TechSpot

Embarrassed to have several virus infections

By John Gr
Aug 7, 2012
  1. Wow. I've had computers for 22+ years now and I've been incredibly safe. I've helped my inlaws remove several viruses but this is my first virus situation for me -- and it seems to be a doozy.

    Last night, I noticed my computer playing strange sounds last night (nothing on screen), then I noticed Windows Update was off, Firewall was off, and MSE was uninstalled (no service). Anyway, I reinstalled MSE and found the following:

    Vista x64 on Dell Studio Slim Desktop.

    BlacoleRef.W
    FakePAV
    Sifeld.A
    Sirefef.Y
    Sirefef.W
    Sirefef.AB

    I'm actually in the middle of a migration to Win7 on the same box (W7 is located on a separate physical SSD drive -- not sure this matters, but I figured I'd mention it)

    Help!! (and thanks in advance. I've read a few other threads and you all seem to be doing amazing work here)

    John G
     
  2. John Gr

    John Gr TS Rookie Topic Starter

    I'll post logs from the '5 steps' as soon as I get home today.
     
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • type exit and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
     
  4. John Gr

    John Gr TS Rookie Topic Starter

    Here you are. I assume from the instructions that I do not need to report the outputs from the '5 steps'? Here is the output from frst64.exe....

    Scan result of Farbar Recovery Scan Tool Version: 05-08-2012 03
    Ran by SYSTEM at 07-08-2012 21:24:23
    Running from K:\
    Windows Vista (TM) Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RtHDVCpl] RAVCpl64.exe [x]
    HKLM\...\Run: [Skytel] Skytel.exe [x]
    HKLM\...\Run: [PMX Daemon] ICO.EXE [x]
    HKLM\...\Run: [LogMeIn GUI] "P:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [x]
    HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [] [x]
    HKLM-x32\...\Run: [AgentMonitor] "C:\Program Files (x86)\VTech\DownloadManager\System\AgentMonitor.exe" [357800 2011-12-12] ()
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\John\...\Run: [GoodSync] "p:\Program Files\Siber Systems\GoodSync\GoodSync.exe" /min [x]
    HKU\John\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\John\...\Run: [Google Update] "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-01-07] (Google Inc.)
    HKU\John\...\Run: [chromium] C:\Users\John\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window [1229848 2012-07-30] (Google Inc.)
    Tcpip\Parameters: [DhcpNameServer] 71.243.0.12 68.237.161.12 192.168.1.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
    ShortcutTarget: APC UPS Status.lnk -> C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe (No File)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk
    ShortcutTarget: Conversion to PDF with ScanSnap Organizer.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
    ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Windows Home Server.lnk
    ShortcutTarget: Windows Home Server.lnk -> C:\Windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe (Microsoft Corporation)
    Startup: C:\Users\John\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)

    ==================== Services (Whitelisted) ======

    4 AcronisOSSReinstallSvc; "C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2217416 2007-02-26] ()
    4 AcrSch2Svc; "C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe" [571424 2007-04-19] (Acronis)
    2 AERTFilters; C:\Windows\System32\AERTSr64.exe [86016 2008-07-18] (Andrea Electronics Corporation)
    2 arXfrSvc; "C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe" [231280 2011-01-10] (Microsoft Corporation)
    2 esClient; "C:\Program Files\Windows Home Server\esClient.exe" [109936 2011-01-10] (Microsoft Corporation)
    2 HPMSSConnectorSvc; "C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe" [20992 2009-10-05] (HP)
    4 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [160272 2008-05-01] (Logitech, Inc.)
    4 LoClntService; "C:\Program Files\Windows Home Server\LightsOutClientService.exe" [49152 2010-11-14] (AxoNet Software GmbH)
    2 MediaCollectorService; "C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe" [81920 2009-10-05] (Hewlett-Packard Company)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    2 NovacomD; C:\Program Files\Palm, Inc\novacom\amd64\novacomd.exe [71168 2011-03-15] (Palm)
    4 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74384 2008-03-24] (MicroVision Development, Inc.)
    2 TivoBeacon2; "C:\Program Files (x86)\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service [868864 2008-07-09] (TiVo Inc.)
    2 vmware-converter-agent; "C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe" -s "C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-agent.xml" [6285 2012-01-31] ()
    2 vmware-converter-server; "C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe" -s "C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-server.xml" [4291 2012-01-31] ()
    2 vmware-converter-worker; "C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe" -s "C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-worker.xml" [6897 2012-01-31] ()
    2 WHSConnector; "C:\Program Files\Windows Home Server\WHSConnector.exe" [489840 2011-01-10] (Microsoft Corporation)
    4 wltrysvc; C:\Windows\System32\WLTRYSVC.EXE C:\Windows\System32\bcmwltry.exe [1889792 2007-08-07] (Dell Inc.)
    2 APC UPS Service; C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe [x]
    2 GsServer; C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe /service [x]
    3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [x]
    2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [x]
    2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [x]
    2 LMIGuardianSvc; "C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe" [x]
    2 LMIMaint; "C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe" [x]
    2 LogMeIn; "C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe" [x]
    4 PD91Agent; "C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [x]
    4 PD91Engine; "C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [x]
    2 SessionLauncher; C:\Users\John\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
    2 SkypeUpdate; "C:\Program Files (x86)\Skype\Updater\Updater.exe" [x]

