
Another Hijackthis Log


15 replies to this topic

#1 benknightsjohnson

benknightsjohnson

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 09 July 2008 - 11:13 AM

Please help me, the main thing is I got the Google redirect thing!!! Pleeeeeease


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:09:11, on 09/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intra/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intra/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = smoothwall:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\nnnljij.dll (file missing)
O2 - BHO: SSSIEHelperObj Class - {8F26EAA1-D8B4-41A2-994F-704AEEE25536} - C:\WINDOWS\system32\hlpr.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B862223} - C:\Program Files\Helper\1202659113.dll (file missing)
O3 - Toolbar: Web Application - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [PCE Client] C:\WINDOWS\system32\PCENT\PCClient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\RunServices: [CS32] C:\WINDOWS\c32cs2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deanclose.internal
O17 - HKLM\Software\..\Telephony: DomainName = deanclose.internal
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87B1D8E-601B-40AC-95EE-CC0497202196}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deanclose.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deanclose.internal
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: nnnljij - nnnljij.dll (file missing)
O22 - SharedTaskScheduler: didact - {747e1fbe-b70f-441d-bbca-6e536c04924a} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 10749 bytes



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:46 PM

Posted 09 July 2008 - 12:00 PM

Hello benknightsjohnson,

Welcome to Bleeping Computer :thumbsup:

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background. So only run it once!

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 benknightsjohnson


Posted 12 July 2008 - 10:48 AM

ok, did all that and it came up with:

SmitFraudFix v2.329

Scan done at 16:26:25.03, 12/07/2008
Run from C:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{747e1fbe-b70f-441d-bbca-6e536c04924a}"="didact"


Killing process


hosts


VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

Description: Intel® PRO/Wireless 2915ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 85.255.114.103
DNS Server Search Order: 85.255.112.151

HKLM\SYSTEM\CCS\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C87B1D8E-601B-40AC-95EE-CC0497202196}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C87B1D8E-601B-40AC-95EE-CC0497202196}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{DE6CECA3-7FD5-443F-8B34-2C60046A8AA9}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C87B1D8E-601B-40AC-95EE-CC0497202196}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C87B1D8E-601B-40AC-95EE-CC0497202196}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DE6CECA3-7FD5-443F-8B34-2C60046A8AA9}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C87B1D8E-601B-40AC-95EE-CC0497202196}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DE6CECA3-7FD5-443F-8B34-2C60046A8AA9}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: DhcpNameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: NameServer=85.255.114.103,85.255.112.151
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.114.103 85.255.112.151
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.114.103 85.255.112.151
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.114.103 85.255.112.151


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdeze.exe"

Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


Reboot

C:\WINDOWS\system32\kdeze.exe Deleted

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


End


It did remove my background but I know how to get that back but just to tell you because I didn't know if that was good or bad and worth telling you.

Now I don't know what I can and can't do so hopefully I can just carry on running my laptop as normal right? Don't have to be cautious anywhere?

thanks for everything so far!

#4 teacup61


Posted 14 July 2008 - 11:43 AM

Hello,

Can I see a new HijackThis log please? How is it running?

Thanks,
tea

#5 benknightsjohnson


Posted 18 July 2008 - 11:44 AM

yeah sorry forgot about that.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:12, on 18/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iLike\1.1.41\ilikesidebar.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = smoothwall:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\nnnljij.dll (file missing)
O2 - BHO: SSSIEHelperObj Class - {8F26EAA1-D8B4-41A2-994F-704AEEE25536} - C:\WINDOWS\system32\hlpr.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [PCE Client] C:\WINDOWS\system32\PCENT\PCClient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\RunServices: [CS32] C:\WINDOWS\c32cs2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deanclose.internal
O17 - HKLM\Software\..\Telephony: DomainName = deanclose.internal
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87B1D8E-601B-40AC-95EE-CC0497202196}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deanclose.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deanclose.internal
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: nnnljij - nnnljij.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 9628 bytes




It's running the same, it's changed my homepage but I left that and did not change it back because I didn't think I should??... and the Google thing is still there, but only when I go on .co.uk.
Also when I access Hotmail I have to type my password in twice because it always says it's wrong on the first time, this is the same for any account on my computer trying to get on Hotmail?
Furthermore, my computer is really really slow and has been for a while. I have had this laptop for a good 3 years now so that might be why but just to tell you.

thanks.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:46 PM

Posted 18 July 2008 - 11:53 AM

Hello,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\nnnljij.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F1887C1-AB0D-4F11-A28D-EBB7F8F4A79D}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{6316FC9D-B9B3-4F55-8774-2EAB9A034D4F}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C9E99AB-0E6A-4701-AF19-77065160EC6C}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{94FD9E54-080F-4B49-9CF6-3FB4ED143076}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87B1D8E-601B-40AC-95EE-CC0497202196}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{F88ECF84-62CF-4A0E-9D58-CAE85A12388D}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O20 - Winlogon Notify: nnnljij - nnnljij.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
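
The O17 entries in the fix list above are where a HijackThis log shows a changed DNS resolver. As an added example (not part of the original posts and not HijackThis code), this Python script parses O17 lines and reports every NameServer address outside an expected set, with the registry locations that carry it. The expected resolver 192.168.0.1 and the last sample line are constructed assumptions; the other sample lines are copied from the logs in this thread.

```python
import ipaddress
import re

# HijackThis O17 lines: "O17 - <registry location>: <value name> = <data>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$")

# Lines copied from the logs in this thread (three O17 entries, one O20 entry).
PAGE_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CB7A2C-86F1-4E52-B8F1-961D8409157C}: NameServer = 85.255.114.103,85.255.112.151
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.103 85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deanclose.internal
O20 - Winlogon Notify: nnnljij - nnnljij.dll (file missing)
"""

# Constructed line: an interface that uses the resolver assumed to be legitimate.
CONSTRUCTED_LINE = (
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}"
    ": NameServer = 192.168.0.1"
)
SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINE + "\n"

# Assumption: the resolvers this machine is supposed to use (router, ISP, corporate DNS).
EXPECTED = ["192.168.0.1"]


def parse_o17(log_text):
    """Return (registry_location, value_name, data) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m["key"], m["name"], m["data"].strip()))
    return entries


def split_servers(data):
    """NameServer data is space- or comma-separated; keep tokens that are valid IPs."""
    servers = []
    for token in re.split(r"[,\s]+", data):
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # empty or non-IP token
    return servers


def unexpected_resolvers(log_text, expected):
    """Map each resolver IP not in `expected` to the registry locations that set it."""
    allowed = {ipaddress.ip_address(e) for e in expected}
    hits = {}
    for key, name, data in parse_o17(log_text):
        if name.lower() not in ("nameserver", "dhcpnameserver"):
            continue  # Domain, DomainName, SearchList are not resolver addresses
        for ip in split_servers(data):
            if ip not in allowed:
                hits.setdefault(str(ip), []).append(key)
    return hits


if __name__ == "__main__":
    for ip, locations in unexpected_resolvers(SAMPLE_LOG, EXPECTED).items():
        print(f"unexpected resolver {ip} set in {len(locations)} location(s):")
        for loc in locations:
            print(f"  {loc}")
```

Running the same check on a log taken after cleanup should return an empty result, which is what the later log in this thread shows: only `Domain` entries remain under O17.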

#7 benknightsjohnson

benknightsjohnson
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:46 AM

Posted 20 July 2008 - 03:33 PM

Malwarebytes' Anti-Malware 1.21
Database version: 971
Windows 5.1.2600 Service Pack 2

22:04:51 20/07/2008
mbam-log-7-20-2008 (22-04-51).txt

Scan type: Quick Scan
Objects scanned: 49702
Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 22
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{837B45D6-BF85-457D-AABF-6D2E7815F791} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{37cb7a2c-86f1-4e52-b8f1-961d8409157c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3f1887c1-ab0d-4f11-a28d-ebb7f8f4a79d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6316fc9d-b9b3-4f55-8774-2eab9a034d4f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7c9e99ab-0e6a-4701-af19-77065160ec6c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{94fd9e54-080f-4b49-9cf6-3fb4ed143076}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de6ceca3-7fd5-443f-8b34-2c60046a8aa9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f88ecf84-62cf-4a0e-9d58-cae85a12388d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{37cb7a2c-86f1-4e52-b8f1-961d8409157c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3f1887c1-ab0d-4f11-a28d-ebb7f8f4a79d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6316fc9d-b9b3-4f55-8774-2eab9a034d4f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7c9e99ab-0e6a-4701-af19-77065160ec6c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{94fd9e54-080f-4b49-9cf6-3fb4ed143076}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{de6ceca3-7fd5-443f-8b34-2c60046a8aa9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f88ecf84-62cf-4a0e-9d58-cae85a12388d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{37cb7a2c-86f1-4e52-b8f1-961d8409157c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3f1887c1-ab0d-4f11-a28d-ebb7f8f4a79d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{6316fc9d-b9b3-4f55-8774-2eab9a034d4f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7c9e99ab-0e6a-4701-af19-77065160ec6c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{94fd9e54-080f-4b49-9cf6-3fb4ed143076}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{de6ceca3-7fd5-443f-8b34-2c60046a8aa9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f88ecf84-62cf-4a0e-9d58-cae85a12388d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.103,85.255.112.151 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Disk (Trojan.Agent) -> Quarantined and deleted successfully.





and the hijackthis log is.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:40, on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = smoothwall:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSSIEHelperObj Class - {8F26EAA1-D8B4-41A2-994F-704AEEE25536} - C:\WINDOWS\system32\hlpr.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [PCE Client] C:\WINDOWS\system32\PCENT\PCClient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\RunServices: [CS32] C:\WINDOWS\c32cs2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/dow...geUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = deanclose.internal
O17 - HKLM\Software\..\Telephony: DomainName = deanclose.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = deanclose.internal
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = deanclose.internal
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 7950 bytes

thanks......

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:46 PM

Posted 20 July 2008 - 03:43 PM

Much better. :thumbsup: How is it running today?

#9 benknightsjohnson

benknightsjohnson
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:46 AM

Posted 21 July 2008 - 01:05 PM

The Google thing has stopped and is working fine, but I still have to type my Hotmail password in twice before I can log in.

thanks

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:46 PM

Posted 23 July 2008 - 02:57 PM

Hello,

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Thanks,
tea

#11 benknightsjohnson

benknightsjohnson
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:46 AM

Posted 27 July 2008 - 02:42 AM

Hey, I tried this the other day and it came up with no viruses, but I think I might have done it wrong and so am trying again now. When I went on the online scanner thing, it did not give me any options about antivirus, it just came up and did the updates and started scanning. I have Internet Explorer 7 by the way.
thanks.

#12 benknightsjohnson

benknightsjohnson
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:46 AM

Posted 27 July 2008 - 02:50 AM

Oh yeah, and also, I started it online but then couldn't keep online so went off and carried on. I don't know if that matters and was just wondering if I had to be online.

thanks


#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:46 PM

Posted 30 July 2008 - 06:49 PM

Hello,

And what was the outcome? Are you still having the same problem?

Regards,
tea

#14 benknightsjohnson

benknightsjohnson
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:46 AM

Posted 31 July 2008 - 08:12 AM

yep still gotta type it in twice...?

the exact report was....

BitDefender Online Scanner

Scan report generated at: Sun, Jul 27, 2008 - 10:26:13
Scan path: C:\;

Statistics
Time: 01:00:38
Files: 114790
Folders: 6491
Boot Sectors: 2
Archives: 1053
Packed Files: 6819

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 1395217
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 43
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:46 PM

Posted 31 July 2008 - 03:30 PM

Hello,

Fix this line with HijackThis: R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057

Reboot and see if you still have the same problem.

Let me know. :thumbsup:
tea



