
Malware has stuck through Mbam. Kaspersky scan report sent me here. Have Root Repeal and DDS reports here.



#1 ARadcliffe


Posted 08 October 2009 - 08:34 PM

Sent here from "Popups, Rapimgr.exe maxing CPU, yudegoku.dll, Popups, disabling McAfee, Spybot S&D not fixing" topic on

BleepingComputer.com > Security > Am I infected? What do I do? forum.

All details that I have been able to determine, as well as all instructions to me and actions I have taken are on that thread.
<http://www.bleepingcomputer.com/forums/topic262696.html>

I have been instructed to post DDS.txt, ark.txt, and attach the attach.txt files. These will follow in a moment - am starting this topic from an uninfected computer and will post from the infected machine.



#2 ARadcliffe


Posted 08 October 2009 - 08:46 PM

As instructed:
DDS.txt report, RootRepeal report text here, and attach.txt attached.

The Kaspersky scan report is in previous thread, http://www.bleepingcomputer.com/forums/t/262696/popups-rapimgrexe-maxing-cpu-yudegokudll/

Please let me know if it is more appropriate that I copy it here - with respect for your storage space in mind I haven't copied the whole thread over. I have put as much detailed description as possible of the problems that I have been having, over there as boopme was helping me walk through the diagnostics they have been having me run to this point.


DDS report


DDS (Ver_09-09-29.01) - NTFSx86
Run by Andrew Radcliffe at 20:40:15.17 on Thu 10/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.796 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Runtime Software\DriveImage XML\dixml.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Andrew Radcliffe\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?rls=ig
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Shell=Explorer.exe
BHO: AutorunsDisabled - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: BrowserHelper Class: {ebcdda60-2a68-11d3-8a43-0060083cfb9c} - c:\windows\system32\nzdd.dll
TB: {9FB3908C-6565-4CB0-95F8-E9F85258723C} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\zztoy.exe" /runcleanupscript
mRun: [kavoyabin] Rundll32.exe "c:\windows\system32\miluduri.dll",a
mRun: [95143325] c:\docume~1\alluse~1\applic~1\95143325\95143325.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: moove.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\ c:\windows\system32\tinonere.dll c:\windows\system32\yamileju.dll c:\windows\system32\yudegoku.dll zodetego.dll c:\windows\system32\miluduri.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: nubowirab - {eda93a25-a6fc-42b1-8046-33a3e0b0aee5} - No File
SSODL: jurivujoz - {d7be5d48-3100-407b-8593-90d14fd98891} - No File
SSODL: hafinajaw - {068721f8-6ab0-4638-a6b6-26445b4664ae} - No File
SSODL: botipawal - {b992244f-3de1-4f51-8010-4280d40c2578} - c:\windows\system32\wisepale.dll
SSODL: modedikok - {f3cca9a6-a0e9-4a79-b3c5-47fbe91fb3d1} - c:\windows\system32\tinonere.dll
SSODL: wiveruduz - {cbe05b73-11e6-494b-a627-1e5a9c1ff5d2} - c:\windows\system32\tinonere.dll
SSODL: yaletirur - {1cfc14c8-a170-40a0-a395-361d2a1f198a} - c:\windows\system32\miluduri.dll
STS: {eda93a25-a6fc-42b1-8046-33a3e0b0aee5} - No File
STS: {d7be5d48-3100-407b-8593-90d14fd98891} - No File
STS: {068721f8-6ab0-4638-a6b6-26445b4664ae} - No File
STS: jugezatag: {b992244f-3de1-4f51-8010-4280d40c2578} - c:\windows\system32\wisepale.dll
STS: jugezatag: {f3cca9a6-a0e9-4a79-b3c5-47fbe91fb3d1} - c:\windows\system32\tinonere.dll
STS: gahurihor: {cbe05b73-11e6-494b-a627-1e5a9c1ff5d2} - c:\windows\system32\tinonere.dll
STS: tokatiluy: {1cfc14c8-a170-40a0-a395-361d2a1f198a} - c:\windows\system32\miluduri.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli pigopimu.dll gutodayo.dll hevotuza.dll jelulede.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\rosettastoneltdservices\RosettaStoneLtdController.exe [2008-9-16 352312]
R3 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 gupdate1c98de894ab89ae;Google Update Service (gupdate1c98de894ab89ae);c:\program files\google\update\GoogleUpdate.exe [2009-2-13 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [2008-11-13 24576]
S4 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-4-24 99248]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-15 24652]

