
Need Help About A Worm/trojan.


  • This topic is locked
10 replies to this topic

#1 karakoncolos

karakoncolos

  • Members
  • 11 posts

Posted 24 October 2007 - 05:35 AM

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:21:54, on 25.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\mustafa\Desktop\netguide\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O1 - Hosts: 69.5.88.76 www.megaupload.com #24.10.2007
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
O17 - HKLM\System\CS2\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
O17 - HKLM\System\CS3\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5907 bytes

Last combofix log:
ComboFix 07-10-19.1 - mustafa 2007-10-19 1:52:24.1 - NTFSx86
"C:\ComboFix\osid.vbs" üzerinde komut dosyası çalıştırma zamanı aşıldı.
Komut dosyası çalıştırma durduruldu.
Running from: C:\Documents and Settings\mustafa\Desktop\netguide\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-19 01:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 01:39 2,906 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-15 02:35 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2007-10-15 02:35 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-10-13 22:08 <DIR> d-------- C:\Documents and Settings\mustafa\Application Data\Dev-Cpp
2007-10-13 22:07 <DIR> d-------- C:\Dev-Cpp
2007-10-09 00:48 <DIR> d-------- C:\Program Files\SONİCDOOM
2007-10-07 03:15 <DIR> d-------- C:\Program Files\BrainWave Generator
2007-10-07 03:15 303,616 --a------ C:\WINDOWS\IsUninst.exe
2007-10-06 23:09 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2007-10-06 23:08 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-10-06 23:08 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-10-06 23:08 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-10-06 23:08 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-10-06 23:08 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-10-06 23:08 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-10-06 23:08 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-10-06 23:08 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-10-01 14:02 <DIR> d-------- C:\Program Files\iTunes
2007-10-01 14:02 <DIR> d-------- C:\Program Files\iPod
2007-10-01 14:01 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-01 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-01 13:47 <DIR> d-------- C:\Program Files\QuickTime
2007-09-28 22:50 <DIR> d-------- C:\Documents and Settings\mustafa\Application Data\Nokia Multimedia Player
2007-09-28 19:53 <DIR> d-------- C:\Program Files\skulltag-v097d4-2
2007-09-28 19:46 <DIR> d-------- C:\Program Files\skulltag_files
2007-09-28 18:48 <DIR> d-------- C:\Program Files\HalogenWare
2007-09-28 16:59 <DIR> d-------- C:\Documents and Settings\mustafa\Phone Browser
2007-09-28 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-09-28 16:54 <DIR> d-------- C:\Documents and Settings\mustafa\Application Data\Nokia
2007-09-28 16:53 <DIR> d-------- C:\Program Files\DIFX
2007-09-28 16:53 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-09-28 16:53 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-09-28 16:52 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-09-28 16:52 <DIR> d-------- C:\Program Files\Nokia
2007-09-28 16:52 <DIR> d-------- C:\Documents and Settings\mustafa\Application Data\PC Suite
2007-09-28 16:52 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-09-28 16:52 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-09-28 16:52 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-09-28 16:52 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-09-28 16:52 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-09-28 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 10:10 --------- d-----w C:\Program Files\Opera
2007-10-19 08:26 --------- d-----w C:\Documents and Settings\mustafa\Application Data\AVG7
2007-10-19 01:03 --------- d-----w C:\Documents and Settings\mustafa\Application Data\MegauploadToolbar
2007-10-16 10:54 --------- d-----w C:\Documents and Settings\mustafa\Application Data\uTorrent
2007-10-14 23:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-13 15:20 --------- d-----w C:\Program Files\eMule
2007-10-08 21:49 --------- d-----w C:\Program Files\SONİCDOOM
2007-10-01 11:03 --------- d-----w C:\Documents and Settings\mustafa\Application Data\Apple Computer
2007-10-01 11:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-01 10:49 --------- d-----w C:\Program Files\Apple Software Update
2007-09-25 21:05 --------- d-----w C:\Program Files\Combined Community Codec Pack
2007-09-17 14:55 --------- d-----w C:\Program Files\MegauploadToolbar
2007-09-15 13:31 --------- d-----w C:\Program Files\DAEMON Tools
2007-09-15 13:23 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-09-14 23:17 --------- d-----w C:\Program Files\Java
2007-09-14 23:15 --------- d-----w C:\Program Files\Common Files\Java
2007-09-14 12:00 --------- d-----w C:\Documents and Settings\mustafa\Application Data\Uniblue
2007-09-13 13:09 --------- d--h--r C:\Documents and Settings\mustafa\Application Data\yahoo!
2007-09-13 13:09 --------- d-----w C:\Program Files\Yahoo!
2007-09-13 13:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-13 12:57 --------- d-----w C:\Program Files\SIERRA
2007-09-13 12:54 --------- d-----w C:\Program Files\VDM Sound
2007-09-13 12:54 --------- d-----w C:\Program Files\DOSBox-0.63
2007-09-13 12:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-13 12:52 --------- d-----w C:\Program Files\PinupStripPoker
2007-09-13 12:52 --------- d-----w C:\Program Files\Data Realms
2007-09-13 12:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-13 12:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\POP3Profiles
2007-09-13 12:50 --------- d-----w C:\Program Files\Security Task Manager
2007-09-13 12:50 --------- d-----w C:\Program Files\PeerGuardian2
2007-09-13 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-09-10 21:14 --------- d-----w C:\Program Files\JRTwine Software
2007-08-27 09:39 --------- d-----w C:\Program Files\Pineapple Works
2007-07-21 23:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-05-02 11:15 19,552 ----a-w C:\Documents and Settings\mustafa\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-09-07 18:25]
"SoundMan"="SOUNDMAN.EXE" [2003-01-07 13:09 C:\WINDOWS\SOUNDMAN.EXE]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 03:50]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2002-05-22 01:00]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 01:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-19 14:16:43 C:\WINDOWS\Tasks\1-Click Maintenance.job"
"2007-10-01 10:49:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 01:58:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-19 2:00:06
.
--- E O F ---


problem:
Simply: disconnecting and a "win32 generic host process" error message after some slowness on the computer. It connects to the net, but after a while the computer gets a bit slow, then svchost crashes. I'm always getting "O17" as seen in the HJT log (which is classified as a domain hijacker).
Also, I can't use System Restore; it's somehow blocked by something. My registry cleaner always finds HKCR/HTTP/Shell, which is an empty registry. My Daemon Tools seems to be corrupted; I just deleted its folders manually and deleted "sptd.sys". I found a trojan DLL in my system32 folder, "CddbCdda.dll"; I deleted it and removed the key from the registry (credit goes to TuneUp here, but the poor program can't use System Restore or save me from that problem. It was corrupted once, so I reinstalled it... etc.).

Programs that can't get rid of that problem:
Spybot Search & Destroy, Ad-Aware SE, Ad-Aware 2007, NOD32, BitDefender, SUPERAntiSpyware, AVG Anti-Spyware, AVG Anti-Virus, Sunbelt CounterSpy... etc.
Also, BitDefender is broken right now. I can't uninstall it. It keeps telling me that the product is not installed, so I can't uninstall it automatically. I used all the steps before posting these logs.
As you see, "I locked all the doors but it keeps coming; which window did I forget then?"

Sorry if this is a bit harsh, but I'm in a hurry to learn something from an expert and save my computer.
Thanks for your time. I'm thinking about a format if no one can answer my question.

Edited by karakoncolos, 24 October 2007 - 06:21 PM.




#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 12 November 2007 - 10:36 PM

Hello and welcome to BC. :thumbsup:

Sorry for the delay in response. If you haven't received help elsewhere yet, and still need assistance, please post a fresh HijackThis log and I'll be happy to help you.

#3 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 19 November 2007 - 02:58 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.

#4 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 23 November 2007 - 08:18 AM

The thread is re-opened as per PM request. Please post a fresh HijackThis log.

Edited by amateur, 23 November 2007 - 08:20 AM.


#5 karakoncolos

karakoncolos
  • Topic Starter

  • Members
  • 11 posts

Posted 23 November 2007 - 03:20 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:13, on 23.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\mustafa\Desktop\cd\security\security tools\registry\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O1 - Hosts: 69.5.88.76 www.megaupload.com #24.10.2007
O1 - Hosts: 69.5.88.70 www01.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.75 www02.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.75 www03.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.75 www04.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.68 www05.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.69 www06.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.79 www07.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.81 www08.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.87 www09.megaupload.com #03.11.2007
O1 - Hosts: 69.5.88.88 www10.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.4 www11.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.5 www12.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.6 www13.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.31 www14.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.32 www15.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.33 www16.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.34 www17.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.7 www18.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.8 www19.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.9 www20.megaupload.com #03.11.2007
O1 - Hosts: 64.72.115.10 www21.megaupload.com #03.11.2007
O1 - Hosts: 87.255.33.140 www70.megaupload.com #03.11.2007
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
O17 - HKLM\System\CS5\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6821 bytes


***
thanks for re-opening.

#6 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts

Posted 23 November 2007 - 07:08 PM

Hi,

Nothing serious is showing in the log, but that may not necessarily mean that the computer is clean though.

im always getting "O17" as seen on hjt log(which classified as domain hi-jacker).

If you're living in Istanbul, Turkey, that O17 line should not worry you. It belongs to Turk Telekom RAS Test Network.

For the "win32 generic host process" error message, Microsoft has a hotfix for the problem. Check this page and download the appropriate file for your system, 32 bit or 64 bit. Normally you should not have this problem if you receive service pack updates.

Also i cant use the system restore it's somehow blocked by something.

What happens when you try system restore?

my registry cleaner always finds HKCR/HTTP/Shell which is an empty registry.

Now, this statement is a bit of a cause for concern for me because one can easily make a system inoperable by using registry cleaners.

my daemon tools seem to be corrupted i just deleted the folders of it manually

The best way to remove a program is via Add or Remove Programs in the Control Panel. Deleting the folders will make it harder if not impossible to remove the program. In such cases, better to reinstall the program and then remove it via Add or Remove Programs.

found a trojan dll in my system32 folder "CddbCdda.dll" i deleted it and removed the key from registry

That is an indication of a very difficult infection but Combofix may have taken care of it.

==========================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Click Start>Run, type in appwiz.cpl and press Enter.
  • Remove all entries of Runtime Environment (J2SE or JRE) that are listed.
  • Now reboot your computer.
  • Download the latest version of Java Runtime Environment, and install it to your computer.
==========================

Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
================================

Download HostsXpert.
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click "Make Writable?" in the upper left corner.
  • Click "Restore MS Hosts file" and then click OK.
  • Close HostsXpert.
  • Note: If a custom Hosts file was in place, you'll have to edit those entries back in.
===============================

Scan with HijackThis and put a checkmark against the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


Close all browsers/windows other than HijackThis and click on "fix checked".

================================

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
================================

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  • Please attach extra.txt to your post.
To attach a file to a new post, simply
  • Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  • copy and paste the following into the "Upload File from your Computer" box:

    C:\Deckard\System Scanner\extra.txt

  • Click Upload.

================================

Please post back the Report.txt, main.txt, extra.txt and a fresh HijackThis log.
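
A triage pass over HijackThis entries covering the points reviewed in the post above (Hosts redirections, the O17 name servers, entries whose file is gone), as an added example that is not part of the original post or of HijackThis. The sample lines are copied from the logs in this thread; the function names and report keys are made up for illustration.

```python
import re

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O1 - Hosts: 69.5.88.76 www.megaupload.com #24.10.2007
O1 - Hosts: 64.72.115.4 www11.megaupload.com #03.11.2007
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe (file missing)
"""

# One entry line: an R or O section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# Body of an O1 entry: "Hosts: <ip> <hostname> [#comment]".
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# Suffixes HijackThis appends when the referenced file is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_entries(text):
    """Return [(code, body), ...]; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def triage(text):
    """Collect the entries a reviewer would want to verify by hand."""
    report = {
        "hosts_redirects": [],   # (hostname, ip) pinned in the Hosts file
        "proxy_autoconfig": [],  # PAC URLs set for Internet Explorer
        "orphaned": [],          # entries pointing at a file that is gone
        "nameservers": [],       # DNS servers to check against the ISP
    }
    servers = set()
    for code, body in parse_entries(text):
        if code == "O1":
            m = HOSTS_RE.match(body)
            # Loopback mappings are typically block lists, not redirects.
            if m and m.group(1) not in LOOPBACK:
                report["hosts_redirects"].append((m.group(2), m.group(1)))
        elif code == "R1" and "AutoConfigURL = " in body:
            report["proxy_autoconfig"].append(body.split("AutoConfigURL = ", 1)[1])
        elif code == "O17" and "NameServer = " in body:
            value = body.split("NameServer = ", 1)[1]
            servers.update(value.replace(",", " ").split())
        if body.endswith(ORPHAN_MARKERS):
            report["orphaned"].append((code, body))
    report["nameservers"] = sorted(servers)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, ip in result["hosts_redirects"]:
        print(f"Hosts file pins {host} to {ip}")
    for url in result["proxy_autoconfig"]:
        print(f"Proxy auto-config in use: {url}")
    for code, body in result["orphaned"]:
        print(f"{code} entry with no file on disk: {body}")
    print("DNS servers to verify with the ISP:", ", ".join(result["nameservers"]))
```

The output is a list of things to verify, not a verdict: the name servers still have to be checked against the ISP, as was done for the O17 line above.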

#7 karakoncolos

karakoncolos
  • Topic Starter

  • Members
  • 11 posts

Posted 24 November 2007 - 07:58 AM

As Deckard's DSS scanned my system, I remembered why I disappeared from here for a while. I was busy with downloading some brute force and hacking tools (yes, that's a confession). If you got your gf's mail hacked you might think you need it someway.
:blink:
You can tell what a fool I am, and as I noticed, some of the suspicious files come from some of those tools and some of them were already there before I downloaded the said tools. I'm sure because I checked my system32 and noticed the suspicious files mostly.
Although GMER or catchme does not recognize the RegRun Reanimator, which ruined my computer a bit and saved me in some points, and RegRun does not recognize GMER. That's why "gmer.sys" is lost. Other than that, I figured out I just deleted the DVD-RAM autorun by accident... :thumbsup:
I just [bleep]ed the created hack tools. I never used them since I need proxies to make them work. I was busy with my class by the time I downloaded them, so I didn't have time to get to work on them.
Don't think I just harmed my computer; I learned something useful from the "other" site. For example, I learned my C: and D: drives and admin are on net share. I shut them up with a little code I learnt there, but they keep giving the net share as I reset.

Another great problem is my computer avoids Kaspersky. It must be somewhere. "extra.txt" shows the error within: unable to load "kl1.sys" to system32.

Product: Kaspersky Anti-Virus 7.0 -- Error 1304.Error writing to file C:\WINDOWS\system32\drivers\kl1.sys. Verify that you have access to that folder.

OK, there's no hope and any moderator is free to close this topic, because I look like a troll right now. I removed those hack tools and deleted the suspicious files; they're resting in my Recycle Bin.

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-24 03:45:27
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
21: 2007-11-24 00:56:56 UTC - RP182 - Installed Java™ 6 Update 3
20: 2007-11-24 00:40:47 UTC - RP181 - Removed Java™ 6 Update 2
19: 2007-11-24 00:39:58 UTC - RP180 - Removed Java™ 6 Update 2
18: 2007-11-23 21:18:26 UTC - RP179 - Installed AVG 7.5
17: 2007-11-23 16:55:02 UTC - RP178 - Installed Kaspersky Anti-Virus 7.0.


-- First Restore Point --
1: 2007-11-14 18:47:24 UTC - RP162 - Sistem Denetleme Noktası


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:46:22, on 24.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\mustafa\Desktop\cd\security\security tools\fixes\dss.exe
C:\DOCUME~1\mustafa\Desktop\cd\security\SECURI~1\registry\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4295 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\mustafa\Desktop\cd\security\SECURI~1\registry\backups\) --------------------------------------------------------------------------------

backup-20071122-210918-300 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
backup-20071122-210918-852 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
backup-20071122-210920-299 O17 - HKLM\System\CS5\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
backup-20071122-210920-485 O17 - HKLM\System\CCS\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
backup-20071123-125140-105 O17 - HKLM\System\CCS\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
backup-20071123-125140-467 O17 - HKLM\System\CS5\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
backup-20071123-125140-624 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
backup-20071123-131113-578 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20071123-131142-959 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
backup-20071123-131215-690 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20071123-131355-774 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
backup-20071123-221916-539 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
backup-20071123-221916-643 O17 - HKLM\System\CS5\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
backup-20071123-221916-863 O17 - HKLM\System\CCS\Services\Tcpip\..\{401C4497-3929-400E-957B-2290CEF22883}: NameServer = 195.175.39.40 195.175.39.39
backup-20071123-222053-716 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
backup-20071124-030254-692 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071124-030254-750 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>

S2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
S2 STEC3 - c:\windows\system32\stec3.sys <Not Verified; AntiCracking; SVKP driver for NT>
S3 catchme - c:\docume~1\mustafa\locals~1\temp\catchme.sys (file missing)
S3 GMSIPCI - e:\install\gmsipci.sys (file missing)
S3 Partizan - c:\windows\system32\drivers\partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-16 17:20:20 394 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-10-01 12:49:25 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-10-24 and 2007-11-24 -----------------------------

2007-11-24 03:22:16 0 d-------- C:\WINDOWS\ERUNT
2007-11-24 02:57:06 0 d-------- C:\Program Files\Common Files\Java
2007-11-23 23:19:26 0 d-------- C:\Documents and Settings\mustafa\Application Data\AVG7
2007-11-23 23:19:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-23 18:52:46 0 d-------- C:\kav
2007-11-23 18:49:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-23 13:15:14 0 d-------- C:\WINDOWS\pss
2007-11-22 02:48:47 0 d-------- C:\Program Files\[bleep]
2007-11-20 19:29:20 300326 --a------ C:\WINDOWS\system32\perfh041.dat
2007-11-20 19:29:20 45784 --a------ C:\WINDOWS\system32\perfc041.dat
2007-11-20 15:59:06 0 d-------- C:\Program Files\Babylon
2007-11-20 15:58:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Babylon
2007-11-20 15:58:45 0 d-------- C:\Documents and Settings\mustafa\Application Data\Babylon
2007-11-20 15:49:29 0 dr-h----- C:\Program Files\rnamfler
2007-11-19 05:16:47 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-19 05:16:35 0 d-------- C:\Fraps
2007-11-18 02:58:53 0 d-------- C:\Program Files\[bleep]
2007-11-16 21:19:28 0 d-------- C:\Program Files\ConnectionServices
2007-11-16 21:19:17 0 d-------- C:\Program Files\BitAccelerator
2007-11-16 01:06:44 0 d-------- C:\Documents and Settings\mustafa\Application Data\Uniblue
2007-11-15 02:01:21 0 d-------- C:\Program Files\Mp3 My Mp3 2.0
2007-11-12 22:04:56 0 d-------- C:\Program Files\[bleep]
2007-11-12 03:29:54 0 d-------- C:\Program Files\Autodesk
2007-11-12 03:29:47 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-12 03:29:44 12464 --a------ C:\WINDOWS\system32\drivers\CDAC15BA.SYS <Not Verified; Macrovision Europe Ltd; Security Windows NT>
2007-11-12 03:27:51 0 d-------- C:\Program Files\AnswerWorks 4.0
2007-11-12 03:26:46 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2007-11-12 03:26:46 0 d-------- C:\Program Files\AutoCAD 2004
2007-11-12 03:26:46 0 d-------- C:\Documents and Settings\mustafa\Application Data\Autodesk
2007-11-12 03:26:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2007-11-10 23:25:38 0 d-------- C:\Documents and Settings\mustafa\Application Data\FFSJ
2007-11-04 06:03:59 0 d-------- C:\Program Files\Google
2007-10-31 18:01:45 0 d-------- C:\Documents and Settings\mustafa\Application Data\vlc
2007-10-31 17:45:47 0 d-------- C:\Program Files\VideoLAN
2007-10-28 01:36:34 0 d-------- C:\Program Files\[bleep]
2007-10-28 01:24:57 22528 --a------ C:\WINDOWS\system32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite>
2007-10-28 01:24:57 31170 --a------ C:\WINDOWS\system32\drivers\Partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>
2007-10-26 00:44:20 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-26 00:44:20 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-10-26 00:44:20 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-26 00:44:19 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-10-26 00:44:19 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-10-25 12:02:41 0 d-------- C:\RootkitNO
2007-10-24 16:02:25 20625440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-24 15:34:41 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-24 15:33:03 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft Windows NT™ Operating System>
2007-10-24 15:30:58 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-24 00:31:29 3937083 --a------ C:\WINDOWS\system32\SBSP.dat


-- Find3M Report ---------------------------------------------------------------

2007-11-24 02:58:23 0 d-------- C:\Program Files\Java
2007-11-24 02:57:06 0 d-------- C:\Program Files\Common Files
2007-11-24 02:29:16 0 d-------- C:\Program Files\eMule
2007-11-22 15:13:06 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-20 20:03:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 01:22:50 0 d-------- C:\Program Files\TuneUp Utilities 2007
2007-11-06 22:42:41 0 d-------- C:\Program Files\skulltag-v097d4-2
2007-11-02 09:58:15 300326 --a------ C:\WINDOWS\system32\perfh01F.dat
2007-11-02 09:58:15 45784 --a------ C:\WINDOWS\system32\perfc01F.dat
2007-10-24 22:09:38 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-24 00:31:56 246 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-23 23:29:10 0 d-------- C:\Program Files\CCleaner
2007-10-23 22:07:03 0 d-------- C:\Program Files\Lavasoft
2007-10-23 01:24:05 0 d-------- C:\Program Files\Common Files\BitDefender
2007-10-22 22:19:19 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-20 23:53:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-19 20:42:23 0 d-------- C:\Program Files\Safer Networking
2007-10-19 14:54:43 2906 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-19 13:44:04 0 d-------- C:\Program Files\Opera
2007-10-19 13:43:15 0 d-------- C:\Program Files\SONİCDOOM
2007-10-19 13:43:14 0 d-------- C:\Program Files\BrainWave Generator
2007-10-19 13:42:43 0 d-------- C:\Program Files\Apple Software Update
2007-10-19 13:42:36 0 d-------- C:\Program Files\QuickTime
2007-10-19 13:42:20 0 d-------- C:\Program Files\skulltag_files
2007-10-19 13:42:08 0 d-------- C:\Program Files\Common Files\Nokia
2007-10-19 13:42:05 0 d-------- C:\Program Files\Common Files\PCSuite
2007-10-19 13:42:00 0 d-------- C:\Program Files\PC Connectivity Solution
2007-10-19 13:42:00 0 d-------- C:\Program Files\DIFX
2007-10-19 13:41:52 0 d-------- C:\Program Files\Nokia
2007-10-19 13:41:37 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-10-19 13:41:30 0 d-------- C:\Program Files\MegauploadToolbar
2007-10-19 13:39:13 0 d-------- C:\Program Files\iTunes
2007-10-01 13:02:33 0 d-------- C:\Program Files\iPod
2007-10-01 13:01:22 0 d-------- C:\Program Files\Common Files\Apple
2007-09-28 17:48:36 0 d-------- C:\Program Files\HalogenWare
2007-09-15 15:41:59 2368 --a------ C:\WINDOWS\system32\STEC3.sys <Not Verified; AntiCracking; SVKP driver for NT>
2007-09-11 13:02:40 81920 --a------ C:\WINDOWS\system32\frapsvid.dll <Not Verified; Beepa P/L; FRAPS>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 10:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [07.09.2004 17:25]
"SoundMan"="SOUNDMAN.EXE" [07.01.2003 12:09 C:\WINDOWS\SOUNDMAN.EXE]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [13.12.2003 02:50]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [18.06.2007 14:10]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [26.09.2007 13:42]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [07.09.2006 19:19]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06.09.2007 15:14]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [23.11.2007 23:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [04.08.2004 00:45]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [23.11.2007 23:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programlar\BaŸlang�‡\
DSLMON.lnk - C:\Program Files\Zoom Telephonics, Inc.\Zoom ADSL USB Modem\dslmon.exe [26.04.2007 11:09:28]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13.02.2001 09:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2007-11-24 03:47:08 ------------


Edited by karakoncolos, 24 November 2007 - 08:14 AM.


#8 amateur


Posted 24 November 2007 - 09:28 AM

Hi,



Couple of points before we go on. I am sure you are aware by now that downloading crack software is a sure way of getting infected, and so is running an unpatched operating system. Also avoid using p2p file sharing programs like uTorrent. The nature of P2P filesharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Remove them via Add or Remove Programs.

I just [bleep]ed the created hack tools - I never used them since I need proxies to make them work. I was busy with my class by the time I dl them so I don't have time to get work on them.

Please remove them via Add or Remove Programs in Control Panel.

=======================================

I'm missing the SDFix log. Please read my instructions in my previous post and post the Report.txt from SDFix.

=======================================

Do you have two antivirus applications installed and running now, i.e. BitDefender and AVG? If you are running two antivirus programs at the same time, this is NOT a good thing. Multiple antivirus programs can bog down your system, interfere with each other, and may even cause crashes. I highly recommend you remove all but one of them using the Add/Remove Programs in the Control Panel.

=======================================

I really need to see online scan results. Please download Dr.Web CureIt to the desktop. Make sure that your firewall does not block it, and your antivirus does not interfere.


Disconnect this PC from the internet and close all open programs.

It's crucial that you follow this next step exactly as instructed: Do not multi-task while the scan is running...only DrWeb can be active
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.
===========================================

Your DSS log was taken in safe mode. I need it from normal mode.

=======================================

Expecting:

Report.txt from SDFix
DrWeb.csv
DSS main.txt (in Normal Mode)

#9 karakoncolos


Posted 29 November 2007 - 05:28 PM

Thanks for your kindness.
But my computer just blew away and gave an
UNMOUNTABLE_BOOT_VOLUME
error with a blue screen of death. I just formatted it and am now dling the AVG 7.5 free edition again. Thanks for your kindness and help, I appreciate it.
Now... I know I should open a new topic about it, but I'm thinking about:
Spybot, Ad-Aware SE 2007, AVG 7.5 free, ZoneAlarm, Tune-Up Utilities and ERUNT for guarding my registry. Any other advice as a last stand (before you close it)? Sure, I'll dl the tools you advised and keep them in a folder.

Edited by karakoncolos, 29 November 2007 - 05:30 PM.


#10 amateur


Posted 29 November 2007 - 06:28 PM

You're welcome. I'm sorry about the misfortune you had. Sounds like a corrupt file system which may not have been difficult to fix if you have the XP installation disk (unless you have a hard disk that is already failing) but you've already formatted.

The DSS reported that your physical memory was 256 MiB. That's not enough to run XP. Recommended memory is 512 MiB. You might like to keep that in mind and perhaps add some memory to your computer.

Total Physical Memory: 256 MiB (512 MiB recommended).


Here are some steps to make your surfing more secure in future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site http://windowsupdate.microsoft.com/ to get the critical updates.

If you are running Microsoft, or any portion thereof, go to the Microsoft's Office Update site http://office.microsoft.com/officeupdate/m...g.aspx?lc=en-us and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them already):
AdAware A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial43.html
Spybot A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial43.html
Windows Defender here

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet. A tutorial on Firewalls and a listing of some available ones can be found here:
http://forum.malwareremoval.com/viewtopic.php?p=56#56
http://www.bleepingcomputer.com/forums/tutorial60.html

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, e.g. Google Toolbar here: A popup-blocker prevents popup-windows from opening when you come across a website that uses them during internet-surfing. To provide privacy, select disable advanced features when installing.

IE-SPYAD This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm

SiteHound by Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable.
This product can be downloaded from here.

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer thru Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You can not uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, there are some sites that are only accessible with Internet Explorer, e.g. most of the Online Malware-scanners.

CCleaner is a useful utility to clean the temporary files and cookies on a regular basis. Tutorial for CCleaner will explain how to use it. Note: Don't use the Registry (formerly Issues) block as it deals with the registry and can be dangerous.

But above all, keep all your software UP-TO-DATE at all times!!

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here .
Happy Surfing! :thumbsup:
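
The Internet-zone settings listed in the post above can be checked without clicking through the dialog. The following is an added example, not part of the original thread: it audits a registry export of the current user's Internet zone against the six recommended levels and writes a .reg fragment for anything more permissive. It assumes the standard URL-action value names under Zones\3 (0 = Enable, 1 = Prompt, 3 = Disable); the sample export is constructed.

```python
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value name under the zone key -> (setting as named in the post, level it recommends).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Zone 3 is the Internet zone for the current user.
ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")

_DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Return {value_name: int} for the Internet zone key of a .reg export.

    The caller decodes the file first (regedit writes UTF-16 by default).
    Values under any other key, such as another zone, are ignored.
    """
    settings, in_zone = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_zone = line.strip("[]").lower() == ZONE_KEY.lower()
            continue
        match = _DWORD.match(line)
        if in_zone and match:
            settings[match.group(1).upper()] = int(match.group(2), 16)
    return settings


def audit(settings):
    """List (name, label, current, wanted) for settings weaker than recommended.

    A stricter level than the post asks for (Disable where it says Prompt)
    is accepted; a missing or unrecognised value is reported.
    """
    findings = []
    for name, (label, wanted) in RECOMMENDED.items():
        current = settings.get(name)
        if current is None:
            findings.append((name, label, "not set", LEVEL_NAME[wanted]))
        elif current not in LEVEL_NAME:
            findings.append((name, label, hex(current), LEVEL_NAME[wanted]))
        elif current < wanted:  # 0 < 1 < 3: smaller is more permissive
            findings.append((name, label, LEVEL_NAME[current], LEVEL_NAME[wanted]))
    return findings


def remediation_reg(findings):
    """Build .reg text that sets every reported value to the recommended level."""
    if not findings:
        return ""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % ZONE_KEY]
    for name, _label, _current, _wanted in findings:
        lines.append('"%s"=dword:%08x' % (name, RECOMMENDED[name][1]))
    return "\r\n".join(lines) + "\r\n"


# Constructed sample export: the Trusted zone (2) is present to show it is skipped.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"""

if __name__ == "__main__":
    for name, label, current, wanted in audit(parse_reg_export(SAMPLE_EXPORT)):
        print("%s  %-58s %-8s -> %s" % (name, label, current, wanted))
    print(remediation_reg(audit(parse_reg_export(SAMPLE_EXPORT))))
```
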

#11 amateur


Posted 06 December 2007 - 10:29 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.

Edited by amateur, 06 December 2007 - 10:30 AM.




