  • This topic is locked
20 replies to this topic

#1 tedjusko

  • Members
  • 13 posts

Posted 16 April 2010 - 10:22 AM

Infected with: Trojan.Hiloti, Rogue.WinAntiVirus


Hello Everyone,

I need some help! I am running a PC on Vista. A little while ago my cousin got a prompt for a virus removal; not knowing that this could potentially be a fake virus removal prompt, he selected to run the program. The program I believe may have been a trojan and I would like to know what steps I should take to remove it.


Here is a copy of my HijackThis Log...

Please advise

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:05 AM, on 4/16/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.17037)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\windows\System32\hkcmd.exe
C:\windows\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yourmom.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: KTBho Class - {25EDC164-41A6-47C3-80BD-5E4FBE1BA7AB} - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Kaboodle Toolbar - {92857633-2441-4A14-8236-DFCB97AD3E87} - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\HP\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1503898200-3715971432-2877152946-1004\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Crew')
O4 - S-1-5-21-1503898200-3715971432-2877152946-1004 Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'Crew')
O4 - S-1-5-21-1503898200-3715971432-2877152946-1004 User Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'Crew')
O4 - Startup: Billing.appref-ms
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/45.19/uploader2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFC70CA1-F3AC-4CC8-A30C-855B5C3A37BC}: NameServer = 4.2.2.2
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: eMill Server (eMillSrv) - Active+ Software - C:\Program Files\Active+\eMill\bin\eMillSrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Service1 - - c:\iplookup.exe

--
End of file - 6863 bytes

Let me know if there is anything you think I should try I need to make sure this PC does not have a virus...

Edit: Moved topic from Vista to the more appropriate forum. Merged own reply to show 0 posts, for queue. ~ Animal

I have downloaded Malwarebytes. I was infected with two files.

Here is the copy of the log. Let me know what I've got to do.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3997

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

4/16/2010 2:45:00 PM
mbam-log-2010-04-16 (14-43-27).txt

Scan type: Quick scan
Objects scanned: 157130
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Crew\AppData\Local\Temp\~TM2961.tmp (Trojan.Hiloti) -> No action taken.

Merged posts. ~ OB

Edited by Orange Blossom, 17 April 2010 - 11:00 PM.



#2 tedjusko

  • Topic Starter
  • Members
  • 13 posts

Posted 16 April 2010 - 04:26 PM

I am infected with Trojan.Hiloti & Rogue.WinAntiVirus

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 17 April 2010 - 11:01 PM.


#3 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 20 April 2010 - 04:15 PM

Hello tedjusko, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited in how many logs we can respond to and keep open due to time constraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

In order to better assist you I will need the following:

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt

  • If you have any CD emulation software such as Daemon or Alcohol, please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it, let me know so we can re-enable it when we finish up.

    Disable:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

    Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.

    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    If GMER does not want to run, add the following to those that you unchecked and try it again:

    • Registry
    • Files

    Note: Please make only the Attach.txt from DDS an attachment, post the other logs directly into the reply window.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#4 tedjusko

  • Topic Starter
  • Members
  • 13 posts

Posted 21 April 2010 - 08:06 AM

Hello thewall,

Thanks a lot for helping me out. While trying to follow your instructions, though, I came across a problem in step 1. For some reason I cannot run DDS without it just closing and not producing a log. In the middle of me running this program Vista asks me to sign into my admin account; when I do, the screen closes then reappears and shows me that the DDS program is running, but at the end there is no log that appears. Please advise.

#5 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 25 April 2010 - 04:44 PM

My apologies for not replying sooner. I didn't get the notification of your reply.

Are you still needing help?

#6 tedjusko

  • Topic Starter
  • Members
  • 13 posts

Posted 26 April 2010 - 02:46 PM

Yes I am. It is no worry, I am just waiting on your response.

#7 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 26 April 2010 - 03:02 PM

Try running the following first. If it won't run then I have posted instructions for another program.

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

Try to run this if you have no luck with DDS:

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Also try to run GMER.

#8 tedjusko

  • Topic Starter
  • Members
  • 13 posts

Posted 27 April 2010 - 10:59 AM

OK, thewall, thanks for helping!

I tried to download the first link, which appeared to be a dead one. I managed to find it and download it from another link. I ran the tool after following your instructions but it did not complete the scan. A screen saying Windows cannot open this file came up, with the file name being Pev.rkexe.

So

I then downloaded RSIT and ran it; here is the log file.