=============== Created Last 30 ================

2009-10-08 20:22 --d----- c:\program files\Runtime Software
2009-10-08 19:56 --d----- c:\program files\Cobian Backup 9
2009-10-07 21:36 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-07 21:36 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-07 21:36 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 21:02 --d----- c:\docume~1\andrew~1\applic~1\Malwarebytes
2009-10-07 21:02 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-07 19:34 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-07 19:32 --d----- c:\program files\SUPERAntiSpyware
2009-10-07 19:32 --d----- c:\docume~1\andrew~1\applic~1\SUPERAntiSpyware.com
2009-10-07 19:30 --d----- c:\program files\common files\Wise Installation Wizard
2009-10-06 21:25 --d----- C:\VundoFix Backups
2009-10-06 19:17 95 a------- c:\windows\This just got put back on_wininit.ini
2009-09-09 18:12 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-08-13 23:24 66,048 -------- c:\windows\system32\drivers\geyekrmpfubqtm.sys
2009-08-13 20:18 153,675 a------- c:\windows\system32\geyekrdqjnkgep.dat
2009-08-13 11:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-01-11 01:13 271,879 a------- c:\program files\ultradefrag-2.0.0.bin.i386.exe
2009-01-09 19:58 1,226,248 a------- c:\program files\DMSetup.exe
2008-01-24 22:48 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-08-29 08:07 774,144 ac------ c:\program files\RngInterstitial.dll
2009-07-08 11:11 1,011,246 a--sh--- c:\windows\system32\bosotozo.exe
2009-07-06 20:19 38,400 a--sh--- c:\windows\system32\dinivosa.dll
2009-07-07 12:34 52,224 a--sh--- c:\windows\system32\jelulede.dll
2009-07-08 11:11 37,888 a--sh--- c:\windows\system32\matidaha.dll
2009-07-08 11:11 88,576 a--sh--- c:\windows\system32\miluduri.dll
2009-07-07 12:34 52,224 a--sh--- c:\windows\system32\zasepago.dll
2009-07-07 12:34 52,224 a--sh--- c:\windows\system32\zodetego.dll

============= FINISH: 20:44:52.87 ===============


RootRepeal Report

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/08 20:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAF87C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79C9000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAEF19000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\EventCache\{3293A8A1-BEBA-4506-9305-A77437A420CC}.bin
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\andrew radcliffe\local settings\temp\etilqs_eube1tzl3mbgi8woffkt
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: C:\Documents and Settings\BH\Local Settings\Apps\2.0\JOKVM074.L6B\6O947OBT.EMJ\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\BH\Local Settings\Apps\2.0\JOKVM074.L6B\6O947OBT.EMJ\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: geyekrrpuwpinx
Image Path: C:\WINDOWS\system32\drivers\geyekrmpfubqtm.sys

==EOF==




#3 Buckeye_Sam


    Malware Expert



Posted 09 October 2009 - 03:58 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 ARadcliffe


Posted 09 October 2009 - 08:36 PM

Sam - I am most grateful for the help of you and your team. I am getting started on your instructions now.

I will keep you posted and post results as instructed.

Thanks,
Andy

#5 ARadcliffe


Posted 09 October 2009 - 10:45 PM

ComboFix 09-10-08.04 - Andrew Radcliffe 10/09/2009 23:20.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.822 [GMT -4:00]
Running from: c:\documents and settings\Andrew Radcliffe\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\85bd78.msp
c:\windows\Installer\85bd8e.msp
c:\windows\Installer\85be0f.msp
c:\windows\jestertb.dll
c:\windows\system32\dinivosa.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\geyekrmpfubqtm.sys
c:\windows\system32\geyekrdqjnkgep.dat
c:\windows\system32\geyekrypkpdulq.dat
c:\windows\system32\jelulede.dll
c:\windows\system32\matidaha.dll
c:\windows\system32\miluduri.dll
c:\windows\system32\zodetego.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_geyekrrpuwpinx
-------\Service_geyekrrpuwpinx