    ========================== Drivers (Whitelisted) =============

    3 bmdrvr; C:\Windows\SysWow64\Drivers\bmdrvr.sys [74352 2011-03-14] (VMware, Inc.)
    1 cbfs3; C:\Windows\System32\Drivers\cbfs3.sys [340880 2011-09-02] (EldoS Corporation)
    3 libusb0; C:\Windows\System32\Drivers\libusb0.sys [43456 2011-09-22] (http://libusb-win32.sourceforge.net)
    3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2008-07-24] (LogMeIn, Inc.)
    2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2008-07-24] (LogMeIn, Inc.)
    3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30232 2009-04-30] ()
    3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-04-30] ()
    3 mr7910; C:\Windows\System32\Drivers\mr7910.sys [55808 2007-03-16] (Mars Semiconductor Corp.)
    3 pmxmouse; C:\Windows\System32\Drivers\pmxmouse.sys [22016 2007-06-01] (Primax Electronics Ltd.)
    3 pmxusblf; C:\Windows\System32\Drivers\pmxusblf.sys [24384 2007-05-24] (Primax Electronics Ltd.)
    3 radpms; C:\Windows\System32\Drivers\radpms.sys [14944 2010-12-15] (LogMeIn, Inc.)
    2 RtNdPt60; C:\Windows\System32\Drivers\RtNdPt60.sys [26624 2008-07-21] (Windows (R) Codename Longhorn DDK provider)
    0 Si3531; C:\Windows\System32\Drivers\Si3531.sys [333864 2009-02-09] (Silicon Image, Inc)
    0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [22568 2009-02-09] (Silicon Image, Inc.)
    0 SiRemFil; C:\Windows\System32\Drivers\SiRemFil.sys [16936 2009-02-09] (Silicon Image, Inc.)
    0 snapman; C:\Windows\System32\Drivers\snapman.sys [276064 2011-05-04] (Acronis)
    3 ViaUsbModemDriver; C:\Windows\System32\DRIVERS\VIA_USB_MODEM.sys [28160 2011-10-04] ()
    3 VIA_USB_ETS; C:\Windows\System32\Drivers\VIA_USB_ETS.sys [21760 2011-10-04] (Via Telecom, Inc.)
    2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}; \??\C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl [146928 2009-04-02] (CyberLink Corp.)
    3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdLH6.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    1 iynwbebw; \??\C:\Windows\system32\drivers\iynwbebw.sys [x]
    1 lcayddei; \??\C:\Windows\system32\drivers\lcayddei.sys [x]
    2 LMIInfo; \??\P:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [x]
    4 LMIRfsClientNP; [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 VBoxNetFlt; C:\Windows\System32\DRIVERS\VBoxNetFlt.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-07 21:24 - 2012-08-07 21:24 - 00000000 ____D C:\FRST
    2012-08-06 19:02 - 2012-08-06 19:02 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-06 19:02 - 2012-08-06 19:02 - 00000000 ____D C:\Users\John\AppData\Roaming\Malwarebytes
    2012-08-06 19:02 - 2012-08-06 19:02 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-08-06 19:02 - 2012-08-06 19:02 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-08-06 19:02 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-06 18:44 - 2012-08-06 18:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-06 18:44 - 2012-08-06 18:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client

