Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help removing Alureon.H


  • This topic is locked This topic is locked
22 replies to this topic

#1 melobster

melobster

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 31 May 2010 - 08:48 PM

I ran Microsoft Essentials. shows Alureon.H and VBinject.gen!DG quarantined both now show removed but I am still showing the affects when trying to search on the internet. I click on a searched result in Google(for example) and it brings up a page I didn't want. I also have used/tried Malwarebytes with no luck.
Let me know if you need any other info. Thank you very much in advance!
When I try to post with my DDS and with or without the attachments required in post, I receive page can not be displayed. Please let me know another way to get you this info.
thank you

Vickie
I'm trying to edit my post by adding the DDS info as an attachment to see if it will post. I was able to edit my post and add the two attachments but I'm still unable to cut/past my DDS info. Please help!

I've tried today to past my DDS info but I am still getting 'page can not be displayed' after clicking post reply or post. I also tried to add it as an attachment to my post and it doesn't like it. I can post other things but not the DDS. I hope someone can help me so you can see my DDS info and help me with my virus problem. Thank you in advance!!!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Home User at 19:48:29.26 on Tue 06/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.174 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\7L11WOVS\dds[1].scr

============== Pseudo HJT Report ===============
WILL NOT LET ME POST WITH THIS SECTION INFO I HAD TO DELETE IN ORDER TO POST



============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 MpKslc5eba61a;MpKslc5eba61a;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{16f87ddc-4c10-48a8-9630-ecba4ce57de8}\MpKslc5eba61a.sys [2010-6-1 28752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-2-28 54752]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2010-2-27 200192]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-06-01 00:24:00 0 ----a-w- c:\documents and settings\home user\defogger_reenable
2010-05-31 13:13:42 0 d-----w- c:\docume~1\homeus~1\applic~1\Malwarebytes
2010-05-31 13:13:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 13:13:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-31 13:13:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-31 13:13:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 02:24:55 8832 ----a-w- C:\rasacd.sys
2010-05-04 23:31:14 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-05-04 23:31:14 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-20 18:17:02 0 ----a-w- c:\docume~1\homeus~1\applic~1\wklnhst.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-28 22:01:49 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-02-28 22:01:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010022820100301\index.dat

============= FINISH: 19:49:56.23 ===============

Merged 2 posts. ~ OB

Attached Files


Edited by Orange Blossom, 01 June 2010 - 10:51 PM.


BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 PM

Posted 02 June 2010 - 03:38 PM

Hi and welcome. smile.gif

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or GMER log please refer to this page and in step #6 and Step #7 and Step #8 for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 melobster

melobster
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 02 June 2010 - 07:27 PM

Thank you very much in advance for all your help!
I am still showing the virus when I run MS Security Essentials but it doesn't show up in Malwarbytes. I still find I receive hijacks on internet.

I have attached a new attach.txt but my dds still won't let me past the whole think unless I remove the section. I get a page can not be displayed when I try to post my reply. Is there another way I can get this to you? I've tried attaching it instead of pasting but still same problem.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Home User at 20:11:58.25 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.247 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\7L11WOVS\dds[1].scr

============== Pseudo HJT Report ===============
I had to remove in order to post

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-2-28 54752]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2010-2-27 200192]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-06-01 00:24:00 0 ----a-w- c:\documents and settings\home user\defogger_reenable
2010-05-31 13:13:42 0 d-----w- c:\docume~1\homeus~1\applic~1\Malwarebytes
2010-05-31 13:13:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 13:13:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-31 13:13:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-31 13:13:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 02:24:55 8832 ----a-w- C:\rasacd.sys
2010-05-04 23:31:14 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-05-04 23:31:14 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-20 18:17:02 0 ----a-w- c:\docume~1\homeus~1\applic~1\wklnhst.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-28 22:01:49 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-02-28 22:01:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010022820100301\index.dat

============= FINISH: 20:13:25.35 ===============

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 PM

Posted 02 June 2010 - 07:56 PM

Hello.

Open to the Submission Channel see if you can upload it there and send it to me.

Let me know how it goes. At any time if you can't post it, attach it here.

From the previous logs I saw a TDL3 infection which we will deal. We'll start off with Combofix,

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 melobster

melobster
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 02 June 2010 - 08:58 PM

EB, It won't let me submit the attachment there either. I even tried to change the file name. Have you ever seen it do this before?

Do you want me to the Combofix now?

Vicki

#6 melobster

melobster
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 02 June 2010 - 09:45 PM

EB, I just converted the DDS into a zip file and posted in the submission channel. LEt me know if you don't find it.

