Dss/hijackthis Log


This topic is locked
14 replies to this topic

#1 hockeypill

Posted 20 July 2008 - 06:09 PM

Deckard's System Scanner v20071014.68
Run by Joanna on 2008-07-20 18:52:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 1 Restore Point(s) --
1: 2008-07-20 22:52:43 UTC - RP587 - Deckard's System Scanner Restore Point


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Joanna.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:15 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Temp\dss.exe
C:\hjt\Joanna.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://macon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: {e5d9d32f-bb45-7bc8-9ba4-b81692d7fec3} - {3cef7d29-618b-4ab9-8cb7-54bbf23d9d5e} - C:\WINDOWS\system32\gnaxhq.dll
O2 - BHO: (no name) - {4F43126C-0B98-46A5-9845-B396D0600EFA} - C:\WINDOWS\system32\nnnnNGxw.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {8611065F-093A-441B-AE4C-4F33DFA9F4C4} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {db44479e-62eb-45b1-8094-5cf1e4b33200} - C:\WINDOWS\system32\csuwqck.dll (file missing)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\rqrppop.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [acb9bb23] rundll32.exe "C:\WINDOWS\system32\huvdmjgb.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMaf8a88bf] Rundll32.exe "C:\WINDOWS\system32\mhkiwmfk.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Qjghwjqt] "C:\Program Files\Common Files\?icrosoft\n?tdde.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [Qbnv] "C:\Documents and Settings\Joanna\Application Data\??crosoft.NET\??rss.exe"
O4 - HKCU\..\Run: [Pvmdmbb] "C:\Program Files\Common Files\s?stem32\d?dplay.exe"
O4 - HKCU\..\Run: [Zlhvxanw] "C:\Documents and Settings\Joanna\Application Data\?asks\s?ool32.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183948681609
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnnNGxw - nnnnNGxw.dll (file missing)
O20 - Winlogon Notify: rqrppop - rqrppop.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\profsywuywu.html

--
End of file - 9636 bytes

-- HijackThis Fixed Entries (C:\hjt\backups\) ----------------------------------

backup-20080720-180753-627 F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhi.exe
backup-20080720-180830-560 O2 - BHO: (no name) - {0531C178-8514-4A77-86CF-2EE3129FB15A} - C:\WINDOWS\system32\vtUonooo.dll (file missing)
backup-20080720-180950-267 O2 - BHO: (no name) - {374FE8B4-2354-7AA2-5766-5D00BCB088BA} - C:\WINDOWS\system32\hgf.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S1 core - c:\windows\system32\drivers\core.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

S2 Network Monitor - c:\program files\network monitor\netmon.exe service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-18 18:30:00 352 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D9CNM9B1-Joanna).job
2008-07-18 14:10:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-04 23:05:08 358 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1162699364.job


-- Files created between 2008-06-20 and 2008-07-20 -----------------------------

2008-07-20 18:23:13 0 dr-h----- C:\Documents and Settings\Joanna\Recent
2008-07-20 18:00:13 0 d-------- C:\Program Files\CCleaner
2008-07-20 15:48:02 0 d-------- C:\VundoFix Backups
2008-07-20 15:43:25 0 d-------- C:\Documents and Settings\Joanna\Application Data\wsInspector
2008-07-20 15:41:47 0 d-------- C:\hjt
2008-07-20 15:32:51 0 d-------- C:\Program Files\Startup Inspector for Windows
2008-07-20 14:00:20 0 d-------- C:\Program Files\Panda Security
2008-07-20 13:42:10 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-20 13:42:10 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-20 13:42:10 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-20 13:42:10 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-20 13:42:10 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-20 13:42:10 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-20 13:42:10 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-20 13:42:10 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-20 13:42:10 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-20 13:42:10 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-20 13:42:10 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-20 13:42:10 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-20 13:42:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-20 13:42:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-07-20 13:42:10 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-20 13:42:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-20 13:42:09 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-20 00:00:28 0 d--h----- C:\$AVG8.VAULT$
2008-07-19 21:58:17 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-19 21:58:04 0 d-------- C:\Program Files\AVG
2008-07-19 21:58:03 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-14 09:34:40 105248 --a------ C:\WINDOWS\system32\gnaxhq.dll
2008-07-14 09:34:37 105248 --a------ C:\WINDOWS\system32\vbfkmbve.dll
2008-07-14 09:32:53 81152 --a------ C:\WINDOWS\system32\huvdmjgb.dll
2008-07-14 09:32:40 90896 --a------ C:\WINDOWS\system32\mhkiwmfk.dll
2008-07-12 18:54:24 105248 --a------ C:\WINDOWS\system32\qfflzt.dll
2008-07-12 18:54:23 105248 --a------ C:\WINDOWS\system32\uiamsvtj.dll
2008-07-12 18:51:22 668968 --ahs---- C:\WINDOWS\system32\ooonoUtv.ini2


-- Find3M Report ---------------------------------------------------------------

2008-07-20 12:19:46 0 d-------- C:\Documents and Settings\Joanna\Application Data\Adobe
2008-07-20 00:11:43 0 d-------- C:\Documents and Settings\Joanna\Application Data\s?curity
2008-07-09 08:35:44 4184 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-09 08:35:41 88 -r-hs---- C:\WINDOWS\system32\9D84D11131.sys
2008-07-04 09:27:46 56 -r-hs---- C:\WINDOWS\system32\3111D1849D.sys
2008-06-20 16:55:21 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-15 21:25:47 0 d-------- C:\Program Files\Railroad Tycoon 3
2008-06-15 21:22:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 18:06:57 5120 --a------ C:\Documents and Settings\Joanna\Application Data\dvd.bmk


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cef7d29-618b-4ab9-8cb7-54bbf23d9d5e}]
07/14/2008 09:34 AM 105248 --a------ C:\WINDOWS\system32\gnaxhq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F43126C-0B98-46A5-9845-B396D0600EFA}]
C:\WINDOWS\system32\nnnnNGxw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8611065F-093A-441B-AE4C-4F33DFA9F4C4}]
C:\WINDOWS\system32\jkhhi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db44479e-62eb-45b1-8094-5cf1e4b33200}]
C:\WINDOWS\system32\csuwqck.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}]
C:\WINDOWS\system32\rqrppop.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [12/23/2007 10:49 AM]
"@"="" []
"DXDllRegExe"="dxdllreg.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [12/23/2007 10:48 AM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"acb9bb23"="C:\WINDOWS\system32\huvdmjgb.dll" [07/14/2008 09:32 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/20/2008 11:39 AM]
"BMaf8a88bf"="C:\WINDOWS\system32\mhkiwmfk.dll" [07/14/2008 09:32 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/16/2008 08:42 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"Qjghwjqt"="C:\Program Files\Common Files\?icrosoft\n?tdde.exe" []
"WinAble"="C:\Program Files\WinAble\winable.exe" []
"Qbnv"="C:\Documents and Settings\Joanna\Application Data\??crosoft.NET\??rss.exe" []
"Pvmdmbb"="C:\Program Files\Common Files\s?stem32\d?dplay.exe" []
"Zlhvxanw"="C:\Documents and Settings\Joanna\Application Data\?asks\s?ool32.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

C:\Documents and Settings\Joanna\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2/23/2008 1:08:19 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/16/2008 8:42:11 PM]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [11/11/2004 12:59:36 PM]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [8/14/2006 1:12:46 PM]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\profsywuywu.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}"= C:\WINDOWS\system32\rqrppop.dll [ ]
"{4F43126C-0B98-46A5-9845-B396D0600EFA}"= C:\WINDOWS\system32\nnnnNGxw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnNGxw]
nnnnNGxw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrppop]
rqrppop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUonooo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-07-20 18:56:22 ------------
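Added example, not part of the original post and not code from HijackThis or Deckard's System Scanner: a short Python triage script that applies, mechanically, the checks a Malware Response Team helper applies by eye to a log like the one above. The sample lines are copied from the posted log (benign lines included so the heuristics can be seen leaving them alone); the severity levels, the regular expressions and the assumption that msv1_0 is the only default LSA authentication package on Windows XP are mine, not rules published by either tool.

```python
"""HijackThis log triage.

Added example, not part of the original post or of HijackThis/DSS.  The sample
lines are copied from the log above; the heuristics, severities, regexes and the
default-package allow-list are assumptions made here, not rules from the tools.
"""
import re

# Constructed sample: a cross-section of the posted log (benign lines included
# so the heuristics can be seen leaving them alone).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {4F43126C-0B98-46A5-9845-B396D0600EFA} - C:\WINDOWS\system32\nnnnNGxw.dll (file missing)
O2 - BHO: {e5d9d32f-bb45-7bc8-9ba4-b81692d7fec3} - {3cef7d29-618b-4ab9-8cb7-54bbf23d9d5e} - C:\WINDOWS\system32\gnaxhq.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [acb9bb23] rundll32.exe "C:\WINDOWS\system32\huvdmjgb.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Qjghwjqt] "C:\Program Files\Common Files\?icrosoft\n?tdde.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: rqrppop - rqrppop.dll (file missing)
O23 - Service: (Network Monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

ENTRY = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
BHO = re.compile(r"BHO:\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]{36}\}\s+-\s+")
GUID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# "qttask .exe": a space inserted before the extension, as in several Run
# entries of the posted log (assumed to mean the real binary was renamed).
SPACE_BEFORE_EXT = re.compile(r"\S \.exe\b", re.IGNORECASE)
# rundll32 "something.dll",b : a DLL run through a one-letter export.
RUNDLL_ONE_LETTER = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?,\s*[A-Za-z]\b', re.IGNORECASE)
# Assumed default for Windows XP: msv1_0 is the only registered LSA auth package.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def classify(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    # O9 "(file missing)" (e.g. an uninstalled Windows Messenger) is routine, so
    # only hook-type registrations are treated as orphaned.
    if kind in ("O2", "O20", "O23") and "(file missing)" in body:
        return ("medium", kind + " registration points at a file that is gone (orphaned hook)")
    if kind == "O2":
        b = BHO.match(body)
        if b and (b.group(1) == "(no name)" or GUID.match(b.group(1))):
            return ("high", "BHO with no readable display name")
    if kind == "O4":
        if "?" in body:
            return ("high", "autorun path has characters HijackThis could not print: lookalike folder name")
        if SPACE_BEFORE_EXT.search(body):
            return ("high", "autorun target has a space before .exe: binary renamed and autorun rewritten")
        r = RUNDLL_ONE_LETTER.search(body)
        if r:
            return ("high", "rundll32 loads " + r.group(1) + " through a one-letter export")
    if kind == "O10":
        return ("high", "unknown DLL in the Winsock LSP chain")
    if kind == "O15":
        return ("high", "domain added to Internet Explorer's Trusted Zone")
    return None


def triage(log):
    """Run classify() over every line; returns [(severity, reason, line), ...]."""
    findings = []
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


def lsa_auth_packages_extra(dump_line):
    """Extra entries in an "Authentication Packages" line from the DSS registry dump.

    '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\vtUonooo'
    returns ['C:\\WINDOWS\\system32\\vtUonooo'].
    """
    value = dump_line.split("=", 1)[1]
    return [p for p in value.split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(severity.upper(), reason, "::", line)
    print(lsa_auth_packages_extra(r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUonooo'))
```

On the sample, the script flags six high-severity lines (the GUID-named BHO loaded from system32, the two rewritten Run entries, the rundll32 one-letter export, the Winsock LSP DLL and the Trusted Zone entry) and three orphaned hooks, and leaves the Google, AVG, ctfmon and Messenger lines alone. The "?" test matters because HijackThis prints a "?" where a path contains a character it cannot display; the 8.3 names ComboFix later deletes (icroso~1, sstem3~1) show the first character of those folders was indeed not an ordinary letter. The LSA check is worth keeping separate: an extra path after msv1_0 loads into lsass.exe at boot, which is where ComboFix's DLL listing later finds liger.dll.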


#2 teacup61 (Bleepin' Texan!, Malware Response Team)

Posted 20 July 2008 - 06:47 PM

Hello hockeypill,

Welcome back to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 hockeypill (Topic Starter)

Posted 20 July 2008 - 07:27 PM

ComboFix 08-07-20.5 - Joanna 2008-07-20 19:58:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.201 [GMT -4:00]
Running from: C:\Temp\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Joanna\Application Data\ASKS~1
C:\Documents and Settings\Joanna\Application Data\CROSOF~1.NET
C:\Documents and Settings\Joanna\Application Data\SCURIT~1
C:\Documents and Settings\Joanna\Application Data\SCURIT~1\s?curity\
C:\Documents and Settings\Joanna\My Documents\ICROSO~1.NET
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\asembl~1
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\MediaVideoCodec
C:\Program Files\Messenger\profsywuywu.html
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\tpBe12
C:\Temp\tpBe12\etFr.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\crosof~1.net
C:\WINDOWS\dat.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\smbols~1
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\bgjmdvuh.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\gnaxhq.dll
C:\WINDOWS\system32\huvdmjgb.dll
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhkiwmfk.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ooonoUtv.ini
C:\WINDOWS\system32\ooonoUtv.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qfflzt.dll
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\uiamsvtj.dll
C:\WINDOWS\system32\vbfkmbve.dll
C:\WINDOWS\system32\vrjeakrs.ini
C:\WINDOWS\system32\ystem3~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_NETWORK_MONITOR
-------\Service_core
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 19:57 . 2008-07-20 19:56 2,655,750 --a------ C:\Temp\ComboFix.exe
2008-07-20 18:42 . 2008-07-20 18:42 <DIR> d-------- C:\Deckard
2008-07-20 18:41 . 2008-07-20 18:42 686,630 --a------ C:\Temp\dss.exe
2008-07-20 18:00 . 2008-07-20 18:00 <DIR> d-------- C:\Program Files\CCleaner
2008-07-20 16:06 . 2008-07-20 18:00 2,919,360 --a------ C:\Temp\ccsetup209.exe
2008-07-20 16:06 . 2008-07-20 16:06 168,592 --a------ C:\Temp\FxVMonde.exe
2008-07-20 15:48 . 2008-07-20 15:48 <DIR> d-------- C:\VundoFix Backups
2008-07-20 15:47 . 2008-07-20 15:47 119,808 --a------ C:\Temp\VundoFix.exe
2008-07-20 15:43 . 2008-07-20 18:21 <DIR> d-------- C:\Documents and Settings\Joanna\Application Data\wsInspector
2008-07-20 15:41 . 2008-07-20 18:59 <DIR> d-------- C:\hjt
2008-07-20 15:40 . 2008-07-20 15:40 318,369 --a------ C:\Temp\HiJackThis.zip
2008-07-20 15:32 . 2008-07-20 15:34 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2008-07-20 15:32 . 2008-07-20 15:32 685,988 --a------ C:\Temp\isw2.exe
2008-07-20 14:00 . 2008-07-20 14:00 <DIR> d-------- C:\Program Files\Panda Security
2008-07-20 14:00 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-20 13:42 . 2006-07-06 14:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-20 13:42 . 2008-07-20 13:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-20 11:38 . 2008-07-20 11:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-20 00:00 . 2008-07-20 13:29 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-19 21:58 . 2008-07-20 11:35 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-19 21:58 . 2008-07-19 21:58 <DIR> d-------- C:\Program Files\AVG
2008-07-19 21:58 . 2008-07-19 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-19 21:58 . 2008-07-20 11:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-19 21:58 . 2008-07-20 11:39 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-12 18:52 . 2008-07-20 18:27 110,455 --a------ C:\WINDOWS\BMaf8a88bf.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-13 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-16 01:25 --------- d-----w C:\Program Files\Railroad Tycoon 3
2008-06-16 01:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2007-12-22 19:02 66,448 ----a-w C:\Program Files\INSTALL.LOG
2007-09-25 22:53 10,385,200 ----a-w C:\Documents and Settings\Joanna\HC41SInstaller.exe
.
----a-w		   313,472 2007-12-23 14:48:12  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		   198,184 2007-12-23 14:48:05  C:\Program Files\BellSouth\HelpCenter40b\bin\sprtcmd .exe
----a-w			81,920 2007-12-23 14:47:57  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   249,856 2007-12-23 14:47:57  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm	   .exe
----a-w		   249,856 2007-12-23 14:49:26  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w			94,208 2007-12-23 14:47:56  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w		   579,072 2007-12-23 14:48:06  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w			49,152 2007-12-23 14:47:59  C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w		   212,992 2007-12-23 14:47:59  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		   271,672 2007-12-23 14:48:03  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			32,881 2007-12-23 14:47:54  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,694,208 2007-12-23 14:48:07  C:\Program Files\Messenger\msmsgs .exe
----a-w		   286,720 2007-12-23 14:48:01  C:\Program Files\QuickTime\qttask	   .exe
----a-w			26,112 2007-12-23 14:48:01  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w			65,536 2007-12-23 14:48:03  C:\Program Files\TVO BLOCKIT\instlsp .exe
----a-w		   143,360 2007-12-23 14:48:02  C:\Program Files\TVO BLOCKIT\nsfx .exe
----a-w			15,360 2007-12-23 14:48:14  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2007-12-23 14:47:53  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2007-12-23 14:47:53  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2007-12-23 14:47:52  C:\WINDOWS\system32\igfxtray .exe
----a-w		   122,940 2007-12-23 14:47:59  C:\WINDOWS\system32\DLA\DLACTRLW .EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qjghwjqt"="C:\Program Files\Common Files\?icrosoft\n?tdde.exe" [?]
"Qbnv"="C:\Documents and Settings\Joanna\Application Data\??crosoft.NET\??rss.exe" [?]
"Pvmdmbb"="C:\Program Files\Common Files\s?stem32\d?dplay.exe" [?]
"Zlhvxanw"="C:\Documents and Settings\Joanna\Application Data\?asks\s?ool32.exe" [?]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-16 20:42 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [2007-12-23 10:49 249856]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-23 10:48 286720]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [N/A]
"acb9bb23"="C:\WINDOWS\system32\huvdmjgb.dll" [N/A]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-20 11:39 1232152]
"BMaf8a88bf"="C:\WINDOWS\system32\mhkiwmfk.dll" [N/A]
"DXDllRegExe"="dxdllreg.exe" [N/A]

C:\Documents and Settings\Joanna\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-02-23 13:08:19 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-16 20:42:11 124400]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-08-14 13:12:46 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2740:UDP"= 2740:UDP:Windows Media Format SDK (iexplore.exe)
"2741:UDP"= 2741:UDP:Windows Media Format SDK (iexplore.exe)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-20 11:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-20 11:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-20 11:39]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-20 11:39]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 18:10:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-05 03:05:08 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1162699364.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe6/#Hewlett-Packard#hp officejet 5500 series#1162699364
"2008-07-18 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D9CNM9B1-Joanna).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{4F43126C-0B98-46A5-9845-B396D0600EFA} - C:\WINDOWS\system32\nnnnNGxw.dll
BHO-{8611065F-093A-441B-AE4C-4F33DFA9F4C4} - C:\WINDOWS\system32\jkhhi.dll
BHO-{db44479e-62eb-45b1-8094-5cf1e4b33200} - C:\WINDOWS\system32\csuwqck.dll
ShellExecuteHooks-{4F43126C-0B98-46A5-9845-B396D0600EFA} - C:\WINDOWS\system32\nnnnNGxw.dll
Notify-nnnnNGxw - nnnnNGxw.dll
Notify-rqrppop - rqrppop.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://macon.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 20:03:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\liger.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-20 20:18:02 - machine was rebooted [Joanna]
ComboFix-quarantined-files.txt 2008-07-21 00:16:38

Pre-Run: 28,980,469,760 bytes free
Post-Run: 28,940,554,240 bytes free

225 --- E O F --- 2008-07-06 15:46:16

#4 teacup61 (Malware Response Team)

Posted 20 July 2008 - 07:44 PM

Hello,


* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

RenV::
----a-w 313,472 2007-12-23 14:48:12 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 198,184 2007-12-23 14:48:05 C:\Program Files\BellSouth\HelpCenter40b\bin\sprtcmd .exe
----a-w 81,920 2007-12-23 14:47:57 C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w 249,856 2007-12-23 14:47:57 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 249,856 2007-12-23 14:49:26 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 94,208 2007-12-23 14:47:56 C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w 579,072 2007-12-23 14:48:06 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 49,152 2007-12-23 14:47:59 C:\Program Files\HP\HP Software Update\HPWuSchd .exe
----a-w 212,992 2007-12-23 14:47:59 C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w 271,672 2007-12-23 14:48:03 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 32,881 2007-12-23 14:47:54 C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w 1,694,208 2007-12-23 14:48:07 C:\Program Files\Messenger\msmsgs .exe
----a-w 286,720 2007-12-23 14:48:01 C:\Program Files\QuickTime\qttask .exe
----a-w 26,112 2007-12-23 14:48:01 C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w 65,536 2007-12-23 14:48:03 C:\Program Files\TVO BLOCKIT\instlsp .exe
----a-w 143,360 2007-12-23 14:48:02 C:\Program Files\TVO BLOCKIT\nsfx .exe
----a-w 15,360 2007-12-23 14:48:14 C:\WINDOWS\system32\ctfmon .exe
----a-w 77,824 2007-12-23 14:47:53 C:\WINDOWS\system32\hkcmd .exe
----a-w 114,688 2007-12-23 14:47:53 C:\WINDOWS\system32\igfxpers .exe
----a-w 94,208 2007-12-23 14:47:52 C:\WINDOWS\system32\igfxtray .exe
----a-w 122,940 2007-12-23 14:47:59 C:\WINDOWS\system32\DLA\DLACTRLW .EXE


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 hockeypill (Topic Starter)

Posted 20 July 2008 - 08:31 PM

ComboFix 08-07-20.5 - Joanna 2008-07-20 21:14:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.207 [GMT -4:00]
Running from: C:\Temp\ComboFix.exe
Command switches used :: C:\Temp\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 19:57 . 2008-07-20 19:56 2,655,750 --a------ C:\Temp\ComboFix.exe
2008-07-20 18:42 . 2008-07-20 18:42 <DIR> d-------- C:\Deckard
2008-07-20 18:41 . 2008-07-20 18:42 686,630 --a------ C:\Temp\dss.exe
2008-07-20 18:00 . 2008-07-20 18:00 <DIR> d-------- C:\Program Files\CCleaner
2008-07-20 16:06 . 2008-07-20 18:00 2,919,360 --a------ C:\Temp\ccsetup209.exe
2008-07-20 16:06 . 2008-07-20 16:06 168,592 --a------ C:\Temp\FxVMonde.exe
2008-07-20 15:48 . 2008-07-20 15:48 <DIR> d-------- C:\VundoFix Backups
2008-07-20 15:47 . 2008-07-20 15:47 119,808 --a------ C:\Temp\VundoFix.exe
2008-07-20 15:43 . 2008-07-20 18:21 <DIR> d-------- C:\Documents and Settings\Joanna\Application Data\wsInspector
2008-07-20 15:41 . 2008-07-20 18:59 <DIR> d-------- C:\hjt
2008-07-20 15:40 . 2008-07-20 15:40 318,369 --a------ C:\Temp\HiJackThis.zip
2008-07-20 15:32 . 2008-07-20 15:34 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2008-07-20 15:32 . 2008-07-20 15:32 685,988 --a------ C:\Temp\isw2.exe
2008-07-20 14:00 . 2008-07-20 14:00 <DIR> d-------- C:\Program Files\Panda Security
2008-07-20 14:00 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-20 13:42 . 2006-07-06 14:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-20 13:42 . 2008-07-20 13:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-20 11:38 . 2008-07-20 11:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-20 00:00 . 2008-07-20 13:29 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-19 21:58 . 2008-07-20 11:35 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-19 21:58 . 2008-07-19 21:58 <DIR> d-------- C:\Program Files\AVG
2008-07-19 21:58 . 2008-07-19 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-19 21:58 . 2008-07-20 11:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-19 21:58 . 2008-07-20 11:39 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-12 18:52 . 2008-07-20 18:27 110,455 --a------ C:\WINDOWS\BMaf8a88bf.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 01:14 --------- d-----w C:\Program Files\TVO BLOCKIT
2008-07-21 01:14 --------- d-----w C:\Program Files\iTunes
2008-07-20 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-13 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-09 12:35 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-20 20:55 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-16 01:25 --------- d-----w C:\Program Files\Railroad Tycoon 3
2008-06-16 01:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 02:21 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-22 19:02 66,448 ----a-w C:\Program Files\INSTALL.LOG
2007-09-25 22:53 10,385,200 ----a-w C:\Documents and Settings\Joanna\HC41SInstaller.exe
.
----a-w 249,856 2007-12-23 14:47:57 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w 286,720 2007-12-23 14:48:01 C:\Program Files\QuickTime\qttask .exe


((((((((((((((((((((((((((((( snapshot@2008-07-20_20.15.39.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 10:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2007-12-23 14:48:14 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2007-12-23 14:47:59 122,940 ----a-w C:\WINDOWS\system32\DLA\DLACTRLW.EXE
- 2004-08-04 10:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2007-12-23 14:48:14 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2007-12-23 14:47:53 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2007-12-23 14:47:53 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
+ 2007-12-23 14:47:52 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2008-07-21 00:03:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Qjghwjqt"="C:\Program Files\Common Files\?icrosoft\n?tdde.exe" [?]
"Qbnv"="C:\Documents and Settings\Joanna\Application Data\??crosoft.NET\??rss.exe" [?]
"Pvmdmbb"="C:\Program Files\Common Files\s?stem32\d?dplay.exe" [?]
"Zlhvxanw"="C:\Documents and Settings\Joanna\Application Data\?asks\s?ool32.exe" [?]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-16 20:42 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-23 10:48 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2007-12-23 10:48 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [N/A]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-23 10:48 286720]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [N/A]
"acb9bb23"="C:\WINDOWS\system32\huvdmjgb.dll" [N/A]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-20 11:39 1232152]
"BMaf8a88bf"="C:\WINDOWS\system32\mhkiwmfk.dll" [N/A]
"DXDllRegExe"="dxdllreg.exe" [N/A]

C:\Documents and Settings\Joanna\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-02-23 13:08:19 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-16 20:42:11 124400]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-08-14 13:12:46 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2740:UDP"= 2740:UDP:Windows Media Format SDK (iexplore.exe)
"2741:UDP"= 2741:UDP:Windows Media Format SDK (iexplore.exe)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-20 11:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-20 11:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-20 11:39]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-20 11:39]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 18:10:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-05 03:05:08 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1162699364.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe6/#Hewlett-Packard#hp officejet 5500 series#1162699364
"2008-07-18 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D9CNM9B1-Joanna).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 21:17:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\liger.dll
.
Completion time: 2008-07-20 21:19:46
ComboFix-quarantined-files.txt 2008-07-21 01:18:43
ComboFix2.txt 2008-07-21 00:18:04

Pre-Run: 28,902,469,632 bytes free
Post-Run: 28,890,759,168 bytes free

149 --- E O F --- 2008-07-06 15:46:16

running much better

Edited by hockeypill, 20 July 2008 - 08:32 PM.


#6 teacup61 (Malware Response Team)

Posted 20 July 2008 - 08:35 PM

Hello,

Good to know it's better. :thumbsup: Can I also see a new Hijackthis log please? :)

Thanks,
tea

#7 hockeypill (Topic Starter)

Posted 20 July 2008 - 08:56 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:47 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://macon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [acb9bb23] rundll32.exe "C:\WINDOWS\system32\huvdmjgb.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMaf8a88bf] Rundll32.exe "C:\WINDOWS\system32\mhkiwmfk.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Qjghwjqt] "C:\Program Files\Common Files\?icrosoft\n?tdde.exe"
O4 - HKCU\..\Run: [Qbnv] "C:\Documents and Settings\Joanna\Application Data\??crosoft.NET\??rss.exe"
O4 - HKCU\..\Run: [Pvmdmbb] "C:\Program Files\Common Files\s?stem32\d?dplay.exe"
O4 - HKCU\..\Run: [Zlhvxanw] "C:\Documents and Settings\Joanna\Application Data\?asks\s?ool32.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183948681609
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8489 bytes

#8 teacup61 (Malware Response Team)

Posted 20 July 2008 - 09:09 PM

Hello,

Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf
Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal. Then please restart your computer.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [acb9bb23] rundll32.exe "C:\WINDOWS\system32\huvdmjgb.dll",b
O4 - HKLM\..\Run: [BMaf8a88bf] Rundll32.exe "C:\WINDOWS\system32\mhkiwmfk.dll",s
O4 - HKCU\..\Run: [Qjghwjqt] "C:\Program Files\Common Files\?icrosoft\n?tdde.exe"
O4 - HKCU\..\Run: [Qbnv] "C:\Documents and Settings\Joanna\Application Data\??crosoft.NET\??rss.exe"
O4 - HKCU\..\Run: [Pvmdmbb] "C:\Program Files\Common Files\s?stem32\d?dplay.exe"
O4 - HKCU\..\Run: [Zlhvxanw] "C:\Documents and Settings\Joanna\Application Data\?asks\s?ool32.exe"
O4 - Startup: PowerReg Scheduler.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer once again.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
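As an added example that is not part of this thread or of HijackThis, ComboFix or Malwarebytes, here is a small Python script that applies to a HijackThis log the same checks teacup61 makes by eye in posts #4 and #8: O4 Run entries whose path contains a '?' (how the log shows a character it could not display), filenames with a space before .exe (the pattern the RenV:: script in post #4 renames back), rundll32 loaders called with a one-letter export, O10 unknown Winsock LSP files, and O15 Trusted Zone entries. The sample log is constructed from lines quoted above; the rule names and the heuristics behind them are my own, not a vendor's.

```python
import re
from collections import Counter

# Constructed sample log: a few HijackThis 2.0.2 lines modelled on the ones quoted in
# this thread. It is embedded so the script runs offline; swap in a real log's text.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [acb9bb23] rundll32.exe "C:\WINDOWS\system32\huvdmjgb.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Qjghwjqt] "C:\Program Files\Common Files\?icrosoft\n?tdde.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
""".strip()

# "O4 - HKLM\..\Run: [name] command"
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32.exe "C:\...\x.dll",b  -> captures the DLL path and the export name
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
# a filename with a space before its extension, e.g. "isuspm .exe"
SPACE_BEFORE_EXT_RE = re.compile(r'\S \.exe\b', re.IGNORECASE)


def classify_run_entry(hive, name, cmd):
    """Heuristic checks on one O4 Run entry; returns the names of the rules that fired."""
    rules = []
    # a '?' in a path is how the log shows a character it could not display;
    # legitimate autostart paths do not contain one
    if "?" in cmd:
        rules.append("run-path-unrenderable-char")
    # "name .exe" is the pattern the RenV:: script in post #4 renames back
    if SPACE_BEFORE_EXT_RE.search(cmd):
        rules.append("run-space-before-extension")
    # rundll32 loading a DLL through a one-letter export is a classic Vundo-style loader
    m = RUNDLL_RE.search(cmd)
    if m and len(m.group(2)) == 1:
        rules.append("run-rundll32-single-letter-export")
    return rules


def triage(log_text):
    """Return a list of (rule, line) findings for the text of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN_RE.match(line)
        if m:
            for rule in classify_run_entry(**m.groupdict()):
                findings.append((rule, line))
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            # an LSP DLL that HijackThis cannot attribute to a known vendor
            findings.append(("lsp-unknown-file", line))
        elif line.startswith("O15 - Trusted Zone:"):
            # home users rarely add Trusted Zone sites themselves; treat each one as suspect
            findings.append(("trusted-zone-entry", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(rule for rule, _ in findings)


def fix_candidates(findings):
    """Unique flagged lines in log order: the list a helper would ask to have checked."""
    seen, out = set(), []
    for _, line in findings:
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, count in sorted(summarize(found).items()):
        print(f"{count:2d}  {rule}")
    print("\nEntries to review:")
    for line in fix_candidates(found):
        print("  " + line)
```

Run it against the sample and it flags six lines: the two renamed-back executables and loaders from the O4 section, the liger.dll LSP entry and both Trusted Zone lines, while the AVG and ctfmon entries pass. The rules are deliberately narrow so that a clean log produces no output; anything they flag still needs a person to confirm, as teacup61 does here, before it goes on a "Fix checked" list.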

#9 hockeypill (Topic Starter)

Posted 21 July 2008 - 10:22 AM

Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2

10:25:09 AM 7/21/2008
mbam-log-7-21-2008 (10-25-09).txt

Scan type: Quick Scan
Objects scanned: 38930
Time elapsed: 11 hour(s), 41 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\BMaf8a88bf.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMaf8a88bf.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:02 AM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
c:\hjt\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://macon.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183948681609
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downlo..._2/axofupld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7100 bytes

Edited by hockeypill, 21 July 2008 - 10:25 AM.


#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 July 2008 - 10:44 AM

Hello,

How is it running?

Thanks,
tea

Edited by teacup61, 21 July 2008 - 10:44 AM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#11 hockeypill

  • Topic Starter
  • Members
  • 15 posts

Posted 21 July 2008 - 11:19 AM

Much better. The scan looks clean to me. Is that your opinion?

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 July 2008 - 03:01 PM

Hello,

Good. :thumbsup: I'd like to have a file analysed, please, before I say all is well. :)

Please navigate to the following file:

c:\windows\system32\liger.dll

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea
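The log in post #9 and the request in post #12 come down to the same triage step: pull the file paths out of the HijackThis O-lines, note which load points deserve attention (O10 Winsock LSP and O20 AppInit_DLLs both load a DLL into many processes), and hash the binaries so they can be looked up by hash before anything is uploaded. The following Python script is an added example for this thread, not code from HijackThis, BleepingComputer or anyone in the discussion. It runs over a constructed sample shaped like the log above, assumes that bare AppInit_DLLs names resolve under C:\WINDOWS\system32, and leaves the actual VirusTotal lookup to the reader.

```python
"""Extract file references from HijackThis-style log lines and hash them.

Added example for this thread; not part of HijackThis or BleepingComputer.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample, shaped like the O-lines in the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\liger.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
# A drive-letter path up to the first .exe/.dll/.sys; spaces are allowed so
# "C:\Program Files\..." survives. Case-insensitive because HijackThis mixes case.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Bare module names, as AppInit_DLLs prints them.
BARE_DLL_RE = re.compile(r"[\w.-]+\.dll\b", re.IGNORECASE)
# Assumption: a bare AppInit_DLLs name is loaded from System32.
SYSTEM32 = r"C:\WINDOWS\system32"
UNKNOWN_OWNER = "Unknown owner"

# Load points that get a second look even on an otherwise clean box (heuristic).
WATCH = {
    "O10": "Winsock LSP: loaded into every process that uses Winsock",
    "O20": "AppInit_DLLs: loaded into every process that links user32.dll",
}


def parse_entries(log_text):
    """Return {section: sorted unique lower-cased paths} for the O-lines."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        paths = PATH_RE.findall(body)
        if not paths and section == "O20":
            paths = [SYSTEM32 + "\\" + name for name in BARE_DLL_RE.findall(body)]
        for p in paths:
            found[section].add(p.lower())  # collapses the repeated O10 lines
    return {sec: sorted(paths) for sec, paths in found.items()}


def triage(entries):
    """(section, path, reason) tuples for the load points a responder checks first."""
    return [(sec, path, reason)
            for sec, reason in WATCH.items()
            for path in entries.get(sec, [])]


def unknown_owner_services(log_text):
    """O23 services whose binary HijackThis could not attribute to a company.

    'Unknown owner' is a prompt to verify the file by hash, not proof of
    malware: vendor support tools often ship without a company name.
    """
    out = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m and m.group("section") == "O23" and UNKNOWN_OWNER in m.group("body"):
            out.extend(p.lower() for p in PATH_RE.findall(m.group("body")))
    return out


def sha256_file(path):
    """SHA-256 of a file, streamed so a large binary is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_report(paths):
    """Map each path to its SHA-256, or None when the file is not on this machine.

    Searching a public scanner by hash first avoids uploading a file that is
    already known, good or bad.
    """
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def hash_constructed_sample():
    """Hash a constructed stand-in file so the hashing path runs offline."""
    fd, tmp = tempfile.mkstemp(suffix=".dll")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"hello")  # constructed content, not a real DLL
        return sha256_file(tmp)
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for sec, path, reason in triage(entries):
        print(f"{sec}: {path}  <- {reason}")
    print("O23 unknown owner:", unknown_owner_services(SAMPLE_LOG))
    print(hash_report(entries.get("O10", [])))
```

On the affected machine, `hash_report` over the O10 and O20 paths gives the digests to search before deciding whether an upload is needed; the constructed sample only exercises the parsing and hashing logic.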

#13 hockeypill

  • Topic Starter
  • Members
  • 15 posts

Posted 24 July 2008 - 04:51 AM

It will take me a day or two to get that file. I was working on my sister-in-law's computer and I have already given it back to her. I did find the following information on that file though.

http://www.siteadvisor.com/sites/truevine....loads/11525502/

She is using the True Vine TVO BLOCKIT filter so that file should be safe.

Do you still want it submitted?

Edited by hockeypill, 24 July 2008 - 04:59 AM.


#14 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 July 2008 - 11:00 PM

Hello there,

No, that's all right. :thumbsup: You told me what I needed to know. A lot of times a user doesn't know what a specific file does, so I just ask for the upload. Thank you for letting me know. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea

#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 August 2008 - 01:21 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.