbr.exe.

Directions on Running mbr.exe

Open a command prompt (click Start -> Run, type cmd, and hit Enter)

Copy / Paste the following command in bolded text at the command prompt, and hit Enter

mbr.exe -s -t > "%userprofile%\desktop\mbr.log"

Open the log it created by double-clicking mbr.log on your desktop

Copy and paste the contents of mbr.log into your next reply.

=====

Please download Rootkit Unhooker and save it on your desktop.

http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE

  • Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE
  • Double click RkU3.8.388.590.exe to run the program
  • Click the Report tab, then click Scan
  • Check Drivers and Stealth Code
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished, then go to File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Re-enable your security programs
  • Copy the entire contents of the report and paste it in your next reply.

Note - If you get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"
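
The fix script in the post above lists qktifbrz under :Services and its .sys file under :Files; in the DDS log that entry is the only service line showing `[?]` where the others show a date and size. As an added example (not part of the original posts, and not code from DDS or OTL), this Python script parses DDS service/driver lines and lists the entries that deserve the same second look. The field meanings (R/S = running/stopped, digit = start type), the handling of `-->`, and the two review heuristics are assumptions.

```python
import re

# Constructed sample: four lines copied from the DDS "SERVICES / DRIVERS" section above.
SAMPLE = r"""
R0 iastor76;iastor76;c:\windows\system32\drivers\iastor76.sys [2007-10-27 305176]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
S1 qktifbrz;qktifbrz;\??\c:\windows\system32\drivers\qktifbrz.sys --> c:\windows\system32\drivers\qktifbrz.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-23 34248]
"""

LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")
# Assumed mapping of the digit to the Windows service start type.
START = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

def parse_services(text):
    """Return one dict per service/driver line; lines in any other shape are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["running"] = e.pop("state") == "R"
        e["start"] = START[e["start"]]
        # Assumption: in "raw path --> path" the right-hand side is the usable file path.
        e["image"] = e["image"].split("-->")[-1].strip()
        meta = re.fullmatch(r"(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)", e.pop("meta"))
        e["date"], e["size"] = (meta.group(1), int(meta.group(2))) if meta else (None, None)
        out.append(e)
    return out

def needs_review(entry):
    """Heuristics (assumptions, not DDS rules): reasons an entry merits manual review."""
    reasons = []
    if entry["size"] is None:
        reasons.append("no file date/size")
    early = entry["start"] in ("boot", "system")
    if entry["image"].lower().endswith(".sys") and early and not entry["running"]:
        reasons.append("boot/system driver not running")
    return reasons

def triage(text):
    """Map service name -> list of reasons, for flagged entries only."""
    return {e["name"]: r for e in parse_services(text) if (r := needs_review(e))}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

A flagged entry is a prompt for manual review of that driver, not a verdict on it.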


  • 5 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