((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-09 00:22 . 2009-10-09 00:22 -------- d-----w- c:\program files\Runtime Software
2009-10-08 23:56 . 2009-10-09 00:21 -------- d-----w- c:\program files\Cobian Backup 9
2009-10-08 01:36 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 01:36 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 01:36 . 2009-10-08 01:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 01:02 . 2009-10-08 01:02 -------- d-----w- c:\documents and settings\Andrew Radcliffe\Application Data\Malwarebytes
2009-10-08 01:02 . 2009-10-08 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 23:34 . 2009-10-07 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-07 23:32 . 2009-10-07 23:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-07 23:32 . 2009-10-07 23:32 -------- d-----w- c:\documents and settings\Andrew Radcliffe\Application Data\SUPERAntiSpyware.com
2009-10-07 23:30 . 2009-10-07 23:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-07 01:25 . 2009-10-07 01:25 -------- d-----w- C:\VundoFix Backups
2009-09-22 03:10 . 2009-09-22 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-14 19:55 . 2009-09-14 19:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 23:51 . 2007-10-13 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-08 03:12 . 2007-02-17 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-08 03:12 . 2009-01-10 01:40 -------- d-----w- c:\program files\McAfee
2009-09-29 20:23 . 2008-04-25 02:45 -------- d-----w- c:\program files\LxCats_assole
2009-09-22 15:41 . 2007-05-22 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 03:16 . 2007-05-22 22:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-15 01:18 . 2008-01-25 02:16 -------- d-----w- c:\documents and settings\Andrew Radcliffe\Application Data\Skype
2009-09-15 01:03 . 2008-01-25 02:48 -------- d-----w- c:\documents and settings\Andrew Radcliffe\Application Data\skypePM
2009-09-06 03:00 . 2004-09-17 02:19 98744 -c--a-w- c:\documents and settings\Andrew Radcliffe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 14:23 . 2009-08-15 14:23 -------- d-----w- c:\program files\MSBuild
2009-08-15 14:23 . 2009-08-15 14:23 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-01-11 05:13 . 2009-01-11 05:12 271879 ----a-w- c:\program files\ultradefrag-2.0.0.bin.i386.exe
2009-01-09 23:58 . 2009-01-09 23:58 1226248 ----a-w- c:\program files\DMSetup.exe
2007-08-29 12:07 . 2007-08-29 12:08 774144 -c--a-w- c:\program files\RngInterstitial.dll
2009-07-08 15:11 . 2009-07-08 15:11 1011246 --sha-w- c:\windows\SYSTEM32\bosotozo.exe
2009-07-07 16:34 . 2009-07-07 16:34 52224 --sha-w- c:\windows\SYSTEM32\zasepago.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-08-19 06:01 . 2003-08-19 06:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2005-10-18 16:58 . 2005-10-18 16:58 278528 c:\program files\iTunes\bak\iTunesHelper.exe
2009-04-02 20:11 . 2009-04-02 20:11 342312 c:\program files\iTunes\iTunesHelper.exe

2007-07-25 00:07 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2006-01-02 15:35 . 2006-01-02 15:35 155648 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 20:18 . 2009-01-05 20:18 413696 c:\program files\QuickTime\QTTask.exe

1980-01-01 05:00 . 2005-10-19 12:59 126976 c:\windows\SYSTEM32\bak\hkcmd.exe

1980-01-01 05:00 . 2005-10-19 12:59 155648 c:\windows\SYSTEM32\bak\igfxtray.exe

2004-09-14 00:33 . 2004-03-15 06:04 122933 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-13 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\zztoy.exe" [2009-09-10 1312080]
"kavoyabin"="c:\windows\system32\miluduri.dll" [N/A]
"95143325"="c:\docume~1\ALLUSE~1\APPLIC~1\95143325\95143325.exe" [N/A]
"hibiheneve"="jelulede.dll" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2007-10-13 161776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RosettaStoneLtdController"=3 (0x3)
"gusvc"=2 (0x2)
"iPodService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"kavoyabin"=Rundll32.exe "c:\windows\system32\fukafati.dll",a

