Windows Antivirus Pro


65 replies to this topic

#46 kenlenard

  • Topic Starter
  • Members

Posted 22 August 2009 - 07:23 PM

I saw the conversation here and realized that I need to follow the advice of the people who run this board. I think it's possible that anyone could come on here and give advice... some could be good and some could be bad. How would I know?

Edited by kenlenard, 22 August 2009 - 07:23 PM.




#47 Computer Pro

  • Members

Posted 22 August 2009 - 07:33 PM

There would be no way to know. As DaChew thinks, and I agree, I think that it is time for a reformat.
Computer Pro

#48 Andrew

  • Moderator

Posted 22 August 2009 - 08:15 PM

kenlenard

All forum staff members can be distinguished by their Group Membership, which is displayed next to every single post.

Posted Image


David.Prucha:
The tone of your reply is unacceptable. Help, or don't help. But do not berate.

#49 DaChew

  • Members

Posted 22 August 2009 - 08:25 PM

Hi DaChew,

If it is a rootkit (and I am quite sure it is), it won't be visible as a process (nor in safe mode), because it is running under "svchost.exe" as a system service.

- Go to
http://www.gmer.net/#files

- Download .exe file
- Launch it
- Wait a while and run full scan
- Save log file
- Post it here


If you had read this thread through in its entirety, you would realize running GMER would not work, or if it did, this infection is far too complex to involve a simple rootkit; a custom cleaning taking several steps would have to be implemented with our trained experts in the HJT forum. These are a challenge even for the best helpers. Look at recent threads where Sophos rootkit scanner shows hidden and disabled security executables. This computer won't even run Sophos.

Sometimes you just need to

Posted Image

Edited by DaChew, 22 August 2009 - 08:29 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#50 Blade

  • Site Admin

Posted 23 August 2009 - 01:59 AM

I apologize for my absence, and also for the mess that seems to have occurred while I was gone. My apologies to you kenlenard, for you having to go through that. :thumbsup: And my thanks to Amazing Andrew for stepping in to settle things. Now, back to the matter at hand.

I echo DaChew's sentiments in strongly recommending a reformat for this machine. It seems that you have met one of the newest nasties that are floating around on the Web. Rootkit detection and removal research is in overdrive right now, and while a fix may be developed given enough time, at the present moment reformatting your machine and reinstalling the OS is most certainly the path of least suffering.

Let us know what your decision is.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#51 kenlenard

  • Topic Starter
  • Members

Posted 23 August 2009 - 01:16 PM

Thanks Blade. So do we think that there is anything in this GMER log that we want to see or should I just cut my losses and retire the machine? I'm fine doing that but I was curious if the log contained anything for educational purposes.

#52 Blade

  • Site Admin

Posted 23 August 2009 - 01:35 PM

If you got one to generate, feel free to post it. It couldn't hurt. Don't get your hopes up though.

~Blade



#53 kenlenard

  • Topic Starter
  • Members

Posted 23 August 2009 - 08:09 PM

Oh shoot... I don't know how to post logs on this forum. A little help? :thumbsup:

#54 Blade

  • Site Admin

Posted 23 August 2009 - 08:11 PM

Highlight and copy the text of the log, and then just paste it into a reply. :thumbsup:



#55 kenlenard

  • Topic Starter
  • Members

Posted 23 August 2009 - 08:13 PM

How about this...

GMER 1.0.15.15077 [qcscjxmz.exe] - http://www.gmer.net
Rootkit scan 2009-08-23 08:45:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 873A7280 ZwEnumerateKey
Code 873A2130 ZwFlushInstructionCache
Code 872D52DE ZwSaveKey
Code 872BA4DE ZwSaveKeyEx
Code 873CB096 IofCallDriver
Code 872AD6FE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 873CB09B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 872AD703
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 873A7284
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 873A2134
PAGE ntoskrnl.exe!ZwSaveKey 8064C1EF 5 Bytes JMP 872D52E2
PAGE ntoskrnl.exe!ZwSaveKeyEx 8064C287 5 Bytes JMP 872BA4E2
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\rootrepeal.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\winlogon.exe[224] C:\WINDOWS\system32\winlogon.exe section is executable [0x01076000, 0xB000, 0x60000060]
.rsrc C:\WINDOWS\system32\winlogon.exe[224] C:\WINDOWS\system32\winlogon.exe entry point in ".rsrc" section [0x01080000]
.text C:\WINDOWS\system32\winlogon.exe[224] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.text C:\WINDOWS\system32\winlogon.exe[224] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.text C:\WINDOWS\system32\winlogon.exe[224] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.rsrc C:\WINDOWS\system32\services.exe[272] C:\WINDOWS\system32\services.exe section is executable [0x0101C000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\services.exe[272] C:\WINDOWS\system32\services.exe entry point in ".rsrc" section [0x0101D000]
.text C:\WINDOWS\system32\services.exe[272] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\lsass.exe[284] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0074000A
.text C:\Documents and Settings\Ken Lenard\Desktop\qcscjxmz.exe[288] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A000A
.rsrc C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[444] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.text C:\WINDOWS\system32\svchost.exe[444] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.text C:\WINDOWS\system32\svchost.exe[444] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.rsrc C:\WINDOWS\system32\svchost.exe[540] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[540] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.text C:\WINDOWS\system32\svchost.exe[540] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.text C:\WINDOWS\system32\svchost.exe[540] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.text C:\WINDOWS\system32\svchost.exe[540] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.rsrc C:\WINDOWS\system32\svchost.exe[596] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x2000, 0x60000060]
.rsrc C:\WINDOWS\system32\svchost.exe[596] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x01006000]
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0075000A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[656] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0082000A
.text C:\WINDOWS\Explorer.exe[936] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.text C:\WINDOWS\Explorer.exe[936] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
.text C:\WINDOWS\Explorer.exe[936] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\winlogon.exe[224] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
IAT C:\WINDOWS\system32\winlogon.exe[224] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00045177
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00045177
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 000450C3
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 0004505E
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0004502C
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00045430
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 000456E2
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 000456E2
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00045430
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 000456E2
IAT C:\WINDOWS\system32\services.exe[272] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00045177
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 009D5177
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 009D50C3
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 009D505E
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 009D502C
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 009D50C3
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 009D5177
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 009D50C3
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 009D505E
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 009D5430
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 009D56E2
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 009D56E2
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 009D5430
IAT C:\WINDOWS\system32\lsass.exe[284] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 009D56E2
IAT C:\WINDOWS\system32\svchost.exe[444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0098502C
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B35177
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B350C3
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B3505E
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B3502C
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B35430
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00B356E2
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00B356E2
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B35430
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00B356E2
IAT C:\WINDOWS\system32\svchost.exe[540] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B35177
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00955177
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 009550C3
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 0095505E
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 0095502C
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00955430
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 009556E2
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 009556E2
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00955430
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 009556E2
IAT C:\WINDOWS\system32\svchost.exe[596] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00955177
IAT C:\WINDOWS\Explorer.exe[936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll
IAT C:\WINDOWS\Explorer.exe[936] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [224] 0x35670000
Library \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [444] 0x35670000
Library \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [540] 0x35670000
Library \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [936] 0x35670000

---- Services - GMER 1.0.15 ----

Service system32\drivers\ESQULklvdnyfqqhxillqeptkkpiexumehitjx.sys (*** hidden *** ) [SYSTEM] esqulserv.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\SKYNETpbbnpinq.sys (*** hidden *** ) [SYSTEM] SKYNETubuoynrk <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\vsfoceupoaqkkv.sys (*** hidden *** ) [SYSTEM] vsfocexenkrgop <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\esqulserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\esqulserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\esqulserv.sys@imagepath \systemroot\system32\drivers\ESQULklvdnyfqqhxillqeptkkpiexumehitjx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\esqulserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\esqulserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\esqulserv.sys\modules@ESQULserv \\?\globalroot\systemroot\system32\drivers\ESQULklvdnyfqqhxillqeptkkpiexumehitjx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\esqulserv.sys\modules@ESQULl \\?\globalroot\systemroot\system32\ESQULbrxriwyxrktexwborookfvpyusdoyxiu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\esqulserv.sys\modules@ESQULclk \\?\globalroot\systemroot\system32\ESQULsewwbilmgpqklwaimrmptqoipyqjooaa.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk@imagepath \systemroot\system32\drivers\SKYNETpbbnpinq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\main@aid 10107
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpbbnpinq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\modules@SKYNETcmd.dll \systemroot\system32\SKYNETdrdtlbkv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\modules@SKYNETlog.dat \systemroot\system32\SKYNETigukinuh.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdkvqltna.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETubuoynrk\modules@SKYNET.dat \systemroot\system32\SKYNETocpwwunn.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop@imagepath \systemroot\system32\drivers\vsfoceupoaqkkv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\main@aid 10107
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\modules@vsfocerk.sys \systemroot\system32\drivers\vsfoceupoaqkkv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\modules@vsfocecmd.dll \systemroot\system32\vsfocepxesfyxx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\modules@vsfocelog.dat \systemroot\system32\vsfocemjdulkap.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\modules@vsfocewsp.dll \systemroot\system32\vsfocekgktixfn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexenkrgop\modules@vsfoce.dat \systemroot\system32\vsfocextniyojc.dat
Reg HKLM\SYSTEM\ControlSet004\Services\esqulserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\esqulserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\esqulserv.sys@imagepath \systemroot\system32\drivers\ESQULklvdnyfqqhxillqeptkkpiexumehitjx.sys
Reg HKLM\SYSTEM\ControlSet004\Services\esqulserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\esqulserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\esqulserv.sys\modules@ESQULserv \\?\globalroot\systemroot\system32\drivers\ESQULklvdnyfqqhxillqeptkkpiexumehitjx.sys
Reg HKLM\SYSTEM\ControlSet004\Services\esqulserv.sys\modules@ESQULl \\?\globalroot\systemroot\system32\ESQULbrxriwyxrktexwborookfvpyusdoyxiu.dll
Reg HKLM\SYSTEM\ControlSet004\Services\esqulserv.sys\modules@ESQULclk \\?\globalroot\systemroot\system32\ESQULsewwbilmgpqklwaimrmptqoipyqjooaa.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk@imagepath \systemroot\system32\drivers\SKYNETpbbnpinq.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\main@aid 10107
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpbbnpinq.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\modules@SKYNETcmd.dll \systemroot\system32\SKYNETdrdtlbkv.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\modules@SKYNETlog.dat \systemroot\system32\SKYNETigukinuh.dat
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdkvqltna.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETubuoynrk\modules@SKYNET.dat \systemroot\system32\SKYNETocpwwunn.dat
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop@imagepath \systemroot\system32\drivers\vsfoceupoaqkkv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\main@aid 10107
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\modules@vsfocerk.sys \systemroot\system32\drivers\vsfoceupoaqkkv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\modules@vsfocecmd.dll \systemroot\system32\vsfocepxesfyxx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\modules@vsfocelog.dat \systemroot\system32\vsfocemjdulkap.dat
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\modules@vsfocewsp.dll \systemroot\system32\vsfocekgktixfn.dll
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexenkrgop\modules@vsfoce.dat \systemroot\system32\vsfocextniyojc.dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\SYSTEM32\nvdesk32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32@ C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\ProgID@ MyWebSearchToolBar.SettingsPlugin.1
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\TypeLib@ {07B18EA0-A523-4961-B6BB-170DE4475CCA}
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Version@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\VersionIndependentProgID@ MyWebSearchToolBar.SettingsPlugin
Reg HKLM\SOFTWARE\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32@ C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib@ {7473D290-B7BB-4f24-AE82-7E2CE94BB6A9}
Reg HKLM\SOFTWARE\Classes\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\Version@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{ada8c222-95d2-47b5-950b-aebc0a508839}\inprocserver32@ C:\WINDOWS\system32\spria.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{ada8c222-95d2-47b5-950b-aebc0a508839}\inprocserver32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{ada8c222-95d2-47b5-950b-aebc0a508839}\progid@ ORB.ta.1
Reg HKLM\SOFTWARE\Classes\CLSID\{ada8c222-95d2-47b5-950b-aebc0a508839}\typelib@ {1B7F9329-AAF9-4E34-8ECF-C363FD3C60CF}
Reg HKLM\SOFTWARE\Classes\CLSID\{ada8c222-95d2-47b5-950b-aebc0a508839}\versionindependentprogid@ ORB.ta
Reg HKLM\SOFTWARE\Classes\CLSID\{B2C7B2A1-00F3-42BD-F434-00AABA2C8952}\InProcServer32@ C:\WINDOWS\system32\gsf83iujid.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{B2C7B2A1-00F3-42BD-F434-00AABA2C8952}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32@ C:\WINDOWS\system32\jkshfuiehi.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{C2BA40A1-74F3-42BD-F434-12345A2C8953}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEDBD817-7666-471F-9ADD-3BE16F1641D2}\InprocServer32@ c:\windows\system32\lhomina.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{FEDBD817-7666-471F-9ADD-3BE16F1641D2}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEDBD817-7666-471F-9ADD-3BE16F1641D2}\ProgID@ Uwtojjmc
Reg HKLM\SOFTWARE\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0@ 655708 1.0 Type Library
Reg HKLM\SOFTWARE\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0\0
Reg HKLM\SOFTWARE\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0\0\win32
Reg HKLM\SOFTWARE\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0\0\win32@ C:\WINDOWS\system32\sysloc\sysloc.dll
Reg HKLM\SOFTWARE\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0\flags
Reg HKLM\SOFTWARE\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0\flags@ 0
Reg HKLM\SOFTWARE\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0\helpdir
Reg HKLM\SOFTWARE\Classes\TypeLib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb}\1.0\helpdir@ C:\WINDOWS\system32\sysloc\
Reg HKLM\SOFTWARE\Classes\Uwtojjmc\CLSID@ {FEDBD817-7666-471F-9ADD-3BE16F1641D2}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SYSTEM32\DRIVERS\vsfoceupoaqkkv.sys 64512 bytes <-- ROOTKIT !!!
File C:\WINDOWS\SYSTEM32\vsfocekgktixfn.dll 17920 bytes
File C:\WINDOWS\SYSTEM32\vsfocelog.dat 315 bytes
File C:\WINDOWS\SYSTEM32\vsfocemjdulkap.dat 67089 bytes
File C:\WINDOWS\SYSTEM32\vsfocepxesfyxx.dll 39424 bytes
File C:\WINDOWS\SYSTEM32\vsfocextniyojc.dat 91 bytes

---- EOF - GMER 1.0.15 ----


#56 DaChew

  • Members

Posted 23 August 2009 - 08:32 PM

Library \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [224] 0x35670000
Library \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [444] 0x35670000
Library \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [540] 0x35670000
Library \\?\globalroot\Device\__max++>\AA5CE1E8.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [936] 0x35670000


This infection will be very difficult to remove at the present time.
Chewy

No. Try not. Do... or do not. There is no try.

#57 kenlenard

  • Topic Starter
  • Members

Posted 24 August 2009 - 06:38 PM

Okay, thanks everyone. I appreciate the help. I have already started the process of getting my other PC up & running and retiring the infected one.

One last question... is it safe to move files back & forth between the infected machine & another machine with a memory stick? I know that viruses can tag along with user files, but I don't ever remember seeing or hearing it happen. Thanks again!

#58 Blade

  • Site Admin

Posted 24 August 2009 - 06:45 PM

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

As far as the files themselves go:

2 guidelines/rules when backing up:

1) Back up all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do NOT back up any applications/installers and do NOT back up any files with the following extensions:
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

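The two backup rules and the autorun.inf note in the post above, as an added Python example (not from the original posts, and not how Flash_Disinfector itself works): it sorts the files under a folder into copy and skip lists using the extension list from the post, and reports whether autorun.inf at a drive root is a file or the placeholder folder. The function names and the sample tree are constructed for illustration; skipping autorun.inf itself is an assumption added here.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post above says not to carry over from the infected machine.
DO_NOT_COPY = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}


def autorun_state(root):
    """Classify <root>/autorun.inf: 'absent', 'folder' (placeholder) or 'file'."""
    p = Path(root) / "autorun.inf"
    if p.is_dir():
        return "folder"
    # lexists also catches a dangling link named autorun.inf
    return "file" if os.path.lexists(p) else "absent"


def triage(root):
    """Walk root and split files into (copy, skip) lists by final extension."""
    copy, skip = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            # Only the last suffix decides how Windows opens the file, so
            # "holiday.jpg.exe" is skipped; the comparison ignores case.
            ext = os.path.splitext(name)[1].lower()
            # Assumption added here: never carry an autorun.inf file across.
            is_autorun = name.lower() == "autorun.inf"
            (skip if ext in DO_NOT_COPY or is_autorun else copy).append(rel)
    return sorted(copy), sorted(skip)


def build_sample(root):
    """Constructed sample tree standing in for a user's data folder."""
    for rel in ["docs/report.doc", "music/song.mp3", "pics/holiday.jpg.exe",
                "pics/beach.JPG", "tools/setup.EXE", "saved/page.html",
                "autorun.inf"]:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("autorun.inf at root:", autorun_state(tmp))
        copy, skip = triage(tmp)
        print("copy:", copy)
        print("skip:", skip)
```

An extension filter only narrows what gets carried across; files on the copy list should still be scanned on the clean machine before they are opened.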


#59 DaChew

  • Members

Posted 24 August 2009 - 06:46 PM

I would use this program on the clean computer and the usb drive first

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
Chewy

No. Try not. Do... or do not. There is no try.

#60 ComputerNutjob

  • Banned

Posted 24 August 2009 - 07:04 PM

You two were right on target at the same time.