    ============ 3 Months Modified Files ========================

    2012-08-07 17:15 - 2009-06-18 05:37 - 00000012 ____A C:\Windows\bthservsdp.dat
    2012-08-07 17:15 - 2006-11-02 07:42 - 00032586 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-07 17:15 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-07 17:15 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-07 17:15 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-07 17:02 - 2012-04-11 19:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-07 16:56 - 2010-01-07 19:47 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351272357-4184536305-1135799588-1000UA.job
    2012-08-07 16:56 - 2010-01-07 19:47 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351272357-4184536305-1135799588-1000Core.job
    2012-08-07 16:45 - 2006-11-02 04:46 - 00710782 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-07 16:44 - 2008-11-04 07:00 - 01917853 ____A C:\Windows\WindowsUpdate.log
    2012-08-07 16:38 - 2012-01-27 19:46 - 00023728 ____A C:\Windows\PFRO.log
    2012-08-07 16:38 - 2011-10-06 08:16 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-07 16:38 - 2008-11-07 08:56 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
    2012-08-07 16:38 - 2008-11-04 12:14 - 00000288 ____A C:\Windows\Tasks\RtlNICDiagVistaStart.job
    2012-08-07 16:33 - 2012-01-27 19:41 - 00020339 ____A C:\Windows\setupact.log
    2012-08-07 15:34 - 2011-10-06 08:16 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-06 19:02 - 2012-08-06 19:02 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-06 18:44 - 2011-02-06 13:11 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-06 18:44 - 2009-06-03 12:09 - 00725630 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-02 11:02 - 2012-04-11 19:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-02 11:02 - 2011-06-18 06:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-07-29 06:41 - 2008-11-07 10:01 - 00074240 ____A C:\Users\John\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-12 11:53 - 2008-11-11 18:59 - 00087488 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
    2012-07-12 11:53 - 2008-11-11 18:59 - 00080800 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
    2012-07-12 11:53 - 2008-11-11 18:59 - 00034720 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
    2012-07-03 09:46 - 2012-08-06 19:02 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-07-01 18:59 - 2012-07-01 18:59 - 00000888 ____A C:\Users\Public\Desktop\GoodSync Explorer.lnk
    2012-07-01 18:59 - 2012-07-01 18:59 - 00000878 ____A C:\Users\Public\Desktop\GoodSync.lnk
    2012-06-13 23:27 - 2006-11-02 07:21 - 00456976 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-06-13 23:04 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-02 14:19 - 2012-06-19 00:14 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-19 00:14 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-19 00:14 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-19 00:14 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-19 00:14 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-19 00:14 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-19 00:14 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-19 00:14 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-19 00:14 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-19 00:14 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 11:19 - 2012-06-19 00:14 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 11:19 - 2012-06-19 00:14 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 11:15 - 2012-06-19 00:14 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 11:12 - 2012-06-19 00:14 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-05-26 06:57 - 2012-05-26 06:57 - 00000904 ____A C:\Users\Public\Desktop\Flixster Collections.lnk
    2012-05-21 07:24 - 2008-11-11 18:59 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll.000.bak
    2012-05-17 18:47 - 2012-06-13 23:08 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-05-17 18:16 - 2012-06-13 23:08 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-05-17 18:06 - 2012-06-13 23:08 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-05-17 17:59 - 2012-06-13 23:08 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-05-17 17:59 - 2012-06-13 23:08 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-05-17 17:58 - 2012-06-13 23:08 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-05-17 17:58 - 2012-06-13 23:08 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-05-17 17:56 - 2012-06-13 23:08 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-05-17 17:55 - 2012-06-13 23:08 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-05-17 17:55 - 2012-06-13 23:08 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-05-17 17:54 - 2012-06-13 23:08 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-05-17 17:51 - 2012-06-13 23:08 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-05-17 17:51 - 2012-06-13 23:08 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-05-17 17:47 - 2012-06-13 23:08 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-05-17 15:11 - 2012-06-13 23:08 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-05-17 14:48 - 2012-06-13 23:08 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-05-17 14:45 - 2012-06-13 23:08 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-05-17 14:36 - 2012-06-13 23:08 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-05-17 14:35 - 2012-06-13 23:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-05-17 14:35 - 2012-06-13 23:08 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-05-17 14:33 - 2012-06-13 23:08 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-05-17 14:31 - 2012-06-13 23:08 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-05-17 14:29 - 2012-06-13 23:08 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-05-17 14:29 - 2012-06-13 23:08 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-05-17 14:27 - 2012-06-13 23:08 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-05-17 14:25 - 2012-06-13 23:08 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-05-17 14:24 - 2012-06-13 23:08 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-05-17 14:20 - 2012-06-13 23:08 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-05-15 12:15 - 2012-06-13 04:19 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

