What Is This Entry? I Think It's An Infection.


  • This topic is locked
11 replies to this topic

#1 joe blow


Posted 16 June 2008 - 03:58 AM

Hi,

I ran hijackthis and found this.

O23 - Service: UBEGT - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\UBEGT.exe (file missing)

I posted a log at Castlecops, but when I went to check back the next day I could not access their site at all. Any other web site was fine, just not Castlecops.

I guess that their site might be temporarily down but I am worried that I am being blocked by malware.

I will post the log here to see if someone can help.

In an attempt to rid myself of the malware, I checked it (to remove) on hijackthis, then I restored to a previous restore point.

I will post both logs here, the first one is when I found the entry, before I had done anything, and the second is my current status.

I am currently running AVG 7.5 and AVG antispyware, superantispyware, spybot 1.5. AVG anti rootkit and rootkit revealer all find nothing.

If I don't check back tomorrow then I have been blocked here too.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:00 PM, on 6/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210917758994
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: UBEGT - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\UBEGT.exe (file missing)

--
End of file - 5383 bytes


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:27 PM, on 6/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210917758994
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1693CC5-A61B-4DA5-966C-0A7CD92CA83E}: NameServer = 203.8.183.1 192.189.54.33
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 5538 bytes


#2 steamwiz


Posted 18 June 2008 - 03:42 PM

Hi

Both logs are clean :thumbsup:

Yes that was most likely a malware entry, but there is no way of knowing what it was as the file was gone and nothing was being run ...

You can run the following scans & see if they find anything, but I doubt it.

I've locked your thread at Castlecops, thanks for telling us about it, many of us post on several forums & it wastes time if your problem is being looked at on more than one forum, at any given time over 400 posters are waiting for their first reply to a question in THIS forum alone, it is similar on other forums, there are just not enough helpers to go around :)

http://www.castlecops.com/p1098929-Mystery...this_enrty.html

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
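Added example (not part of the original thread or any poster's code): the two HijackThis logs in the first post can be compared mechanically. This Python sketch parses O23 service lines, flags the traits that made the UBEGT entry stand out (unknown owner, image path under a Temp directory, file missing), and lists the entries that differ between the two scans. The function names and the three heuristics are assumptions of this example; the sample lines are excerpts of the logs above.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (before / after).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: UBEGT - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\UBEGT.exe (file missing)
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1693CC5-A61B-4DA5-966C-0A7CD92CA83E}: NameServer = 203.8.183.1 192.189.54.33
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
"""

# A HijackThis entry line starts with a section code such as R0, F2, O4 or O23.
ENTRY_RE = re.compile(r"^(?:R\d|F\d|O\d{1,2}) - ")

# O23 layout as it appears in the logs: "O23 - Service: NAME - OWNER - PATH".
# The path is anchored on a drive letter so that " - " inside a path
# (e.g. "Spybot - Search & Destroy") does not split the fields.
O23_RE = re.compile(
    r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - '
    r'"?(?P<path>[A-Za-z]:\\.+?)"?(?P<missing> \(file missing\))?$'
)


def entries(log_text):
    """Return only the entry lines of a log, skipping headers and process lists."""
    lines = (ln.strip() for ln in log_text.splitlines())
    return [ln for ln in lines if ENTRY_RE.match(ln)]


def parse_o23(line):
    """Split one O23 line into its fields, or return None if it is not O23."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    return {
        "name": m.group("name"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def triage_services(log_text):
    """Return (service name, reasons) for O23 entries worth a second look."""
    findings = []
    for line in entries(log_text):
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if "\\temp\\" in svc["path"].lower():
            reasons.append("image in Temp directory")
        if svc["file_missing"]:
            reasons.append("file missing")
        if reasons:
            findings.append((svc["name"], reasons))
    return findings


def diff_logs(before, after):
    """Return (removed, added) entry lines between two scans of one machine."""
    old, new = entries(before), entries(after)
    removed = [ln for ln in old if ln not in new]
    added = [ln for ln in new if ln not in old]
    return removed, added


if __name__ == "__main__":
    for name, reasons in triage_services(LOG_BEFORE):
        print(f"review service {name}: {', '.join(reasons)}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for ln in removed:
        print("- " + ln)
    for ln in added:
        print("+ " + ln)
```

A flagged entry is a lead for further scanning, not a verdict; the diff also surfaces benign changes such as the firewall service installed between the two scans.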

#3 joe blow


Posted 19 June 2008 - 03:09 AM

Hi,

Thanks for the reply.

I downloaded malwarebytes from both the links you left and in both cases it would not run. When I clicked on mbam-setup.exe a window would pop up with "run" I clicked on run and nothing happened.

I have been chasing my tail with this thing for a while now - http://www.bleepingcomputer.com/forums/t/148460/file-and-printer-sharing-trying-to-connect-out/.

My firewall detected something trying to connect out using File and Printer Sharing. This continued even after I uninstalled File and Printer Sharing. I thought it might just be the firewall playing up so I reverted to the Windows firewall. But I think that is how the entry that I have posted here arrived "O23 - Service: UBEGT - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\UBEGT.exe (file missing)" as it appeared soon after I changed firewalls.

So I think I will reinstall as this is all getting out of my league.

I will return in a couple of days, after I reinstall and see if I can run the scans then. I am not certain even a reinstall will get rid of this.

#4 joe blow


Posted 19 June 2008 - 04:11 AM

Sorry, my mistake.

Being logged on to two user accounts seemed to be the problem with Malwarebytes not running.

Here is the log. It was clear.

Malwarebytes' Anti-Malware 1.17
Database version: 869

7:03:13 PM 6/19/2008
mbam-log-6-19-2008 (19-03-13).txt

Scan type: Quick Scan
Objects scanned: 41742
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I will try the other scans as well before I reinstall.

#5 steamwiz


Posted 19 June 2008 - 02:11 PM

HI

"Being logged on to two user accounts seemed to be the problem with Malwarebytes not running."


Thanks for that ... I would never have picked up on that as causing a problem... I shall get in touch with the author of the program & see what they think.

"after I reinstall and see if I can run the scans then. I am not certain even a reinstall will get rid of this."


A format & reinstall will give you a clean start ...

However reinstalling windows over the top (dirty reinstall) will not remove any malware, just as it will not remove any of your personal files. It will repair/replace any corrupt operating system files.

Please DO run the other scans & post the logs, there may be no need to reinstall...

steam

#6 joe blow


Posted 20 June 2008 - 12:35 AM

Hi,


I think the reason Malwarebytes did not run initially was that the pop-up window from my firewall, asking to allow the program to run, came up in the account I was not currently using. When I went back into that account, the pop-up was still there so I allowed it, then everything ran fine. Don't know why it did this, it has not happened before.

I will try those other scans, may take a day or two.

I have done a clean install before without too many problems but I have heard that this does not always remove all malware. If it does then the most likely method of this infection was the disk that I backed up my security and utilities software on, (I had autoplay disabled when I made and installed the disk).

Is there a program that you could recommend for scanning a CD Rom for malware? AVG and Superantispyware found nothing.

Thanks.

#7 steamwiz


Posted 20 June 2008 - 03:30 AM

Hi

Once again, thanks for the extra info about malwarebytes :thumbsup:


The Kaspersky Online Scan will scan any disc in the CD drive, as long as it is selected under select a target to scan: choose my computer & it will scan all drives ...

steam

#8 joe blow


Posted 21 June 2008 - 06:15 AM

Hi,

I installed Java 6.3 so that I could use the Kaspersky scan but the scan didn't start. So I updated Java, the download went fine until it started to install. While the Java update was installing something was downloading to my computer 6 to 8 times faster than I have ever seen anything download to my computer before. I have a slow dialup connection. It was very weird so I disconnected from the net and did a system restore back to before the Java installation.

Then I ran Combofix, here is the log.

ComboFix 08-06-16.5 - Simon 2008-06-21 19:22:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.105 [GMT 10:00]
Running from: C:\Documents and Settings\Simon\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-21 18:10 . 2008-06-21 18:11 <DIR> d-------- C:\Program Files\Java
2008-06-21 18:10 . 2008-06-21 18:10 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-20 19:46 . 1998-01-09 00:00 1,048,576 --------- C:\WINDOWS\system32\SFMAN.DAT
2008-06-20 19:45 . 2000-12-06 00:11 4,174,814 --a------ C:\WINDOWS\system32\CT4MGM.SF2
2008-06-20 19:45 . 1999-09-23 06:18 2,167,684 -ra------ C:\WINDOWS\system32\ct2mgm.sf2
2008-06-20 19:45 . 2000-02-25 11:49 1,048,576 --a------ C:\WINDOWS\system32\CT1MGM.ROM
2008-06-20 19:45 . 2002-01-03 14:44 59 --a------ C:\WINDOWS\system32\DEFAULT8.SFM
2008-06-20 19:45 . 2002-01-03 14:44 59 --a------ C:\WINDOWS\system32\DEFAULT4.SFM
2008-06-20 19:45 . 2002-01-03 14:44 59 --a------ C:\WINDOWS\system32\DEFAULT.SFM
2008-06-20 19:43 . 2008-06-21 16:50 <DIR> d-------- C:\Program Files\Creative
2008-06-20 19:29 . 2008-06-20 19:29 <DIR> d-------- C:\Documents and Settings\Guest.BART-67DO4UECYT\Application Data\Media Player Classic
2008-06-19 18:45 . 2008-06-19 18:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 18:45 . 2008-06-19 18:45 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\Malwarebytes
2008-06-19 18:45 . 2008-06-19 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 18:45 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 18:45 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-19 16:44 . 2008-06-19 16:44 <DIR> d-------- C:\Documents and Settings\Guest.BART-67DO4UECYT\Application Data\SiteAdvisor
2008-06-19 16:44 . 2008-06-21 16:50 <DIR> d-------- C:\Documents and Settings\Guest.BART-67DO4UECYT\Application Data\AVG7
2008-06-19 16:43 . 2008-06-21 18:59 <DIR> d-------- C:\Documents and Settings\Guest.BART-67DO4UECYT
2008-06-18 18:31 . 2008-06-18 18:31 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2008-06-18 18:31 . 2008-06-19 16:21 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-06-18 18:25 . 2008-06-19 16:21 <DIR> d---s---- C:\Documents and Settings\Guest
2008-06-18 16:20 . 2008-06-18 16:20 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\Media Player Classic
2008-06-18 16:18 . 2008-06-18 16:18 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-18 16:09 . 2008-04-14 04:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-11 16:21 . 2008-06-13 21:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 16:18 . 2008-05-09 00:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-05 10:20 . 2008-06-16 16:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-28 16:57 . 2008-06-16 16:55 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-05-28 14:33 . 2008-06-21 18:59 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-26 16:28 . 2008-05-26 16:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-26 15:38 . 2008-06-21 16:58 <DIR> d-------- C:\hjt
2008-05-25 18:15 . 2008-05-25 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 18:14 . 2008-05-25 18:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 18:14 . 2008-05-25 18:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 18:14 . 2008-05-25 18:14 <DIR> d-------- C:\Documents and Settings\Simon\Application Data\SUPERAntiSpyware.com
2008-05-23 16:25 . 2008-06-14 18:09 <DIR> d-------- C:\aaa
2008-05-22 18:21 . 2008-05-27 20:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-05-22 12:05 . 2008-05-22 18:31 445 --a------ C:\WINDOWS\dellstat.ini
2008-05-22 12:03 . 2008-05-22 12:04 <DIR> d-------- C:\Program Files\Dell Photo AIO Printer 922
2008-05-22 12:03 . 2003-10-08 01:56 983,101 --a------ C:\WINDOWS\system32\dlbtgf.dll
2008-05-22 12:03 . 2004-06-15 01:09 401,408 --a------ C:\WINDOWS\system32\dlbtutil.dll
2008-05-22 11:58 . 2008-04-14 04:45 59,520 --a------ C:\WINDOWS\system32\drivers\usbhub.sys
2008-05-22 11:58 . 2008-04-14 04:45 59,520 --a--c--- C:\WINDOWS\system32\dllcache\usbhub.sys
2008-05-22 11:21 . 2008-06-16 19:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-22 10:09 . 2008-05-22 10:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-05-21 15:40 . 2008-05-22 18:21 <DIR> d-------- C:\Program Files\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 09:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-19 08:38 2,240 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-06-18 05:51 --------- d-----w C:\Documents and Settings\Simon\Application Data\AVG7
2008-06-16 09:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-16 06:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-16 06:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 05:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-05-22 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-21 05:40 --------- d-----w C:\Documents and Settings\Simon\Application Data\SiteAdvisor
2008-05-21 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-18 08:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-18 03:17 --------- d-----w C:\Program Files\Sunbelt Software
2008-05-18 03:15 --------- d-----w C:\Program Files\PhotoFiltre
2008-05-18 03:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-18 03:14 --------- d-----w C:\Program Files\Trend Micro
2008-05-18 03:14 --------- d-----w C:\Program Files\CleanUp!
2008-05-18 03:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-18 03:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-18 03:10 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-16 05:44 --------- d-----w C:\Program Files\CONEXANT
2008-05-16 05:42 --------- d-----w C:\Program Files\Intel
2008-05-16 05:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-15 09:24 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-13 19:42 11,264 ------w C:\WINDOWS\system32\spnpinst.exe
2008-04-13 19:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ------w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ------w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:28 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 17:27 79,872 ------w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:23 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
2008-04-13 17:23 168,448 ------w C:\WINDOWS\system32\wmerror.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 10:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-18 16:03 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-05-18 16:27 6731312]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-19 01:30 290816]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-31 01:42 36904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-18 13:55 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
S2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 19:27:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-21 19:29:11
ComboFix-quarantined-files.txt 2008-06-21 09:29:03

Pre-Run: 35,059,032,064 bytes free
Post-Run: 35,109,244,928 bytes free

182



After Combofix I ran Rootkit Revealer and the log came back like this.

HKU\.DEFAULT\Control Panel\International 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-21-1417001333-789336058-839522115-1004\Control Panel\International 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-21-1417001333-789336058-839522115-1004\Control Panel\International\Geo 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 5/15/2008 7:37 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/15/2008 7:37 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/21/2008 7:33 PM 4 bytes Data mismatch between Windows API and raw hive data.

I don't really know but it didn't look good.

Also somewhere during all this an extra Internet Explorer icon has appeared on my desktop.

#9 steamwiz

Posted 21 June 2008 - 02:33 PM

Hi

Also somewhere during all this an extra Internet Explorer icon has appeared on my desktop.


That will be Combofix restoring defaults, it may also have made IE the default browser (if it wasn't already)

While the Java update was installing something was downloading to my computer 6 to 8 times faster than I have ever seen anything download to my computer before. I have a slow dialup connection. It was very weird so I disconnected from the net and did a system restore back to before the Java installation.


So you panicked :thumbsup:

As all you were doing was installing Java at the time, like you I've no idea what was actually happening there ... but I doubt it was malware ... a similar thing happened to me several years ago when I was on dial-up. I was using proxy servers at the time, and because they are not reliable to stay on line, I was using a program which would automatically use the fastest proxy. I had a 56k modem which would normally download at well under 56k, when one day suddenly one of the servers started downloading at several hundred... I never found any malware, never had any problems, & it never happened again. It's always been a puzzle.

The Rootkit Revealer log is clean ... they are all "false positives"!

Take a look here :-

http://forum.sysinternals.com/forum_posts.asp?TID=8882

The same goes for all the entries in the Rootkit Revealer log

You won't be able to see the HKLM\SECURITY\Policy keys in Regedit, this is by design, for your safety. I could give you a way to see them, but it wouldn't achieve anything, & if you made any changes, you may not be able to boot into Windows again.

By the way it's only the latest version of Rootkit Revealer which shows those keys, they were always there but earlier versions didn't scan that section of the registry.

The Combofix log is clean as well :)

It's a pity about KASPERSKY, it does a good deep scan & may have shown something, but somehow I doubt it ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
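The triage described in the reply above, as an added example that is not part of the original thread: it parses Rootkit Revealer lines in the layout posted here and separates entries matching the path/description pairs the reply treats as false positives from anything else. The pattern list reflects this thread's assessment only, and the last two sample lines are constructed.

```python
import re
from datetime import datetime

# Entry layout as posted in the thread: path, timestamp, size, description.
# Paths may contain spaces, so the timestamp is used as the anchor.
ENTRY = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.,]+ (?:bytes|KB|MB))\s+"
    r"(?P<reason>.+?)\s*$"
)

# (path pattern, description prefix) pairs the reply calls false positives.
# Assumption: this is the thread's assessment, not a vendor allowlist.
THREAD_PATTERNS = [
    (re.compile(r"^HKU\\[^\\]+\\Control Panel\\International(\\Geo)?$", re.I),
     "Security mismatch"),
    (re.compile(r"^HKLM\\SECURITY\\Policy\\Secrets\\", re.I),
     "Key name contains embedded nulls"),
    (re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                r"\\Prefetcher\\TracesProcessed$", re.I),
     "Data mismatch between Windows API and raw hive data"),
]

# First four lines are from the thread; the last two are constructed.
SAMPLE_LOG = r"""
HKU\.DEFAULT\Control Panel\International 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 6/21/2008 7:29 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 5/15/2008 7:37 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 6/21/2008 7:33 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\system32\drivers\constructed_example.sys 6/21/2008 7:30 PM 12.00 KB Hidden from Windows API.
not a log line
"""

def triage(log_text):
    """Return (path, timestamp, reason, verdict) for each non-empty line."""
    results = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = ENTRY.match(line)
        if not m:  # keep unparseable lines visible instead of dropping them
            results.append((line, None, None, "unparsed"))
            continue
        when = datetime.strptime(m["when"], "%m/%d/%Y %I:%M %p")
        # Both the path and the description must match a listed pair.
        known = any(p.search(m["path"]) and m["reason"].startswith(r)
                    for p, r in THREAD_PATTERNS)
        results.append((m["path"], when, m["reason"],
                        "matches-thread-pattern" if known else "review"))
    return results
```

A listed path reported with a different description still comes back as `review`, so the pattern list cannot mask a different kind of discrepancy on the same key.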

#10 joe blow

Posted 22 June 2008 - 12:33 AM

Hi,

Thanks for the help, and yes, I did panic. It's just that there seemed to be so many funny little things going on.

At some point I will download the latest Java and install it offline and then try the Kaspersky scan one more time.

Thanks again for the help.

#11 steamwiz

Posted 22 June 2008 - 04:07 PM

You're very welcome :thumbsup:

steam

#12 steamwiz

Posted 24 July 2008 - 04:33 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam