
web browser being hijacked - included logs from "Preparation Guide" thread


  • This topic is locked
12 replies to this topic

#1 BHetrick

Posted 23 February 2010 - 12:35 AM

I'm running XP Home / sp3. I use AVG free and I do have my Windows auto updates running, so everything is current.

At first I was getting "searchclick8" redirects when using Google in Internet Explorer 8. I've downloaded and run Malwarebytes and Combofix (yes, I know I wasn't supposed to run Combofix without being told, but it worked super quite a while back for a different problem) and it said it detected a rootkit. The first time both programs detected problems and it seemed to remove them.

Now I'm still getting Google redirects, but I'm not seeing any "searchclick8" results. Malwarebytes doesn't detect anything. I can copy and paste a link, but just clicking it redirects me. At random times, when IE is open, a new, separate IE window will open on its own. Each time it attempts to load a random site. But I quickly close that window.

I ran Defogger, DDS, and GMER. Defogger and DDS ran fine, but GMER was a huge pain. I had to run it 4 times and it took ALL day. Twice resulted in the pc rebooting while GMER was running. Another time, it ran and finished, but the pc locked up and I couldn't save a log. The last time I watched with Task Manager. GMER was taxing my cpu at 100% (I'm running a dual core amd and 2 gigs of ram). The last time, again, I couldn't save a log. But this time I did take a high res picture of the results.

I have a hi res picture showing GMER when it finished scanning. The picture is 7.71 MB, so I'm not sure how you would like me to show it. It's too big to attach. I have a Photobucket account, but it's limited to 1 MB pictures. I don't know if that would scale it down too much to be legible.



DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86
Run by Hetrick at 10:10:28.14 on Mon 02/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1352 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Hetrick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yourerie.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mExplorerRun: [comctl32] wscript.exe c:\windows\system32\comctl32.js
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\satara~1.lnk - c:\windows\installer\{f98bf160-2b31-4613-ba35-66958f51b97c}\_95273811175B2CA0FC7A47.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238708022921
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-2 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-2 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-2 360584]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-12-14 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-14 285392]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2009-12-30 3584]
R2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\silicon image\3132-w-i32-r sataraid5\SATARaid5ConfigService.exe [2005-10-5 131072]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2010-1-9 14976]
R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [2009-4-5 2048]
S0 wzxsnd;wzxsnd; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\hetrick\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\hetrick\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\hetrick\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\hetrick\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\hetrick\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\hetrick\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]

=============== Created Last 30 ================

2010-02-22 15:07:45 0 ----a-w- c:\documents and settings\hetrick\defogger_reenable
2010-02-21 20:00:22 0 d-----w- c:\docume~1\hetrick\applic~1\AVG9
2010-02-20 19:11:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-19 19:36:31 0 d-----r- C:\Sandbox
2010-02-17 07:26:07 0 d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop
2010-02-17 07:24:02 0 d-----w- c:\program files\PCPitstop
2010-02-14 03:39:40 1395 ----a-w- c:\docume~1\hetrick\applic~1\SAS7_000.DAT
2010-02-14 02:38:00 0 d-----w- c:\windows\speech
2010-02-11 05:29:04 0 d-----w- c:\docume~1\hetrick\applic~1\TaxCut
2010-02-11 05:28:18 0 d-----w- c:\program files\PDF995
2010-02-11 05:28:18 0 d-----w- c:\program files\HRBlock2009
2010-02-11 05:27:47 0 d-----w- c:\docume~1\alluse~1\applic~1\TaxCut
2010-02-09 18:36:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-09 18:19:27 77312 ----a-w- c:\windows\MBR.exe
2010-02-06 21:37:22 36864 ----a-w- c:\windows\system32\SDDEVMGR.dll
2010-02-03 16:51:40 40496 ----a-w- c:\windows\system\javapc.dll
2010-02-03 16:51:39 87 ----a-w- c:\windows\system\javaset.dll
2010-02-03 16:51:39 73728 ----a-w- c:\windows\system\java.exe
2010-02-03 16:51:39 40960 ----a-w- c:\windows\system\javask.dll
2010-02-03 16:51:39 1294336 ----a-w- c:\windows\system\javats.dll
2010-02-03 16:50:10 9216 ----a-w- c:\windows\base64.exe
2010-02-01 00:42:08 114 ----a-w- c:\windows\system32\comctl32.js
2010-02-01 00:41:43 6623 ----a-w- c:\windows\system32\tlaujpgvshj.hta
2010-01-29 23:18:53 0 d-----w- c:\program files\FAT Sorter
2010-01-28 15:15:07 0 d-----w- c:\windows\Downloaded Installations
2010-01-28 15:04:55 1884160 ----a-w- c:\documents and settings\hetrick\file.xexp
2010-01-28 14:42:11 23117824 ----a-w- c:\documents and settings\hetrick\default.xex
2010-01-28 14:37:39 128593 ----a-w- c:\documents and settings\hetrick\x360_imports.idc
2010-01-28 14:37:39 0 d-----w- c:\documents and settings\hetrick\XexTool

==================== Find3M ====================

2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-15 01:38:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 03:54:07 261632 ----a-w- c:\windows\PEV.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 10:11:32.40 ===============




And I'd like to add that your help really is appreciated. Searching the web for help, it seems that most results end up sending me here, to Bleeping Computer. Thank you.


Edit. Here are pictures of the GMER scan.


http://i40.photobucket.com/albums/e220/bil...04/7488e3cf.jpg


http://i40.photobucket.com/albums/e220/bil...04/8e303f73.jpg


Edited by BHetrick, 23 February 2010 - 11:13 PM.




#2 BHetrick


Posted 24 February 2010 - 07:20 PM

More info to add. I downloaded and ran PC Pitstop Exterminator. It found Trojan.Win32.RootkitPX. So I paid for a license, and of course after that it tells me it can't remove it. Are there any recommendations besides reformatting?

#3 etavares

  • Malware Response Team

Posted 24 February 2010 - 08:00 PM

Hello, BHetrick.
Good news...that GMER log was very valuable. Thanks for the effort, it shows us what we're dealing with.

Now...the bad news.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 1

Next, please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop as BHetrickCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on BHetrickCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares




If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#4 BHetrick


Posted 24 February 2010 - 10:37 PM

Hi etavares. I've just taken your advice and unplugged the network cable. Since I posted my last update, I've run a full system scan with PC Tools Spyware Doctor w/ Antivirus. Again, I've taken a snapshot of the results and have uploaded a pic to my Photobucket account.

http://i40.photobucket.com/albums/e220/bil...04/cd035244.jpg

In your opinion, do you feel Spyware Doctor is a wise investment, or should I go another route? Spyware Doctor claims to have removed all the infections, but I've yet to try any browsing as the scan just finished moments after I read your reply, and that pc is offline.

After I post this, I will reconnect and download / run combofix as per your instructions.

#5 BHetrick


Posted 24 February 2010 - 11:24 PM

ComboFix 10-02-24.01 - Hetrick 02/24/2010 23:07:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1537 [GMT -5:00]
Running from: c:\documents and settings\Hetrick\Desktop\BHetrickCF.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-25 04:05 . 2010-02-25 04:05 43056 ----a-w- c:\windows\system\javapc.dll
2010-02-25 04:05 . 2010-02-22 15:38 40960 ----a-w- c:\windows\system\javask.dll
2010-02-25 04:05 . 2010-02-22 15:37 73728 ----a-w- c:\windows\system\java.exe
2010-02-25 04:05 . 2005-07-11 21:26 1449984 ----a-w- c:\windows\system\javats.dll
2010-02-25 00:31 . 2010-02-25 00:31 -------- d-----w- c:\documents and settings\Hetrick\Local Settings\Application Data\Threat Expert
2010-02-25 00:24 . 2010-02-25 04:03 -------- d-----w- c:\program files\Spyware Doctor
2010-02-25 00:24 . 2010-02-25 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-23 05:46 . 2010-02-23 05:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-22 05:41 . 2010-02-22 05:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Corporation
2010-02-21 20:00 . 2010-02-21 20:00 -------- d-----w- c:\documents and settings\Hetrick\Application Data\AVG9
2010-02-20 19:11 . 2010-02-20 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-19 19:36 . 2010-02-19 19:36 -------- d-----r- C:\Sandbox
2010-02-17 07:26 . 2010-02-24 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-02-17 07:24 . 2010-02-17 07:24 -------- d-----w- c:\program files\PCPitstop
2010-02-15 04:52 . 2010-02-15 04:52 -------- d-----w- c:\documents and settings\Hetrick\Local Settings\Application Data\Scansoft
2010-02-14 02:42 . 2010-02-14 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-02-14 02:41 . 2010-02-25 04:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-14 02:38 . 2010-02-20 19:10 -------- d-----w- c:\windows\speech
2010-02-11 06:36 . 2010-02-11 06:36 3262128 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockPA.exe
2010-02-11 05:29 . 2010-02-11 05:30 16832384 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026001xupd.exe
2010-02-11 05:29 . 2010-02-11 05:29 -------- d-----w- c:\documents and settings\Hetrick\Application Data\TaxCut
2010-02-11 05:28 . 2010-02-11 05:28 -------- d-----w- c:\program files\HRBlock2009
2010-02-11 05:28 . 2010-02-11 05:28 -------- d-----w- c:\program files\PDF995
2010-02-11 05:27 . 2010-02-11 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-09 19:04 . 2010-02-09 19:46 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-09 18:58 . 2010-02-09 18:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2010-02-09 18:36 . 2010-02-09 18:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-09 17:35 . 2010-02-09 17:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-06 21:37 . 2010-02-06 21:37 -------- d-----w- c:\program files\Panasonic
2010-02-06 21:37 . 2006-02-27 16:45 36864 ----a-w- c:\windows\system32\SDDEVMGR.dll
2010-02-03 16:50 . 2010-02-25 04:04 9216 ----a-w- c:\windows\base64.exe
2010-01-29 23:21 . 2010-01-29 23:21 -------- d-----w- c:\documents and settings\Hetrick\Local Settings\Application Data\HolosTek,_Inc
2010-01-29 23:18 . 2010-02-02 18:52 -------- d-----w- c:\program files\FAT Sorter
2010-01-28 15:15 . 2010-01-28 15:15 -------- d-----w- c:\windows\Downloaded Installations
2010-01-28 14:37 . 2010-01-28 14:41 -------- d-----w- c:\documents and settings\Hetrick\XexTool

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 20:55 . 2009-04-03 03:18 -------- d-----w- c:\documents and settings\Hetrick\Application Data\GrabIt
2010-02-23 20:25 . 2009-04-04 21:20 1732608 ----a-w- c:\documents and settings\Hetrick\Application Data\Xbins\xbinsftp.exe
2010-02-20 23:57 . 2009-06-04 00:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 19:11 . 2009-06-03 21:51 -------- d-----w- c:\documents and settings\Hetrick\Application Data\SUPERAntiSpyware.com
2010-02-19 15:56 . 2010-02-14 03:39 1395 ----a-w- c:\documents and settings\Hetrick\Application Data\SAS7_000.DAT
2010-02-16 01:33 . 2009-04-05 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-02-13 22:23 . 2009-11-22 04:42 2592 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-11 06:01 . 2009-04-02 21:51 28584 ----a-w- c:\documents and settings\Hetrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-06 21:37 . 2009-04-02 22:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-01 16:06 . 2009-10-27 19:58 -------- d-----w- c:\documents and settings\Hetrick\Application Data\vlc
2010-01-22 18:52 . 2009-11-11 16:58 -------- d-----w- c:\documents and settings\Hetrick\Application Data\abgx360
2010-01-14 15:37 . 2010-01-14 15:37 -------- d-----w- c:\documents and settings\Hetrick\Application Data\EPSON
2010-01-14 15:35 . 2009-05-09 04:17 -------- d-----w- c:\program files\EPSON
2010-01-14 15:33 . 2009-04-02 21:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-10 18:11 . 2010-01-10 03:59 -------- d-----w- c:\documents and settings\Hetrick\Application Data\Western Digital
2010-01-10 03:59 . 2010-01-10 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-01-07 21:07 . 2009-06-04 00:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-06-04 00:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 22:51 . 2010-01-04 22:49 -------- d-----w- c:\program files\Common Files\Nero
2010-01-04 22:50 . 2010-01-04 22:49 -------- d-----w- c:\program files\Nero
2010-01-04 22:49 . 2010-01-04 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-31 16:50 . 2002-08-29 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 16:29 . 2009-12-30 16:29 -------- d-----w- c:\program files\DLPortIO
2009-12-21 19:14 . 2006-06-23 16:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-04-02 20:32 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-15 01:38 . 2009-04-02 22:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-15 01:38 . 2009-04-02 22:54 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-15 01:38 . 2009-04-02 22:54 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-15 01:38 . 2009-04-02 22:54 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-14 07:08 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2002-08-29 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-08-29 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-08-30 04:02 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-08-29 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-08-29 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2002-08-29 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-29 52392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"comctl32"="wscript.exe" [2008-05-08 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SATARaid5Manager.lnk - c:\windows\Installer\{F98BF160-2B31-4613-BA35-66958F51B97C}\_95273811175B2CA0FC7A47.exe [2009-9-30 1206]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-15 01:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\myiHome\\app\\myiHome-server.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4625:UDP"= 4625:UDP:Windows Media Format SDK (iexplore.exe)
"4624:UDP"= 4624:UDP:Windows Media Format SDK (iexplore.exe)
"4630:UDP"= 4630:UDP:Windows Media Format SDK (iexplore.exe)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/2/2009 5:54 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/2/2009 5:54 PM 360584]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/14/2009 8:38 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/14/2009 8:38 PM 285392]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [12/30/2009 11:29 AM 3584]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [1/9/2010 11:25 PM 14976]
R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [4/5/2009 10:07 PM 2048]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S0 wzxsnd;wzxsnd; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Hetrick\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Hetrick\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Hetrick\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Hetrick\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe [10/5/2005 5:19 PM 131072]
S3 SASENUM;SASENUM;\??\c:\docume~1\Hetrick\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\Hetrick\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2/13/2009 2:02 PM 11520]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yourerie.com/
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 23:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6D0A9A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
malicious code @ sector 0x1d1c4581 size 0x1b5 !
PE file found in sector at 0x01D1C4581 !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-24 23:16:44
ComboFix-quarantined-files.txt 2010-02-25 04:16
ComboFix2.txt 2010-02-20 22:00
ComboFix3.txt 2010-02-20 18:20
ComboFix4.txt 2010-02-16 20:28
ComboFix5.txt 2010-02-22 05:51

Pre-Run: 38,839,947,264 bytes free
Post-Run: 38,817,755,136 bytes free

- - End Of File - - 853B45AE6FFBDE38564C9A09FA2055EE
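
Added example (not part of the original post, ComboFix, or the Gmer tools): a Python script that triages the "Stealth MBR rootkit" detector section of a log like the one above. It extracts the lines the detector itself marks as abnormal and groups disk findings by sector. The function names and rule list are assumptions for illustration; the sample lines are excerpted from the log above.

```python
import re
from typing import NamedTuple

# Sample input: lines excerpted from the MBR detector section of the log above.
SAMPLE_LOG = r"""
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6D0A9A]<<
kernel: MBR read successfully
\Driver\atapi -> atapi.sys @ 0xba737852
user & kernel MBR OK
malicious code @ sector 0x1d1c4581 size 0x1b5 !
PE file found in sector at 0x01D1C4581 !
"""

class Finding(NamedTuple):
    kind: str    # which detector line matched
    sector: int  # disk sector, or -1 when the line carries a memory address
    value: int   # address (unknown module) or size in bytes (malicious code)

HEX = r"(0x[0-9A-Fa-f]+)"
RULES = [  # hypothetical rule names, keyed to the detector's own wording
    ("unknown_module", re.compile(r">>UNKNOWN \[" + HEX + r"\]<<")),
    ("malicious_code", re.compile(r"malicious code @ sector " + HEX + r" size " + HEX)),
    ("pe_in_sector", re.compile(r"PE file found in sector at " + HEX)),
]

def triage(log_text: str) -> list[Finding]:
    """Return one Finding per abnormal detector line, in log order."""
    findings = []
    for line in log_text.splitlines():
        for kind, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            nums = [int(g, 16) for g in m.groups()]
            if kind == "unknown_module":
                findings.append(Finding(kind, -1, nums[0]))
            elif kind == "malicious_code":
                findings.append(Finding(kind, nums[0], nums[1]))
            else:
                findings.append(Finding(kind, nums[0], 0))
    return findings

def summarize(findings):
    """Group disk findings by sector so differently formatted hex values line up."""
    by_sector = {}
    for f in findings:
        if f.sector >= 0:
            by_sector.setdefault(f.sector, []).append(f.kind)
    return by_sector
```

Note that the sample still contains "user & kernel MBR OK", so a check that looks only for that line would report this log as clean.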


#6 etavares

  • Malware Response Team

Posted 25 February 2010 - 07:56 PM

Hello, BHetrick.

I forgot to warn you: please do not run any other scans, programs or make any other changes to your computer while we work together. No worries, it was my fault. But, please don't do any extra scans or fixes in the future until I give the all clean at the end, or we'll be working against each other with possible bad consequences to your machine. In any case, you still show signs of infection anyway so we need a different tool to take a look and identify the infection.

In this case, I think one of the rootkits was taken care of by Spyware Doctor, but we'll need to verify since I can't see what file was detected in the picture. What I'm looking for can be seen by RootRepeal too, so we'll run that...should be quicker and save you a bluescreen instead of GMER. Do you still have the log from it you can post? If you do...please post in your reply. It looks like it may have removed several, but you likely still have one other serious infection. It's up to you if it's worth the money. I generally find freeware works just as well for home/personal use.



Step 1

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.



Step 2

We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive.
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



Step 3

We need to run Profiles by noahdfear.
  1. Download Profiles and save it to your desktop.
  2. Double-click profiles.exe and post the resulting log into your reply.



Step 4

In your reply, please post:
  • OTL reports from Step 1
  • Root Repeal log from step 2
  • Profiles log from step 3
  • Spyware Doctor log if you can dig it up...the one yesterday where it removed a bunch of stuff.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 BHetrick


Posted 27 February 2010 - 10:42 PM

Actually, I took your advice and did a reformat/reinstall. I do appreciate the time you took to look over my problem. In the end I felt this was my best and safest option.



#8 etavares


Posted 28 February 2010 - 07:54 AM

OK, the TDSS rootkit is fairly common and not a fun infection. Here's some reading material to help you with the reformat.

Here's a good article on how to reformat:
When Should I Format, How Should I Reinstall

Also, to protect yourself against malware and reduce your chance of reinfection in the future, I strongly recommend having a look at the following links (giving some advice and tips):




#9 BHetrick


Posted 01 March 2010 - 02:21 PM

Thanks. That was some good reading.

In the beginning, before I got infected, I was using AVG free, Windows Defender, and just the Windows firewall. When I noticed I was infected was about the same time I started playing with Sandboxie. Do you feel sandbox software works with today's threats?

In the "prevention" link you provided, from there I followed the "recommended" link, and I see Win firewall isn't there. Would you recommend any firewalls from that list which are user-friendly?



#10 etavares


Posted 01 March 2010 - 07:05 PM

Unfortunately, I'm not too familiar with Sandbox. I will say that VMs such as these can be helpful, but you can still get infected on the host computer.

The Win XP firewall only stops inbound threats...so it helps if someone's just pinging your IP to find a hole. However, if you get a virus on your computer, it does not have the outbound protection to stop your information from leaving the computer, or calling home to get instructions for a botnet.

Now, the XP firewall is better than nothing....trust me on that one. There's not truly user-friendly outbound protection...you will get pop ups saying "xyz.exe is trying to access the internet". You'll have to decide what you want to do each time. As long as you think about it (e.g. "I just updated Adobe Reader so I know it's OK") then I suggest Zone Alarm or COMODO. I've used ZoneAlarm with success, although others prefer COMODO. Both are free. If you get into the habit of just clicking "OK", that doesn't help you any more than the Windows firewall. Hope that helps.




#11 BHetrick


Posted 01 March 2010 - 08:25 PM

Actually yes, that does help. I didn't know about outbound protection.

Well, more like it just didn't cross my mind. I have tried a couple different av suites in the past where I have received that "so-n-so is trying to access the internet", in fact right now I'm using the 30 day free trial of AVG Internet Security and I get that message. I guess it just didn't cross my mind before now when using Windows firewall.

#12 etavares


Posted 02 March 2010 - 10:20 PM

Good....let me know if you have any more questions. I'll leave this thread open for a few more days.




#13 etavares


Posted 06 March 2010 - 07:48 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.