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxddcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdController.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdServer.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddtime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddjswx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\RosettaStoneLtdServices\RosettaStoneLtdController.exe [9/16/2008 12:02 PM 352312]
S2 gupdate1c98de894ab89ae;Google Update Service (gupdate1c98de894ab89ae);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2009 10:37 AM 133104]
S3 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 ultradfg;ultradfg;c:\windows\SYSTEM32\DRIVERS\ultradfg.sys [11/13/2008 5:52 AM 24576]
S4 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxddserv.exe [4/24/2008 10:42 PM 99248]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/15/2007 5:17 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-13 02:26]

2009-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 14:37]

2009-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 14:37]

2008-04-27 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-20 02:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?rls=ig
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: moove.com
Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\SYSTEM32\nzdd.dll
Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\SYSTEM32\nzdd.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{ec2afec9-e463-4538-af15-83abb2794519} - tumaveko.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SharedTaskScheduler-{eda93a25-a6fc-42b1-8046-33a3e0b0aee5} - (no file)
SharedTaskScheduler-{d7be5d48-3100-407b-8593-90d14fd98891} - (no file)
SharedTaskScheduler-{068721f8-6ab0-4638-a6b6-26445b4664ae} - (no file)
SharedTaskScheduler-{b992244f-3de1-4f51-8010-4280d40c2578} - c:\windows\system32\wisepale.dll
SharedTaskScheduler-{f3cca9a6-a0e9-4a79-b3c5-47fbe91fb3d1} - c:\windows\system32\tinonere.dll
SharedTaskScheduler-{cbe05b73-11e6-494b-a627-1e5a9c1ff5d2} - c:\windows\system32\tinonere.dll
SharedTaskScheduler-{1cfc14c8-a170-40a0-a395-361d2a1f198a} - c:\windows\system32\miluduri.dll
SSODL-nubowirab-{eda93a25-a6fc-42b1-8046-33a3e0b0aee5} - (no file)
SSODL-jurivujoz-{d7be5d48-3100-407b-8593-90d14fd98891} - (no file)
SSODL-hafinajaw-{068721f8-6ab0-4638-a6b6-26445b4664ae} - (no file)
SSODL-botipawal-{b992244f-3de1-4f51-8010-4280d40c2578} - c:\windows\system32\wisepale.dll
SSODL-modedikok-{f3cca9a6-a0e9-4a79-b3c5-47fbe91fb3d1} - c:\windows\system32\tinonere.dll
SSODL-wiveruduz-{cbe05b73-11e6-494b-a627-1e5a9c1ff5d2} - c:\windows\system32\tinonere.dll
SSODL-yaletirur-{1cfc14c8-a170-40a0-a395-361d2a1f198a} - c:\windows\system32\miluduri.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 23:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2924)
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-10 23:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 03:38

Pre-Run: 3,396,562,944 bytes free
Post-Run: 3,666,849,792 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

254 --- E O F --- 2009-09-10 03:52

#6 ARadcliffe

Posted 09 October 2009 - 10:48 PM

Sam - here is my combofix log. My apologies for no comments in that same post; I seem to be having keyboard issues with the infected computer. Fortunately mouse still works, and I am posting from my uninfected work laptop. Might be a physical issue - was disconnecting things as I pulled data from the machine and may have jostled it.

The only notable event during the run was that twice a balloon popped up from the system tray and said that google had seen me trying to change my search engine and did I want to do that... I ignored it and it went away.

Thanks again for the help,
Andy Radcliffe

#7 ARadcliffe

Posted 09 October 2009 - 11:02 PM

Sam - one more addendum; the keyboard was loosely connected, probably affected in my jostling while unplugging the computer from the router for awhile earlier today.

But the keyboard now won't work once securely plugged in. It did occur to me that this might be a side effect of the combofix program so I thought I'd let you know the status of that in case it is relevant to the situation.

My plan now is to shut off the cable modem and the monitor and not restart the computer or do anything else until duly instructed.

Will await instructions.