Let me know! Thanks again

info.txt logfile of random's system information tool 1.06 2010-04-27 11:47:19

======Uninstall list======

-->C:\Program Files\InstallShield Installation Information\{69333A04-5134-40A5-A055-9166A7AA1EC8}\setup.exe -runfromtemp -l0x0009 -removeonly
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Business Contact Manager for Outlook 2007 SP2-->"C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {B32C4059-6E7A-41EF-AD20-56DF1872B923}
Business Contact Manager for Outlook 2007 SP2-->MsiExec.exe /X{B32C4059-6E7A-41EF-AD20-56DF1872B923}
eMill-->C:\Program Files\Active+\eMill\Setup\Setup.exe /Remove
FileZilla Client 3.3.1-->C:\Program Files\FileZilla FTP Client\uninstall.exe
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
FreeMeter-->C:\PROGRA~1\FREEME~1\UNWISE.EXE C:\PROGRA~1\FREEME~1\INSTALL.LOG
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)-->C:\Windows\SQL9_KB970892_ENU\Hotfix.exe /Uninstall
Google Chrome-->"C:\Program Files\Google\Chrome\Application\4.1.249.1059\Installer\setup.exe" --uninstall --system-level
Google Toolbar for Firefox-->C:\ProgramData\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E85CDE7661A53A6A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Backup & Recovery Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}\setup.exe" -l0x9 -uninst -removeonly
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Easy Setup - Core-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}\setup.exe" -l0x9
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBE5C83E-4DC5-494F-8A23-3AAE242E94C2}\setup.exe" -l0x9 -removeonly
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.2 - Scanjet 3970 Series-->MsiExec.exe /I{796ADAFF-7C5B-4CED-BA11-55A3644F1E0D}
HUD-->"C:\Program Files\Fonality\HUD\uninstall.exe"
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216015FF}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Kaboodle IE Toolbar-->MsiExec.exe /X{40A2048E-3B70-41E1-8C0C-72A31679A0DB}
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Primary Interop Assemblies-->MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components-->MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft SQL Server 2000-->C:\Windows\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\80\Tools\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\80\Tools\sqlsun.dll" -msql.mif
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005-->"C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Desktop Engine-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Mozilla Firefox (3.5.7)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
OpenOffice.org 2.3-->MsiExec.exe /I{83C03FBE-4492-4133-BBAB-421CD88ADA32}
PayClock EZ 2004-->C:\PROGRA~1\PAYCLOCK\PCZUNINS.EXE
PDF Complete-->C:\Program Files\PDF Complete\pdfiutil.exe /UGUI
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.exe" -l0x9 -removeonly
Symantec pcAnywhere-->MsiExec.exe /I{D05E8183-866A-11D3-97DF-0000F8D8F2E9}
SyncBack-->"C:\Program Files\2BrightSparks\SyncBack\unins000.exe"
Trojan Remover 6.8.1-->"C:\Program Files\Trojan Remover\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""

======Security center information======

AV: AntiVir Desktop
AS: AntiVir Desktop
AS: Windows Defender

======System event log======

Computer Name: Peach
Event Code: 11
Message: The driver detected a controller error on \Device\Ide\IdePort2.
Record Number: 519072
Source Name: atapi
Time Written: 20100427085532.626938-000
Event Type: Error
User:

Computer Name: Peach
Event Code: 4
Message: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Record Number: 519078
Source Name: Microsoft-Windows-SpoolerWin32SPL
Time Written: 20100427114613.000000-000
Event Type: Warning
User:

Computer Name: Peach
Event Code: 4
Message: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Record Number: 519079
Source Name: Microsoft-Windows-SpoolerWin32SPL
Time Written: 20100427114613.000000-000
Event Type: Warning
User:

Computer Name: Peach
Event Code: 11
Message: The driver detected a controller error on \Device\Ide\IdePort2.
Record Number: 519080
Source Name: atapi
Time Written: 20100427114649.619938-000
Event Type: Error
User:

Computer Name: Peach
Event Code: 11
Message: The driver detected a controller error on \Device\Ide\IdePort2.
Record Number: 519088
Source Name: atapi
Time Written: 20100427144802.235938-000
Event Type: Error
User:

=====Application event log=====

Computer Name: Peach
Event Code: 3011
Message: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
Record Number: 30783
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20100426155455.000000-000
Event Type: Error
User:

Computer Name: Peach
Event Code: 1000
Message: Faulting application o.dat, version 0.0.0.0, time stamp 0x4760416b, faulting module KERNEL32.DLL, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc0000139, fault offset 0x00008fc7, process id 0x1718, application start time 0x01cae56b7417a8a8.
Record Number: 30785
Source Name: Application Error
Time Written: 20100426180820.000000-000
Event Type: Error
User:

Computer Name: Peach
Event Code: 10005
Message: Product: Microsoft Office 2007 Primary Interop Assemblies -- Please install Microsoft Office 2007 before installing this product.
Record Number: 30794
Source Name: MsiInstaller
Time Written: 20100427070024.000000-000
Event Type: Error
User: NT AUTHORITY\SYSTEM

Computer Name: Peach
Event Code: 1024
Message: Product: Microsoft Office 2007 Primary Interop Assemblies - Update 'Security Update for Microsoft Office PowerPoint 2007 (KB957789)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
Record Number: 30795
Source Name: MsiInstaller
Time Written: 20100427070024.000000-000
Event Type: Error
User: NT AUTHORITY\SYSTEM

Computer Name: Peach
Event Code: 1000
Message: Faulting application o.dat, version 0.0.0.0, time stamp 0x43fbb13a, faulting module USER32.DLL!SetScrollP, version 6.0.6000.16386, time stamp 0x4549bdc9, exception code 0xc0000139, fault offset 0x00008fc7, process id 0x1a4c, application start time 0x01cae6194315e3d8.
Record Number: 30815
Source Name: Application Error
Time Written: 20100427145231.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Peach
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x54f2cdc
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: RED
Source Network Address: 192.168.1.241
Source Port: 3931

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Record Number: 797793
    Source Name: Microsoft-Windows-Security-Auditing
    Time Written: 20100404201941.990550-000
    Event Type: Audit Success
    User:

    Computer Name: Peach
    Event Code: 4634
    Message: An account was logged off.

    Subject:
    Security ID: S-1-5-7
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x54f2cdc

    Logon Type: 3

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    Record Number: 797794
    Source Name: Microsoft-Windows-Security-Auditing
    Time Written: 20100404201953.305550-000
    Event Type: Audit Success
    User:

    Computer Name: Peach
    Event Code: 4624
    Message: An account was successfully logged on.

