Infected - browser redirect unable to open certain programs


This topic is locked
31 replies to this topic

#1 blzbuh (Members, 48 posts)

Posted 06 January 2010 - 03:02 PM

Hello kind folks,

My base antivirus is ESET Nod32 supplemented with superantispyware once a week.
Been infected for about a week now. Started with a desktop pic half loading and a fake Windows message about being infected by malware in my systray. Malwarebytes cleaned up what it could, SUPERAntiSpyware did what it could. Both programs show nothing infected. Browser is constantly redirected and I can't open a program I use every day for work.

I have followed every step of posting but you will notice I haven't posted my RootRepeal log as it freezes my computer upon loading.

dds:

DDS (Ver_09-12-01.01) - NTFSx86
Run by workstation at 10:04:22.45 on 2010-01-06
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.490 [GMT -8:00]

AV: ThreatFire *On-access scanning disabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\workstation\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.800buytickets.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [HijackThis startup scan] c:\program files\trendmicro\hijackthis\HijackThis.exe /startupscan
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [TSC] "c:\docume~1\workst~1\locals~1\temp\housecall\tsc.exe" /HD
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director6/cabs/SW.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {670821E0-76D1-11D4-9F60-009027A966BF} - hxxp://racing.youbet.com/wr_6_2/controls/ybrequest.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143164918645
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38163.7808101852
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://openfieldsupport.webex.com/client/latest/support/ieatgpc.cab
TCP: {CBB73A67-6A88-46AD-B288-CB8ED82415D5} = 192.168.1.99,206.13.28.12,206.13.29.12
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\workst~1\applic~1\mozilla\firefox\profiles\n6c1jjlx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - hxxps://www.stubhub.com/?gSec=login&goto=%2F%3FgSec%3Dbulkupload%26&cb=1141
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\technicianconsole@logmeinrescue.com\platform\winnt\plugins\npRescue.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R? ASKService;ASKService
R? ASKUpgrade;ASKUpgrade
R? LMIRfsClientNP;LMIRfsClientNP
R? NAVAP;NAVAP
R? NAVENG;NAVENG
R? NAVEX15;NAVEX15
R? Norton AntiVirus Server;Symantec AntiVirus Client
S? ekrn;Eset Service
S? epfwtdir;epfwtdir
S? LMIInfo;LogMeIn Kernel Information Provider
S? LMIRfsDriver;LogMeIn Remote File System Driver
S? NAVAPEL;NAVAPEL
S? SASDIFSV;SASDIFSV
S? SASENUM;SASENUM
S? SASKUTIL;SASKUTIL
S? Viewpoint Manager Service;Viewpoint Manager Service
S? WinDefend;Windows Defender

=============== Created Last 30 ================

2010-01-06 17:19:09 0 d-----w- c:\program files\TrendMicro
2009-12-23 18:04:14 60744 ----a-w- c:\documents and settings\workstation\g2mdlhlpx.exe
2009-12-16 20:26:40 0 d-----w- c:\program files\Business Objects
2009-12-14 20:46:22 0 d-----w- c:\docume~1\workst~1\applic~1\LogMeIn Rescue
2009-12-14 20:45:11 0 d-----w- c:\program files\LogMeIn Rescue
2009-12-14 20:36:12 14048 ------w- c:\windows\system32\spmsg2.dll
2009-12-10 01:30:36 0 d-----w- c:\docume~1\workst~1\applic~1\Softplicity

==================== Find3M ====================

2009-12-30 22:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-26 18:34:56 114688 ----a-w- c:\windows\system32\hkcmd.exe
2009-10-25 14:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 16:10:09 236544 ----a-w- c:\windows\PEV.exe
2008-09-11 16:27:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

============= FINISH: 10:11:07.37 ===============

Attached Files
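A quick way to triage a "Pseudo HJT Report" like the one in the post above is to parse it and flag the load points that matter most. The Python below is an added example written for this page; it is not DDS's code and not something the poster ran. The risk rules, the trusted-host list and the severity labels are the author's assumptions, and the sample lines are a constructed subset of the report above. A flagged home page or autorun is a question to put to the user, not a verdict.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; not DDS's own logic.  The rules below
(which load points count as high risk, which hosts are trusted) are the
author's assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines in the format DDS prints.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.800buytickets.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRunOnce: [TSC] "c:\docume~1\workst~1\locals~1\temp\housecall\tsc.exe" /HD
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll
FF - prefs.js: browser.startup.homepage - hxxps://www.stubhub.com/?gSec=login
"""

# Load points whose value is a home page / search URL (IE keys and Firefox prefs).
URL_KEYS = ('uStart Page', 'mStart Page', 'uSearch', 'mSearch',
            'uDefault', 'mDefault', 'FF - prefs.js')
URL_RE = re.compile(r'hxxps?://\S+')        # DDS defangs http -> hxxp
RUN_KEY_RE = re.compile(r'Run(Once)?$')       # uRun, mRun, mRunOnce, <SID>_Run
POLICY_RE = re.compile(r'(\w+)\s*=\s*(\d+)')


def parse_line(line):
    """Split 'Key: detail' or 'Key = value' into (loadpoint, detail)."""
    if ': ' in line:
        key, detail = line.split(': ', 1)
    elif ' = ' in line:
        key, detail = line.split(' = ', 1)
    else:
        return None
    return key.strip(), detail.strip()


def image_path(command):
    """Return the executable part of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''


def host_of(detail):
    """Hostname of the first defanged URL in the line, or None."""
    m = URL_RE.search(detail)
    return urlparse(m.group(0).replace('hxxp', 'http', 1)).hostname if m else None


def triage(report_text, trusted_hosts):
    """Return findings as dicts: code, severity, loadpoint, detail, reason."""
    findings = []

    def add(code, severity, key, detail, reason, **extra):
        findings.append(dict(code=code, severity=severity, loadpoint=key,
                             detail=detail, reason=reason, **extra))

    for raw in report_text.splitlines():
        parsed = parse_line(raw.strip())
        if not parsed:
            continue
        key, detail = parsed
        if key == 'AppInit_DLLs' and detail:
            add('appinit', 'high', key, detail,
                'AppInit_DLLs is loaded into every process that loads user32.dll')
        elif key.endswith(('Policies-system', 'Policies-explorer')):
            m = POLICY_RE.match(detail)
            if m and m.group(1).startswith(('Disable', 'No')) and m.group(2) != '0':
                add('policy', 'high', key, detail,
                    'restrictive policy set; rogue software often disables Task Manager')
        elif detail.endswith('No File'):
            add('orphan', 'info', key, detail, 'registry entry whose file is gone')
        elif RUN_KEY_RE.search(key):
            m = re.match(r'\[(.*?)\]\s*(.*)', detail)
            image = image_path(m.group(2)) if m else ''
            if image and '\\' not in image:
                add('unqualified', 'medium', key, detail,
                    'unqualified image name is resolved via PATH search order')
            elif '\\temp\\' in image.lower():
                add('temp', 'medium', key, detail, 'autorun points into a temp directory')
        elif key.startswith(URL_KEYS):
            host = host_of(detail)
            if host and not any(host == t or host.endswith('.' + t) for t in trusted_hosts):
                add('url', 'medium', key, detail,
                    "home/search URL not in the trusted list; confirm it is the user's choice",
                    host=host)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT, {'google.com'}):
        print(f"[{f['severity']:<6}] {f['loadpoint']}: {f['reason']}")
```

Run as-is it reports the sample; on a full log, paste the whole "Pseudo HJT Report" section in place of the sample and extend the trusted-host set with the sites the user actually uses. Entries that only a signature database can judge (BHO, Notify, SEH DLLs) are deliberately left alone here; the script narrows the list to look at, it does not replace looking.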


#2 thcbytes (Malware Response Team)

Posted 13 January 2010 - 10:47 AM

Do you still desire help?
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 blzbuh (Topic Starter)

Posted 13 January 2010 - 12:18 PM

QUOTE (thcbytes @ Jan 13 2010, 10:47 AM)
Do you still desire help?


I need help in a bad way. The situation has gotten worse to the point where I am stuck in a loading loop and can't even access my desktop any more. The computer gets to the Windows loading screen and then reboots. I disabled auto restart and the error says:

Stop: 0x70000007e (0xC0000005, 0x89e56113, 0xf78d67b0, 0xf78d64ac)


At this point I think saving the computer is out, I just hope to recover some of the data on the drive. Any ideas here?

#4 thcbytes (Malware Response Team)

Posted 13 January 2010 - 02:10 PM

Hello,

Don't torch that computer yet! At the worst I should be able to recover your data. At the best I might be able to get you booting again.

==========

Answer some questions first.

What led to the crash?
What programs have you run?
The more info you provide the better I can assist you!
Have you ever run Combofix?
Do you have your Windows XP install disc?

==========

You will need a clean computer to create this disc...

Print these instructions out so that you know what you are doing

First

ISOBurner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the programme; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: this file is 292 MB in size, so it may take some time to download.
  • When downloaded, double-click it and this will open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the C:\OTL.txt file in your reply.

==========

With your next post please provide:

* Answer to questions
* C:\OTL.txt

Kind regards,
~t
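The /md5start ... /md5stop block in the OTL script above makes OTL hash those files so their digests can be compared with known-good ones. The Python below is an added example, not OTL's code: it walks an offline-mounted Windows tree (the mount point is an assumption the caller supplies), hashes every copy of each listed file it finds (system32, system32\drivers, dllcache), and reports names whose copies disagree with each other or with a baseline hash the analyst provides. The sample volume it builds in a temporary directory is constructed data, not from this thread.

```python
"""Hash the files named in an OTL '/md5start ... /md5stop' block across an
offline-mounted Windows tree and report copies that disagree.

Added example for this thread; not OTL's own code.  The mount point and the
baseline of known-good hashes are assumptions the analyst supplies.
"""
import hashlib
import os
import tempfile

# Names from the /md5start block in the OTL script above (a subset).
MD5_TARGETS = ['eventlog.dll', 'scecli.dll', 'netlogon.dll', 'atapi.sys',
               'iastor.sys', 'nvstor.sys', 'agp440.sys']


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks (MD5 because that is what OTL reports)."""
    h = hashlib.md5()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def find_copies(root, names):
    """Map each wanted name (lower-cased) to [(path relative to root, md5), ...]
    for every copy under root: system32, system32\\drivers, dllcache, ..."""
    wanted = {n.lower() for n in names}
    copies = {n: [] for n in wanted}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower() in wanted:
                full = os.path.join(dirpath, fn)
                copies[fn.lower()].append((os.path.relpath(full, root), md5_of(full)))
    return copies


def report(copies, baseline=None):
    """Findings, in name order:
       ('mismatch', name, [paths])     copies of the same file differ
       ('baseline', name, path, md5)   a copy differs from the known-good hash
       ('missing', name)               no copy found (normal for drivers of
                                       hardware this machine does not have)"""
    findings = []
    for name, found in sorted(copies.items()):
        if not found:
            findings.append(('missing', name))
            continue
        if len({d for _, d in found}) > 1:
            findings.append(('mismatch', name, [p for p, _ in found]))
        if baseline and name in baseline:
            for path, digest in found:
                if digest != baseline[name]:
                    findings.append(('baseline', name, path, digest))
    return findings


def build_sample_volume():
    """Throwaway tree shaped like WINDOWS\\system32, with one tampered copy.
    Constructed sample data, not taken from the thread."""
    root = tempfile.mkdtemp(prefix='otl_md5_')
    files = {
        r'system32\drivers\atapi.sys': b'original atapi',
        r'system32\dllcache\atapi.sys': b'patched atapi',   # disagrees on purpose
        r'system32\eventlog.dll': b'eventlog',
        r'system32\dllcache\eventlog.dll': b'eventlog',
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split('\\'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(data)
    return root


# Known-good hash for the sample (assumption; a real baseline comes from
# clean installation media of the same service pack).
SAMPLE_BASELINE = {'atapi.sys': hashlib.md5(b'original atapi').hexdigest()}


if __name__ == '__main__':
    root = build_sample_volume()   # e.g. r'E:\WINDOWS' for a mounted sick drive (assumption)
    for finding in report(find_copies(root, MD5_TARGETS), SAMPLE_BASELINE):
        print(*finding)
```

On a real drive, "missing" is expected for storage drivers the machine never had; the findings worth acting on are "mismatch" (the copy Windows loads differs from the one in dllcache) and "baseline" (a copy differs from clean media). Run it from the boot CD or a clean machine with the sick drive mounted, never from the suspect installation itself.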

#5 blzbuh (Topic Starter)

Posted 13 January 2010 - 03:16 PM

Got the desktop up and running; when I click OK after "load all remaining users" I get the following:

Registry Access Error:

The IOCTL call made by the application program is not correct.

#6 thcbytes (Malware Response Team)

Posted 13 January 2010 - 03:32 PM

Oh my. That was fast!

Try a reboot and let me know how it goes. If it throws the error again then do not load all the remaining users.

Also I need answers to those questions. It is very important.

Many thanks,
~ t

#7 blzbuh (Topic Starter)

Posted 13 January 2010 - 04:01 PM

I believe this started when a PDF file opened automatically on my computer; I hadn't done anything at the time, but my Firefox browser was open. I quickly closed it and was fine for the rest of the day.

Maybe a day or two later my point-of-sale program for work crashed and I could not get the program to open up again. My desktop pic only half loaded and it looked like there was some weird shading around the shortcuts. I had a fake alert of a malware infection from Windows in my systray, but I knew not to click it from what I had read. From there it was browser redirects and strange slow behavior.

I ran Malwarebytes' Anti-Malware and SUPERAntiSpyware, which both detected trojans and some other bad stuff. After running those two in safe mode I could reboot regularly and they would show the computer was clean. Unfortunately all of the logs are on the computer I can't access. I also ran HijackThis and the program I posted the log from above. Next time I rebooted there were pornhub.com and nudetube.com shortcuts on my desktop. After running scans with Malwarebytes and SAS a bunch of trojans and rogue agents showed. I tried to reboot into safe mode and it started looping like described above. I didn't run Combofix as I was waiting to speak with someone who knows what they are doing, like you, thank heavens. I do not have the XP CD but I can access the Windows Recovery Console and tried a chkdsk /p and chkdsk /r and fixmbr to no avail.

I just tried to run the OTLPE program with and without the "load remaining users" box checked and I get the same error.

#8 thcbytes (Malware Response Team)

Posted 13 January 2010 - 06:19 PM

Ok. Thanks for the detailed information.

Let's boot up a different OS. We will be able to access all your files and folders here, including the logs from MBAM and SAS. You will be able to connect to the internet by this route. I might be able to get you booted into Windows again by this method.

You mentioned that you can get into the Recovery Console. Was it preloaded with your OS, or have you run Combofix prior to this infection?

Let's now create a boot disc so that you can access your files and folders and so I can get a look at a log.

*** Please print these instructions ***
  1. Download Hiren's BootCD ISO to the desktop of a clean computer.
  2. Extract the zipped HirensBootCD.zip to your desktop.
  3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  5. Insert a blank CD in your drive.
  6. Press Start. This will burn the image to disc. After it has completed...
  7. Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
      • The tab should now show your current boot order.
      • If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  8. When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
  9. You will be able to access your sick drive and save files/folders from here.
  10. Create an ethernet (wired) Internet Connection
    • Double click the Network Support icon on the HBCD desktop
    • A computer screen will appear in the lower right corner system tray
    • Double click HBCD Menu on your HBCD desktop
    • Choose Menu
    • Then Browsers
    • Then Opera
    • Success?
  11. You should now be connected to the internet.
  12. Navigate here to the forum and click this link.
  13. Download the program and save it to the desktop.
  14. Once saved, close all other windows then double click the program to run it.
  15. When completed, a log will open.
  16. Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!

  17. In addition you now have access to all your files and folders amongst many other utilities that we might need to use later.
  18. If you double click your Windows Explorer icon on your desktop you will be able to access your hard drive.

Let me know if you encounter any problems and don't forget to answer my question,
~ t

#9 blzbuh (Topic Starter)

Posted 13 January 2010 - 07:43 PM

Thanks!

No, I have not run Combofix before; the computer is an IBM which came preloaded with PC Doctor and a few other diagnostic programs.

The Hiren's CD page won't let me download. There is an error when trying to click the download button.

#10 blzbuh (Topic Starter)

Posted 13 January 2010 - 08:20 PM

Never mind, it is working now. I will post results shortly.

#11 thcbytes (Malware Response Team)

Posted 13 January 2010 - 09:29 PM

(thumbs-up emoticon)

#12 blzbuh (Topic Starter)

Posted 14 January 2010 - 05:13 PM


DDS_BootCD_Version (Ver_09-10-04.01) - NTFSx86
Run at 12:05:59.39 on Thu 01/14/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
S-1-5-21-3658351237-2758076289-622737274-500_Run: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
S-1-5-21-3658351237-2758076289-622737274-500_Run: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
S-1-5-21-746137067-1972579041-1801674531-1119_Run: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
S-1-5-21-746137067-1972579041-1801674531-1119_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-746137067-1972579041-1801674531-1119_Run: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
S-1-5-21-746137067-1972579041-1801674531-1119_Run: [HijackThis startup scan] c:\program files\trendmicro\hijackthis\HijackThis.exe /startupscan
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: EnableLUA = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director6/cabs/SW.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143164918645
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38163.7808101852
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://openfieldsupport.webex.com/client/latest/support/ieatgpc.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - hxxps://www.stubhub.com/?gSec=login&goto=%2F%3FgSec%3Dbulkupload%26&cb=1141
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\technicianconsole@logmeinrescue.com\platform\winnt\plugins\npRescue.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

ASKService; c:\program files\askbardis\bar\bin\AskService.exe
ASKUpgrade; c:\program files\askbardis\bar\bin\ASKUpgrade.exe
drvncdb; [x]
ekrn; "c:\program files\eset\eset nod32 antivirus\ekrn.exe"
epfwtdir; system32\DRIVERS\epfwtdir.sys
H8SRTd.sys; \systemroot\system32\drivers\H8SRTd.sys
Ias; %SystemRoot%\System32\svchost.exe -k netsvcs; c:\windows\system32\Iasv32.dll
LMIInfo; \??\c:\program files\logmein\x86\RaInfo.sys
LMIRfsClientNP; [x]
LMIRfsDriver; \??\c:\windows\system32\drivers\LMIRfsDriver.sys
MBAMSwissArmy; \??\c:\windows\system32\drivers\mbamswissarmy.sys
Outlook; [x]
pelmouse; System32\DRIVERS\pelmouse.sys
pelusblf; System32\DRIVERS\pelusblf.sys
rootrepeal; \??\c:\windows\system32\drivers\rootrepeal.sys
SASDIFSV; \??\c:\program files\superantispyware\SASDIFSV.SYS
SASENUM; \??\c:\program files\superantispyware\SASENUM.SYS
SASKUTIL; \??\c:\program files\superantispyware\SASKUTIL.sys
TfKbMon; System32\Drivers\TfKbMon.sys
Viewpoint Manager Service; "c:\program files\viewpoint\common\ViewpointService.exe"
xyzzrked; [x]
{CBB73A67-6A88-46AD-B288-CB8ED82415D5}; [x]

=============== Created Last 30 ================

2010-01-07 17:36 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 17:36 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-01-07 17:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 21:15 0 a------- c:\windows\system32\drivers\xyzzrked.sys
2010-01-06 17:19 <DIR> --d----- c:\program files\TrendMicro
2009-12-16 20:26 <DIR> --d----- c:\program files\Business Objects

==================== Find3M ====================

2009-11-03 04:42 195,456 -------- c:\windows\system32\MpSigStub.exe
2009-10-28 14:36 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-10-26 18:34 114,688 a------- c:\windows\system32\hkcmd.exe
2009-10-25 14:11 77,312 a------- c:\windows\MBR.exe
2009-10-21 05:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-21 05:38 75,776 -------- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38 25,088 -------- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20 265,728 -------- c:\windows\system32\dllcache\http.sys
2004-06-25 17:34 262,144 a------- c:\documents and settings\all users\NTUSER.DAT
2008-09-11 16:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

==== Installed Programs ======================

a new upload file for BargainTix Uploader
Access IBM
Access IBM Cleanup Utility
Access IBM Tools
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.7 Professional
Adobe Flash Player 10 Plugin
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 7.21
Azureus
Bonjour
Compatibility Pack for the 2007 Office system
Creative Mass Storage Drivers
Critical Update for Windows Media Player 11 (KB959772)
Crystal Reports
Crystal Reports 2008 Runtime SP1
dBpowerAMP FLAC Codec
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
ESET NOD32 Antivirus
Foxit PDF Editor
Foxit Reader
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB976098-v2)
IBM 32-bit SDK for Java 2, v1.4.1
IBM DLA
IBM Themes
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java™ SE Runtime Environment 6 Update 1
KillProcess 2.42
LogMeIn
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C Runtime
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mouse Suite
Mozilla Firefox (3.5.7)
MSN Messenger 7.5
POSNET
POSNet 2.0
ProMash
QuickTime
Real Alternative 1.9.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Simplify Media
SoundMAX
System TuneUp
ThinkCentre Wallpaper
TicketTrader
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.4a
Viewpoint Media Player
VNC Enterprise Edition E4.4.2
VNC Mirror Driver 1.8.0
Vuze
Vuze Toolbar
WebEx
WebFldrs XP
Winamp
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
XPS Essentials Pack
XPS Essentials Pack 1.0
Your Uninstaller! 2008 Version 6.0
Zen Touch Media Explorer (for PlaysForSure devices)

============= FINISH: 12:07:07.56 ===============


#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:12 PM

Posted 14 January 2010 - 09:15 PM

Very well done.

Now let's get a look at a few things...

==========

Open up Explorer in Hiren's and go to...
C:\Program Files\Malwarebytes' Anti-Malware
Post the most recent log.

==========

Do this.....

Open Notepad.
Copy contents in the code box into Notepad:

CODE
@ECHO OFF
REM Pass 1: remove the three suspect files named in the DDS log, recording the result in log1.txt
IF EXIST log1.txt DEL log1.txt
ECHO Deleting files>>log1.txt
FOR %%g in (
"c:\windows\system32\kbdsock.dll"
"c:\windows\system32\Iasv32.dll"
"c:\windows\system32\drivers\xyzzrked.sys") DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log1.txt
) ELSE (
ECHO %%g deleted>>log1.txt)
) ELSE (
ECHO %%g not found>>log1.txt))
START NOTEPAD.EXE log1.txt
REM Pass 2: remove the Ask toolbar folder, recording the result in log2.txt
IF EXIST log2.txt DEL log2.txt
ECHO Deleting folders>>log2.txt
FOR %%I in (
"c:\program files\askbardis") DO (
IF EXIST %%I (
rmdir /S /Q %%I
IF EXIST %%I (
ECHO %%I not deleted>>log2.txt
) ELSE (
ECHO %%I deleted>>log2.txt)
) ELSE (
ECHO %%I not found>>log2.txt))
START NOTEPAD.EXE log2.txt
REM Pass 3: unregister the two service entries that pointed at those files
sc delete Ias >log3.txt
notepad log3.txt
sc delete xyzzrked >log4.txt
notepad log4.txt
EXIT


Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.

Double-click del.bat.
Post the contents of log files 1-4, which will open, in your next reply.

==========

Re-run DDS and post a log

==========

We need to take a look at the minidump files, which should help us diagnose the crashing.

STEP ONE

In Hiren's boot environment......

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files (recommended) option.
Click Yes to confirm.


STEP TWO
  1. Go to start and right-click My Computer then Properties
  2. Click the Advanced tab. Under Startup and Recovery section click Settings > (the option Automatically restart should be unchecked and the other two options should be checked).
  3. Under the Write debugging information section there is the Small dump directory: the path to the mini dump folder is given.
After the computer crashes, the PC will, on restarting, create a dump file (Minixxxxx.dmp, where each x represents a digit). After a crash you should go to that folder and find the minidump file inside it to upload it.

Note: %systemroot% usually means Windows so %systemroot%\Minidump is C:\Windows\Minidump


If you have trouble locating the minidump files...
  1. Use the Windows Search advanced options:
  2. Go to Start then Search. Click All files and folders.
  3. Click More advanced options.
  4. Put a check mark in the box next to search system folders, search hidden files and folders and search sub-folders.
  5. Make sure the Case Sensitive box is not checked.
  6. Type mini*.dmp in the upper box and click on search.
STEP THREE

Now zip the file and attach it to your reply. To attach the file:
  • Click ADDREPLY, under the reply window press Browse... and find the path to the zip file on your computer:
  • Highlight the zip file and click Open then press the green UPLOAD button.
Note: The old mini dump files might have already been removed and you may have to wait for the next crash for a file to be produced.

If need be, go ahead and try to boot normal Windows, then boot back into Hiren's and post the minidump log for my review.

==========

With your next post please provide:

* MBAM log
* Log1-4
* DDS log
* Minidump log

Kind regards,
~t



Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
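The procedure in this post (pick the AppInit DLL, the svchost-hosted service DLL and the fresh zero-byte driver out of the DDS log, then delete the files and unregister their service entries) as an added example, not part of the original thread and not DDS, Malwarebytes or Hiren's code. It parses a constructed sample made of lines copied from the DDS log posted above and emits the same file and service list that del.bat targets. The section banners, the ';' layout of service lines and the '[x]' marker are taken from that log; the selection rules are this example's own heuristics, not anything DDS itself reports, and the askbardis folder removal is not derived by them.

```python
"""Pull the persistence points a malware-response helper checks first out of
a DDS-style log and turn them into a cleanup list. Added example for this
thread, not DDS code; the selection rules are heuristics and yield candidates
for a human to confirm, not verdicts.
"""
import re
from typing import Dict, List

# Constructed sample: a handful of lines taken from the DDS log in this thread.
SAMPLE_LOG = r"""
AppInit_DLLs: c:\windows\system32\kbdsock.dll
============= SERVICES / DRIVERS ===============
ASKService; c:\program files\askbardis\bar\bin\AskService.exe
drvncdb; [x]
Ias; %SystemRoot%\System32\svchost.exe -k netsvcs; c:\windows\system32\Iasv32.dll
xyzzrked; [x]
=============== Created Last 30 ================
2010-01-07 17:36 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 21:15 0 a------- c:\windows\system32\drivers\xyzzrked.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^(?P<name>[^;]+);\s*(?P<image>.+)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(log: str) -> Dict[str, List[str]]:
    """Return candidate files to delete, services to unregister, and orphaned
    entries (registered, but DDS found no image: '[x]') for manual review."""
    section = ""
    services: Dict[str, str] = {}      # service name -> image line as printed
    zero_byte_drivers: List[str] = []
    files, svc_targets, orphans = set(), set(), set()

    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll and
            # is empty on a clean XP install; the value is space/comma separated.
            for dll in re.split(r"[ ,;]+", m.group(1)):
                if dll:
                    files.add(dll.lower())
            continue
        if section.startswith("services"):
            m = SERVICE_RE.match(line)
            if m:
                services[m.group("name").strip()] = m.group("image").strip()
        elif section.startswith("created"):
            m = CREATED_RE.match(line)
            if m and m.group("size") == "0" and m.group("path").lower().endswith(".sys"):
                # A zero-byte .sys cannot be a working driver: remove it with its entry.
                zero_byte_drivers.append(m.group("path").lower())

    for name, image in services.items():
        if image == "[x]":
            orphans.add(name)
        elif "svchost.exe" in image.lower() and ";" in image:
            # svchost-hosted service: DDS prints the ServiceDll after a ';'.
            # Heuristic of this example: a DLL not named <service>.dll is flagged.
            dll = image.rsplit(";", 1)[-1].strip()
            if _basename(dll).lower() != name.lower() + ".dll":
                files.add(dll.lower())
                svc_targets.add(name)

    for path in zero_byte_drivers:
        files.add(path)
        stem = _basename(path)[:-len(".sys")]
        svc_targets.update(n for n in services if n.lower() == stem)

    return {"files": sorted(files), "services": sorted(svc_targets),
            "orphans": sorted(orphans)}


def cleanup_commands(findings: Dict[str, List[str]]) -> List[str]:
    """Render the findings as the cmd.exe lines the del.bat above uses."""
    cmds: List[str] = []
    for path in findings["files"]:
        cmds.append(f'ATTRIB -r -s -h "{path}"')
        cmds.append(f'DEL "{path}"')
    for name in findings["services"]:
        cmds.append(f"sc delete {name}")
    return cmds
```

Run `cleanup_commands(triage(open("dds.txt").read()))` against a full DDS log to get the same three file deletions and two `sc delete` lines that del.bat hard-codes. One caveat the thread itself runs into: sc.exe talks to the service control manager of the Windows that is currently running, so the `sc delete` lines only take effect when run from the installed Windows, not from inside the Hiren's boot environment.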

#14 blzbuh

blzbuh
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 15 January 2010 - 03:30 PM

OK, thanks,

My Malwarebytes folder doesn't show any log files, nor is there a subfolder in there for logs. Here was my last HijackThis log, though:

Scan saved at 10:51:51 AM, on 2010-01-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\TrendMicro\HiJackThis\HijackThis.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\AIM6\aolsoftware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.800buytickets.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\TrendMicro\HiJackThis\HijackThis.exe /startupscan
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_2/controls/ybrequest.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143164918645
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://openfieldsupport.webex.com/client/l...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TKT.local
O17 - HKLM\Software\..\Telephony: DomainName = TKT.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB73A67-6A88-46AD-B288-CB8ED82415D5}: NameServer = 192.168.1.99,206.13.28.12,206.13.29.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TKT.local
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

I ran the del.bat, but it seems to hang up at the third log, and the command box states:

'sc' is not recognized as an internal or external command, operable program or batch file

Here are the first two logs,
1:
Deleting files
"c:\windows\system32\kbdsock.dll" not found
"c:\windows\system32\Iasv32.dll" not found
"c:\windows\system32\drivers\xyzzrked.sys" not found
2:
Deleting folders
"c:\program files\askbardis" not found


I had run this with the same hangup on the third log before, but I restarted to get the minidump and seem to have lost those initial logs. I still could not get a minidump after letting the computer crash.
I can locate the folder, but it is empty.

Here is my dds:

DDS_BootCD_Version (Ver_09-10-04.01) - NTFSx86
Run at 10:13:58.28 on Fri 01/15/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_01

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
S-1-5-21-3658351237-2758076289-622737274-500_Run: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
S-1-5-21-3658351237-2758076289-622737274-500_Run: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
S-1-5-21-746137067-1972579041-1801674531-1119_Run: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
S-1-5-21-746137067-1972579041-1801674531-1119_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-746137067-1972579041-1801674531-1119_Run: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
S-1-5-21-746137067-1972579041-1801674531-1119_Run: [HijackThis startup scan] c:\program files\trendmicro\hijackthis\HijackThis.exe /startupscan
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: EnableLUA = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director6/cabs/SW.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143164918645
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38163.7808101852
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://openfieldsupport.webex.com/client/latest/support/ieatgpc.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.startup.homepage - hxxps://www.stubhub.com/?gSec=login&goto=%2F%3FgSec%3Dbulkupload%26&cb=1141
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\workstation\application data\mozilla\firefox\profiles\n6c1jjlx.default\extensions\technicianconsole@logmeinrescue.com\platform\winnt\plugins\npRescue.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

ASKService; c:\program files\askbardis\bar\bin\AskService.exe
ASKUpgrade; c:\program files\askbardis\bar\bin\ASKUpgrade.exe
drvncdb; [x]
ekrn; "c:\program files\eset\eset nod32 antivirus\ekrn.exe"
epfwtdir; system32\DRIVERS\epfwtdir.sys
H8SRTd.sys; \systemroot\system32\drivers\H8SRTd.sys
Ias; %SystemRoot%\System32\svchost.exe -k netsvcs; c:\windows\system32\Iasv32.dll
LMIInfo; \??\c:\program files\logmein\x86\RaInfo.sys
LMIRfsClientNP; [x]
LMIRfsDriver; \??\c:\windows\system32\drivers\LMIRfsDriver.sys
MBAMSwissArmy; \??\c:\windows\system32\drivers\mbamswissarmy.sys
Outlook; [x]
pelmouse; System32\DRIVERS\pelmouse.sys
pelusblf; System32\DRIVERS\pelusblf.sys
rootrepeal; \??\c:\windows\system32\drivers\rootrepeal.sys
SASDIFSV; \??\c:\program files\superantispyware\SASDIFSV.SYS
SASENUM; \??\c:\program files\superantispyware\SASENUM.SYS
SASKUTIL; \??\c:\program files\superantispyware\SASKUTIL.sys
TfKbMon; System32\Drivers\TfKbMon.sys
Viewpoint Manager Service; "c:\program files\viewpoint\common\ViewpointService.exe"
xyzzrked; [x]
{CBB73A67-6A88-46AD-B288-CB8ED82415D5}; [x]

=============== Created Last 30 ================

2010-01-07 17:36 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 17:36 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-01-07 17:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 17:19 <DIR> --d----- c:\program files\TrendMicro
2009-12-16 20:26 <DIR> --d----- c:\program files\Business Objects

==================== Find3M ====================

2009-11-03 04:42 195,456 -------- c:\windows\system32\MpSigStub.exe
2009-10-28 14:36 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54 634,632 a------- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-10-26 18:34 114,688 a------- c:\windows\system32\hkcmd.exe
2009-10-25 14:11 77,312 a------- c:\windows\MBR.exe
2009-10-21 05:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-21 05:38 75,776 -------- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38 25,088 -------- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20 265,728 -------- c:\windows\system32\dllcache\http.sys
2004-06-25 17:34 262,144 a------- c:\documents and settings\all users\NTUSER.DAT
2008-09-11 16:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

==== Installed Programs ======================

a new upload file for BargainTix Uploader
Access IBM
Access IBM Cleanup Utility
Access IBM Tools
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.0.7 Professional
Adobe Flash Player 10 Plugin
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 7.21
Azureus
Bonjour
Compatibility Pack for the 2007 Office system
Creative Mass Storage Drivers
Critical Update for Windows Media Player 11 (KB959772)
Crystal Reports
Crystal Reports 2008 Runtime SP1
dBpowerAMP FLAC Codec
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
ESET NOD32 Antivirus
Foxit PDF Editor
Foxit Reader
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB976098-v2)
IBM 32-bit SDK for Java 2, v1.4.1
IBM DLA
IBM Themes
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java™ SE Runtime Environment 6 Update 1
KillProcess 2.42
LogMeIn
Macromedia Flash Player 8
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C Runtime
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mouse Suite
Mozilla Firefox (3.5.7)
MSN Messenger 7.5
POSNET
POSNet 2.0
ProMash
QuickTime
Real Alternative 1.9.0
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Simplify Media
SoundMAX
System TuneUp
ThinkCentre Wallpaper
TicketTrader
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.4a
Viewpoint Media Player
VNC Enterprise Edition E4.4.2
VNC Mirror Driver 1.8.0
Vuze
Vuze Toolbar
WebEx
WebFldrs XP
Winamp
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
XPS Essentials Pack
XPS Essentials Pack 1.0
Your Uninstaller! 2008 Version 6.0
Zen Touch Media Explorer (for PlaysForSure devices)

============= FINISH: 10:15:03.95 ===============



#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:12 PM

Posted 15 January 2010 - 05:19 PM

Hi,

Please boot HBCD
  • Start
  • Run
  • Type cmd in the run box and press Ok
  • Copy and paste the green bolded line into the command prompt window, then type Exit
copy X:\i386\System32\drivers\atapi.sys C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys

Reboot and see if Windows will load.

Thanks,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



