backdoor.tidserv!inf - unable to remove


  • This topic is locked
10 replies to this topic

#1 norm1066


  • Members
  • 5 posts

Posted 10 April 2010 - 09:02 PM

I have been fighting this malware for a week now. It was originally discovered by Norton. Norton indicated it requires manual removal. I have attached the DSS log. I cannot run the GMER log. It starts, but I end up with a blue screen that indicates the file kgldyaob.sys is the problem file with error PAGE_FAULT_IN_NONPAGED_AREA. I have tried to run GMER four times with the same result. Thanks in advance for your help. Here is the DSS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:10:33.96 on Sat 04/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.1770 [GMT -5:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
C:\Program Files\Learning Like Crazy\SAM\updateam.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe "C:\WINDOWS\system32\1054a.exe"
C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Borland\Interbase\Bin\IBServer.exe
C:\Program Files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Security Suite\Engine\4.0.0.127\uiStub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {259F616C-A300-44F5-B04A-ED001A26C85C} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.0.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.0.0.127\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.0.0.127\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [XdriveTrayIcon] "c:\program files\xdrive\xdrive desktop\XdriveTray.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [PPort11reminder] "c:\program files\nuance\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
dRun: [XdriveTray] "c:\program files\xdrive\xdrive desktop\xdrive.exe" /trayicon
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hplase~1.lnk - c:\program files\hewlett-packard\laserjet 33xx\hppdirector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Save to &Xdrive - c:\program files\xdrive\xdrive desktop\xdrive.exe/std.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~4\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0400000.07f\SymDS.sys [2010-4-6 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0400000.07f\SymEFA.sys [2010-4-6 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0400000.07f\cchpx86.sys [2010-4-6 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0400000.07f\Ironx86.sys [2010-4-6 116272]
R2 Learning Like Crazy: Spanish Accent Maestro update permissions manager. 12.;Learning Like Crazy: Spanish Accent Maestro update permissions manager. 12.;c:\program files\learning like crazy\sam\updateam.exe -permissionmanagerrun --> c:\program files\learning like crazy\sam\updateam.exe -PermissionManagerRun [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.0.0.127\ccSvcHst.exe [2010-4-6 126392]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2007-10-24 100728]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-7 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100402.001\IDSXpx86.sys [2010-4-6 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100410.004\NAVENG.SYS [2010-4-10 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100410.004\NAVEX15.SYS [2010-4-10 1324720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S2 UPShkmsvc;Uninterruptible Power Supply UPShkmsvc;c:\windows\system32\1054a.exe srv --> c:\windows\system32\1054a.exe srv [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-30 30192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2004-5-14 32896]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]

=============== Created Last 30 ================

2010-04-10 21:07:30 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-10 18:05:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 18:05:10 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-10 00:59:50 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-04-10 00:59:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 00:59:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-10 00:59:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 00:59:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 03:55:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-07 03:55:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-07 03:55:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-07 03:55:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-07 03:54:52 0 d-----w- c:\windows\system32\drivers\N360
2010-04-07 03:54:49 0 d-----w- c:\program files\Norton Security Suite
2010-04-07 03:54:41 0 d-----w- c:\program files\NortonInstaller
2010-04-07 03:38:02 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-04-07 03:34:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-04-05 17:50:12 0 d-----w- C:\TechTools
2010-04-02 23:35:34 32 --s-a-w- c:\windows\system32\1747730645.dat
2010-03-24 00:25:11 7982 ----a-w- c:\windows\ComcastSecurity.ico
2010-03-24 00:25:11 15086 ----a-w- c:\windows\ComcastEmail.ico
2010-03-24 00:24:43 0 d-----w- c:\program files\Comcast
2010-03-23 23:52:54 1100 ----a-w- C:\net_save.dna
2010-03-23 23:52:38 0 d-----w- c:\program files\support.com
2010-03-23 23:52:19 0 d-----w- c:\program files\common files\SupportSoft

==================== Find3M ====================

2010-04-10 19:36:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-10 19:36:27 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-03-08 03:02:59 721912 ----a-w- c:\documents and settings\administrator\gotomypc_428.exe
2010-02-25 16:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2009-06-10 02:52:12 7108 --sh--r- c:\program files\uninstall.log
2007-07-24 02:34:44 471 ----a-w- c:\program files\INSTALL.LOG
2010-01-02 01:16:26 88 --sh--r- c:\windows\system32\1FD66CCBE7.sys
2010-01-02 01:16:30 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-06 14:42:09 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-08-17 16:46:07 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 16:12:07.85 ===============


#2 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 April 2010 - 10:14 PM

Hi, norm1066

Welcome.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 norm1066

  • Topic Starter

  • Members
  • 5 posts

Posted 10 April 2010 - 10:56 PM

First, thanks for the quick response. Here is the log you requested:

22:50:24:296 5428 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
22:50:24:296 5428 ================================================================================
22:50:24:296 5428 SystemInfo:

22:50:24:296 5428 OS Version: 5.1.2600 ServicePack: 3.0
22:50:24:296 5428 Product type: Workstation
22:50:24:296 5428 ComputerName: JEFFS-HOME
22:50:24:296 5428 UserName: Administrator
22:50:24:296 5428 Windows directory: C:\WINDOWS
22:50:24:296 5428 Processor architecture: Intel x86
22:50:24:296 5428 Number of processors: 2
22:50:24:296 5428 Page size: 0x1000
22:50:24:296 5428 Boot type: Normal boot
22:50:24:296 5428 ================================================================================
22:50:24:312 5428 ForceUnloadDriverW: Old driver(klmd21) unloaded successfully
22:50:24:921 5428 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:50:24:921 5428 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:50:24:921 5428 wfopen_ex: Trying to KLMD file open
22:50:24:921 5428 wfopen_ex: File opened ok (Flags 2)
22:50:24:921 5428 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:50:24:921 5428 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:50:24:921 5428 wfopen_ex: Trying to KLMD file open
22:50:24:921 5428 wfopen_ex: File opened ok (Flags 2)
22:50:24:921 5428 Initialize success
22:50:24:921 5428
22:50:24:921 5428 Scanning Services ...
22:50:25:265 5428 Raw services enum returned 407 services
22:50:25:281 5428
22:50:25:281 5428 Scanning Kernel memory ...
22:50:25:281 5428 Devices to scan: 6
22:50:25:281 5428
22:50:25:281 5428 Driver Name: Disk
22:50:25:281 5428 IRP_MJ_CREATE : BA0EEBB0
22:50:25:281 5428 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:50:25:281 5428 IRP_MJ_CLOSE : BA0EEBB0
22:50:25:281 5428 IRP_MJ_READ : BA0E8D1F
22:50:25:281 5428 IRP_MJ_WRITE : BA0E8D1F
22:50:25:281 5428 IRP_MJ_QUERY_INFORMATION : 804F4562
22:50:25:281 5428 IRP_MJ_SET_INFORMATION : 804F4562
22:50:25:281 5428 IRP_MJ_QUERY_EA : 804F4562
22:50:25:281 5428 IRP_MJ_SET_EA : 804F4562
22:50:25:281 5428 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
22:50:25:281 5428 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:50:25:281 5428 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:50:25:281 5428 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:50:25:281 5428 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:50:25:281 5428 IRP_MJ_DEVICE_CONTROL : BA0E93BB
22:50:25:281 5428 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
22:50:25:281 5428 IRP_MJ_SHUTDOWN : BA0E92E2
22:50:25:281 5428 IRP_MJ_LOCK_CONTROL : 804F4562
22:50:25:281 5428 IRP_MJ_CLEANUP : 804F4562
22:50:25:281 5428 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:50:25:281 5428 IRP_MJ_QUERY_SECURITY : 804F4562
22:50:25:281 5428 IRP_MJ_SET_SECURITY : 804F4562
22:50:25:281 5428 IRP_MJ_POWER : BA0EAC82
22:50:25:281 5428 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
22:50:25:281 5428 IRP_MJ_DEVICE_CHANGE : 804F4562
22:50:25:281 5428 IRP_MJ_QUERY_QUOTA : 804F4562
22:50:25:281 5428 IRP_MJ_SET_QUOTA : 804F4562
22:50:25:281 5428 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:50:25:281 5428
22:50:25:281 5428 Driver Name: USBSTOR
22:50:25:281 5428 IRP_MJ_CREATE : 9C094218
22:50:25:281 5428 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:50:25:281 5428 IRP_MJ_CLOSE : 9C094218
22:50:25:281 5428 IRP_MJ_READ : 9C09423C
22:50:25:281 5428 IRP_MJ_WRITE : 9C09423C
22:50:25:281 5428 IRP_MJ_QUERY_INFORMATION : 804F4562
22:50:25:281 5428 IRP_MJ_SET_INFORMATION : 804F4562
22:50:25:281 5428 IRP_MJ_QUERY_EA : 804F4562
22:50:25:281 5428 IRP_MJ_SET_EA : 804F4562
22:50:25:281 5428 IRP_MJ_FLUSH_BUFFERS : 804F4562
22:50:25:281 5428 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:50:25:281 5428 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:50:25:281 5428 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:50:25:281 5428 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:50:25:281 5428 IRP_MJ_DEVICE_CONTROL : 9C094180
22:50:25:281 5428 IRP_MJ_INTERNAL_DEVICE_CONTROL : 9C08F9E6
22:50:25:281 5428 IRP_MJ_SHUTDOWN : 804F4562
22:50:25:281 5428 IRP_MJ_LOCK_CONTROL : 804F4562
22:50:25:281 5428 IRP_MJ_CLEANUP : 804F4562
22:50:25:281 5428 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:50:25:281 5428 IRP_MJ_QUERY_SECURITY : 804F4562
22:50:25:281 5428 IRP_MJ_SET_SECURITY : 804F4562
22:50:25:281 5428 IRP_MJ_POWER : 9C0935F0
22:50:25:281 5428 IRP_MJ_SYSTEM_CONTROL : 9C091A6E
22:50:25:281 5428 IRP_MJ_DEVICE_CHANGE : 804F4562
22:50:25:281 5428 IRP_MJ_QUERY_QUOTA : 804F4562
22:50:25:281 5428 IRP_MJ_SET_QUOTA : 804F4562
22:50:25:296 5428 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
22:50:25:296 5428
22:50:25:296 5428 Driver Name: Disk
22:50:25:296 5428 IRP_MJ_CREATE : BA0EEBB0
22:50:25:296 5428 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:50:25:296 5428 IRP_MJ_CLOSE : BA0EEBB0
22:50:25:296 5428 IRP_MJ_READ : BA0E8D1F
22:50:25:296 5428 IRP_MJ_WRITE : BA0E8D1F
22:50:25:296 5428 IRP_MJ_QUERY_INFORMATION : 804F4562
22:50:25:296 5428 IRP_MJ_SET_INFORMATION : 804F4562
22:50:25:296 5428 IRP_MJ_QUERY_EA : 804F4562
22:50:25:296 5428 IRP_MJ_SET_EA : 804F4562
22:50:25:296 5428 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
22:50:25:296 5428 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:50:25:296 5428 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:50:25:296 5428 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:50:25:296 5428 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:50:25:296 5428 IRP_MJ_DEVICE_CONTROL : BA0E93BB
22:50:25:296 5428 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
22:50:25:296 5428 IRP_MJ_SHUTDOWN : BA0E92E2
22:50:25:296 5428 IRP_MJ_LOCK_CONTROL : 804F4562
22:50:25:296 5428 IRP_MJ_CLEANUP : 804F4562
22:50:25:296 5428 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:50:25:296 5428 IRP_MJ_QUERY_SECURITY : 804F4562
22:50:25:296 5428 IRP_MJ_SET_SECURITY : 804F4562
22:50:25:296 5428 IRP_MJ_POWER : BA0EAC82
22:50:25:296 5428 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
22:50:25:296 5428 IRP_MJ_DEVICE_CHANGE : 804F4562
22:50:25:296 5428 IRP_MJ_QUERY_QUOTA : 804F4562
22:50:25:296 5428 IRP_MJ_SET_QUOTA : 804F4562
22:50:25:312 5428 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:50:25:312 5428
22:50:25:312 5428 Driver Name: Disk
22:50:25:312 5428 IRP_MJ_CREATE : BA0EEBB0
22:50:25:312 5428 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:50:25:312 5428 IRP_MJ_CLOSE : BA0EEBB0
22:50:25:312 5428 IRP_MJ_READ : BA0E8D1F
22:50:25:312 5428 IRP_MJ_WRITE : BA0E8D1F
22:50:25:312 5428 IRP_MJ_QUERY_INFORMATION : 804F4562
22:50:25:312 5428 IRP_MJ_SET_INFORMATION : 804F4562
22:50:25:312 5428 IRP_MJ_QUERY_EA : 804F4562
22:50:25:312 5428 IRP_MJ_SET_EA : 804F4562
22:50:25:312 5428 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
22:50:25:312 5428 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:50:25:312 5428 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:50:25:312 5428 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:50:25:312 5428 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:50:25:312 5428 IRP_MJ_DEVICE_CONTROL : BA0E93BB
22:50:25:312 5428 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
22:50:25:312 5428 IRP_MJ_SHUTDOWN : BA0E92E2
22:50:25:312 5428 IRP_MJ_LOCK_CONTROL : 804F4562
22:50:25:312 5428 IRP_MJ_CLEANUP : 804F4562
22:50:25:312 5428 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:50:25:312 5428 IRP_MJ_QUERY_SECURITY : 804F4562
22:50:25:312 5428 IRP_MJ_SET_SECURITY : 804F4562
22:50:25:312 5428 IRP_MJ_POWER : BA0EAC82
22:50:25:312 5428 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
22:50:25:312 5428 IRP_MJ_DEVICE_CHANGE : 804F4562
22:50:25:312 5428 IRP_MJ_QUERY_QUOTA : 804F4562
22:50:25:312 5428 IRP_MJ_SET_QUOTA : 804F4562
22:50:25:312 5428 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:50:25:312 5428
22:50:25:312 5428 Driver Name: Disk
22:50:25:312 5428 IRP_MJ_CREATE : BA0EEBB0
22:50:25:312 5428 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:50:25:312 5428 IRP_MJ_CLOSE : BA0EEBB0
22:50:25:312 5428 IRP_MJ_READ : BA0E8D1F
22:50:25:312 5428 IRP_MJ_WRITE : BA0E8D1F
22:50:25:312 5428 IRP_MJ_QUERY_INFORMATION : 804F4562
22:50:25:312 5428 IRP_MJ_SET_INFORMATION : 804F4562
22:50:25:312 5428 IRP_MJ_QUERY_EA : 804F4562
22:50:25:312 5428 IRP_MJ_SET_EA : 804F4562
22:50:25:312 5428 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
22:50:25:312 5428 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:50:25:312 5428 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:50:25:312 5428 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:50:25:312 5428 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:50:25:312 5428 IRP_MJ_DEVICE_CONTROL : BA0E93BB
22:50:25:312 5428 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
22:50:25:312 5428 IRP_MJ_SHUTDOWN : BA0E92E2
22:50:25:312 5428 IRP_MJ_LOCK_CONTROL : 804F4562
22:50:25:312 5428 IRP_MJ_CLEANUP : 804F4562
22:50:25:312 5428 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:50:25:312 5428 IRP_MJ_QUERY_SECURITY : 804F4562
22:50:25:312 5428 IRP_MJ_SET_SECURITY : 804F4562
22:50:25:312 5428 IRP_MJ_POWER : BA0EAC82
22:50:25:312 5428 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
22:50:25:312 5428 IRP_MJ_DEVICE_CHANGE : 804F4562
22:50:25:312 5428 IRP_MJ_QUERY_QUOTA : 804F4562
22:50:25:312 5428 IRP_MJ_SET_QUOTA : 804F4562
22:50:25:312 5428 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:50:25:312 5428
22:50:25:312 5428 Driver Name: atapi
22:50:25:328 5428 IRP_MJ_CREATE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_CREATE_NAMED_PIPE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_CLOSE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_READ : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_WRITE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_QUERY_INFORMATION : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_SET_INFORMATION : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_QUERY_EA : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_SET_EA : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_FLUSH_BUFFERS : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_QUERY_VOLUME_INFORMATION : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_SET_VOLUME_INFORMATION : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_DIRECTORY_CONTROL : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_FILE_SYSTEM_CONTROL : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_DEVICE_CONTROL : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_SHUTDOWN : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_LOCK_CONTROL : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_CLEANUP : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_CREATE_MAILSLOT : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_QUERY_SECURITY : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_SET_SECURITY : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_POWER : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_SYSTEM_CONTROL : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_DEVICE_CHANGE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_QUERY_QUOTA : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_SET_QUOTA : 8AF1FD6B
22:50:25:328 5428 Driver "atapi" infected by TDSS rootkit!
22:50:25:328 5428 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
22:50:25:328 5428 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
22:50:25:328 5428 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
22:50:25:328 5428 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
22:50:25:406 5428 vfvi6
22:50:25:484 5428 !dsvbh1
22:50:25:718 5428 dsvbh2
22:50:25:718 5428 fdfb2
22:50:25:718 5428 Backup copy found, using it..
22:50:25:843 5428 will be cured on next reboot
22:50:25:843 5428 Reboot required for cure complete..
22:50:25:937 5428 Cure on reboot scheduled successfully
22:50:25:937 5428
22:50:25:937 5428 Completed
22:50:25:937 5428
22:50:25:937 5428 Results:
22:50:25:937 5428 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
22:50:25:937 5428 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:50:25:937 5428 File objects infected / cured / cured on reboot: 1 / 0 / 1
22:50:25:937 5428
22:50:25:937 5428 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:50:25:937 5428 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:50:25:937 5428 UnloadDriverW: NtUnloadDriver error 1
22:50:26:000 5428 KLMD(ARK) unloaded successfully
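
The atapi block in the log above is the pattern worth recognising: every IRP_MJ_* entry of the driver resolves to the same address (8AF1FD6B), whereas the clean Disk driver shows its own distinct routines plus the kernel's shared stub for the major functions it does not implement (804F4562 on this system). The script below is an added example written for this thread; it is not part of TDSSKiller and not code from either poster. It parses log lines in the format shown above and flags any driver whose whole dispatch table collapses to a single address. The sample log is a constructed, trimmed excerpt that reuses the addresses printed in the post.

```python
import re

# Constructed sample: a trimmed excerpt in the format of the TDSSKiller log posted
# above, keeping a few IRP_MJ entries for the clean Disk driver and for the
# infected atapi driver (the addresses are the ones that appear in the post).
SAMPLE_LOG = r"""
22:50:25:281 5428 Driver Name: Disk
22:50:25:281 5428 IRP_MJ_CREATE : BA0EEBB0
22:50:25:281 5428 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:50:25:281 5428 IRP_MJ_CLOSE : BA0EEBB0
22:50:25:281 5428 IRP_MJ_READ : BA0E8D1F
22:50:25:281 5428 IRP_MJ_WRITE : BA0E8D1F
22:50:25:281 5428 IRP_MJ_QUERY_INFORMATION : 804F4562
22:50:25:281 5428 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:50:25:281 5428
22:50:25:312 5428 Driver Name: atapi
22:50:25:328 5428 IRP_MJ_CREATE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_CREATE_NAMED_PIPE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_CLOSE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_READ : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_WRITE : 8AF1FD6B
22:50:25:328 5428 IRP_MJ_QUERY_INFORMATION : 8AF1FD6B
22:50:25:328 5428 Driver "atapi" infected by TDSS rootkit!
22:50:25:328 5428 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""

# Each log line is "<hh:mm:ss:ms> <pid> <message>"; only the message part matters here.
DRIVER_RE = re.compile(r"^\S+ \d+ Driver Name: (\S+)$")
IRP_RE = re.compile(r"^\S+ \d+ (IRP_MJ_\w+) : ([0-9A-Fa-f]+)$")
VERDICT_RE = re.compile(r"^\S+ \d+ (.+?) - Verdict: (\d+)$")


def parse_driver_tables(log_text):
    """Group the dump into per-driver records: name, file, verdict, IRP handler map."""
    drivers = []
    current = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = DRIVER_RE.match(line)
        if m:
            current = {"name": m.group(1), "file": None, "verdict": None, "handlers": {}}
            drivers.append(current)
            continue
        if current is None:
            continue
        m = IRP_RE.match(line)
        if m:
            current["handlers"][m.group(1)] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.match(line)
        if m:
            current["file"], current["verdict"] = m.group(1), int(m.group(2))
            current = None  # the Verdict line closes the driver's block
    return drivers


def distinct_handler_addresses(handlers):
    """Number of different addresses the IRP_MJ entries resolve to."""
    return len(set(handlers.values()))


def is_wholesale_hooked(handlers):
    """Triage rule taken from the dump: a dispatch table in which every major
    function resolves to one address has been redirected as a whole. A clean
    driver shows its own routines plus the kernel's shared stub for the
    functions it does not implement (804F4562 on the poster's system)."""
    return len(handlers) > 1 and distinct_handler_addresses(handlers) == 1


def triage(log_text):
    """Return (driver name, file, distinct address count, flag) per driver.
    The posted log printed 'Verdict: 1' for clean and infected drivers alike,
    so the verdict number is deliberately not used as the signal."""
    report = []
    for d in parse_driver_tables(log_text):
        flag = "suspicious" if is_wholesale_hooked(d["handlers"]) else "ok"
        report.append((d["name"], d["file"], distinct_handler_addresses(d["handlers"]), flag))
    return report


if __name__ == "__main__":
    for name, path, n_addr, flag in triage(SAMPLE_LOG):
        print(f"{flag:10s} {name:8s} {n_addr} distinct handler address(es)  {path}")
```

The rule is a triage signal, not proof: a driver that legitimately routes every major function through one generic dispatch routine would also trip it. The stronger check, which the text log does not record, is whether the handler address lies inside the driver's own loaded image at all; in the infected case above it does not, which is why the tool restores atapi.sys from its backup copy rather than patching the table.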


#4 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:22 AM

Posted 10 April 2010 - 11:42 PM

If the above process did not restart the computer, please manually do so.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Edited by JSntgRvr, 10 April 2010 - 11:44 PM.

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 norm1066
  • Topic Starter
  • Members
  • 5 posts

Posted 11 April 2010 - 12:55 AM

Thanks again for the prompt reply. Here are the logs:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3976

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/11/2010 12:09:49 AM
mbam-log-2010-04-11 (00-09-49).txt

Scan type: Quick scan
Objects scanned: 116961
Time elapsed: 13 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix

ComboFix 10-04-10.02 - Administrator 04/11/2010 0:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2397 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\1054a.exe
c:\windows\system32\1747730645.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\gotomon.log
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UPSHKMSVC
-------\Service_NPF
-------\Service_UPShkmsvc


((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-10 18:05 . 2010-04-10 18:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-10 18:05 . 2010-04-10 18:05 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-10 18:04 . 2010-04-10 18:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-10 00:59 . 2010-04-10 00:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-10 00:59 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 00:59 . 2010-04-10 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-10 00:59 . 2010-04-10 00:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 00:59 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 03:55 . 2010-04-07 03:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-07 03:55 . 2010-04-07 03:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-07 03:54 . 2010-04-07 03:54 -------- d-----w- c:\windows\system32\drivers\N360
2010-04-07 03:54 . 2010-04-07 03:54 -------- d-----w- c:\program files\Norton Security Suite
2010-04-07 03:54 . 2010-04-07 03:54 -------- d-----w- c:\program files\Windows Sidebar
2010-04-07 03:54 . 2010-04-07 03:54 -------- d-----w- c:\program files\NortonInstaller
2010-04-07 03:38 . 2010-04-07 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-07 03:34 . 2010-04-07 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-05 17:50 . 2010-04-05 17:51 -------- d-----w- C:\TechTools
2010-04-05 01:02 . 2010-04-05 01:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\EAST Technologies
2010-04-05 01:02 . 2010-04-05 01:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\SupportSoft
2010-03-24 00:25 . 2010-03-24 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-03-24 00:24 . 2010-03-24 00:24 -------- d-----w- c:\program files\Comcast
2010-03-24 00:16 . 2010-03-24 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SupportSoft
2010-03-23 23:52 . 2010-03-23 23:52 -------- d-----w- c:\program files\support.com
2010-03-23 23:52 . 2010-03-23 23:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2010-03-23 23:52 . 2010-03-24 00:24 -------- d-----w- c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 03:51 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-11 03:49 . 2008-01-29 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-07 10:04 . 2006-05-29 22:58 -------- d-----w- c:\program files\Google
2010-04-07 04:57 . 2008-11-30 15:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-07 03:59 . 2006-05-02 20:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-07 03:55 . 2006-05-02 20:51 -------- d-----w- c:\program files\Symantec
2010-04-07 03:55 . 2010-04-07 03:55 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-07 03:55 . 2010-04-07 03:55 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-07 03:41 . 2006-05-02 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-07 03:29 . 2008-02-18 01:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-06 06:00 . 2010-04-11 05:04 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100410.020\NAVENG.SYS
2010-04-06 06:00 . 2010-04-11 05:04 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100410.020\NAVENG32.DLL
2010-04-06 06:00 . 2010-04-11 05:04 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100410.020\NAVEX32A.DLL
2010-04-06 06:00 . 2010-04-11 05:04 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100410.020\NAVEX15.SYS
2010-04-06 06:00 . 2010-04-11 05:04 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100410.020\EECTRL.SYS
2010-04-06 06:00 . 2010-04-11 05:04 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100410.020\CCERASER.DLL
2010-04-06 06:00 . 2010-04-11 05:04 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100410.020\ECMSVR32.DLL
2010-04-06 06:00 . 2010-04-11 05:04 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100410.020\ERASER.SYS
2010-04-04 00:37 . 2009-04-18 19:07 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-02 22:19 . 2006-05-04 03:03 -------- d-----w- c:\program files\palmOne
2010-03-29 03:11 . 2009-08-08 08:10 8421992 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-24 07:02 . 2010-04-07 03:55 897784 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CLT\cltLMSx.dll
2010-03-24 01:16 . 2006-11-18 22:35 -------- d-----w- c:\program files\Common Files\Motive
2010-03-22 01:36 . 2007-10-25 02:21 -------- d-----w- c:\program files\Cryptainer LE
2010-03-11 09:01 . 2007-07-04 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-08 03:02 . 2007-02-04 21:11 721912 ----a-w- c:\documents and settings\Administrator\gotomypc_428.exe
2010-02-25 06:24 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 15:16 . 2009-10-03 22:35 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-02 22:21 . 2010-02-02 22:21 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-06-10 02:52 . 2009-06-10 02:48 7108 --sh--r- c:\program files\uninstall.log
2010-03-02 00:51 . 2008-08-08 17:59 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-01-02 01:16 . 2006-06-04 04:14 88 --sh--r- c:\windows\system32\1FD66CCBE7.sys
2010-01-02 01:16 . 2006-06-04 04:14 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 18:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2010-01-04 17:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2010-01-04 17:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedFolder]
@="{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}"
[HKEY_CLASSES_ROOT\CLSID\{5D64CBA3-BDEC-427C-8A7F-8CB7C9EA7C74}]
2008-02-28 00:18 77824 ----a-w- c:\program files\Xdrive\Xdrive Desktop\Overlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.LinkedSharedFolder]
@="{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}"
[HKEY_CLASSES_ROOT\CLSID\{7C541B8D-BD5A-4687-9010-50E2B5D4A8E4}]
2008-02-28 00:18 77824 ----a-w- c:\program files\Xdrive\Xdrive Desktop\Overlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\xdrive.SharedFolder]
@="{39C2972F-3338-471B-8D67-FA82E46E3AC2}"
[HKEY_CLASSES_ROOT\CLSID\{39C2972F-3338-471B-8D67-FA82E46E3AC2}]
2008-02-28 00:18 77824 ----a-w- c:\program files\Xdrive\Xdrive Desktop\Overlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XdriveTrayIcon"="c:\program files\Xdrive\Xdrive Desktop\XdriveTray.exe" [2008-02-28 253952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-03-02 30192]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"PPort11reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"XdriveTray"="c:\program files\Xdrive\Xdrive Desktop\xdrive.exe" [2008-02-28 1168736]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP LaserJet Director.lnk - c:\program files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe [2007-12-4 204800]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-09 16:55 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 23:45 10800 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cordless DUALphone Startup.lnk]
backup=c:\windows\pss\Cordless DUALphone Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McafWelcome
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLSService]
2009-04-14 21:32 55808 ----a-w- c:\program files\DYMO\DYMO Label Software\DLSService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer]
2002-04-22 18:57 90112 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer]
2002-04-22 18:56 94208 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-05 21:10 46368 ----a-w- c:\program files\Nuance\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 01:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-06-01 10:46 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpAgent]
2007-06-11 18:59 943656 ----a-w- c:\program files\Nuance\OmniPage15\OpAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15]
2007-06-11 19:00 79400 ----a-w- c:\program files\Nuance\OmniPage15\OpWare15.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-05 21:12 29984 ----a-w- c:\program files\Nuance\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-07 20:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smart touch i1100]
2007-11-08 16:55 163840 ----a-w- c:\program files\Kodak\Document Imaging\kds_i1100\Smart touch\KSSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-09 16:55 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-02 02:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Audible\\Bin\\AudibleDownloadHelper.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0400000.07F\SymDS.sys [4/6/2010 10:55 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0400000.07F\SymEFA.sys [4/6/2010 10:55 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 3:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0400000.07F\cchpx86.sys [4/6/2010 10:55 PM 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0400000.07F\Ironx86.sys [4/6/2010 10:55 PM 116272]
R2 Learning Like Crazy: Spanish Accent Maestro update permissions manager. 12.;Learning Like Crazy: Spanish Accent Maestro update permissions manager. 12.;c:\program files\Learning Like Crazy\SAM\updateam.exe -PermissionManagerRun --> c:\program files\Learning Like Crazy\SAM\updateam.exe -PermissionManagerRun [?]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe [4/6/2010 10:54 PM 126392]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [10/24/2007 9:21 PM 100728]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/7/2010 1:25 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100402.001\IDSXpx86.sys [4/6/2010 10:58 PM 329592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:41 AM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/30/2008 9:39 PM 30192]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-04-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-24 19:46]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 14:41]

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 14:41]

2010-04-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Save to &Xdrive - c:\program files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-RealUpgradeHelper - c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe
Notify-NavLogon - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-CTFMON - (no file)
MSConfigStartUp-Google Update - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
AddRemove-RemoteView 1.50 - c:\program files\Digi-Watcher.com\RemoteView 1.50\Uninst.exe
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 00:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Learning Like Crazy: Spanish Accent Maestro update permissions manager. 12.]
--

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.0.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1686535616-4168136305-308842460-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,73,0b,af,37,6e,d6,42,80,c4,2a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,73,0b,af,37,6e,d6,42,80,c4,2a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(6036)
c:\windows\system32\WININET.dll
c:\program files\MozyHome\mozyshell.dll
c:\program files\Xdrive\Xdrive Desktop\Overlay.dll
c:\program files\Xdrive\Xdrive Desktop\ClientCommonUI.dll
c:\program files\Xdrive\Xdrive Desktop\Engine.dll
c:\windows\system32\zlib1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Borland\Interbase\Bin\IBGuard.exe
c:\program files\Learning Like Crazy\SAM\updateam.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\MozyHome\mozybackup.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\cryptainersrv.exe
c:\program files\Xdrive\Xdrive Desktop\XdriveService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Borland\Interbase\Bin\IBServer.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-11 00:47:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 05:47

Pre-Run: 97,596,936,192 bytes free
Post-Run: 97,577,820,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 333BD483F4B21080ED7D47A4FF919A3D
#6 JSntgRvr (Master Surgeon General)
  • Malware Response Team
  • 11,559 posts
  • Location:Puerto Rico

Posted 11 April 2010 - 01:11 AM

Seems clear.

Let's check for remnants.

Please run the F-Secure Online Scanner
  • For information click Here.
  • Allow the installation of the Add-ons and Accept the License Agreement.
  • Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 norm1066 (Topic Starter)
  • Members
  • 5 posts

Posted 11 April 2010 - 12:05 PM

Here is the F-Secure report. It looks like we're all clear.

Scanning Report
Sunday, April 11, 2010 02:14:23 - 03:04:55
Computer name: JEFFS-HOME
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\

No malware found

Statistics
Scanned:
* Files: 60448
* System: 4505
* Not scanned: 17
Actions:
* Disinfected: 0
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0
Files not scanned:
* C:\PAGEFILE.SYS
* C:\HIBERFIL.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1558\A0374437.SYS
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1555\A0373956.SYS
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_NPC.TRAY.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_UI.HOST.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_{869594F6-6511-4780-AD37-49B479DA2A4F}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_{4E9CB39A-5F78-4887-A3D6-2790DE9DDE11}0

Options
Scanning engines:
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics

Thank you VERY much for your assistance. I was going to try to do this on my own, but I have a feeling that something wouldn't have gone right and that I might have ended up in a worse place.



#8 JSntgRvr (Master Surgeon General)
  • Malware Response Team
  • 11,559 posts
  • Location:Puerto Rico

Posted 11 April 2010 - 03:08 PM

Looks clear. How is it doing?



#9 norm1066 (Topic Starter)
  • Members
  • 5 posts

Posted 13 April 2010 - 03:42 PM

Thanks again. All is running well. I think we may have it licked.

#10 JSntgRvr (Master Surgeon General)
  • Malware Response Team
  • 11,559 posts
  • Location:Puerto Rico

Posted 13 April 2010 - 05:52 PM

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. That should remove the application.
Please download OTC by OldTimer.
  • Save it to your desktop.
  • Please double-click OTC.exe to run it. (Vista users, please right click on OTC.exe and select "Run as an Administrator")
  • This will delete the tools we used in the removal of malware, including this program.
  • If you are asked to reboot to complete the removal process then please do so
Upon restart, manually remove any remaining tools.

Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  4. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  5. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!


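The System Restore reset and the "After Cleanup" restore point described in the post above can also be done from a script, which makes it easy to verify that the old restore points really are gone before the new baseline is created. The script below is an added example for this page, not part of the original thread and not code from ComboFix, OTC or any other tool mentioned in it. It drives the WMI SystemRestore class in the root\default namespace, which is the same facility the XP System Restore tab uses underneath. It assumes PowerShell 2.0 or later running under an administrator account, and it assumes C: is the only drive with System Restore enabled (the ComboFix log above shows a single Windows installation). The motivation is visible in the F-Secure report: two .SYS files under C:\SYSTEM VOLUME INFORMATION\_RESTORE{...}\RP1555 and RP1558 could not be scanned, and purging the restore points is the only way to get rid of whatever was copied there.

```powershell
# Added example (not from the original thread): reset System Restore on
# Windows XP through the WMI SystemRestore class and create a clean baseline.
# Assumptions: PowerShell 2.0+, administrator account, system drive C: only.

$ErrorActionPreference = 'Stop'

# The SystemRestore class lives in root\default, not root\cimv2.
$sr = [wmiclass]'\\.\root\default:SystemRestore'

function Get-RestorePoints {
    # Each SystemRestore instance is one restore point.
    @(Get-WmiObject -Namespace 'root\default' -Class SystemRestore)
}

$before = Get-RestorePoints
Write-Host ("Restore points before reset: {0}" -f $before.Count)
$before | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize

# 1. Turn System Restore off. Disabling it purges every existing restore point,
#    which is the whole point of the exercise: the old points are where the
#    scanner found files it could not open. ReturnValue 0 means success.
$rc = $sr.Disable('C:\')
if ($rc.ReturnValue -ne 0) { throw ("Disable failed, WMI return code {0}" -f $rc.ReturnValue) }

# 2. Turn it back on and wait until the service reports it is enabled again.
$rc = $sr.Enable('C:\', $true)
if ($rc.ReturnValue -ne 0) { throw ("Enable failed, WMI return code {0}" -f $rc.ReturnValue) }

# 3. Check that nothing survived the reset before trusting the new baseline.
$after = Get-RestorePoints
if ($after.Count -ne 0) {
    throw ("Expected 0 restore points after reset, found {0}" -f $after.Count)
}
Write-Host "All previous restore points removed."

# 4. Create the "After Cleanup" point the post recommends.
#    RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint('After Cleanup', 12, 100)
if ($rc.ReturnValue -ne 0) { throw ("CreateRestorePoint failed, WMI return code {0}" -f $rc.ReturnValue) }

# 5. Show the new baseline so the result can be pasted into a reply.
Get-RestorePoints | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
```

Run it after the removal tools have been uninstalled, as the post orders it, so that the new restore point does not capture ComboFix or OTC. The explicit count check in step 3 is the part the manual procedure lacks: if Disable returns success but restore points are still listed, stop and investigate before creating the baseline rather than assuming the reboot fixed it.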

#11 JSntgRvr (Master Surgeon General)
  • Malware Response Team
  • 11,559 posts
  • Location:Puerto Rico

Posted 27 April 2010 - 12:55 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
