My HDD is failing as we speak? urgent help required

johnb35

Administrator
Staff member
Please uninstall the following programs in add/remove programs.

Java(TM) 6 Update 6
TorrentMan Toolbar

Then go here to download the latest version of java.

http://www.java.com/en/download/index.jsp

If you have any illegal torrented software installed, I would highly advise uninstalling it and doing a full scan with Malwarebytes.

Torrenting software will get you infected most of the time, and plus it's illegal.
 

AjsGuns

Member
Hi John, I really appreciate all your help! I've probably given you a headache.
When I try to uninstall the TorrentMan toolbar this error comes up:
Wise uninstall
Could not open INSTALL.LOG.FILE
All I can click is OK.

Also, is it now safe to buy things and input my credit card? I plan to buy something from Eastbay but don't want to get my info stolen.

As far as torrents go, the only thing I've downloaded is a movie; no idea why or how I got this infection :S
 

Snow90

New Member
Please uninstall the following programs in add/remove programs.

Java(TM) 6 Update 6
TorrentMan Toolbar

Then go here to download the latest version of java.

http://www.java.com/en/download/index.jsp

If you have any illegal torrented software installed, I would highly advise uninstalling it and doing a full scan with Malwarebytes.

Torrenting software will get you infected most of the time, and plus it's illegal.

x2

Keep doing multiple scans with several different anti-virus/malware providers. Malwarebytes won't catch everything.

I've used Trojan Remover in the past, very cool piece of software.

http://www.simplysup.com/
 

johnb35

Administrator
Staff member
Yes, it's safe. You can try reinstalling the toolbar and then uninstalling it. Or I can give you a ComboFix script to run to uninstall it from the registry.

Please move the file combofix to your desktop so you can do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box
Code:
Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
2008-05-20 14:43 1526296 ----a-w- c:\program files\TorrentMan\tbTorr.dll

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7c5c0f58-e061-457d-9033-77307f5ed00c}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-20 1526296]

[-HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7C5C0F58-E061-457D-9033-77307F5ED00C}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-20 1526296]

[-HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]



3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
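To confirm the CFScript actually removed the TorrentMan registrations, here is an added read-only PowerShell audit (my example, not johnb35's or ComboFix's code) that lists every BHO and IE toolbar CLSID at the locations the script targets, resolves each to its COM server DLL, and flags the TorrentMan CLSID as well as orphaned or dangling entries. It assumes ComboFix's `~` in the BHO key abbreviates `SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer`, and adds the HKCU BHO key as an extra check.

```powershell
# Added example, not from the thread: read-only audit of IE Browser Helper Object and
# toolbar registrations, to verify the CFScript above removed the TorrentMan entries.
# Run in the affected user's session; nothing is modified.

$TargetClsid = '{7c5c0f58-e061-457d-9033-77307f5ed00c}'   # tbTorr.dll CLSID from the CFScript

# Registration points the script deletes from. ComboFix's "~" in the BHO key is assumed to
# abbreviate SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer; the HKCU BHO key is extra.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)

$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-ClsidDll {
    # A COM server's DLL is the default value of CLSID\<guid>\InprocServer32 (HKLM or HKCU view).
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

$findings = foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    # BHOs are registered as subkeys named by CLSID; toolbars as value names under the Toolbar
    # key (HKLM) or the WebBrowser subkey (HKCU), exactly as the CFScript lines show.
    $clsids = @(Get-ChildItem -LiteralPath $p -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
    $props  = Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue
    if ($props) { $clsids += $props.PSObject.Properties | ForEach-Object Name }
    foreach ($c in ($clsids | Where-Object { $_ -match $guidPattern } | Sort-Object -Unique)) {
        $dll = Resolve-ClsidDll $c
        if ($c -ieq $TargetClsid)                   { $flag = 'TARGET STILL PRESENT' }
        elseif (-not $dll)                          { $flag = 'orphan: no COM server registered' }
        elseif (-not (Test-Path -LiteralPath $dll)) { $flag = 'dangling: DLL missing on disk' }
        else                                        { $flag = '' }
        [PSCustomObject]@{ Location = $p; Clsid = $c; Dll = $dll; Flag = $flag }
    }
}

$findings | Format-Table -AutoSize -Wrap
if ($findings | Where-Object { $_.Clsid -ieq $TargetClsid }) {
    Write-Warning "TorrentMan CLSID $TargetClsid is still registered; the CFScript did not take effect."
} else {
    Write-Host "TorrentMan CLSID $TargetClsid is no longer registered at any of the checked locations."
}
```

An orphan entry (CLSID registered as a toolbar but with no COM server) is what ComboFix reports under ORPHANS REMOVED; a dangling entry points at a DLL that has been deleted but whose registration was left behind.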
 

AjsGuns

Member
Done, hopefully it's looking better (no idea how to read it haha):

 

candyman

New Member
My niece had exactly this problem on her computer.

Fortunately I had partitioned her HD but there was a lot of data on Drive D that we needed to save.

Trying to save it to an external 1Gb Hard drive was almost impossible due to the computer being really slowed down.

So I tried re-installing her Win XP on drive C and this cured the problem - so far!

 

pyana1

New Member
Googled the error message I was receiving from my PC and found this forum. Followed all the instructions and just wanted to THANK you guys; I wouldn't know where to turn or what to do had I not found this place... Here's the information I received in my log; hopefully someone can tell me what it means.


.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2010-04-12 08:40 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 20:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 19:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-10-06 02:55 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-08-14 14:40 1348904 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
2007-03-03 19:12 341488 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-07-12 16:32 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}]
2010-11-15 20:50 300544 ----a-w- c:\program files\Mediafour\XPlay 3\XPlay.exe
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 136176]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
S0 MDFSYSNT;MacDrive file system driver; [x]
S1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2010-11-15 145504]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2010-04-16 65584]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 M4iPodWPDService;M4iPodWPDService;c:\program files\Common Files\Mediafour\iPod\M4iPodWPDService.exe [2010-11-15 211968]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 550760]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 195944]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 02:55]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 02:55]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3170248446-3856931898-3433464971-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-22 23:01]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3170248446-3856931898-3433464971-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-22 23:01]
.
2011-04-07 c:\windows\Tasks\User_Feed_Synchronization-{058A804A-01A9-4505-B0DB-0CCE88379C47}.job
- c:\windows\system32\msfeedssync.exe [2011-02-08 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/b/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:33554
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fr1idh3t.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-MacDrive volume icons - (no file)
HKCU-Run-Ydakaponameve - c:\users\user\AppData\Local\emijogumaj.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-cadwbksl - c:\users\user\AppData\Local\Temp\kaulgijoq\djsjaduhmof.exe
MSConfigStartUp-Logitech Vid - c:\program files\Logitech\Vid HD\Vid.exe
MSConfigStartUp-LWS - c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 12:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\user\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-07 12:56:28
ComboFix-quarantined-files.txt 2011-04-07 16:56
.
Pre-Run: 118,644,097,024 bytes free
Post-Run: 122,462,269,440 bytes free
.
- - End Of File - - 8D5B706E62C476E4E078907017D516DB
 

johnb35

Administrator
Staff member
pyana1,

Please follow these instructions.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
File::
c:\programdata\bSinTMFIBqqAiGT.exe
c:\users\user\AppData\Local\Dyereqariwi.bin


Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]

[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-10-11 21:12 1244040 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]

[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]

[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

I also need you to post a malwarebytes and hijackthis log in your next reply. Please follow these instructions for downloading and running them.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run, please download and run Rkill.scr, Rkill.exe, or Rkill.com but DO NOT reboot the system, and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.



Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
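As an added example (not code from this thread, nor from ComboFix, HijackThis or Malwarebytes), a small Python triage script over the kind of autostart and browser-setting lines posted in these logs: it flags a binary sitting directly in a user-writable drop folder or under Temp, a machine-generated-looking file name such as MRtPNAFMRSnT.exe, a browser proxy pointed at 127.0.0.1, and a start page that is not a browser default. The sample lines are constructed from the logs above; the thresholds and folder list are my own heuristics, not anything the tools define.

```python
"""Triage of autostart and browser-setting lines from HijackThis / ComboFix logs.

Heuristics (my own, not the tools'): a binary sitting directly in a user-writable
drop folder or anywhere under Temp, a file name that looks machine-generated,
a browser proxy pointed at the loopback address, and a start page that is not a
browser default.  Output is a list of reasons per line for a human to review.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: lines taken from the HijackThis and ComboFix logs in this
# thread (hxxp is ComboFix's defanged spelling of http).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [MRtPNAFMRSnT] "C:\Documents and Settings\All Users\Application Data\MRtPNAFMRSnT.exe"
2010-10-20 23:01 136176 ---hatw- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe
HKCU-Run-Ydakaponameve - c:\users\user\AppData\Local\emijogumaj.dll
MSConfigStartUp-cadwbksl - c:\users\user\AppData\Local\Temp\kaulgijoq\djsjaduhmof.exe
uInternet Settings,ProxyServer = http=127.0.0.1:33554
uStart Page = hxxp://google.atcomet.com/b/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.remcpapc.com/
"""

# Windows path to a binary, as these logs print them.
PATH_RE = re.compile(r'([a-zA-Z]:\\[^"\r\n]*?\.(?:exe|dll|sys))', re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.IGNORECASE)
START_RE = re.compile(r"Start Page\s*=\s*(\S+)", re.IGNORECASE)

# Folders malware commonly drops into.  A vendor subfolder underneath them
# (e.g. AppData\Local\Google\Update) is normal; a file directly inside is not.
DROP_DIRS = (
    "\\application data",   # XP: All Users\Application Data, <user>\Application Data
    "\\programdata",
    "\\appdata\\local",
    "\\appdata\\locallow",
    "\\appdata\\roaming",
)
LOOPBACK = ("127.0.0.1", "localhost")
DEFAULT_START_HOSTS = ("go.microsoft.com", "www.msn.com")


def in_drop_location(path: str) -> bool:
    """True if the file sits directly in a drop folder or anywhere under Temp."""
    p = path.lower()
    parent = p.rsplit("\\", 1)[0]
    if "\\temp\\" in p:
        return True
    return any(parent.endswith(d) for d in DROP_DIRS)


def looks_random(filename: str) -> bool:
    """Crude detector for generated names such as MRtPNAFMRSnT.exe: a long
    all-letter stem with almost no vowels, or with the case flipping repeatedly.
    Expect some false positives on terse vendor names; treat it as a hint only."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", filename)
    if not stem.isalpha() or len(stem) < 10:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowels / len(stem) < 0.2 or flips >= 5


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a single log line deserves a look."""
    reasons: List[str] = []
    m = PROXY_RE.search(line)
    if m and any(h in m.group(1) for h in LOOPBACK):
        reasons.append("browser traffic proxied through a local port: " + m.group(1))
    m = START_RE.search(line)
    if m:
        url = re.sub(r"^hxxp", "http", m.group(1), flags=re.IGNORECASE)
        host = urlparse(url).hostname or ""
        if host not in DEFAULT_START_HOSTS:
            reasons.append("start page is not a browser default (review): " + host)
    for path in PATH_RE.findall(line):
        if in_drop_location(path):
            reasons.append("binary in user-writable drop location: " + path)
        name = path.rsplit("\\", 1)[-1]
        if looks_random(name):
            reasons.append("machine-generated-looking file name: " + name)
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every non-empty line that raised a reason."""
    out = []
    for line in log.splitlines():
        line = line.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                out.append((line, reasons))
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, the script leaves the Synaptics, ctfmon and GoogleUpdate entries alone and raises the loopback proxy, the two start pages, the Temp binary and the two files dropped straight into AppData\Local and All Users\Application Data.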
 

Trainmaster

New Member
Having the same problem as original poster - here's my Hijack This Log

malware bytes is still running; here's my hijack this log

I don't recognize this program - I have never seen it in my taskmaster process list before
C:\Documents and Settings\All Users\Application Data\MRtPNAFMRSnT.exe



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:08:05 PM, on 4/21/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Carbonite\CarbonitePreinstaller.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\MRtPNAFMRSnT.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.remcpapc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6437
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110118075944.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\WINDOWS\system32\WLTRAY"
O4 - HKLM\..\Run: [HPLJ Config] "C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe" -c Direct -p DOT4_002 -pn "LaserJet 1012 Series" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [DelayShred] "c:\PROGRA~1\mcafee\mshr\ShrCL.EXE" /P7 /q c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1\Content.IE5\S68H14M1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1\Content.IE5\K86IFILP.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1\Content.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1.SH!\Content.SH!\S68H14M1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1.SH!\Content.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\SYSTEM~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\MPLAYE~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\FLASHP~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\FLASH6~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\FILE31~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\FRF695~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\FRC26F~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\FROMCA~4.SH! c:\DOCUME~1\owner\LOCALS~1\temp\FROMCA~3.SH! c:\DOCUME~1\owner\LOCALS~1\temp\History\History.SH! c:\DOCUME~1\owner\LOCALS~1\temp\History.SH! c:
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [MRtPNAFMRSnT] "C:\Documents and Settings\All Users\Application Data\MRtPNAFMRSnT.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Seagate 2GET6XM1 Product Registration.lnk = C:\Documents and Settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GET6XM1 Product Registration.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97B6CB8F-1BEA-4002-B0EE-CF309F13BD95}: NameServer = 69.78.96.14 66.174.95.44
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 10352 bytes
 

johnb35

Administrator
Staff member
Always run malwarebytes first before posting the hijackthis log. Repost the hijackthis log after posting the malwarebytes log.
 

Trainmaster

New Member
OK. Malwarebytes is still running. I'll check back in a few minutes, get its log, rerun HijackThis, get its log and post them for you.
 

Trainmaster

New Member
I am still out here. I had run a full scan on Malwarebytes, and it had scanned over 150000 files and had been running for over 2 hours and 40 minutes, then my screen went black, and a window popped up saying the following: "Windows delayed write failed X Windows was unable to save all the data for the file \\System32\\496A8300. The data has been lost. The error may be caused by a failure of your computer hardware."

The system then rebooted itself and the whole popup screen episode described by the original poster began again.

I am currently rerunning malwarebytes as "quick scan" hope this is OK.
 

johnb35

Administrator
Staff member
Yes, all that is needed is a quick scan. It may help to run the Rkill program before running Malwarebytes.

Please download and run Rkill.scr, Rkill.exe, or Rkill.com but DO NOT reboot the system, and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.
 

Trainmaster

New Member
Downloaded and ran Rkill - rerunning Malwarebytes.

Running a quick scan in Malwarebytes; will post the log, then rerun HijackThis and post its log as well.
 

Trainmaster

New Member
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6417

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/21/2011 11:02:39 PM
mbam-log-2011-04-21 (23-02-17).txt

Scan type: Quick scan
Objects scanned: 50264
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRtPNAFMRSnT (Trojan.FakeAlert) -> Value: MRtPNAFMRSnT -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\mrtpnafmrsnt.exe (Trojan.FakeAlert) -> No action taken.
 

Trainmaster

New Member
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6417

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

4/21/2011 11:08:51 PM
mbam-log-2011-04-21 (23-08-51).txt

Scan type: Quick scan
Objects scanned: 50264
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRtPNAFMRSnT (Trojan.FakeAlert) -> Value: MRtPNAFMRSnT -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\mrtpnafmrsnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
 

Trainmaster

New Member
Hijackthis log file

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:28:03 PM, on 4/21/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Carbonite\CarbonitePreinstaller.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.remcpapc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6437
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110118075944.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Reminder] "C:\WINDOWS\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] "C:\WINDOWS\system32\WLTRAY"
O4 - HKLM\..\Run: [HPLJ Config] "C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe" -c Direct -p DOT4_002 -pn "LaserJet 1012 Series" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DelayShred] "c:\PROGRA~1\mcafee\mshr\ShrCL.EXE" /P7 /q c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1\Content.IE5\S68H14M1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1\Content.IE5\K86IFILP.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1\Content.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1.SH!\Content.SH!\S68H14M1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\TEMPOR~1.SH!\Content.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\SYSTEM~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\MPLAYE~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\FLASHP~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\FLASH6~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1\FILE31~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\MPROJE~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\FRF695~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\FRC26F~1.SH! c:\DOCUME~1\owner\LOCALS~1\temp\FROMCA~4.SH! c:\DOCUME~1\owner\LOCALS~1\temp\FROMCA~3.SH! c:\DOCUME~1\owner\LOCALS~1\temp\History\History.SH! c:\DOCUME~1\owner\LOCALS~1\temp\History.SH! c:
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Seagate 2GET6XM1 Product Registration.lnk = C:\Documents and Settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GET6XM1 Product Registration.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 9967 bytes

Trainmaster

New Member
Thank you, comments and questions

I have spent this morning restoring my desktop icons and un-hiding my files that the virus hid. Please let me know if you saw anything on my logs that needs further attention. I do have a few follow-up questions.

Is it now safe to distribute files created on my PC? I am a CPA and I send out emails with attachments frequently, sometimes Word or Excel, but mostly I send out docs as .pdf files because most of my clients do not have Microsoft Office on their home PCs. Is there a possibility of transmitting this virus to them?

If I go to Start, All Programs I see only two programs, where formerly I saw just about everything ever installed on this machine. Is there any quick and easy way to repopulate that list with my program names?

I was previously running McAfee and Spy Sweeper as my “joint malware defense task force”. This is a legacy from my days with my original dial-up internet service provider, MSN, who provided free downloads for their subscribers. Being an “If it ain’t broke, don’t fix it” type of guy, I kept them even after switching to Verizon Wireless Broadband for internet access. They had faithfully protected me until yesterday morning. Do you have observations/suggestions for anti-virus / anti-spyware use going forward?

Finally, I wanted to say thank you to you and the others who made this forum what it is. We have similar forums in the CPA community that are indispensable for sharing knowledge of tax information and accounting software tips and troubleshooting. As a hopelessly small, one-professional firm, I appreciate being able to come to a computer forum site such as this and receive technical advice. This experience was so much more productive than any time I ever spent on the phone or online with a computer or software manufacturer’s so-called “tech support”. I will tell others in the future to refer here for help.