    Subject:
    Security ID: S-1-0-0
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    New Logon:
    Security ID: S-1-5-7
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x55fdfd6
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
    Process ID: 0x0
    Process Name: -

    Network Information:
    Workstation Name: RED
    Source Network Address: 192.168.1.241
    Source Port: 3979

    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V1
    Key Length: 0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Record Number: 797795
    Source Name: Microsoft-Windows-Security-Auditing
    Time Written: 20100404222925.207550-000
    Event Type: Audit Success
    User:

    Computer Name: Peach
    Event Code: 4634
    Message: An account was logged off.

    Subject:
    Security ID: S-1-5-7
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x55fdfd6

    Logon Type: 3

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
    Record Number: 797796
    Source Name: Microsoft-Windows-Security-Auditing
    Time Written: 20100404222934.895550-000
    Event Type: Audit Success
    User:

    Computer Name: Peach
    Event Code: 4624
    Message: An account was successfully logged on.

    Subject:
    Security ID: S-1-0-0
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    New Logon:
    Security ID: S-1-5-7
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x56db4b0
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
    Process ID: 0x0
    Process Name: -

    Network Information:
    Workstation Name: RED
    Source Network Address: 192.168.1.241
    Source Port: 4024

    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V1
    Key Length: 0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Record Number: 797797
    Source Name: Microsoft-Windows-Security-Auditing
    Time Written: 20100405001731.917550-000
    Event Type: Audit Success
    User:

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Symantec\pcAnywhere\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    "PROCESSOR_ARCHITECTURE"=x86
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "USERNAME"=SYSTEM
    "windir"=%SystemRoot%
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 6 Stepping 5, GenuineIntel
    "PROCESSOR_REVISION"=0605
    "NUMBER_OF_PROCESSORS"=2
    "PLATFORM"=BPC
    "OnlineServices"=Online Services

    -----------------EOF-----------------


    #9 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 27 April 2010 - 12:15 PM

    Thanks for getting that up. There should have been two logs generated and I will need the one called log.txt

    #10 tedjusko

    tedjusko
    • Topic Starter
    • Members
    • 13 posts

    Posted 28 April 2010 - 10:22 AM

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Admin at 2010-04-27 11:47:11
    Microsoft® Windows Vista™ Business
    System drive C: has 3 GB (5%) free of 62 GB
    Total RAM: 3063 MB (28% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:47:15 AM, on 4/27/2010
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.17037)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\windows\RtHDVCpl.exe
    C:\Program Files\PDF Complete\pdfsty.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\windows\System32\igfxtray.exe
    C:\windows\System32\hkcmd.exe
    C:\windows\System32\igfxpers.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Windows\system32\taskeng.exe
    C:\billing\billing.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEUser.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\windows\System32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
    C:\Program Files\Microsoft Office\Office\FRONTPG.EXE
    C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\windows\SMINST\scheduler.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\windows\RtHDVCpl.exe
    C:\Program Files\PDF Complete\pdfsty.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Windows\System32\mobsync.exe
    C:\Users\Admin\AppData\Local\Apps\2.0\L1BNEH47.GET\95WHRQVW.XO3\bill..tion_80627326a32ab4f2_0001.0000_4dbff9f3a3f64553\Billing.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Program Files\FileZilla FTP Client\filezilla.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Crew\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Admin.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.weloveyourmom.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: KTBho Class - {25EDC164-41A6-47C3-80BD-5E4FBE1BA7AB} - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Kaboodle Toolbar - {92857633-2441-4A14-8236-DFCB97AD3E87} - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\HP\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1503898200-3715971432-2877152946-1004\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Crew')
    O4 - S-1-5-21-1503898200-3715971432-2877152946-1004 Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'Crew')
    O4 - S-1-5-21-1503898200-3715971432-2877152946-1004 User Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'Crew')
    O4 - Startup: Billing.appref-ms
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O13 - Gopher Prefix:
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/45.19/uploader2.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EFC70CA1-F3AC-4CC8-A30C-855B5C3A37BC}: NameServer = 4.2.2.2
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: eMill Server (eMillSrv) - Active+ Software - C:\Program Files\Active+\eMill\bin\eMillSrv.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: Service1 - - c:\iplookup.exe

    --
    End of file - 8686 bytes

    ======Scheduled tasks folder======

    C:\Windows\tasks\Google Software Updater.job
    C:\Windows\tasks\GoogleUpdateTaskMachineCore1cac66ec1954ace.job
    C:\Windows\tasks\SyncBack Peach Backup.job
    C:\Windows\tasks\User_Feed_Synchronization-{8976DA08-340C-4843-9E7B-95F1724B0C6D}.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25EDC164-41A6-47C3-80BD-5E4FBE1BA7AB}]
    KTBho Class - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll [2007-02-15 221269]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-02-09 279664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll [2010-02-10 812528]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-29 41760]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {92857633-2441-4A14-8236-DFCB97AD3E87} - Kaboodle Toolbar - C:\PROGRA~1\kaboodle\KABOOD~1\KTBar.dll [2007-02-15 221269]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-02-09 279664]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2007-06-26 1006264]
    "RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2006-11-09 3784704]
    "PDF Complete"=C:\Program Files\PDF Complete\pdfsty.exe [2007-04-13 331552]
    "SetRefresh"=C:\Program Files\HP\SetRefresh\SetRefresh.exe [2003-11-20 525824]
    "Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-17 69632]
    "zzzHPSETUP"=F:\Setup.exe []
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-29 149280]
    "IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-01-02 141848]
    "HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-01-02 166424]
    "Persistence"=C:\Windows\system32\igfxpers.exe [2008-01-02 133656]
    "avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2010-03-02 282792]
    "TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe [2010-02-27 1165192]
    "Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-03-30 1086856]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ST Recovery Launcher"=C:\Windows\SMINST\launcher.exe [2007-03-07 44168]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2005-02-16 221184]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-01-13 39408]
    "WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-11-02 201728]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    Billing.appref-ms

