Possible Memory Modules Infected:


  • This topic is locked
65 replies to this topic

#1 gmtech68
  • Members
  • 40 posts

Posted 12 September 2009 - 09:19 PM

Hello, I was referred here from another forum topic by Computer Masochist “garmanma”
Link http://www.bleepingcomputer.com/forums/t/255906/infected-memory-modules/

My problem is that I think I have a Memory Module Infection
I can’t get Windows update to finish successfully, Windows Security Alert will not turn on,

Malwarebytes' Anti-Malware 1.40 will only run in safe mode, and I get a report that reads as follows,

Memory Modules Infected:
\\?\globalroot\systemroot\System32\UACsvbmmnsnpn.dll (Trojan.Agent) -> Delete on reboot.

It states that it will finish removing the infection on a reboot, but the infection returns.
Can anyone help me remove this infection for good? Thanks to everyone

I hope I included all the reports that will be helpful.

#2 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,091 posts
  • Gender:Female
  • Location:Romania

Posted 28 September 2009 - 03:09 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 gmtech68
  • Topic Starter
  • Members
  • 40 posts

Posted 30 September 2009 - 05:41 PM

Thank you for everybody's help.
I have attached the latest reports you have requested.

#4 thcbytes
  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 01 October 2009 - 09:31 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check".
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

I will review your logs and post instructions forthcoming.

==========

With your next post please provide:

* OTL.txt
* OTL Extra.txt
* Gmer log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 gmtech68
  • Topic Starter
  • Members
  • 40 posts

Posted 01 October 2009 - 05:57 PM

Hello, and thanks again for all your efforts and time. It's very much appreciated!
Here is a short summary of the problem I'm having with my laptop.

It all started with a Personal Anti-Virus program pop-up that Malwarebytes found and removed (I thought it did?), but soon after the following was discovered:


I can’t get Windows update to finish successfully, Windows Security Alert will not turn on, and Malwarebytes, Spybot S&D, and a few other security programs will not run in normal mode.

Malwarebytes' Anti-Malware 1.40 will only run in safe mode, and only after I rename the .exe file something else, then I get a report that reads as follows,

Memory Modules Infected:
\\?\globalroot\systemroot\System32\UACsvbmmnsnpn.dll (Trojan.Agent) -> Delete on reboot.

It states that it will finish removing the infection on a reboot, but the infection returns.

Thanks to everyone

#6 thcbytes
  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 02 October 2009 - 07:13 AM

Hello,

Let's begin.

Please note.....

One or more of the identified infections is a Backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If after careful consideration you have decided to move forward with cleanup then please proceed as I have outlined below.

==========

Viewpoint Manager is considered foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

==========

Ask Toolbar Warning

I strongly suggest that you uninstall Ask Toolbar. Some of the bad practices of this toolbar are:

  • Promoting its toolbars on sites targeted to kids. Details.
  • Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  • Promoting its toolbars through other companies' spyware. Details.
  • Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.

If you decide to remove Ask Toolbar, go to Start > Control Panel > Add Remove programs and remove Ask Toolbar.

Then go to C: > Program Files and delete the Ask Toolbar folder.


==========

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Mode and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press Yes
  • Click on Tools
  • Click on Resident
  • Uncheck this checkbox: Resident "TeaTimer" (Protection of overall system settings) active
  • Close/Exit Spybot Search and Destroy
After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.
Then run ResetTeaTimer.exe.
This will only take a few seconds.

==========

We need to create a batch file.
Warning
This file was written specifically for this user, for use on this particular machine.
Running this on another machine may cause irreparable damage to your operating system
  • Please copy the contents of the code box below
  • Open notepad and paste the contents of the code box there
  • On the top toolbar in notepad select file
  • Then save as
  • In the box that opens type in nuke.bat for the file name
  • Right below that click the down arrow in the line for save as type and select all files
  • Save this to your desktop and close notepad
@echo off
c1kq0st9 -killall
c1kq0st9 -del service UACd.sys
c1kq0st9 -del file C:\Windows\system32\drivers\UACthppcwsixc.sys
c1kq0st9 -del reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
c1kq0st9 -reboot
  • Locate the nuke icon on your desktop and double click it. A box will pop up briefly on your screen and disappear, this is normal
==========

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    c:\windows\system32\uacinit.dll
    c:\windows\system32\UACmkxpixmhoc.dll
    c:\windows\system32\UACwtreutxbrt.dat
    c:\windows\system32\UACsvbmmnsnpn.dll
    
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
==========

Please Re-run Gmer and post another log for my review

==========

We need to create an OTL Quick Scan
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it in a reply here
==========

With your next post please provide:

* Gmer log
* OTL fix log
* OTL log

(Please copy & paste all logs! Do not attach unless I ask you to do so.)

Kind regards,
~t

#7 gmtech68
  • Topic Starter
  • Members
  • 40 posts

Posted 02 October 2009 - 01:04 PM

Thanks again so much for your time and efforts.
Here are the latest reports.

#8 thcbytes
  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 03 October 2009 - 03:39 AM

Hello again,

Please note...
Copy & paste all logs into your next reply. Do not attach logs unless I specifically direct you to do so!

==========

Please do this...

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue; click Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t
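For readers who want to triage a ComboFix log themselves rather than read it by eye, here is an added example written for this page; it is not a BleepingComputer, ComboFix or OTL tool and not code from any poster in this thread. It parses the banner-delimited sections ComboFix prints ("Other Deletions", "Drivers/Services", "Files Created ..."), turns each path-bearing line into a record, and flags file names that match the UAC-prefixed random-name pattern seen in this thread's Malwarebytes and ComboFix output (UAC followed by ten lowercase letters, plus the fixed names uacinit.dll and UACd.sys from the helper's fix scripts). The sample log is constructed, modelled on the entries quoted in this thread; the function and class names are the example's own.

```python
"""Triage helper for ComboFix-style log text (added example, not a
BleepingComputer or ComboFix tool).

It walks the banner-delimited sections of a ComboFix log, parses the dated
"Files Created"/"Find3M" entries, the bare paths under "Other Deletions" and
the "-------\\Service_..." lines under "Drivers/Services", and flags file
names matching the UAC-prefixed random-name pattern quoted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Section banners look like "((((( Other Deletions )))))"; capture the title.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")

# Dated entry: "<created> . <modified> <size or --------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# "UAC" + 10 lowercase letters with a .dll/.sys/.dat extension, as in
# UACsvbmmnsnpn.dll and UACthppcwsixc.sys from this thread, plus the two
# fixed names the fix scripts in this thread target.
UAC_NAME_RE = re.compile(r"^uac[a-z]{10}\.(dll|sys|dat)$", re.IGNORECASE)
KNOWN_BAD = {"uacinit.dll", "uacd.sys"}


@dataclass
class Entry:
    section: str
    path: str
    size: Optional[int] = None  # None for directories ("--------")
    created: str = ""
    modified: str = ""


def parse_combofix(text: str) -> list:
    """Return one Entry per path-bearing line, tagged with its section."""
    entries = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        dated = ENTRY_RE.match(line)
        if dated:
            size = dated.group("size")
            entries.append(Entry(section, dated.group("path"),
                                 int(size) if size.isdigit() else None,
                                 dated.group("created"), dated.group("modified")))
        elif line.startswith("-------\\"):
            # Drivers/Services lines: "-------\Service_UACd.sys"
            entries.append(Entry(section, line.split("\\", 1)[1]))
        elif re.match(r"^[a-z]:\\", line, re.IGNORECASE):
            # Bare full paths, e.g. under "Other Deletions"
            entries.append(Entry(section, line))
    return entries


def base_name(path: str) -> str:
    """File name without directory and without a Service_/Legacy_ prefix."""
    name = path.rsplit("\\", 1)[-1]
    return re.sub(r"^(Service|Legacy)_", "", name, flags=re.IGNORECASE)


def flag_suspicious(entries) -> list:
    """Entries whose base name matches the UAC pattern or a known-bad name."""
    return [e for e in entries
            if UAC_NAME_RE.match(base_name(e.path))
            or base_name(e.path).lower() in KNOWN_BAD]


def summarize(text: str) -> dict:
    """Map each section to the flagged paths it contains (no-hit sections omitted)."""
    report = {}
    for e in flag_suspicious(parse_combofix(text)):
        report.setdefault(e.section, []).append(e.path)
    return report


# Constructed sample, modelled on the ComboFix output quoted in this thread
# (dates and the size on the UACsvbmmnsnpn.dll line are made up).
SAMPLE_LOG = r"""
ComboFix 09-10-01.05 - user 10/03/2009 14:33.1.2 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\UACthppcwsixc.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UACd.sys
-------\Service_UACd.sys
.
((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.
2009-10-03 19:40 . 2009-10-03 19:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-04 08:58 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 03:11 . 2009-09-02 03:11 19968 ----a-w- c:\windows\system32\UACsvbmmnsnpn.dll
"""

if __name__ == "__main__":
    for section, paths in summarize(SAMPLE_LOG).items():
        print(section)
        for p in paths:
            print("   ", p)
```

Run it as a script to print the flagged paths grouped by section; against the sample it reports the two UAC-named files and the two UACd.sys service entries while leaving mbamswissarmy.sys and AutoRun.inf alone. The name pattern is only a heuristic for this particular family of randomly named files; anything it flags still has to be judged against the rest of the log, which is exactly what the helper does in the replies above.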

#9 gmtech68
  • Topic Starter
  • Members
  • 40 posts

Posted 03 October 2009 - 04:48 PM

Hi again,
I’m sending this reply using another laptop, because after running ComboFix I cannot connect to the internet at ALL.


I disabled my anti-virus AVG resident shield and ran ComboFix; it still stated that AVG was active, but ran anyway. It also stated that it was creating a restore point under Windows Recovery Manager, but it’s not showing up under the Recovery Manager.

Everything is working fine except I can’t connect to the internet at ALL, “wirelessly or wired”. It states that WLAN is on and Bluetooth is on, but my network states that it is not connected… I’ve tried other locations and other known good connections with other computers.



ComboFix 09-10-01.05 - janet 10/03/2009 14:33.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3006.1859 [GMT -5:00]
Running from: c:\users\janet\Desktop\thcbytes.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-4016623809-3629486141-1618625363-500
c:\$recycle.bin\S-1-5-21-635738575-79788107-4004967179-500
c:\windows\Installer\18b663.msi
c:\windows\Installer\3ef9d.msi
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\drivers\UACthppcwsixc.sys
c:\windows\system32\KBL.LOG
c:\windows\system32\ndisapi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_Ndisrd
-------\Service_UACd.sys
-------\Service_NdisrdMP


((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-03 19:40 . 2009-10-03 19:40 -------- d-----w- c:\users\shared users\AppData\Local\temp
2009-10-03 19:40 . 2009-10-03 19:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-03 14:57 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-02 15:43 . 2009-10-02 15:43 -------- d-----w- C:\_OTL
2009-09-13 15:37 . 2009-09-13 15:37 -------- d-----w- c:\programdata\Cobian
2009-09-13 15:36 . 2009-09-13 15:37 -------- d-----w- c:\program files\Cobian Backup 9
2009-09-10 16:59 . 2009-09-10 16:59 0 ----a-w- c:\users\janet\settings.dat
2009-09-09 16:59 . 2009-09-09 17:02 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-09 06:44 . 2009-09-09 06:44 -------- d-----w- c:\users\janet\DoctorWeb
2009-09-04 08:58 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 08:58 . 2009-09-04 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-04 08:58 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 07:51 . 2009-09-04 07:51 -------- d-----w- c:\program files\Trend Micro
2009-09-04 07:42 . 2009-09-04 07:42 -------- d-----w- c:\windows\system32\EventProviders
2009-09-04 07:12 . 2009-09-04 07:12 -------- d-----w- c:\users\janet\AppData\Roaming\SUPERAntiSpyware.com
2009-09-04 07:12 . 2009-09-04 07:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-04 07:11 . 2009-09-04 07:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-03 23:43 . 2009-09-03 23:43 -------- d-----w- c:\users\janet\Bluetooth Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 19:41 . 2008-06-29 23:01 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-03 19:27 . 2009-02-14 00:30 27839 ----a-w- c:\programdata\nvModes.dat
2009-10-02 18:19 . 2008-04-25 03:01 -------- d-----w- c:\program files\Java
2009-10-02 15:24 . 2009-09-03 16:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-02 15:24 . 2009-09-03 16:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-01 20:11 . 2008-09-06 21:18 1356 ----a-w- c:\users\janet\AppData\Local\d3d9caps.dat
2009-09-22 21:01 . 2008-07-21 05:47 2220 ----a-w- c:\users\janet\AppData\Roaming\wklnhst.dat
2009-09-10 08:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-06 17:50 . 2009-01-11 02:19 -------- d-----w- c:\users\janet\AppData\Roaming\Juniper Networks
2009-09-05 06:27 . 2008-07-20 23:23 -------- d-----w- c:\users\janet\AppData\Roaming\Yahoo!
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-04 08:09 . 2009-09-04 08:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2009-09-04 06:34 . 2008-07-20 23:19 -------- d-----w- c:\programdata\avg8
2009-09-03 14:21 . 2008-07-20 21:55 76568 ----a-w- c:\users\janet\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-03 00:12 . 2009-09-03 00:12 -------- d-----w- c:\program files\CCleaner
2009-09-02 19:19 . 2009-09-02 19:19 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-02 13:40 . 2008-04-25 02:33 -------- d-----w- c:\programdata\Microsoft Help
2009-09-02 02:46 . 2009-08-28 08:01 -------- d-----w- c:\program files\Common Files\Uninstall
2009-09-02 02:24 . 2009-09-02 02:24 -------- d-----w- c:\users\janet\AppData\Roaming\Malwarebytes
2009-09-02 02:24 . 2009-09-02 02:24 -------- d-----w- c:\programdata\Malwarebytes
2009-09-02 02:10 . 2008-06-29 23:28 -------- d-----w- c:\programdata\NVIDIA
2009-09-02 00:28 . 2009-09-02 00:28 -------- d-----w- c:\users\janet\AppData\Roaming\MSNInstaller
2009-08-28 12:39 . 2009-09-02 13:27 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 13:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-24 20:36 . 2008-07-20 23:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-24 20:36 . 2008-07-20 23:19 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-24 20:36 . 2008-07-20 23:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 17:07 . 2009-09-10 02:30 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-10 02:30 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-10 02:30 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-10 02:30 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-10 02:30 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-10 02:30 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-10 02:30 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-10 02:30 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-10 02:30 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-10 02:30 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 10:23 . 2009-06-20 00:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-18 16:06 . 2009-07-29 01:44 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-29 01:44 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-29 01:44 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-12 17:36 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-12 17:35 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-12 17:35 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-12 17:35 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-12 17:35 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-11 19:32 . 2009-09-10 02:30 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-10 02:30 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:32 . 2009-09-10 02:30 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:29 . 2009-09-10 02:30 127488 ----a-w- c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 14:55 1090816 ------w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-01 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-06-03 160592]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-24 2007832]

c:\users\janet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7DAAA77D-D339-4C00-A7D1-42881E692799}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{11C8DC70-3736-4C5E-AA43-D49EAA46E75F}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6435A5D5-321F-405F-AB32-F4CDD8884A4F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CEB005FC-A593-403D-9E0F-B5D6D6CB7B01}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1D6E669-9DD7-4B12-8B84-4A3DF994AD90}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{7EB085B8-344E-41CB-9D92-AB651F064199}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F5FD2F6C-4959-4877-8963-91D77D16EACE}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AF92B6E9-02ED-485F-8196-528D4296F852}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B45744D4-86A4-4417-A215-719ED5DE9E9A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{11CF649A-B94A-4777-BBC2-B29FB89F961F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{71E69720-498E-4AC0-B143-D5C5E53EA1E4}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31CFF3C5-6AAF-41F7-8DA3-B892C84140D6}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{8E542A01-ED95-4F9E-82BD-7861AF1DB09E}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{453BEF91-22E1-4ADA-8A2A-A7E5033290C8}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{B78727E1-2761-4660-81DA-AFFD80BAB00C}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{50AAA014-E258-49EB-97EC-105F17359F08}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{2E82FC6D-C79E-4F3F-A5C5-5F5DD897AE8B}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{D0A2B107-66E7-49BA-B809-C2C435153E98}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{A127141E-94EC-458B-8EDD-A95472C1F548}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{204835D8-D1CB-40A7-8B54-A657F93B9B6D}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{90BBB3B5-01DF-43CD-A804-95BCA4DE59C7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{0536BF28-0FC9-4BBC-9808-1EE42161DB6A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{41E5CAE9-75DC-4C3E-81CF-4AD08517D15F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{4F5B0B5F-9166-4245-A9A4-283AD747FA64}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{A358BD7F-F714-49CA-A211-9BE3E24074BB}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{4D52FB7B-6AD0-4B9C-AA07-14EBAB1ADEDB}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{2206C5EB-D08A-40F2-A10D-C39A890F4426}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{CAC3D798-E820-4B75-B261-22BB5AD48CF1}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{B4870D7E-D81A-42D3-83E4-996453F3FADF}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{EF07C7C0-868B-4EC2-93D4-BE7B52899058}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{95DA4A9A-5127-4426-ABBA-A04BE86CCAD6}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{8130C1D4-3601-4682-893E-4F6902086BFE}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{8733F536-CA30-4A86-A642-E1530C32FDAC}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{8EA6C70B-8F9E-41A4-88B1-18712EBC184A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{81A8A24C-28B4-40F8-B4CE-4BE3C1CE2AA2}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{04E0167E-BFA6-43B1-B7ED-7D8A9720FE1A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{45E1B8AF-2C6E-46B4-9D67-1F576C9D8C63}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{65891D51-35CB-4996-884E-6C72265EF4E6}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D9739DA5-53AA-45F8-BC69-5AE4447AC5BA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E413EE09-07A3-423B-A2D5-E762FDFA21E9}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3C5D4283-2053-46F8-A602-B9D0B7840798}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{EEEDF008-EC71-4745-9FD1-BE6BD65983DA}c:\\program files\\ares destiny\\aresdestiny.exe"= UDP:c:\program files\ares destiny\aresdestiny.exe:Ares Destiny p2p for windows
"UDP Query User{B8A50B18-48A3-4431-8E35-17E62502339C}c:\\program files\\ares destiny\\aresdestiny.exe"= TCP:c:\program files\ares destiny\aresdestiny.exe:Ares Destiny p2p for windows
"TCP Query User{FA20E401-FEBC-4869-9821-EEADC06E8861}c:\\program files\\ares destiny\\ares.exe"= UDP:c:\program files\ares destiny\ares.exe:Ares p2p for windows
"UDP Query User{463D2884-0084-45FB-A04C-527454DC8CE4}c:\\program files\\ares destiny\\ares.exe"= TCP:c:\program files\ares destiny\ares.exe:Ares p2p for windows
"TCP Query User{397D9A96-69D4-4C5F-A81F-0EEFC5F86527}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{ACB80059-D0A7-477B-849F-5B9D5875B9B4}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [7/20/2008 6:19 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/11/2009 4:10 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/27/2009 11:24 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/27/2009 11:23 PM 297752]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [9/4/2009 3:58 AM 38160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\User_Feed_Synchronization-{D7147DCF-C88C-495B-88D9-0BE25B4356A6}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
LSP: c:\windows\system32\wpclsp.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vrx.frhs.org/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-DW6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 14:44
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000384F09F110796C0B80 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2480)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
**************************************************************************
.
Completion time: 2009-10-03 14:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-03 19:50

Pre-Run: 133,654,671,360 bytes free
Post-Run: 133,333,127,168 bytes free

307 --- E O F --- 2009-10-03 14:57

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:03 AM

Posted 03 October 2009 - 09:24 PM

Hello,

Relax. Please do not "yell" with large bold print. I am here to help you. :)
Well done by the way. We are moving in the right direction.

==========

Please note...
Looks can be deceiving. We are not clean till I give you the "All Clear". :(

==========

It is not uncommon to temporarily lose internet connectivity after running Combofix.
Let's fix that.
Follow these steps sequentially till your connection is restored.

First...

Re-boot.

==========

Then....

Follow these steps.

==========

If you are still not connected then please do this...

Reset TCP/IP Properties

First:

* Go to Start -> Control Panel -> Double click on Network Connections.
* Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.

* Select the General tab.
* Double click on Internet Protocol (TCP/IP).

Under General tab:

- Select "Obtain an IP address automatically".
- Select "Obtain DNS server address automatically".

* Click OK twice to save the settings.
* Reboot if you had to change any setting.

Next:

* Go to Start > Run, copy/paste the contents of the code box (excluding "code") into the Run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt
A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.

If your internet connection is still down please don't worry. Just tell me about it after you have completed everything I have outlined below!!!

==========

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

File::
c:\windows\TEMP\TMP000000384F09F110796C0B80

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

With your next post please provide:

* Internet connection log (if necessary)
* Are you able to connect to the internet?
* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
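As an added example (not part of this thread, and not ComboFix's or the helper's own tooling), a small Python triage script that parses the REGEDIT4-style "Reg Loading Points" block of a ComboFix log such as the one posted above, flags the Security Center suppression, disabled firewall profile and AppInit_DLLs entries a helper looks at first, and emits the matching Registry:: lines in the CFScript syntax used in the fix above. The sample log is constructed from entries quoted in the thread; key paths and value spellings follow ComboFix's output format.

```python
r"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not part of ComboFix. It parses the REGEDIT4-style
lines ComboFix prints and flags the settings a malware-removal helper checks first:
Security Center monitoring suppressed (why "Windows Security Alert will not turn
on"), a firewall profile switched off, and AppInit_DLLs loaders injected into every
process that links user32. HKLM\~ is ComboFix's abbreviation for
HKLM\SYSTEM\CurrentControlSet. The sample log below is constructed.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

MONITORING_KEY = r'hkey_local_machine\software\microsoft\security center\monitoring'
SEVERITY_ORDER = {'high': 0, 'medium': 1, 'info': 2}


@dataclass(frozen=True)
class Finding:
    severity: str   # 'high', 'medium' or 'info'
    key: str        # registry key path exactly as ComboFix printed it
    value: str      # value name that triggered the finding
    detail: str


def parse_reg_section(text):
    """Return {key_path: {value_name: raw_value}} for ComboFix's REGEDIT4 block."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4' or line.startswith('*Note*'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries[current][m.group(1)] = m.group(2).strip()
        elif line.startswith('@='):          # default value, e.g. @="Service"
            entries[current]['@'] = line[2:].strip()
    return entries


def reg_int(raw):
    """Decode the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    raw = (raw or '').strip()
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    return int(m.group(1)) if m else None


def triage(entries):
    """Apply the checks and return findings, highest severity first."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        # Security Center: DisableMonitoring=1 on the Monitoring key or a product subkey
        if k.startswith(MONITORING_KEY) and reg_int(values.get('DisableMonitoring')) == 1:
            findings.append(Finding('high', key, 'DisableMonitoring',
                                    'Security Center monitoring suppressed; alerts will not appear'))
        # Windows Firewall: EnableFirewall=0 on any firewallpolicy\*Profile key
        if '\\firewallpolicy\\' in k and k.endswith('profile') \
                and reg_int(values.get('EnableFirewall')) == 0:
            findings.append(Finding('medium', key, 'EnableFirewall',
                                    'Windows Firewall disabled for this profile'))
        # AppInit_DLLs: legitimate for some AV products, but always worth a look
        if k.endswith(r'\windows nt\currentversion\windows') and values.get('AppInit_DLLs'):
            findings.append(Finding('info', key, 'AppInit_DLLs',
                                    'DLL loaded into every user32 process: ' + values['AppInit_DLLs']))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])   # stable: log order within a level
    return findings


def cfscript_registry_fix(findings):
    """Build the Registry:: block that restores Security Center monitoring, in
    CFScript syntax: '=-' deletes a value, '[-key]' deletes a whole (product) subkey."""
    lines = ['Registry::']
    for f in findings:
        if f.value != 'DisableMonitoring':
            continue
        if f.key.lower() == MONITORING_KEY:
            lines += [f'[{f.key}]', '"DisableMonitoring"=-']
        else:
            lines.append(f'[-{f.key}]')
    return lines


# Constructed sample, assembled from the kinds of entries quoted in the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"""

if __name__ == '__main__':
    found = triage(parse_reg_section(SAMPLE_LOG))
    for f in found:
        print(f'{f.severity:6} {f.key} : {f.value} -> {f.detail}')
    print('\n'.join(cfscript_registry_fix(found)))
```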

#11 gmtech68

gmtech68
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 03 October 2009 - 11:42 PM

Thanks again for all your help and efforts.
My Internet connection still is not working.

After some researching I found the settings for obtaining an IP address automatically for versions IPv6 and IPv4 "have been and are already checked".
Still without Internet connection.

In Windows Network Diagnosis it states that "The network adapter Wireless Network Connection is not correctly configured to use the IP protocol".

Also is it normal that when I drag CFScript.txt file into the ComboFix.exe that the CFScript.txt file remains on the desktop?

My latest logs are as follows…
Thanks again



Windows IP Configuration

Host Name . . . . . . . . . . . . : FamilyHP-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 00-21-86-3A-62-BA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{D14CD983-F59B-4A46-9830-444B1BD0F520}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{107870F0-FBAF-4C4B-BEDE-84BBBEF8836A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 19:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

===========================================================================
Interface List
11 ...00 21 86 3a 62 ba ...... Bluetooth Device (Personal Area Network)
1 ........................... Software Loopback Interface 1
22 ...00 00 00 00 00 00 00 e0 isatap.{D14CD983-F59B-4A46-9830-444B1BD0F520}
21 ...00 00 00 00 00 00 00 e0 isatap.{107870F0-FBAF-4C4B-BEDE-84BBBEF8836A}
14 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None




----------------------------------------------------------------------------

ComboFix 09-10-01.05 - janet 10/03/2009 22:56.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3006.1784 [GMT -5:00]
Running from: c:\users\janet\Desktop\thcbytes.exe
Command switches used :: c:\users\janet\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\TEMP\TMP000000384F09F110796C0B80"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ndisrd


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 04:03 . 2009-10-04 04:03 -------- d-----w- c:\users\Temp\AppData\Local\temp
2009-10-04 04:03 . 2009-10-04 04:03 -------- d-----w- c:\users\shared users\AppData\Local\temp
2009-10-04 04:03 . 2009-10-04 04:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-04 04:03 . 2009-10-04 04:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-03 20:56 . 2009-10-03 20:56 -------- d-----w- c:\users\janet\AppData\Roaming\GTek
2009-10-03 14:57 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-02 15:43 . 2009-10-02 15:43 -------- d-----w- C:\_OTL
2009-09-13 15:37 . 2009-09-13 15:37 -------- d-----w- c:\programdata\Cobian
2009-09-13 15:36 . 2009-09-13 15:37 -------- d-----w- c:\program files\Cobian Backup 9
2009-09-10 16:59 . 2009-09-10 16:59 0 ----a-w- c:\users\janet\settings.dat
2009-09-09 16:59 . 2009-09-09 17:02 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-09 06:44 . 2009-09-09 06:44 -------- d-----w- c:\users\janet\DoctorWeb
2009-09-04 08:58 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 08:58 . 2009-09-04 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-04 08:58 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 07:51 . 2009-09-04 07:51 -------- d-----w- c:\program files\Trend Micro
2009-09-04 07:42 . 2009-09-04 07:42 -------- d-----w- c:\windows\system32\EventProviders
2009-09-04 07:12 . 2009-09-04 07:12 -------- d-----w- c:\users\janet\AppData\Roaming\SUPERAntiSpyware.com
2009-09-04 07:12 . 2009-09-04 07:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-04 07:11 . 2009-09-04 07:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 04:04 . 2008-06-29 23:01 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-04 03:26 . 2009-02-14 00:30 27839 ----a-w- c:\programdata\nvModes.dat
2009-10-02 18:19 . 2008-04-25 03:01 -------- d-----w- c:\program files\Java
2009-10-02 15:24 . 2009-09-03 16:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-02 15:24 . 2009-09-03 16:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-01 20:11 . 2008-09-06 21:18 1356 ----a-w- c:\users\janet\AppData\Local\d3d9caps.dat
2009-09-22 21:01 . 2008-07-21 05:47 2220 ----a-w- c:\users\janet\AppData\Roaming\wklnhst.dat
2009-09-10 08:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-06 17:50 . 2009-01-11 02:19 -------- d-----w- c:\users\janet\AppData\Roaming\Juniper Networks
2009-09-05 06:27 . 2008-07-20 23:23 -------- d-----w- c:\users\janet\AppData\Roaming\Yahoo!
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-04 08:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-04 08:09 . 2009-09-04 08:09 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2009-09-04 06:34 . 2008-07-20 23:19 -------- d-----w- c:\programdata\avg8
2009-09-03 14:21 . 2008-07-20 21:55 76568 ----a-w- c:\users\janet\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-03 00:12 . 2009-09-03 00:12 -------- d-----w- c:\program files\CCleaner
2009-09-02 19:19 . 2009-09-02 19:19 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-02 13:40 . 2008-04-25 02:33 -------- d-----w- c:\programdata\Microsoft Help
2009-09-02 02:46 . 2009-08-28 08:01 -------- d-----w- c:\program files\Common Files\Uninstall
2009-09-02 02:24 . 2009-09-02 02:24 -------- d-----w- c:\users\janet\AppData\Roaming\Malwarebytes
2009-09-02 02:24 . 2009-09-02 02:24 -------- d-----w- c:\programdata\Malwarebytes
2009-09-02 02:10 . 2008-06-29 23:28 -------- d-----w- c:\programdata\NVIDIA
2009-09-02 00:28 . 2009-09-02 00:28 -------- d-----w- c:\users\janet\AppData\Roaming\MSNInstaller
2009-08-28 12:39 . 2009-09-02 13:27 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 13:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-24 20:36 . 2008-07-20 23:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-24 20:36 . 2008-07-20 23:19 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-24 20:36 . 2008-07-20 23:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 17:07 . 2009-09-10 02:30 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-10 02:30 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-10 02:30 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-10 02:30 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-10 02:30 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-10 02:30 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-10 02:30 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-10 02:30 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-10 02:30 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-10 02:30 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 10:23 . 2009-06-20 00:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-18 16:06 . 2009-07-29 01:44 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-29 01:44 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-29 01:44 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-12 17:36 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-12 17:35 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-12 17:35 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-12 17:35 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-12 17:35 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-11 19:32 . 2009-09-10 02:30 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-10 02:30 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:32 . 2009-09-10 02:30 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:29 . 2009-09-10 02:30 127488 ----a-w- c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-03_19.44.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-10-04 03:29 52564 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-04 03:29 89304 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-20 22:33 . 2009-10-04 03:29 10954 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-635738575-79788107-4004967179-1000_UserData.bin
+ 2008-07-20 21:38 . 2009-10-04 03:51 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-20 21:38 . 2009-10-03 19:32 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-20 21:38 . 2009-10-03 19:32 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-20 21:38 . 2009-10-04 03:51 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-20 21:38 . 2009-10-03 19:32 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-20 21:38 . 2009-10-04 03:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-23 16:18 . 2009-10-04 02:38 6440 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-10-03 19:42 . 2009-10-03 19:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-04 04:05 . 2009-10-04 04:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-03 19:42 . 2009-10-03 19:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-04 04:05 . 2009-10-04 04:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-20 23:56 . 2009-10-04 03:01 313774 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-10-03 19:34 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-04 03:49 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-03 19:34 101350 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-04 03:49 101350 c:\windows\System32\perfc009.dat
+ 2008-07-20 23:35 . 2009-10-04 04:04 466744 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 14:55 1090816 ------w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-01 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-06-03 160592]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-24 2007832]

c:\users\janet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7DAAA77D-D339-4C00-A7D1-42881E692799}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{11C8DC70-3736-4C5E-AA43-D49EAA46E75F}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6435A5D5-321F-405F-AB32-F4CDD8884A4F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CEB005FC-A593-403D-9E0F-B5D6D6CB7B01}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1D6E669-9DD7-4B12-8B84-4A3DF994AD90}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{7EB085B8-344E-41CB-9D92-AB651F064199}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F5FD2F6C-4959-4877-8963-91D77D16EACE}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AF92B6E9-02ED-485F-8196-528D4296F852}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B45744D4-86A4-4417-A215-719ED5DE9E9A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{11CF649A-B94A-4777-BBC2-B29FB89F961F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{71E69720-498E-4AC0-B143-D5C5E53EA1E4}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{31CFF3C5-6AAF-41F7-8DA3-B892C84140D6}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{8E542A01-ED95-4F9E-82BD-7861AF1DB09E}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{453BEF91-22E1-4ADA-8A2A-A7E5033290C8}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{B78727E1-2761-4660-81DA-AFFD80BAB00C}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{50AAA014-E258-49EB-97EC-105F17359F08}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{2E82FC6D-C79E-4F3F-A5C5-5F5DD897AE8B}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{D0A2B107-66E7-49BA-B809-C2C435153E98}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{A127141E-94EC-458B-8EDD-A95472C1F548}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{204835D8-D1CB-40A7-8B54-A657F93B9B6D}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{90BBB3B5-01DF-43CD-A804-95BCA4DE59C7}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{0536BF28-0FC9-4BBC-9808-1EE42161DB6A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{41E5CAE9-75DC-4C3E-81CF-4AD08517D15F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{4F5B0B5F-9166-4245-A9A4-283AD747FA64}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{A358BD7F-F714-49CA-A211-9BE3E24074BB}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{4D52FB7B-6AD0-4B9C-AA07-14EBAB1ADEDB}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{2206C5EB-D08A-40F2-A10D-C39A890F4426}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{CAC3D798-E820-4B75-B261-22BB5AD48CF1}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{B4870D7E-D81A-42D3-83E4-996453F3FADF}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{EF07C7C0-868B-4EC2-93D4-BE7B52899058}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{95DA4A9A-5127-4426-ABBA-A04BE86CCAD6}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{8130C1D4-3601-4682-893E-4F6902086BFE}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{8733F536-CA30-4A86-A642-E1530C32FDAC}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{8EA6C70B-8F9E-41A4-88B1-18712EBC184A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{81A8A24C-28B4-40F8-B4CE-4BE3C1CE2AA2}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{04E0167E-BFA6-43B1-B7ED-7D8A9720FE1A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{45E1B8AF-2C6E-46B4-9D67-1F576C9D8C63}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe:hpqnrs08.exe
"{65891D51-35CB-4996-884E-6C72265EF4E6}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D9739DA5-53AA-45F8-BC69-5AE4447AC5BA}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E413EE09-07A3-423B-A2D5-E762FDFA21E9}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3C5D4283-2053-46F8-A602-B9D0B7840798}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{EEEDF008-EC71-4745-9FD1-BE6BD65983DA}c:\\program files\\ares destiny\\aresdestiny.exe"= UDP:c:\program files\ares destiny\aresdestiny.exe:Ares Destiny p2p for windows
"UDP Query User{B8A50B18-48A3-4431-8E35-17E62502339C}c:\\program files\\ares destiny\\aresdestiny.exe"= TCP:c:\program files\ares destiny\aresdestiny.exe:Ares Destiny p2p for windows
"TCP Query User{FA20E401-FEBC-4869-9821-EEADC06E8861}c:\\program files\\ares destiny\\ares.exe"= UDP:c:\program files\ares destiny\ares.exe:Ares p2p for windows
"UDP Query User{463D2884-0084-45FB-A04C-527454DC8CE4}c:\\program files\\ares destiny\\ares.exe"= TCP:c:\program files\ares destiny\ares.exe:Ares p2p for windows
"TCP Query User{397D9A96-69D4-4C5F-A81F-0EEFC5F86527}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{ACB80059-D0A7-477B-849F-5B9D5875B9B4}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [7/20/2008 6:19 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/11/2009 4:10 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/27/2009 11:24 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/27/2009 11:23 PM 297752]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [9/4/2009 3:58 AM 38160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-04 c:\windows\Tasks\User_Feed_Synchronization-{D7147DCF-C88C-495B-88D9-0BE25B4356A6}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
LSP: c:\windows\system32\wpclsp.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vrx.frhs.org/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 23:08
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000003F923EE78AC5A4DBB6 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4072)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\System32\WUDFHost.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
.
**************************************************************************
.
Completion time: 2009-10-04 23:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 04:12
ComboFix2.txt 2009-10-03 19:50

Pre-Run: 133,369,409,536 bytes free
Post-Run: 133,334,986,752 bytes free

308 --- E O F --- 2009-10-03 14:57

Edited by gmtech68, 04 October 2009 - 11:04 AM.


#12 gmtech68 (Topic Starter, Members, 40 posts)

Posted 04 October 2009 - 10:49 AM

Hello, this is an added note to my last reply; I hope it helps.

After some research I found that the settings for obtaining an IP address automatically for IPv6 and IPv4 "have been and are already checked".
Still without an Internet connection.
Thanks

Edited by gmtech68, 04 October 2009 - 11:12 AM.


#13 thcbytes (Malware Response Team, 14,790 posts)

Posted 04 October 2009 - 06:42 PM

Hello again,

Please go to Start, right-click My Computer and choose Manage. Double-click Device Manager. Click the plus sign next to Network Adapters. Do you see a yellow exclamation point, a red stop sign or a question mark?

Do you see your wireless network adapter?

==========

Please do this:

1. Click on Start button (lower left corner).
2. Type Cmd in the Start Search text box.
3. Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
4. Copy and paste netsh int ip reset in the Command Prompt shell, and then press the Enter key.
5. Restart the computer.

==========

If you are still unable to connect then please do this...

1. Click Start, copy and paste server manager in the Start Search box, and then click Server Manager in the Programs list.
If you are prompted for an administrator password or for confirmation, type your password, or click Continue.

2. In Server Manager, click Features.
3. In the Features pane, click Add Features.
4. In the Add Features Wizard, click Wireless LAN Service, and then click Next.
5. Click Install.
6. After the installation process is complete, click Close.

Re-boot.

==========

To answer your question...yes it is normal for the script to remain on your desktop.

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer permanently unbootable!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\TEMP\TMP0000003F923EE78AC5A4DBB6


Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please re-run Gmer and post a log.

==========

With your next post please provide:

* Answer to my questions
* Are you connected yet?
* Combofix.txt
* Gmer log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
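The ComboFix log earlier in this thread ends with catchme reporting one hidden executable under c:\windows\TEMP, and the CFScript step in the post above turns that path into a File:: directive by hand. The script below is an added example written for this thread, not code from ComboFix, from Gmer or from any poster. It does the same triage mechanically over a ComboFix-style log: it parses the Run-key autostarts, the AppInit_DLLs value and the catchme hidden-files section, flags entries that deserve a second look, and emits the File:: block in the syntax the post uses. The embedded log excerpt is constructed to match ComboFix's layout; the upd.exe entry in it and the flagging rules themselves are this example's assumptions.

```python
"""Triage a ComboFix log offline: pull the Run-key autostarts, AppInit_DLLs and
catchme's hidden-file findings out of the text, flag the ones worth a second
look, and emit the File:: block that a CFScript.txt carries.

Added example for this thread; it is not ComboFix's own code, and the flagging
heuristics are this example's assumptions, not a verdict on any file.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt laid out like ComboFix output. The "Updater" entry is
# invented for illustration and does not appear in the thread's real log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"Updater"="c:\users\janet\AppData\Local\Temp\upd.exe" [2009-10-01 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

scanning hidden files ...


c:\windows\TEMP\TMP0000003F923EE78AC5A4DBB6 524288 bytes executable

scan completed successfully
hidden files: 1
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[\S+ (?P<size>\d+)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.*)$')
HIDDEN_RE = re.compile(r"^(?P<path>[a-zA-Z]:\\.+?)\s+(?P<size>\d+) bytes")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # "run", "appinit" or "hidden"
    location: str        # registry key, or the catchme section
    path: str
    name: str = ""       # value name for Run entries
    size: int = 0
    reasons: list = field(default_factory=list)


def parse_combofix(text):
    """Walk the log line by line, tracking which [section] we are in."""
    findings, section, in_hidden = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, in_hidden = m.group("key"), False
            continue
        if line.startswith("scanning hidden files"):
            section, in_hidden = "catchme hidden files", True
            continue
        if line.startswith("scan completed"):
            in_hidden = False
            continue
        if in_hidden:
            m = HIDDEN_RE.match(line)
            if m:
                findings.append(Finding("hidden", section, m.group("path"), size=int(m.group("size"))))
            continue
        if section.lower().endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                findings.append(Finding("run", section, m.group("path"), m.group("name"), int(m.group("size"))))
            continue
        m = APPINIT_RE.match(line)
        if m and m.group("dlls").strip():
            for dll in m.group("dlls").split(","):   # the value may list several DLLs
                findings.append(Finding("appinit", section, dll.strip()))
    return findings


def flag(findings):
    """Attach a review reason to each entry the heuristics pick out (assumptions)."""
    for f in findings:
        if f.kind == "hidden":
            f.reasons.append("hidden from the Win32 API, per catchme")
        if TEMP_DIR_RE.search(f.path):
            f.reasons.append("runs from a temp directory")
        if f.kind == "appinit":
            f.reasons.append("AppInit_DLLs loads into every user-mode process; confirm the vendor")
    return [f for f in findings if f.reasons]


def build_cfscript(findings):
    """File:: block in the CFScript syntax used in the thread, one path per line."""
    paths = [f.path for f in findings if f.kind == "hidden"]
    return "File::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    flagged = flag(parse_combofix(SAMPLE_LOG))
    for f in flagged:
        print(f"{f.kind:8} {f.path}  <- {'; '.join(f.reasons)}")
    print(build_cfscript(flagged), end="")
```

A flag is a prompt to check the file's signer and vendor, not a verdict: the log in this thread shows AVG's own avgrsstx.dll registered in AppInit_DLLs, so that line is picked out on this machine even though it belongs to the installed antivirus. Only paths from the catchme hidden-files section go into the File:: block, matching what the helper scripted by hand above.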

#14 gmtech68 (Topic Starter, Members, 40 posts)

Posted 04 October 2009 - 08:23 PM

Hello,
Under Network Adapters there are several yellow exclamation points.
And yes, I do think that my wireless network adapter is listed, compared to my other laptop. But that doesn't seem to be marked with a yellow exclamation point.
I've tried to include a picture of the screen. Sorry about the poor quality.

[image]



Then I performed the following steps, after which I still can't connect:

1. Click on Start button (lower left corner).
2. Type Cmd in the Start Search text box.
3. Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
4. Copy and paste netsh int ip reset in the Command Prompt shell, and then press the Enter key.
5. Restart the computer.

And then,
I typed server manager in the Start Search box and could not find Server Manager in the Programs list. I tried this with another laptop I have, and it also didn't have Server Manager in the Programs list.

I did not proceed with ComboFix, because I couldn't complete the latter step.
Please advise. Thank you

Edited by gmtech68, 04 October 2009 - 09:10 PM.


#15 thcbytes (Malware Response Team, 14,790 posts)

Posted 05 October 2009 - 10:31 AM

Hi there,

Thanks for your patience!!!

I have some questions.

How does that computer usually connect to the internet? Ethernet or Wireless?
I take it other computers on your network are able to connect via Ethernet and wirelessly?
You are unable to connect the sick computer via Ethernet and wireless?

Please do this...

- Copy & paste ncpa.cpl into the Start menu search box:
- Right click your Wireless Connection
- Click properties
- Untick "AVG Network Filter Driver".
- Re-boot

Success?

==========

Now this.....

I want you to completely uninstall AVG. We can reinstall it later. Please use this uninstaller. Follow the directions and then re-boot.

Success?

==========

With your next post please provide:

* Answer to my questions
* Are you connected yet?

Kind regards,
~t