    ZeroAccess:
    C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}
    C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}\@
    C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}\L
    C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}\U
    C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962}\U\00000001.@

    ZeroAccess:
    C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}
    C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}\@
    C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}\L
    C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962}\U

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 10%
    Total physical RAM: 8191.18 MB
    Available physical RAM: 7346.39 MB
    Total Pagefile: 8189.33 MB
    Available Pagefile: 7349.91 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB

    ======================= Partitions =========================

    1 Drive c: (OS) (Fixed) (Total:58.59 GB) (Free:10.63 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive d: () (Fixed) (Total:111.79 GB) (Free:67.11 GB) NTFS
    3 Drive f: (Media_Local) (Fixed) (Total:1849.01 GB) (Free:141.93 GB) NTFS
    4 Drive g: (Programs) (Fixed) (Total:34.18 GB) (Free:23.2 GB) NTFS
    5 Drive h: (John_Active) (Fixed) (Total:78.12 GB) (Free:27.71 GB) NTFS
    6 Drive I: (RECOVERY) (Fixed) (Total:15 GB) (Free:8 GB) NTFS
    7 Drive j: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
    8 Drive k: () (Removable) (Total:14.9 GB) (Free:14.89 GB) FAT32
    9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    10 Drive y: (Page_File2) (Fixed) (Total:14 GB) (Free:13.91 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 1863 GB 1024 KB
    Disk 1 Online 111 GB 0 B
    Disk 2 Online 698 GB 512 GB
    Disk 3 Online 14 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 14 GB 31 KB
    Partition 0 Extended 1849 GB 14 GB
    Partition 2 Logical 1849 GB 14 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y Page_File2 NTFS Partition 14 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 F Media_Local NTFS Partition 1849 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 111 GB 1024 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D NTFS Partition 111 GB Healthy

    ==================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 62 MB 31 KB
    Partition 2 Primary 15 GB 63 MB
    Partition 3 Primary 58 GB 15 GB
    Partition 0 Extended 624 GB 73 GB
    Partition 4 Logical 34 GB 73 GB
    Partition 5 Logical 78 GB 107 GB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 9 FAT Partition 62 MB Healthy Hidden

    ==================================================================================

    Disk: 2
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 I RECOVERY NTFS Partition 15 GB Healthy

    ==================================================================================

    Disk: 2
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 C OS NTFS Partition 58 GB Healthy

    ==================================================================================

    Disk: 2
    Partition 4
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 6 G Programs NTFS Partition 34 GB Healthy

    ==================================================================================

    Disk: 2
    Partition 5
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 7 H John_Active NTFS Partition 78 GB Healthy

    ==================================================================================

    Partitions of Disk 3:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 14 GB 16 KB

    ==================================================================================

    Disk: 3
    Partition 1
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 K FAT32 Removable 14 GB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-08-07 16:47

    ======================= End Of Log ==========================
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Yeah, we'll work on the difficult infections here. It is so much easier with FRST, to defeat these infections with Sirefef/ZeroAccess.

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went.
     
  6. John Gr

    John Gr TS Rookie Topic Starter

    Here it is:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 03
    Ran by SYSTEM at 2012-08-08 07:39:19 Run:1
    Running from K:\

    ==============================================

    C:\Windows\Installer\{4e253807-60b2-fed5-95a9-13e910f82962} moved successfully.
    C:\Users\John\AppData\Local\{4e253807-60b2-fed5-95a9-13e910f82962} moved successfully.
    iynwbebw service deleted successfully.
    lcayddei service deleted successfully.