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\Windows\system32\igfxdev.dll [2008-01-02 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
    C:\Windows\system32\PCANotify.dll [2002-02-15 24638]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    "LocalAccountTokenFilterPolicy"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86cb3db0-161d-11df-803a-0019bb5ee61f}]
    shell\AutoRun\command - H:\StyleEaseAPA.exe


    ======List of files/folders created in the last 1 months======

    2010-04-27 11:47:11 ----D---- C:\rsit
    2010-04-22 13:59:58 ----D---- C:\Program Files\FreeMeter
    2010-04-22 13:49:09 ----D---- C:\Program Files\BandwidthMeterPro
    2010-04-16 14:19:50 ----D---- C:\Users\Admin\AppData\Roaming\Malwarebytes
    2010-04-16 14:19:41 ----D---- C:\ProgramData\Malwarebytes
    2010-04-16 14:19:41 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2010-04-16 11:16:46 ----AD---- C:\ProgramData\TEMP
    2010-04-16 11:14:13 ----A---- C:\Windows\system32\ztvunrar36.dll
    2010-04-16 11:14:13 ----A---- C:\Windows\system32\ztvunace26.dll
    2010-04-16 11:14:12 ----A---- C:\Windows\system32\ztvcabinet.dll
    2010-04-16 11:14:12 ----A---- C:\Windows\system32\UNRAR3.dll
    2010-04-16 11:14:12 ----A---- C:\Windows\system32\unacev2.dll
    2010-04-16 11:14:09 ----D---- C:\Users\Admin\AppData\Roaming\Simply Super Software
    2010-04-16 11:14:09 ----D---- C:\ProgramData\Simply Super Software
    2010-04-16 11:14:09 ----D---- C:\Program Files\Trojan Remover
    2010-04-16 10:46:44 ----D---- C:\Program Files\Trend Micro
    2010-04-16 10:27:00 ----D---- C:\ProgramData\Avira
    2010-04-16 10:27:00 ----D---- C:\Program Files\Avira
    2010-04-13 17:37:50 ----A---- C:\Windows\system32\ntoskrnl.exe
    2010-04-13 17:37:50 ----A---- C:\Windows\system32\ntkrnlpa.exe
    2010-04-13 17:37:45 ----A---- C:\Windows\system32\vbscript.dll
    2010-04-13 17:37:31 ----A---- C:\Windows\system32\wintrust.dll
    2010-04-13 17:36:10 ----A---- C:\Windows\system32\tcpipcfg.dll
    2010-04-13 17:36:10 ----A---- C:\Windows\system32\netiougc.exe
    2010-04-13 17:36:10 ----A---- C:\Windows\system32\iphlpsvc.dll
    2010-04-13 17:35:22 ----A---- C:\Windows\system32\cabview.dll
    2010-03-30 14:34:13 ----A---- C:\Windows\system32\mshtml.dll
    2010-03-30 14:34:12 ----A---- C:\Windows\system32\wininet.dll
    2010-03-30 14:34:11 ----A---- C:\Windows\system32\urlmon.dll
    2010-03-30 14:34:10 ----A---- C:\Windows\system32\ieframe.dll
    2010-03-30 14:34:09 ----A---- C:\Windows\system32\mstime.dll
    2010-03-30 14:34:09 ----A---- C:\Windows\system32\ieapfltr.dll
    2010-03-30 14:34:08 ----A---- C:\Windows\system32\occache.dll
    2010-03-30 14:34:08 ----A---- C:\Windows\system32\msfeeds.dll
    2010-03-30 14:34:08 ----A---- C:\Windows\system32\iertutil.dll
    2010-03-30 14:34:08 ----A---- C:\Windows\system32\iepeers.dll
    2010-03-30 14:34:08 ----A---- C:\Windows\system32\iedkcs32.dll
    2010-03-30 14:34:08 ----A---- C:\Windows\system32\ieaksie.dll
    2010-03-30 14:34:08 ----A---- C:\Windows\system32\dxtmsft.dll
    2010-03-30 14:34:07 ----A---- C:\Windows\system32\mshtmled.dll
    2010-03-30 14:34:07 ----A---- C:\Windows\system32\jsproxy.dll
    2010-03-30 14:34:07 ----A---- C:\Windows\system32\ieencode.dll
    2010-03-30 14:34:07 ----A---- C:\Windows\system32\icardie.dll
    2010-03-30 14:34:07 ----A---- C:\Windows\system32\dxtrans.dll
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\pngfilt.dll
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\ieUnatt.exe
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\ieui.dll
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\iesetup.dll
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\iernonce.dll
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\ieakui.dll
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\ie4uinit.exe
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\advpack.dll
    2010-03-30 14:34:06 ----A---- C:\Windows\system32\admparse.dll
    2010-03-30 14:34:05 ----A---- C:\Windows\system32\mshtmler.dll