Best,
Andy Radcliffe

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


Posted 10 October 2009 - 08:07 AM

We still have a few more things to remove with Combofix. Make sure that your keyboard is securely plugged in and when you reboot it should restore functionality.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
c:\windows\system32\miluduri.dll
c:\windows\SYSTEM32\bosotozo.exe
c:\windows\SYSTEM32\zasepago.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kavoyabin"=-
"95143325"=-
"hibiheneve"=-

Folder::
c:\docume~1\ALLUSE~1\APPLIC~1\95143325

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=======================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 ARadcliffe

Posted 10 October 2009 - 08:19 AM

Sam-

Ok, getting started now.

I'll need to do a reboot before getting started so I can type...

will keep you posted.

Thanks again for all the guidance.

Andy

#10 ARadcliffe

Posted 10 October 2009 - 09:07 AM

Sam-

The reboot put my keyboard working again. Had two popup windows on the reboot that were looking for .dll files that I presume were removed in the first combofix run.

Here is the combofix log from the second run with the CFScript, I am moving on to the Malwarebytes task next.

Thanks,
Andy

ComboFix 09-10-08.04 - Andrew Radcliffe 10/10/2009 9:42.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.883 [GMT -4:00]
Running from: c:\documents and settings\Andrew Radcliffe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew Radcliffe\Desktop\CFScript

FILE ::
"c:\windows\SYSTEM32\bosotozo.exe"
"c:\windows\system32\miluduri.dll"
"c:\windows\SYSTEM32\zasepago.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\bosotozo.exe
c:\windows\SYSTEM32\zasepago.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-09 00:22 . 2009-10-09 00:22 -------- d-----w- c:\program files\Runtime Software
2009-10-08 23:56 . 2009-10-09 00:21 -------- d-----w- c:\program files\Cobian Backup 9
2009-10-08 01:36 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 01:36 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 01:36 . 2009-10-08 01:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 01:02 . 2009-10-08 01:02 -------- d-----w- c:\documents and settings\Andrew Radcliffe\Application Data\Malwarebytes
2009-10-08 01:02 . 2009-10-08 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 23:34 . 2009-10-07 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-07 23:32 . 2009-10-07 23:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-07 23:32 . 2009-10-07 23:32 -------- d-----w- c:\documents and settings\Andrew Radcliffe\Application Data\SUPERAntiSpyware.com
2009-10-07 23:30 . 2009-10-07 23:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-07 01:25 . 2009-10-07 01:25 -------- d-----w- C:\VundoFix Backups
2009-09-22 03:10 . 2009-09-22 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-14 19:55 . 2009-09-14 19:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 23:51 . 2007-10-13 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-08 03:12 . 2007-02-17 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-08 03:12 . 2009-01-10 01:40 -------- d-----w- c:\program files\McAfee
2009-09-29 20:23 . 2008-04-25 02:45 -------- d-----w- c:\program files\LxCats_assole
2009-09-22 15:41 . 2007-05-22 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-22 03:16 . 2007-05-22 22:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-15 01:18 . 2008-01-25 02:16 -------- d-----w- c:\documents and settings\Andrew Radcliffe\Application Data\Skype
2009-09-15 01:03 . 2008-01-25 02:48 -------- d-----w- c:\documents and settings\Andrew Radcliffe\Application Data\skypePM
2009-09-06 03:00 . 2004-09-17 02:19 98744 -c--a-w- c:\documents and settings\Andrew Radcliffe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 14:23 . 2009-08-15 14:23 -------- d-----w- c:\program files\MSBuild
2009-08-15 14:23 . 2009-08-15 14:23 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-01-11 05:13 . 2009-01-11 05:12 271879 ----a-w- c:\program files\ultradefrag-2.0.0.bin.i386.exe
2009-01-09 23:58 . 2009-01-09 23:58 1226248 ----a-w- c:\program files\DMSetup.exe
2007-08-29 12:07 . 2007-08-29 12:08 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-10_03.30.10 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-08-19 06:01 . 2003-08-19 06:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2005-10-18 16:58 . 2005-10-18 16:58 278528 c:\program files\iTunes\bak\iTunesHelper.exe
2009-04-02 20:11 . 2009-04-02 20:11 342312 c:\program files\iTunes\iTunesHelper.exe