Vicki

#7 melobster

melobster
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 02 June 2010 - 10:25 PM

ComboFix 10-06-02.02 - Home User 06/02/2010 23:08:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.617 [GMT -4:00]
Running from: c:\documents and settings\Home User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-03 02:37 . 2010-06-03 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-06-03 02:33 . 2010-06-03 02:33 14497096 ----a-w- c:\program files\winzip145.exe
2010-05-31 13:13 . 2010-05-31 13:13 -------- d-----w- c:\documents and settings\Home User\Application Data\Malwarebytes
2010-05-31 13:13 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 13:13 . 2010-05-31 13:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-31 13:13 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-31 13:13 . 2010-05-31 13:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 02:24 . 2004-08-04 12:00 8832 ----a-w- C:\rasacd.sys
2010-05-28 02:25 . 2010-05-28 02:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-26 23:40 . 2010-05-04 00:20 154376 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\DXVAProbe.dll
2010-05-26 23:40 . 2010-05-04 00:20 887560 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\curllib.dll
2010-05-26 23:40 . 2010-05-04 00:19 2057992 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\SlingPlayerAX.dll
2010-05-26 23:40 . 2010-05-04 00:20 181000 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\CabinetUtils.dll
2010-05-26 23:40 . 2010-05-04 00:20 297736 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\RCDownloader.dll
2010-05-26 23:40 . 2010-05-04 00:20 306952 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\WBSPIESetup.exe
2010-05-26 23:40 . 2010-05-04 00:20 587016 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\SPRemote.dll
2010-05-26 23:40 . 2010-05-04 00:20 79112 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\zlib1.dll
2010-05-26 23:40 . 2010-05-04 00:20 2014984 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\SBIL2.dll
2010-05-26 23:40 . 2010-05-04 00:20 95624 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\SMST.dll
2010-05-26 23:40 . 2010-05-04 00:19 257800 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{43A4D92F-BA72-4C06-81C4-63F0B17A0FB1}\sling_socket_layer.dll
2010-05-26 23:21 . 2010-05-26 23:21 666112 ----a-w- c:\documents and settings\Home User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1004220-0-main.dll
2010-05-26 23:21 . 2010-05-26 23:21 319488 ----a-w- c:\documents and settings\Home User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2010-05-23 15:17 . 2010-05-23 15:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-05-23 12:02 . 2010-05-23 12:02 348160 ----a-w- c:\documents and settings\Home User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4d8b1a50-n\msvcr71.dll
2010-05-23 12:02 . 2010-05-23 12:02 503808 ----a-w- c:\documents and settings\Home User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4d8b1a50-n\msvcp71.dll
2010-05-23 12:02 . 2010-05-23 12:02 499712 ----a-w- c:\documents and settings\Home User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4d8b1a50-n\jmc.dll
2010-05-04 23:31 . 2008-04-14 04:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-05-04 23:31 . 2008-04-14 04:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 18:14 . 2010-02-28 22:08 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-09 18:42 . 2010-02-28 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-04-20 02:18 . 2010-03-24 22:29 -------- d-----w- c:\documents and settings\Home User\Application Data\Sling Media
2010-04-20 02:18 . 2010-03-24 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Sling Media
2010-04-10 01:29 . 2010-03-01 00:06 -------- d-----w- c:\documents and settings\Home User\Application Data\AdobeUM
2010-03-20 18:17 . 2010-03-20 18:17 0 ----a-w- c:\documents and settings\Home User\Application Data\wklnhst.dat
2010-03-13 01:08 . 2010-03-24 22:29 154376 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\DXVAProbe.dll
2010-03-13 01:08 . 2010-03-24 22:29 181000 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\CabinetUtils.dll
2010-03-13 01:08 . 2010-03-24 22:29 887560 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\curllib.dll
2010-03-13 01:08 . 2010-03-24 22:29 297736 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\RCDownloader.dll
2010-03-13 01:08 . 2010-03-24 22:29 306952 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\WBSPIESetup.exe
2010-03-13 01:08 . 2010-03-24 22:29 587016 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\SPRemote.dll
2010-03-13 01:07 . 2010-03-24 22:29 79112 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\zlib1.dll
2010-03-13 01:07 . 2010-03-24 22:29 2009352 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\SBIL2.dll
2010-03-13 01:07 . 2010-03-24 22:29 95624 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\SMST.dll
2010-03-13 01:07 . 2010-03-24 22:29 257800 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\sling_socket_layer.dll
2010-03-13 01:07 . 2010-03-24 22:29 1999624 ----a-w- c:\documents and settings\All Users\Application Data\Sling Media\WebSlingPlayer\{9B9DB604-0B49-43BD-99F2-E7761EB667DA}\SlingPlayerAX.dll
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-28 149280]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2005-06-14 106496]
"WINREMOTE"="c:\program files\InterVideo\Common\Bin\WinRemote.exe" [2005-06-14 233472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-6 494920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Security Essentials\\msseces.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Home User\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2/27/2010 7:39 PM 200192]
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\User_Feed_Synchronization-{0B488378-44BC-4B86-9E19-466A74BB228F}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/1.0.0.14/SlingHealth.cab
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/downloads/pc/1.4.0.88/WebSlingPlayer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?1?9?0??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-412668190-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-02 23:17:28
ComboFix-quarantined-files.txt 2010-06-03 03:17