    ======List of files/folders modified in the last 1 months======

    2010-04-27 11:47:11 ----D---- C:\Windows\Temp
    2010-04-27 11:47:10 ----D---- C:\Windows\Prefetch
    2010-04-27 08:50:43 ----D---- C:\Windows\Tasks
    2010-04-27 04:53:59 ----D---- C:\Windows\SMINST
    2010-04-27 03:00:25 ----SHD---- C:\Windows\Installer
    2010-04-27 03:00:19 ----SHD---- C:\System Volume Information
    2010-04-26 11:54:59 ----D---- C:\Windows\System32
    2010-04-26 11:54:59 ----A---- C:\Windows\system32\PerfStringBackup.INI
    2010-04-26 11:52:08 ----D---- C:\Windows\system32\inetsrv
    2010-04-26 11:50:07 ----D---- C:\windows
    2010-04-22 13:59:58 ----RD---- C:\Program Files
    2010-04-21 17:39:09 ----D---- C:\comments
    2010-04-21 08:53:41 ----RD---- C:\Users
    2010-04-19 09:59:30 ----D---- C:\Windows\system32\drivers
    2010-04-16 14:19:41 ----HD---- C:\ProgramData
    2010-04-16 10:14:28 ----D---- C:\Windows\winsxs
    2010-04-16 10:14:06 ----D---- C:\Program Files\Common Files\microsoft shared
    2010-04-16 10:01:04 ----D---- C:\Windows\system32\catroot2
    2010-04-14 03:23:22 ----D---- C:\Windows\system32\catroot
    2010-04-14 03:20:36 ----D---- C:\Program Files\Windows Mail
    2010-04-14 03:20:35 ----D---- C:\Windows\system32\migration
    2010-04-06 13:52:54 ----A---- C:\Windows\system32\mrt.exe
    2010-03-31 03:18:19 ----D---- C:\Windows\AppPatch
    2010-03-31 03:18:19 ----D---- C:\Program Files\Internet Explorer

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2010-03-01 124784]
    R1 awlegacy;awlegacy; C:\Windows\System32\Drivers\awlegacy.sys [2000-09-11 10816]
    R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2007-08-30 320000]
    R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
    R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2010-02-16 60936]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
    R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 2016256]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2006-11-08 1647976]
    R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2006-11-02 35328]
    R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2007-11-15 11264]
    S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
    S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
    S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
    S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
    S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
    S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS [2007-09-02 57968]
    S3 WimFltr;WimFltr; C:\Windows\system32\DRIVERS\wimfltr.sys [2006-11-02 128104]
    S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]
    S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
    S4 AW_HOST;AW_HOST; C:\Windows\system32\drivers\aw_host5.sys [2002-02-11 33496]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
    R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2010-04-20 267432]
    R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
    R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2006-11-02 22016]
    R2 eMillSrv;eMill Server; C:\Program Files\Active+\eMill\bin\eMillSrv.exe [2008-03-27 1067008]
    R2 IISADMIN;@%windir%\system32\inetsrv\iisres.dll,-30007; C:\Windows\system32\inetsrv\inetinfo.exe [2008-02-14 13824]
    R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]
    R2 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2000-08-06 7442493]
    R2 pdfcDispatcher;PDF Document Manager; C:\Program Files\PDF Complete\pdfsvc.exe [2007-04-13 540448]
    R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2006-11-02 22016]
    R2 Service1;Service1; c:\iplookup.exe [2007-09-11 24576]
    R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
    R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
    R2 W3SVC;@%windir%\system32\inetsrv\iisres.dll,-30003; C:\Windows\system32\svchost.exe [2006-11-02 22016]
    R3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2006-11-02 22016]
    R3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2006-11-02 22016]
    R3 WAS;@%windir%\system32\inetsrv\iisres.dll,-30001; C:\Windows\system32\svchost.exe [2006-11-02 22016]
    S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
    S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-02-11 194032]
    S3 aspnet_state;@%windir%\system32\inetsrv\iisres.dll,-30009; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-27 34312]
    S3 awhost32;pcAnywhere Host Service; C:\Program Files\Symantec\pcAnywhere\awhost32.exe [2002-02-15 114749]
    S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2006-11-02 521216]
    S3 MSFTPSVC;@%windir%\system32\inetsrv\iisres.dll,-30005; C:\Windows\system32\inetsrv\inetinfo.exe [2008-02-14 13824]
    S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2000-08-06 303170]
    S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2006-11-02 562176]
    S3 WMSvc;@%windir%\system32\inetsrv\iisres.dll,-20001; C:\Windows\system32\inetsrv\wmsvc.exe [2006-11-02 10752]
    S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]

    -----------------EOF-----------------

    Edited by tedjusko, 28 April 2010 - 10:24 AM.


    #11 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida
    • Local time:03:38 AM

    Posted 28 April 2010 - 10:56 AM


    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
    • Double click on ComboFix.exe & follow the prompts.


    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    If I have helped you then please consider donating so I can continue the fight against malware
    All donations go directly to the helper

    Due to the large backlog we have, I cannot respond to PMs for help unless I am already working with you.

    #12 tedjusko

    tedjusko
    • Topic Starter

    • Members
    • 13 posts
    • Local time:03:38 AM

    Posted 29 April 2010 - 09:14 AM

    ComboFix 10-04-28.08 - Admin 04/29/2010 10:02:18.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.3063.1376 [GMT -4:00]
    Running from: c:\users\Crew\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\setup.exe
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}\chrome.manifest
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}\chrome\content\_cfg.js
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}\chrome\content\overlay.xul
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}\install.rdf
    c:\windows\command
    c:\windows\command\EXTRACT.PIF
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
    .

