Can't remove PUM.Hijack.StartMenu. Critical HDD errors & all files hidden.


suchek

Hello. I believe I've picked up a fake HDD virus. MBAM detects two PUM.Hijack.StartMenu items but stalls out when I attempt to remove.

After clicking to a website from Google search, a PDF began auto-downloading in my Firefox downloads. Suddenly, programs began shutting down, and I started getting several critical HDD error messages:

• "Device initialization failed"

• "Critical Error. Drive sector not found error"

• "Critical error. Hard drive controller failure"

• "Data Error Reading Drive C:\"

• "System message - Write Fault Error. A write command during the test has failed to complete. This may be due to a media or read/write error. The system generates an exception reference to an invalid system memory address."

I tried to run MBAM, but the scan aborted after a few minutes and MBAM was shut down.

I booted up in Safe Mode. All folders, files, system files, programs, documents, etc. are now unviewable.

I was able to run MBAM.exe using the Run command. MBAM detects two PUM.Hijack.StartMenu items, but when I attempt to remove, MBAM freezes. I shut MBAM down and ran it again and was able to produce the log.

MBAM and DDS logs below. Any help you can provide is very much appreciated.

--------------------------------------------------------------------------------

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.10.08

Windows 7 x64 FAT (Safe Mode)

Internet Explorer 8.0.7600.16385

v :: V-PC [administrator]

9/15/2012 10:37:34 AM

mbam-log-2012-09-15 (11-10-41).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 360753

Time elapsed: 31 minute(s), 39 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

--------------------------------------------------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.7.2

Run by v at 11:15:58 on 2012-09-15

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6007.4713 [GMT -7:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Windows\system32\taskmgr.exe

C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.nytimes.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\Daemon Tools\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [Google Update] "C:\Users\v\AppData\Local\Google\Update\GoogleUpdate.exe" /c

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"

mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [RMgOYWJNIRmTJbK.exe] C:\ProgramData\RMgOYWJNIRmTJbK.exe

mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe

mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\OFFICE11\REFIEBAR.DLL

Trusted Zone: alohaenterprise.com\nextstudent

Trusted Zone: nextstudent.com\exchange

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9} : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9}\140707C65602E4564777F627B602564693632693 : DhcpNameServer = 10.0.1.1

TCP: Interfaces\{60DC434B-7369-4C0B-AA1A-DBA2FA0F87E9}\14E64627F696461405 : DhcpNameServer = 192.168.43.1

Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

BHO-X64: Search Helper - No File

BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"

mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [RMgOYWJNIRmTJbK.exe] C:\ProgramData\RMgOYWJNIRmTJbK.exe

mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe

mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\v\AppData\Roaming\Mozilla\Firefox\Profiles\g457744h.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\v\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

S2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2010-12-29 89600]

S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

S2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-12-29 13336]

S2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-12-29 689472]

S2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]

S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-29 2320920]

S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

S3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\system32\DRIVERS\bcmvwl64.sys --> C:\Windows\system32\DRIVERS\bcmvwl64.sys [?]

S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]

S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-5 114144]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]

S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]

.

=============== Created Last 30 ================

.

2012-09-10 23:12:52 379904 ---ha-w- C:\ProgramData\RMgOYWJNIRmTJbK.exe

2012-09-10 18:30:18 69000 ---ha-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\offreg.dll

2012-09-08 17:20:51 9310152 ---ha-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\mpengine.dll

2012-09-05 23:12:55 95208 ---ha-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2012-08-31 04:40:47 73696 ---ha-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll

2012-08-25 02:48:21 -------- d--h--w- C:\Program Files (x86)\Amazon

2012-08-25 02:47:33 -------- d--h--w- C:\Program Files\Amazon

.

==================== Find3M ====================

.

2012-09-05 23:12:51 746984 ---ha-w- C:\Windows\SysWow64\deployJava1.dll

2012-09-05 23:09:16 73416 ---ha-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-09-05 23:09:16 696520 ---ha-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-07-18 17:31:12 3146752 ----a-w- C:\Windows\System32\win32k.sys

2012-07-04 22:01:38 58880 ----a-w- C:\Windows\System32\browcli.dll

2012-07-04 22:01:38 136704 ----a-w- C:\Windows\System32\browser.dll

2012-07-04 21:23:55 41472 ----a-w- C:\Windows\SysWow64\browcli.dll

2012-06-27 07:03:25 1197568 ----a-w- C:\Windows\System32\wininet.dll

2012-06-27 06:59:12 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2012-06-27 06:03:21 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-06-27 06:01:19 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2012-06-27 05:41:43 482816 ----a-w- C:\Windows\System32\html.iec

2012-06-27 04:58:58 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2012-06-27 04:53:25 386048 ----a-w- C:\Windows\SysWow64\html.iec

2012-06-27 04:19:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-06-19 15:53:55 129024 ---ha-w- C:\Windows\RegBootClean64.exe

2012-06-19 15:53:41 21520 ---ha-w- C:\Windows\DCEBoot64.exe

.

============= FINISH: 11:23:53.71 ===============

--------------------------------------------------------------------------------

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 1/22/2011 11:58:55 PM

System Uptime: 9/15/2012 10:25:16 AM (1 hours ago)

.

Motherboard: Dell Inc. | | 0G62V9

Processor: Intel® Core™ i5 CPU M 460 @ 2.53GHz | CPU 1 | 2533/533mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 581 GiB total, 464.071 GiB free.

D: is CDROM ()

E: is Removable

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: Security Processor Loader Driver

Device ID: ROOT\LEGACY_SPLDR\0000

Manufacturer:

Name: Security Processor Loader Driver

PNP Device ID: ROOT\LEGACY_SPLDR\0000

Service: spldr

.

==== System Restore Points ===================

.

RP165: 8/12/2012 11:01:41 PM - Windows Update

RP166: 8/16/2012 12:24:32 AM - Windows Update

RP168: 8/23/2012 11:02:05 PM - Windows Update

RP169: 8/28/2012 7:23:09 PM - Windows Update

RP170: 9/4/2012 7:41:30 AM - Windows Update

RP171: 9/5/2012 4:10:17 PM - Installed Java 7 Update 7

RP172: 9/8/2012 10:20:02 AM - Windows Update

.

==== Installed Programs ======================

.

Across Lite

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.1

Advanced Audio FX Engine

Amazon MP3 Downloader 1.0.15

Apple Application Support

Apple Software Update

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-static

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

Compatibility Pack for the 2007 Office system

Consumer In-Home Service Agreement

Cozi

DAEMON Tools Lite

dBpoweramp Music Converter

Dell DataSafe Local Backup

Dell DataSafe Local Backup - Support Software

Dell DataSafe Online

Dell Dock

Dell Getting Started Guide

Dell Support Center (Support Software)

Dell Webcam Central

Google Chrome

GoToAssist 8.0.0.514

GoToMeeting 5.3.0.970

GPL Ghostscript Lite 8.70

IDT Audio

Intel® Control Center

Intel® Management Engine Components

Intel® Rapid Storage Technology

Java 7 Update 7

Java Auto Updater

JavaFX 2.1.1

Junk Mail filter update

Live! Cam Avatar Creator

LoJack Factory Installer

Malwarebytes Anti-Malware version 1.65.0.1400

Microsoft Choice Guard

Microsoft Office 2010

Microsoft Office Professional Edition 2003

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox 15.0 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

QuickTime

Realtek USB 2.0 Card Reader

Rosetta Stone Version 3

Roxio Burn

Security Update for CAPICOM (KB931906)

Skype Toolbars

Skype™ 4.2

VLC media player 1.1.11

WebEx

WildTangent Games

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Toolbar

Windows Live Upload Tool

Windows Live Writer

Windows Media Player Firefox Plugin

.

==== Event Viewer Messages From Past Week ========

.

9/15/2012 10:26:16 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2012 10:26:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

9/15/2012 10:26:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

9/15/2012 10:26:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

9/15/2012 10:26:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

9/15/2012 10:26:14 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

9/15/2012 10:26:09 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

9/15/2012 10:25:49 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

9/15/2012 10:25:49 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

.

==== End Of File ===========================

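An added example, not part of either post and not a DDS or Malwarebytes tool: it cross-references the autorun (`uRun`/`mRun`) entries of a DDS log with its "Created Last 30" section to pick out startup items worth a closer look. The two heuristics and all function names are assumptions made for this example; the sample lines are copied from the DDS log above.

```python
import ntpath  # Windows path handling that works on any OS
import re

# Subset of lines copied from the DDS log in the first post.
SAMPLE_DDS = r"""
uRun: [Google Update] "C:\Users\v\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [RMgOYWJNIRmTJbK.exe] C:\ProgramData\RMgOYWJNIRmTJbK.exe
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
mRun-x64: [RMgOYWJNIRmTJbK.exe] C:\ProgramData\RMgOYWJNIRmTJbK.exe
=============== Created Last 30 ================
2012-09-10 23:12:52 379904 ---ha-w- C:\ProgramData\RMgOYWJNIRmTJbK.exe
2012-08-31 04:40:47 73696 ---ha-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-25 02:48:21 -------- d--h--w- C:\Program Files (x86)\Amazon
==================== Find3M ====================
2012-09-05 23:12:51 746984 ---ha-w- C:\Windows\SysWow64\deployJava1.dll
"""

RUN_RE = re.compile(
    r"^(?P<key>[um]Run(?:Once)?(?:-x64)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+|-+) "
    r"(?P<attrs>\S+) (?P<path>.+)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|$)", re.I)

# Assumption: program files normally live in their own folder, so an
# executable sitting directly in one of these data roots is unusual.
DATA_ROOTS = (r"\programdata", r"\appdata\roaming",
              r"\appdata\local", r"\appdata\local\temp")


def target_path(cmd):
    """Extract the executable path from a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: cut at the first executable extension.
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def parse_created(text):
    """Map lower-cased path -> creation timestamp from 'Created Last 30'."""
    created, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if "Created Last 30" in line:
            in_section = True
        elif line.startswith("="):
            in_section = False  # any other section header ends the list
        elif in_section:
            m = CREATED_RE.match(line)
            if m:
                created[m["path"].lower()] = m["ts"]
    return created


def triage(text):
    """Return autorun targets that are both recently created and loose in a
    data root. The hidden attribute is deliberately ignored: in this log
    nearly every file carries it, so it does not discriminate."""
    created = parse_created(text)
    findings = {}
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        path = target_path(m["cmd"])
        reasons = []
        if path.lower() in created:
            reasons.append("created " + created[path.lower()]
                           + " (listed under Created Last 30)")
        if ntpath.dirname(path).lower().endswith(DATA_ROOTS):
            reasons.append("runs directly from " + ntpath.dirname(path))
        if len(reasons) == 2:
            # 32-bit and x64 views list the same value: merge by target path.
            entry = findings.setdefault(
                path.lower(), {"path": path, "keys": [], "reasons": reasons})
            entry["keys"].append(m["key"])
    return list(findings.values())


if __name__ == "__main__":
    for item in triage(SAMPLE_DDS):
        print(item["path"], "via", ", ".join(item["keys"]))
        for reason in item["reasons"]:
            print("  -", reason)
```

A flagged entry is a lead for manual review, not a verdict; the file still has to be examined before anything is removed.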

Hello suchek! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please proceed with the following instructions in Normal mode, not in Safe mode:

Step 1

Please download unhide.exe from here and save it to your Desktop. Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run. When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt .

Step 2

Please download Rkill to your desktop. There are two main different versions. If one of them won't run then download and try to run the other one. You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

  1. Double-click on the Rkill desktop icon to run the tool.
  2. If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  3. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  4. If not, delete the file, then download and use the second RKill version. Do not reboot until instructed. If the tool does not run from any of the links provided, please let me know.
  5. When the scan is done Notepad will open with rKill log. Post it in your next reply.

NOTE: rKill.txt log will also be present on your desktop.

Step 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 4

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

In your next reply, post the following log files:

  • unhide log
  • RKill log
  • TDSSKiller log
  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log

Link to post
Share on other sites

Hello, Maniac. Thank you for the backdoor warning. I understand. Yes, please, I would still like to try to clean this machine. Thank you so much for your help, the speedy reply, and your easy-to-follow instructions.

I'd already disconnected this machine from the Internet and have kept it shut down. After booting up today to run the programs you listed for me, I disabled the wireless adapter before running the programs.

I booted up in Normal mode and was able to run both Unhide and RKill. (I was able to run the rkill.exe version.) Logs are below.

However, when I try to run TDSSKiller from my desktop, I get this error:

C:\Users\[...]\Desktop\tdsskiller.exe is not a valid Win32 application.

--------------------------------------------------------------------------------

Unhide by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Unhide.exe can be found at this link:

http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 09/18/2012 11:18:10 PM

Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive

Finished processing the C:\ drive. 214278 files processed.

Processing the E:\ drive

Finished processing the E:\ drive. 995 files processed.

Restoring the Start Menu.

* 154 Shortcuts and Desktop items were restored.

Searching for Windows Registry changes made by FakeHDD rogues.

- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

* DisableTaskMgr policy was found and deleted!

- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

* HidNoChangingWallPaperden policy was found and deleted!

- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

* Start_ShowControlPanel was set to 0! It was set back to 1!

* Start_ShowHelp was set to 0! It was set back to 1!

* Start_ShowMyComputer was set to 0! It was set back to 1!

* Start_ShowMyDocs was set to 0! It was set back to 1!

* Start_ShowMyMusic was set to 0! It was set back to 1!

* Start_ShowMyPics was set to 0! It was set back to 1!

* Start_ShowPrinters was set to 0! It was set back to 1!

* Start_ShowRun was set to 0! It was set back to 1!

* Start_ShowSearch was set to 0! It was set back to 1!

* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!

* Start_ShowRecentDocs was set to 0! It was set back to 2!

* Start_ShowNetConn was set to 0! It was set back to 1!

* Start_ShowNetPlaces was set to 0! It was set back to 1!

* Start_TrackDocs was set to 0! It was set back to 1!

* Start_TrackProgs was set to 0! It was set back to 1!

* Start_ShowUser was set to 0! It was set back to 1!

* Start_ShowMyGames was set to 0! It was set back to 1!

Restarting Explorer.exe in order to apply changes.

Program finished at: 09/18/2012 11:23:20 PM

Execution time: 0 hours(s), 5 minute(s), and 10 seconds(s)

--------------------------------------------------------------------------------

Rkill 2.3.15 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/18/2012 11:26:28 PM in x64 mode.

Windows Version: Windows 7 Home Premium

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\ProgramData\RMgOYWJNIRmTJbK.exe (PID: 3540) [AU-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

* HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!

* HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!

Performing miscellaneous checks:

* SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/18/2012 11:26:41 PM

Execution time: 0 hours(s), 0 minute(s), and 13 seconds(s)

Link to post
Share on other sites

I downloaded TDSSKiller using IE and then Chrome (I'd originally used Firefox), and I got the same error, "tdsskiller.exe is not a valid Win32 application," when trying to run either.

Note: I'm downloading the tdsskiller.exe file from a different machine to a USB drive and then copying the file from the USB drive onto the desktop of the infected machine — I don't know if that makes a difference. Because of the backdoor danger, I didn't want to hook the infected machine up to the internet in order to download the needed cleaner programs. So I've been copying the programs over to the infected machine's desktop from a USB drive.

Link to post
Share on other sites
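Added example, not part of any post in this thread: one way to tell whether a copied tool is itself damaged is to check its PE structure and compare its hash with the copy on the machine it was downloaded on. If the copy is structurally valid and identical, the "not a valid Win32 application" error is not caused by the file. The function names and the sample bytes below are constructed for this illustration.

```python
import hashlib
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def check_pe(data):
    """Structural check of a PE image. Returns (ok, detail)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, "missing MZ signature"
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, "missing PE signature"
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if machine not in MACHINES:
        return False, "unexpected machine type 0x%04x" % machine
    opt_off = e_lfanew + 24
    if opt_off + 2 > len(data):
        return False, "optional header truncated"
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in OPT_MAGICS:
        return False, "unexpected optional header magic 0x%04x" % magic
    # Every section's raw data must lie inside the file; a cut-short
    # copy fails here even though its headers look fine.
    sec_off = opt_off + opt_size
    for i in range(nsections):
        off = sec_off + 40 * i
        if off + 40 > len(data):
            return False, "section table truncated"
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_ptr + raw_size > len(data):
            label = name.rstrip(b"\0").decode("ascii", "replace")
            return False, "section %s extends past end of file" % label
    return True, "%s image for %s" % (OPT_MAGICS[magic], MACHINES[machine])


def triage(reference, copy):
    """Compare the copy on the affected machine with the reference download."""
    ok, detail = check_pe(copy)
    if not ok:
        return "copy is damaged: " + detail
    if hashlib.sha256(reference).digest() != hashlib.sha256(copy).digest():
        return "copy is a valid PE but differs from the reference"
    return "copy is intact: " + detail


def build_sample_pe():
    """Constructed minimal 32-bit PE layout (headers plus one section)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200


if __name__ == "__main__":
    ref = build_sample_pe()
    print(triage(ref, ref))          # identical copy
    print(triage(ref, ref[:700]))    # copy cut short during transfer
    print(triage(ref, b"<html>download blocked</html>".ljust(100)))
```

On real files, read both copies with `open(path, "rb").read()` and pass the bytes to `triage`.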

Thank you, Maniac. I downloaded the Panda USB vaccine and have vaccinated my USB drive as well as the machine I've been using to download the cleaner programs. I'd already used the USB drive between the infected machine and the clean one — before you sent the Panda link — so I'm running malware scans on the second machine to make sure it's still clean. So far, scans haven't detected anything.

As far as the infected machine:

1) What steps should I take next? I'm still not able to run TDSSKiller. I get the "not a valid Win32 application" error when I double-click on the tdsskiller.exe icon on the desktop. I tried three different instances of the .exe file — 1 downloaded via Firefox, 1 via IE, and 1 via Chrome.

2) I've noticed that after I run Unhide, the My Documents folder on my desktop (and the files it contains) become visible. However, everything on the C-drive is still hidden. I can see the C-drive icon in the explorer window, but if you click on it or try to expand the folder list, nothing shows up, and the explorer window says that the C-drive folder is empty. I don't know if Unhide is supposed to be unhiding the folders and program files on the C-drive?

3) After running Unhide, I was going to try to back up my data (My Docs, Firefox profile, Outlook data files) to an external drive. I'll vaccinate the drive w. Panda before I use it. Is there a risk of spreading the infection via data files (e.g., .xls, .doc, .pst, .ost, .pdf, MP3) if I copy these from the infected machine to my external drive? Also, my PST files are among the program files on the C-drive that are still hidden. I'm not sure how to get to those ...

Thank you very much again for the Panda Security link. I'm going to use that to vaccinate all my USB drives.

Link to post
Share on other sites

No, this is a backdoor trojan; don't worry about your data files. Unhide works only for specific areas, not for everything.

Note: Please do not run this tool without special supervision and instruction of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Link to post
Share on other sites

Thank you for your guidance, Maniac. I backed up my data files. Here's the ComboFix log:

--------------------------------------------------------------------------------

ComboFix 12-09-22.02 - v 09/22/2012 21:41:42.2.4 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6007.4478 [GMT -7:00]

Running from: c:\users\v\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\RMgOYWJNIRmTJbK.exe

Y:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))

.

.

2012-09-23 05:09 . 2012-09-23 05:09 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-09-23 05:09 . 2012-09-23 05:09 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-10 18:30 . 2012-09-10 18:30 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\offreg.dll

2012-09-08 17:20 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F8A52000-996B-41D1-B1F7-728EC38EA79B}\mpengine.dll

2012-09-05 23:18 . 2012-09-05 23:18 -------- d-----w- c:\program files (x86)\Common Files\Java

2012-09-05 23:12 . 2012-09-05 23:12 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-08-31 04:40 . 2012-08-31 04:40 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll

2012-08-25 02:48 . 2012-08-25 02:48 -------- d-----w- c:\program files (x86)\Amazon

2012-08-25 02:47 . 2012-08-25 02:47 -------- d-----w- c:\program files\Amazon

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-05 23:12 . 2011-05-14 04:28 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-09-05 23:09 . 2012-04-04 20:05 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-09-05 23:09 . 2011-05-17 05:19 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-16 07:24 . 2011-01-22 19:52 62134624 ----a-w- c:\windows\system32\MRT.exe

2012-07-18 17:31 . 2012-08-16 07:24 3146752 ----a-w- c:\windows\system32\win32k.sys

2012-07-04 22:04 . 2012-08-16 07:24 73216 ----a-w- c:\windows\system32\netapi32.dll

2012-07-04 22:01 . 2012-08-16 07:24 58880 ----a-w- c:\windows\system32\browcli.dll

2012-07-04 22:01 . 2012-08-16 07:24 136704 ----a-w- c:\windows\system32\browser.dll

2012-07-04 21:23 . 2012-08-16 07:24 41472 ----a-w- c:\windows\SysWow64\browcli.dll

2012-06-27 07:03 . 2012-08-16 07:24 1197568 ----a-w- c:\windows\system32\wininet.dll

2012-06-27 07:03 . 2012-08-16 07:24 1501184 ----a-w- c:\windows\system32\urlmon.dll

2012-06-27 07:03 . 2012-08-16 07:24 134144 ----a-w- c:\windows\system32\url.dll

2012-06-27 07:00 . 2012-08-16 07:24 1026560 ----a-w- c:\windows\system32\mstime.dll

2012-06-27 06:59 . 2012-08-16 07:24 9372672 ----a-w- c:\windows\system32\mshtml.dll

2012-06-27 06:59 . 2012-08-16 07:24 97792 ----a-w- c:\windows\system32\mshtmled.dll

2012-06-27 06:59 . 2012-08-16 07:24 82944 ----a-w- c:\windows\system32\msfeedsbs.dll

2012-06-27 06:59 . 2012-08-16 07:24 736256 ----a-w- c:\windows\system32\msfeeds.dll

2012-06-27 06:59 . 2012-08-16 07:24 57856 ----a-w- c:\windows\system32\licmgr10.dll

2012-06-27 06:58 . 2012-08-16 07:24 64512 ----a-w- c:\windows\system32\jsproxy.dll

2012-06-27 06:58 . 2012-08-16 07:24 247808 ----a-w- c:\windows\system32\ieui.dll

2012-06-27 06:58 . 2012-08-16 07:24 2458624 ----a-w- c:\windows\system32\iertutil.dll

2012-06-27 06:58 . 2012-08-16 07:24 12405760 ----a-w- c:\windows\system32\ieframe.dll

2012-06-27 06:58 . 2012-08-16 07:24 256000 ----a-w- c:\windows\system32\iepeers.dll

2012-06-27 06:58 . 2012-08-16 07:24 445952 ----a-w- c:\windows\system32\iedkcs32.dll

2012-06-27 06:55 . 2012-08-16 07:24 12288 ----a-w- c:\windows\system32\msfeedssync.exe

2012-06-27 06:03 . 2012-08-16 07:24 981504 ----a-w- c:\windows\SysWow64\wininet.dll

2012-06-27 06:01 . 2012-08-16 07:24 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll

2012-06-27 05:41 . 2012-08-16 07:24 482816 ----a-w- c:\windows\system32\html.iec

2012-06-27 04:58 . 2012-08-16 07:24 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-27 04:53 . 2012-08-16 07:24 386048 ----a-w- c:\windows\SysWow64\html.iec

2012-06-27 04:19 . 2012-08-16 07:24 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files (x86)\Daemon Tools\DAEMON Tools Lite\DTLite.exe" [2012-02-13 3481408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-02 98304]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]

"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]

"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-08-12 163040]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-03-30 53800]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-30 35104]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-31 114144]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-03-17 232480]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-17 325152]

R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-03-31 283200]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-02 203264]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-06-08 13336]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-06-02 6857728]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-06-02 264192]

S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [2010-02-03 20984]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2731273616-2889505413-518904877-1000Core.job

- c:\users\v\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-30 05:27]

.

2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2731273616-2889505413-518904877-1000UA.job

- c:\users\v\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-30 05:27]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-06-18 487424]

"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-03 5712896]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.nytimes.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: alohaenterprise.com\nextstudent

Trusted Zone: nextstudent.com\exchange

FF - ProfilePath - c:\users\v\AppData\Roaming\Mozilla\Firefox\Profiles\g457744h.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKLM-Run-RMgOYWJNIRmTJbK.exe - c:\programdata\RMgOYWJNIRmTJbK.exe

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]

"value"="?\05\02\1d\02\01#é"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-09-22 22:28:01

ComboFix-quarantined-files.txt 2012-09-23 05:27

.

Pre-Run: 497,562,943,488 bytes free

Post-Run: 498,568,183,808 bytes free

.

- - End Of File - - AC7F5D0FE4598C32CCEC6A901E4C01C9

Link to post
Share on other sites
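Added example, not part of any post in this thread and not ComboFix's own logic: a small triage pass over the autorun lines of a log in the format shown above, listing entries whose executable lives outside the Program Files and Windows trees. The sample lines are copied from the log in this thread; the function names and the choice of trusted roots are assumptions, and the output is a list to review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Assumption: only these trees count as expected install locations.
TRUSTED_ROOTS = [PureWindowsPath(p) for p in (
    r"c:\program files", r"c:\program files (x86)", r"c:\windows")]

SECTION = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN = re.compile(r'^(?P<name>\S*-Run-\S+) - (?P<path>.+)$')

# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\Daemon Tools\DAEMON Tools Lite\DTLite.exe" [2012-02-13 3481408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-06-18 487424]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
Wow6432Node-HKLM-Run-RMgOYWJNIRmTJbK.exe - c:\programdata\RMgOYWJNIRmTJbK.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
"""


def autorun_entries(log_text):
    """Yield (source, name, path) for Run/RunOnce values and removed Run orphans."""
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_VALUE.match(line)
        if m and key and key.lower().split("\\")[-1] in ("run", "runonce"):
            yield key, m.group("name"), m.group("path")
            continue
        m = ORPHAN.match(line)
        if m:
            yield "orphan", m.group("name"), m.group("path")


def outside_trusted_roots(path):
    """True when no parent directory of the path is a trusted root.

    PureWindowsPath compares case-insensitively, matching Windows semantics.
    """
    parents = PureWindowsPath(path).parents
    return not any(root in parents for root in TRUSTED_ROOTS)


def flag_autoruns(log_text):
    """Return (name, path) pairs that deserve a manual look."""
    return [(name, path) for _, name, path in autorun_entries(log_text)
            if outside_trusted_roots(path)]


if __name__ == "__main__":
    for name, path in flag_autoruns(SAMPLE_LOG):
        print("review:", name, "->", path)
```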

Thanks a lot! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

ok, I have "Remove found threats" and "Scan for potentially unwanted applications" both checked. There are three additional options; should any of these also be checked?:

• Scan archives

• Scan for potentially unsafe applications

• Enable Anti-Stealth technology

The Anti-Stealth option is checked by default; the other two are not checked.

Link to post
Share on other sites

Maniac, I went ahead and ran the ESET scan w. the additional scan options checked. Log is below.

When the scan was finished, I had the option to choose "Uninstall application on close" and "Delete quarantined files." I left both unchecked, so ESET is still installed.

--------------------------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=29ee5187ebb7154aae31e0aeead4bf45

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-09-23 08:53:02

# local_time=2012-09-23 01:53:02 (-0700, US Mountain Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=5893 16776573 100 94 0 99973770 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=176332

# found=2

# cleaned=2

# scan_time=3283

C:\Qoobox\Quarantine.zip a variant of Win32/Kryptik.ALQD trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\ProgramData\RMgOYWJNIRmTJbK.exe.vir a variant of Win32/Kryptik.ALQD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

Thank you very much! The machine is better, although not quite all the way back to its pre-infection state.

All my programs, folders, and files seem to be visible and accessible now, and I haven't had any recurrences of the HDD or "Write Fault" error messages. Additionally, the rogue HDD-error icon that had appeared in my system tray (red circle w. a white X) is now gone.

However, a couple of things that are still non-functional or a little off:

1) I clicked on the TDSSKiller.exe file on my desktop to see if I could get it to launch. I wasn't going to run the scan — I planned on cancelling if/once the interface launched — but I wanted to see if I could at least launch the program now. TDSSKiller still won't launch. I'm still getting the same "tdsskiller.exe is not a valid Win32 application" error. (I was able to run TDSSKiller on this machine successfully back in June.)

I was noticing that this forum poster reported the same "not a valid Win32 app" error: http://forums.malwarebytes.org/index.php?showtopic=115979

Is the Win32 error I'm getting related to the backdoor Trojan that infected my machine? or is this a separate infection issue?

2) My desktop background, which had been the default Dell/Win 7 aero blue theme, has been a solid black since I first restarted the machine after infection. I'm able to go to my appearance personalization options to change the theme back to the default, but I don't know if the remaining black background is an infection remnant that I need to be worried about. It shows up in my theme personalization options as an "Unsaved Theme." (I'm sorry if this is a dumb question to be worried about. I'm just wary of everything out-of-the-ordinary now.)

Link to post
Share on other sites

Sorry for this follow-up post, Maniac, I just noticed a couple additional issues when I went to shut down the infected machine:

3) When I went to shut down the machine, I got the message that Windows was waiting for background programs to close. The only thing I'd tried to do after booting up was launch TDSSKiller, which failed. I didn't click on, launch, or run anything else, and my computer isn't hooked up to the internet. (I'd disabled the wireless network adapter and turned off my wireless router.) I don't know what was running in the background — the computer was shutting down, so I didn't get to Task Manager — or if I should be worried that I got this background-programs message?

4) Before shutting down, when I tried to do a safe eject of my USB thumb drive, I got the error that the device couldn't be stopped because it was currently in use. I've been getting this "device in use" eject failure since infection, even when all I do is plug in the USB and don't access anything on it or copy anything to/from it. Just now, I had plugged in the USB drive to test it but hadn't interacted with it at all, so should the USB device show as being in use? Prior to infection, I had no issues with being able to stop and safe-eject the USB drive, so long as no file on it was currently being accessed by an active program.

Link to post
Share on other sites

Maniac, I'm not sure what steps to take next? My machine still isn't functioning quite properly (still getting the " *.exe is not a valid Win32 application" error and running into some sort of unidentified program that seems to be running in the background). I haven't uninstalled Combofix or deleted/cleaned up any of the quarantines.

Waiting for instructions ...

Thank you for all your help so far.

Link to post
Share on other sites

Is the Win32 error I'm getting related to the backdoor Trojan that infected my machine? or is this a separate infection issue?

If you read my first post you will learn that you are infected with a backdoor. And this line is really important:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

When I went to shut down the machine, I got the message that Windows was waiting for background programs to close. The only thing I'd tried to do after booting up was launch TDSSKiller, which failed. I didn't click on, launch, or run anything else, and my computer isn't hooked up to the internet. (I'd disabled the wireless network adapter and turned off my wireless router.) I don't know what was running in the background — the computer was shutting down, so I didn't get to Task Manager — or if I should be worried that I got this background-programs message?

There is no way to answer this question. You have over 10 programs that run after starting the operating system. Furthermore, we started with you EOS, and so on. I do not see what the problem is.

4) Before shutting down, when I tried to do a safe eject of my USB thumb drive, I got the error that the device couldn't be stopped because it was currently in use. I've been getting this "device in use" eject failure since infection, even when all I do is plug in the USB and don't access anything on it or copy anything to/from it. Just now, I had plugged in the USB drive to test it but hadn't interacted with it at all, so should the USB device show as being in use? Prior to infection, I had no issues with being able to stop and safe-eject the USB drive, so long as no file on it was currently being accessed by an active program.

This couldn't be due to the infection. Sometimes it happens, here too.

Please download one of the following and run it:

http://download.bleepingcomputer.com/FixExec/32-bit/FixExec.com

http://download.bleepingcomputer.com/FixExec/32-bit/FixExec.pif

http://download.bleepingcomputer.com/FixExec/32-bit/FixExec.scr

When FixExec has finished running it will create a log on your Windows desktop called FixExec.txt. This log will contain a list of the items that were repaired on your computer. Post it in your next reply.

Link to post
Share on other sites

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