Pre-Run: 67,221,807,104 bytes free
Post-Run: 67,627,544,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /sos

- - End Of File - - 89C90E66AE50EC5F9F6EE557EDA69C06


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 PM

Posted 03 June 2010 - 03:03 PM

Hello.

That's fine.

Looking a lot better, Combofix was able to successfully remove that.

Let's continue here. Please update your Malwarebytes software and run a quick scan with it. Post the log once done.

Then...

Please, run this scan for me to take another look for you.

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav

  7. Push
  8. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 melobster

melobster
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 04 June 2010 - 03:57 PM

Hi EB
I did Malwarebytes scan and it showed nothing but I did Microsoft Security Essentials and it showed the Alureon.H virus and it says it removed it and I don't see where I can copy/past a log from MS Security Essentials. I have also attached the two logs from the OTL you had me run. Here's to hoping its all ok!

here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4168

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/3/2010 9:05:26 PM
mbam-log-2010-06-03 (21-05-26).txt

Scan type: Quick scan
Objects scanned: 118534
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#10 melobster

melobster
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 05 June 2010 - 05:45 PM

EB, I did another MS Security Essentials quick scan today and it found this virus and it says it was removed. Seems every day it finds it and removes it.

Vicki

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 PM

Posted 05 June 2010 - 09:23 PM

Can you show me what is that, that MSE detects and removes? What it detected may just be what we already removed and is under quarantine. We'll see. ;)




Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 melobster

melobster
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 05 June 2010 - 10:04 PM

I can't seem to figure how to attach, copy/paste or paste a print screen of the MSE history. So I'm going to try writing what I see.

Spammer:Win32/EmailBomb.G Severe 6/5/2010 removed
Spammer:Win32/EmailBomb.h same as above
TrojanDownloader:JS/Renos same as above
Virus:Win32/Alureon.H same as above

The first two are new today.



I also ran Malwarebytes this evening and this is what was found: (I ran this twice and found a few more the second time and it says they were removed.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4171

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/5/2010 9:37:42 PM
mbam-log-2010-06-05 (21-37-42).txt

Scan type: Quick scan
Objects scanned: 127145
Time elapsed: 19 minute(s), 21 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 5
Files Infected: 43

Memory Processes Infected:
C:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe (Rogue.SysinternalsAntivirus) -> Unloaded process successfully.
C:\Program Files\svchost.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{149256d5-e103-4523-bb43-2cfb066839d6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{149256d5-e103-4523-bb43-2cfb066839d6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256d5-e103-4523-bb43-2cfb066839d6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Sysinternals Antivirus (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adbupd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\Program Files\alggui.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Home User\Start Menu\Programs\Sysinternals Antivirus (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Sysinternals Antivirus (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
C:\Sysinternals Antivirus (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\scdata (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images (Trojan.Dropper) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\adc_w32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\wpp.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home User\Local Settings\Temporary Internet Files\Content.IE5\3K7KYB10\PC_protect[1].exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LF7AEOMI\p1[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home User\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
C:\Sysinternals Antivirus\Sysinternals Antivirus.lnk (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\scdata\dbsinit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\wispex.html (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\pix.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\t1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\t2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\Thumbs.db (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\up1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\up2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w11.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w3.jpg (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\word.doc (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Home User\Desktop\Sysinternals Antivirus.LNK (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
C:\Sysinternals Antivirus.LNK (Rogue.SysinternalsAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\alggui.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\wp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\wp4.dat (Malware.Trace) -> Quarantined and deleted successfully.


#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 PM

Posted 06 June 2010 - 01:15 PM

It seems you got infected somehow, as those were not there previously.

Does MSE still detect anything besides what you mentioned previously? Next time, please post the file or entry that it detects and/or tries to remove.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black and message box window shall then disappear.
  • Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 melobster

melobster
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 06 June 2010 - 03:58 PM

I'm not sure what's going on. I'm still not able to use a search engine (yahoo, google, bing) and selecting a result and it hijacks and brings up an advertised pages.

Here is the DDS results:

Attached Files



#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:31 PM

Posted 06 June 2010 - 06:29 PM

Is this happening in FireFox, IE or both?

Can you run Combofix again, so I can see the log... You may have bee re-infected.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users