    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\TEMP.PEACH\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Guest.Server1\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Craig\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\blc\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-04-29 13:59 . 2010-04-29 13:59 -------- d-----w- C:\32788R22FWJFW
    2010-04-27 15:47 . 2010-04-28 15:22 -------- d-----w- C:\rsit
    2010-04-22 17:59 . 2010-04-22 18:01 -------- d-----w- c:\program files\FreeMeter
    2010-04-22 17:49 . 2010-04-22 17:51 -------- d-----w- c:\program files\BandwidthMeterPro
    2010-04-19 14:01 . 2010-04-19 14:01 -------- d-----w- c:\users\Crew\AppData\Roaming\Malwarebytes
    2010-04-16 18:19 . 2010-04-16 18:19 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
    2010-04-16 18:19 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-16 18:19 . 2010-04-16 18:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-16 18:19 . 2010-04-16 18:19 -------- d-----w- c:\programdata\Malwarebytes
    2010-04-16 18:19 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-16 15:14 . 2006-05-25 18:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-04-16 15:14 . 2005-08-26 04:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-04-16 15:14 . 2006-06-19 16:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-04-16 15:14 . 2003-02-02 23:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-04-16 15:14 . 2002-03-06 04:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-04-16 15:14 . 2010-04-16 15:14 -------- d-----w- c:\program files\Trojan Remover
    2010-04-16 15:14 . 2010-04-16 15:14 -------- d-----w- c:\users\Admin\AppData\Roaming\Simply Super Software
    2010-04-16 15:14 . 2010-04-16 15:14 -------- d-----w- c:\programdata\Simply Super Software
    2010-04-16 14:46 . 2010-04-16 14:46 -------- d-----w- c:\program files\Trend Micro
    2010-04-16 14:31 . 2010-04-16 14:31 -------- d-----w- c:\users\Crew\AppData\Roaming\Avira
    2010-04-16 14:27 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-16 14:27 . 2010-02-16 17:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-04-16 14:27 . 2009-05-11 15:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-16 14:27 . 2009-05-11 15:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-16 14:27 . 2010-04-16 14:27 -------- d-----w- c:\programdata\Avira
    2010-04-16 14:27 . 2010-04-16 14:27 -------- d-----w- c:\program files\Avira
    2010-04-16 13:58 . 2010-04-16 13:58 120 ----a-w- c:\users\Crew\AppData\Local\Vyezabeg.dat
    2010-04-16 13:58 . 2010-04-16 13:58 0 ----a-w- c:\users\Crew\AppData\Local\Wfagejem.bin
    2010-04-13 21:37 . 2010-02-23 13:14 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-13 21:37 . 2010-02-23 13:14 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-13 21:37 . 2010-02-23 13:14 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-13 21:37 . 2010-02-18 14:54 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-13 21:37 . 2010-02-18 14:54 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-13 21:37 . 2010-03-04 19:24 434176 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-13 21:37 . 2009-12-23 12:45 171520 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-13 21:36 . 2010-02-18 14:22 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
    2010-04-13 21:36 . 2010-02-18 14:19 179712 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-13 21:36 . 2010-02-18 12:05 815104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-13 21:36 . 2010-02-18 12:04 22016 ----a-w- c:\windows\system32\netiougc.exe
    2010-04-13 21:36 . 2010-02-18 12:04 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-13 21:36 . 2010-02-18 12:04 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
    2010-04-13 21:35 . 2010-01-13 18:23 97792 ----a-w- c:\windows\system32\cabview.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-27 22:35 . 2010-02-06 17:56 -------- d-----w- c:\users\Crew\AppData\Roaming\FileZilla
    2010-04-27 17:23 . 2007-11-13 16:53 -------- d-----w- c:\users\Crew\AppData\Roaming\OpenOffice.org2
    2010-04-16 13:56 . 2010-04-16 13:56 20 ----a-w- c:\users\Crew\AppData\Roaming\ubnxsg.dat
    2010-04-14 07:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-03-23 20:24 . 2007-11-21 17:00 1 ----a-w- c:\users\Crew\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2010-03-18 21:43 . 2008-02-14 15:51 102944 ----a-w- c:\users\Administrator.PEACH\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-09 16:54 . 2010-03-30 18:34 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-09 16:50 . 2010-03-30 18:34 56320 ----a-w- c:\windows\system32\iesetup.dll
    2010-03-09 16:50 . 2010-03-30 18:34 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 16:50 . 2010-03-30 18:34 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
    2010-03-09 16:48 . 2010-03-30 18:34 72704 ----a-w- c:\windows\system32\admparse.dll
    2010-03-09 14:17 . 2010-03-30 18:34 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-03-09 12:43 . 2010-03-30 18:34 48128 ----a-w- c:\windows\system32\mshtmler.dll
    2010-02-25 13:56 . 2007-06-26 22:51 102944 ----a-w- c:\users\Crew\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-25 10:33 . 2007-06-25 23:48 102944 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 14:16 . 2009-10-03 11:34 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 23:55 . 2010-03-10 08:00 10752 ----a-w- c:\windows\system32\wamregps.dll
    2010-02-20 23:54 . 2010-03-10 08:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:52 . 2010-03-10 08:00 8192 ----a-w- c:\windows\system32\iisrstap.dll
    2010-02-20 23:52 . 2010-03-10 08:00 148480 ----a-w- c:\windows\system32\iisRtl.dll
    2010-02-20 23:51 . 2010-03-10 08:00 31232 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 23:50 . 2010-03-10 08:00 51200 ----a-w- c:\windows\system32\admwprox.dll
    2010-02-20 21:46 . 2010-03-10 08:00 14848 ----a-w- c:\windows\system32\iisreset.exe
    2010-02-20 21:30 . 2010-03-10 08:00 396800 ----a-w- c:\windows\system32\drivers\http.sys
    2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
    2010-02-17 13:58 . 2010-02-17 13:58 33558 ----a-w- c:\programdata\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe
    2010-02-10 13:50 . 2010-02-10 13:50 1232496 ----a-w- c:\programdata\Google\Google Toolbar\Component\GoogleCld_D9AEC8D4D1915047.dll
    2007-05-12 09:46 . 2007-05-12 09:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-06-26 1006264]
    "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-04-13 331552]
    "SetRefresh"="c:\program files\HP\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-08 44168]