    ==== End of Fixlog ====
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Reboot to Normal Mode....

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    [​IMG]

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    [​IMG]

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

      [​IMG]
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.


    ComboFix

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  8. John Gr

    John Gr TS Rookie Topic Starter

    First Rogue Killer reports

    Report #1



    Report #2

    Report #3


     
  9. John Gr

    John Gr TS Rookie Topic Starter

    Now ComboFix Log

    A few notes on the Combofix run. I suppose these would be in the log, but thought I'd also mention here:

    • I noticed on a few occasions in the window while watching it run that it said it did not have Admin rights to perform some function or another.... (Since it was not in the instructions, I had not it with 'run as Admin')
    • At some point, the computer rebooted. I assume it was after Combofix completed it's run, but I'm not 100% sure about that (from the log below, that seems to be the case... but since it wasn't noted, I wanted to be sure that was normal).
    Log file:
     
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    That's okay. ComboFix uses SwearWare and a dummy kernel mode driver to elevate its permissions to Admin level.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  11. John Gr

    John Gr TS Rookie Topic Starter

    Hi DMJ.

    Hmmm.... I ended up running ESET scanner twice. My wife or son must have interrupted the first by closing the window (I don't know if that happened during or after it ran), so I never saw ESET Scanner's "finished" window. However, I did look at the log file after the first run and it seemed to me like it hadn't finished correctly since it was only 4 lines. (It looked basically the same as what I will paste below. So overnight, I ran it again. It ran for more than 4 hours (I have almost 5TB of drives and files on this monster).

    This morning, the "finished" screen reported 800,000+ files scanned and no infections found, no files cleaned. I closed that window without grabbing a screen capture. However, the log file doesn't show anything about the scan itself, just some basic installation logs (seemingly...) The time stamp on the log file is from when I started the scan and not from when I finished it.





    The log file was actually at: C:\Program Files (x86)\ESET\ESET Online Scanner\Quarantine

    Also there appears to be a few files in the Quarantine folder from the first time it ran.... I have uploaded a screenshot of those files and will upload the files themselves if you ask.


    Anyway, let me know if this looks wrong... (and sorry if I'm over-reporting this, I just wanted to pass along my thoughts since It seemed wrong to me.

    Thanks

    John
     

    Attached Files:

  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    That's fine! Excellent work.

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [​IMG]
    • Select the More Options tab
      [​IMG]
    • In the System Restore and Shadow Backups select Clean up
      [​IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  13. John Gr

    John Gr TS Rookie Topic Starter

    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check

    Computer seems to be running fine, except that:​

    • MSE Definitions update fails (I have not tried an uninstall / reinstall, but that would be my guess...)
    • Windows firewall service is not running and cannot be turned on at the moment.(see attached image)

    Security Check Log:​



     

    Attached Files:

  14. John Gr

    John Gr TS Rookie Topic Starter

    By the way, I assume I should update Jave and Flash as well as firefox and thunderbird (neither of which I really use any more). I won'd do this until you say so...
     
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Yes a reinstall of MSE is best so its services can be fixed.

    Follow this to fix Windows Firewall problems: http://support.microsoft.com/mats/windows_firewall_diagnostic/en-us

    Update Firefox

    Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates.


    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.



    Update Java

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems
     
  16. John Gr

    John Gr TS Rookie Topic Starter

    I'm in the process of fixing these things now, but most notably, the Windows Firewall Repair tool was not able to solve the problem...

    Also, I just noticed that Windows Update fails... (see attached).

    Is it possible that the virus removed (deleted permanently) files, services, or dlls related to these processes?
     

    Attached Files:

  17. John Gr

    John Gr TS Rookie Topic Starter

    After some googling today, I have found and fixed both of my remaining problems:

    In case you run into any others with these issues after the virus removal, here is what worked for me...

    For Windows Update failure, it was returning the error: "errors found code 80246008" This was caused by the BITS service being removed / unregistered from services. To add it back I had to do:





    For Windows Firewall Service Failing to start, it was returning the error "1068: dependancy service or group failed to start" It turns out it was the Base Filter Engine service which would not start. The reasons are beyond my skill set, but explained in the link below. To add it back I followed instructions here:




     
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Topic marked as solved. √
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...