2007-07-25 00:07 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2006-01-02 15:35 . 2006-01-02 15:35 155648 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 20:18 . 2009-01-05 20:18 413696 c:\program files\QuickTime\QTTask.exe

1980-01-01 05:00 . 2005-10-19 12:59 126976 c:\windows\SYSTEM32\bak\hkcmd.exe

1980-01-01 05:00 . 2005-10-19 12:59 155648 c:\windows\SYSTEM32\bak\igfxtray.exe

2004-09-14 00:33 . 2004-03-15 06:04 122933 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-13 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\zztoy.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2007-10-13 161776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RosettaStoneLtdController"=3 (0x3)
"gusvc"=2 (0x2)
"iPodService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxddcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdController.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdServer.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddtime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxddjswx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\RosettaStoneLtdServices\RosettaStoneLtdController.exe [9/16/2008 12:02 PM 352312]
R3 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 gupdate1c98de894ab89ae;Google Update Service (gupdate1c98de894ab89ae);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2009 10:37 AM 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 ultradfg;ultradfg;c:\windows\SYSTEM32\DRIVERS\ultradfg.sys [11/13/2008 5:52 AM 24576]
S4 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxddserv.exe [4/24/2008 10:42 PM 99248]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/15/2007 5:17 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-13 02:26]

2009-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 14:37]

2009-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-13 14:37]

2008-04-27 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-20 02:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?rls=ig
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: moove.com
Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\SYSTEM32\nzdd.dll
Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\SYSTEM32\nzdd.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 09:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-10-10 9:54
ComboFix-quarantined-files.txt 2009-10-10 13:52
ComboFix2.txt 2009-10-10 03:40

Pre-Run: 3,661,172,736 bytes free
Post-Run: 3,621,376,000 bytes free

195 --- E O F --- 2009-09-10 03:52

#11 ARadcliffe

Posted 10 October 2009 - 10:39 AM

Malwarebytes' Anti-Malware 1.41
Database version: 2936
Windows 5.1.2600 Service Pack 3

10/10/2009 11:33:17 AM
mbam-log-2009-10-10 (11-33-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217020
Time elapsed: 1 hour(s), 13 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Sam-

Here is my MBAM scan.
It is asking me to reboot, I am going to post this and proceed with that reboot. I'll check the log to see if there is new information.

Andy


Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bosotozo.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1683\A0210597.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1684\A0210723.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Andrew Radcliffe\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

#12 ARadcliffe

Posted 10 October 2009 - 10:53 AM

Sam-

Ok, have rebooted. No change to the log file on reboot - my guess is that you already knew that.

Nice quick reboot, no issues.

Awaiting further instructions.

Thanks again for all the help - the length of the log file alone versus three days ago is indicative of how far better things are...
Andy

#13 Buckeye_Sam

Posted 10 October 2009 - 04:15 PM

Your logs are looking pretty good to me. How are things on your end? Any issues remaining?

#14 ARadcliffe

Posted 10 October 2009 - 05:35 PM

Sam-

That's good news. Have not operated the machine since my last post - didn't want to spawn anything else in case it wasn't clean - and so was awaiting your analysis.

I am most grateful for your assistance - and if I could, I would like to ask one more favor of you.

I'd like to understand what the proper precautions might be to reduce the risk of this happening again. As we don't use this computer for any applications that require the utmost in performance, I would like to armor the heck out of it so we don't wind up this creek again.

What protection applications that are available are most effective in preventing infections of this nature? Is there a suite of these that you can recommend?

I have blown away my McAfee in the course of this battle, once I realized that most of the high-end stuff that yourself and boopme were recommending had new updates that were on the order of days or even hours, instead of McAfee's weeks or months... so I am going to venture out again gently, and am not going away from the very well-lighted parts of the internet until the machine is properly set up.

Thanks once again for this most generous use of your time and expertise.

Best,
Andy

#15 ARadcliffe

Posted 10 October 2009 - 05:52 PM

Sam - I can't believe how fast everything loads. We must have been a mess for awhile...