    c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Billing.appref-ms [2008-5-19 264]

    c:\users\Crew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-26 113664]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-8-6 69632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "LocalAccountTokenFilterPolicy"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2002-02-15 14:51 24638 ----a-w- c:\windows\System32\PCANotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
    R3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2006-11-02 10752]
    S0 AFS;AFS; [x]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
    S2 eMillSrv;eMill Server;c:\program files\Active+\eMill\bin\eMillSrv.exe [2008-03-27 1067008]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2007-04-13 540448]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-29 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-26 14:54]

    2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac66ec1954ace.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 08:20]

    2010-04-27 c:\windows\Tasks\SyncBack Peach Backup.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-02-22 16:19]

    2010-04-29 c:\windows\Tasks\User_Feed_Synchronization-{8976DA08-340C-4843-9E7B-95F1724B0C6D}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.wlb.com/tools/main.asp
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    TCP: {EFC70CA1-F3AC-4CC8-A30C-855B5C3A37BC} = 4.2.2.2
    FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1o5vcw79.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.wlb.com/tools/main.asp
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-zzzHPSETUP - F:\Setup.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-29 10:10
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-04-29 10:12:33
    ComboFix-quarantined-files.txt 2010-04-29 14:12

    Pre-Run: 8,430,350,336 bytes free
    Post-Run: 11,027,664,896 bytes free

    - - End Of File - - 6D00CA35025077606BF1C0287A519860

    Edited by tedjusko, 29 April 2010 - 09:19 AM.


    #13 tedjusko

    tedjusko
    • Topic Starter

    • Members
    • 13 posts
    • Local time:03:38 AM

    Posted 29 April 2010 - 09:17 AM

    ComboFix 10-04-28.08 - Admin 04/29/2010 10:02:18.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.3063.1376 [GMT -4:00]
    Running from: c:\users\Crew\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\setup.exe
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}\chrome.manifest
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}\chrome\content\_cfg.js
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}\chrome\content\overlay.xul
    c:\users\Crew\AppData\Local\{D5322423-FD5C-4FE9-9286-5EDD383250FA}\install.rdf
    c:\windows\command
    c:\windows\command\EXTRACT.PIF
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
    .

    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\TEMP.PEACH\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Guest.Server1\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Craig\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\wlb\AppData\Local\temp
    2010-04-29 14:08 . 2010-04-29 14:08 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-04-29 13:59 . 2010-04-29 13:59 -------- d-----w- C:\32788R22FWJFW
    2010-04-27 15:47 . 2010-04-28 15:22 -------- d-----w- C:\rsit
    2010-04-22 17:59 . 2010-04-22 18:01 -------- d-----w- c:\program files\FreeMeter
    2010-04-22 17:49 . 2010-04-22 17:51 -------- d-----w- c:\program files\BandwidthMeterPro
    2010-04-19 14:01 . 2010-04-19 14:01 -------- d-----w- c:\users\Crew\AppData\Roaming\Malwarebytes
    2010-04-16 18:19 . 2010-04-16 18:19 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
    2010-04-16 18:19 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-16 18:19 . 2010-04-16 18:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-16 18:19 . 2010-04-16 18:19 -------- d-----w- c:\programdata\Malwarebytes
    2010-04-16 18:19 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-16 15:14 . 2006-05-25 18:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-04-16 15:14 . 2005-08-26 04:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-04-16 15:14 . 2006-06-19 16:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-04-16 15:14 . 2003-02-02 23:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-04-16 15:14 . 2002-03-06 04:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-04-16 15:14 . 2010-04-16 15:14 -------- d-----w- c:\program files\Trojan Remover
    2010-04-16 15:14 . 2010-04-16 15:14 -------- d-----w- c:\users\Admin\AppData\Roaming\Simply Super Software
    2010-04-16 15:14 . 2010-04-16 15:14 -------- d-----w- c:\programdata\Simply Super Software
    2010-04-16 14:46 . 2010-04-16 14:46 -------- d-----w- c:\program files\Trend Micro
    2010-04-16 14:31 . 2010-04-16 14:31 -------- d-----w- c:\users\Crew\AppData\Roaming\Avira
    2010-04-16 14:27 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-16 14:27 . 2010-02-16 17:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-04-16 14:27 . 2009-05-11 15:49 51992 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-16 14:27 . 2009-05-11 15:49 17016 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-16 14:27 . 2010-04-16 14:27 -------- d-----w- c:\programdata\Avira
    2010-04-16 14:27 . 2010-04-16 14:27 -------- d-----w- c:\program files\Avira
    2010-04-16 13:58 . 2010-04-16 13:58 120 ----a-w- c:\users\Crew\AppData\Local\Vyezabeg.dat
    2010-04-16 13:58 . 2010-04-16 13:58 0 ----a-w- c:\users\Crew\AppData\Local\Wfagejem.bin
    2010-04-13 21:37 . 2010-02-23 13:14 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-04-13 21:37 . 2010-02-23 13:14 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-04-13 21:37 . 2010-02-23 13:14 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-04-13 21:37 . 2010-02-18 14:54 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-04-13 21:37 . 2010-02-18 14:54 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-04-13 21:37 . 2010-03-04 19:24 434176 ----a-w- c:\windows\system32\vbscript.dll
    2010-04-13 21:37 . 2009-12-23 12:45 171520 ----a-w- c:\windows\system32\wintrust.dll
    2010-04-13 21:36 . 2010-02-18 14:22 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
    2010-04-13 21:36 . 2010-02-18 14:19 179712 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-04-13 21:36 . 2010-02-18 12:05 815104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-04-13 21:36 . 2010-02-18 12:04 22016 ----a-w- c:\windows\system32\netiougc.exe
    2010-04-13 21:36 . 2010-02-18 12:04 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-04-13 21:36 . 2010-02-18 12:04 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
    2010-04-13 21:35 . 2010-01-13 18:23 97792 ----a-w- c:\windows\system32\cabview.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-27 22:35 . 2010-02-06 17:56 -------- d-----w- c:\users\Crew\AppData\Roaming\FileZilla
    2010-04-27 17:23 . 2007-11-13 16:53 -------- d-----w- c:\users\Crew\AppData\Roaming\OpenOffice.org2
    2010-04-16 13:56 . 2010-04-16 13:56 20 ----a-w- c:\users\Crew\AppData\Roaming\ubnxsg.dat
    2010-04-14 07:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-03-23 20:24 . 2007-11-21 17:00 1 ----a-w- c:\users\Crew\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2010-03-18 21:43 . 2008-02-14 15:51 102944 ----a-w- c:\users\Administrator.PEACH\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-09 16:54 . 2010-03-30 18:34 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-09 16:50 . 2010-03-30 18:34 56320 ----a-w- c:\windows\system32\iesetup.dll
    2010-03-09 16:50 . 2010-03-30 18:34 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 16:50 . 2010-03-30 18:34 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
    2010-03-09 16:48 . 2010-03-30 18:34 72704 ----a-w- c:\windows\system32\admparse.dll
    2010-03-09 14:17 . 2010-03-30 18:34 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-03-09 12:43 . 2010-03-30 18:34 48128 ----a-w- c:\windows\system32\mshtmler.dll
    2010-02-25 13:56 . 2007-06-26 22:51 102944 ----a-w- c:\users\Crew\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-25 10:33 . 2007-06-25 23:48 102944 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 14:16 . 2009-10-03 11:34 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 23:55 . 2010-03-10 08:00 10752 ----a-w- c:\windows\system32\wamregps.dll
    2010-02-20 23:54 . 2010-03-10 08:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:52 . 2010-03-10 08:00 8192 ----a-w- c:\windows\system32\iisrstap.dll
    2010-02-20 23:52 . 2010-03-10 08:00 148480 ----a-w- c:\windows\system32\iisRtl.dll
    2010-02-20 23:51 . 2010-03-10 08:00 31232 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 23:50 . 2010-03-10 08:00 51200 ----a-w- c:\windows\system32\admwprox.dll
    2010-02-20 21:46 . 2010-03-10 08:00 14848 ----a-w- c:\windows\system32\iisreset.exe
    2010-02-20 21:30 . 2010-03-10 08:00 396800 ----a-w- c:\windows\system32\drivers\http.sys
    2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
    2010-02-17 13:58 . 2010-02-17 13:58 33558 ----a-w- c:\programdata\Google\Toolbar for Firefox\Firefox_Toolbar_Uninstaller.exe
    2010-02-10 13:50 . 2010-02-10 13:50 1232496 ----a-w- c:\programdata\Google\Google Toolbar\Component\GoogleCld_D9AEC8D4D1915047.dll
    2007-05-12 09:46 . 2007-05-12 09:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-06-26 1006264]
    "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-04-13 331552]
    "SetRefresh"="c:\program files\HP\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 149280]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-08 44168]

    c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Billing.appref-ms [2008-5-19 264]

    c:\users\Crew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-26 113664]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-8-6 69632]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "LocalAccountTokenFilterPolicy"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2002-02-15 14:51 24638 ----a-w- c:\windows\System32\PCANotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
    R3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2006-11-02 10752]
    S0 AFS;AFS; [x]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
    S2 eMillSrv;eMill Server;c:\program files\Active+\eMill\bin\eMillSrv.exe [2008-03-27 1067008]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2007-04-13 540448]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-29 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-26 14:54]

    2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac66ec1954ace.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 08:20]

    2010-04-27 c:\windows\Tasks\SyncBack Peach Backup.job
    - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-02-22 16:19]

    2010-04-29 c:\windows\Tasks\User_Feed_Synchronization-{8976DA08-340C-4843-9E7B-95F1724B0C6D}.job
    - c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.wlb.com/tools/main.asp
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    TCP: {EFC70CA1-F3AC-4CC8-A30C-855B5C3A37BC} = 4.2.2.2
    FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1o5vcw79.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.wlb.com/tools/main.asp
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-zzzHPSETUP - F:\Setup.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-29 10:10
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-04-29 10:12:33
    ComboFix-quarantined-files.txt 2010-04-29 14:12

    Pre-Run: 8,430,350,336 bytes free
    Post-Run: 11,027,664,896 bytes free

    - - End Of File - - 6D00CA35025077606BF1C0287A519860

    Edited by tedjusko, 29 April 2010 - 09:20 AM.


    #14 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 29 April 2010 - 02:07 PM

    I'd like us to scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push

    If I have helped you then please consider donating so I can continue the fight against malware
    All donations go directly to the helper


    Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

    #15 thewall

    thewall

    • Malware Response Team
    • 6,425 posts
    • Gender:Male
    • Location:Florida

    Posted 03 May 2010 - 07:08 PM

    Are you still with me?



