
Ransom Message


  • This topic is locked
30 replies to this topic

#1 amac210

amac210

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 10 December 2010 - 09:13 AM

Hi,
Hope you can help, a friend brought his "Advent Notebook" to me last night saying it would not
boot up.

Upon further investigation I can login to his user account but then get a black screen with the
following box, and cannot do anything else at all:-

"You have exceeded your internet usage
This computer will not operate unless
You pay $100 to restart PC.
If you try to restart PC all files
will be deleted.

Click box

Card details [box] Pay Now {Button}"

It is running Windows XP Home, and when I boot from a tools cd ( Hirens)
it still shows all the files are there.

Any suggestions please


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:12 AM

Posted 10 December 2010 - 12:05 PM

I will have someone pick this up as it requires particular attention.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 10 December 2010 - 12:23 PM

Hello amac210 ,

Can you please tell me if you get as far as where the desktop can load? We'll go from there. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#4 amac210

amac210
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 10 December 2010 - 12:49 PM

Hi tea,

I get past the login and get a desktop background but then nothing else. Before I found this forum
I just cleared out all temporary files and Windows prefetch and don't seem to get the ransom note
anymore, but not much else either.

I can do Ctrl+Alt+Del and get Taskmanager and get explorer etc from there also.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 10 December 2010 - 01:00 PM

Well then you're luckier than most. :thumbup2:

Rather than go through all the long process, what I want you to do is see if you can download ComboFix to a flash/USB and run it in Safe Mode on the infected computer.


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to amac.exe and try again.

Thanks,
tea

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:12 AM

Posted 10 December 2010 - 01:09 PM

Moved from AII to Virus, Trojan, Spyware, and Malware Removal Logs, where it will stay, to help prevent others from running the tools here on their own.

#7 amac210

amac210
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 11 December 2010 - 05:23 PM

Hi tea,

Ok, things not going too good now.

Would not recognise USB in safe mode, so dropped Combofix into folder
on hard drive in normal boot.
Then kept getting blue screen trying to get into safe mode again, eventually
got there, but Combofix will not run because AVG is installed, even though it
is disabled and all services terminated in Task manager.

I cannot uninstall AVG as I get a registry error saying access denied to a
registry entry.

Any further suggestions, or are we getting closer to a format and rebuild ?

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 11 December 2010 - 05:43 PM

or are we getting closer to a format and rebuild ?

These are EVIL words you speak!! :woot:

Run this instead :

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If it won't run in normal mode, then run it in safe mode. :thumbup2:

tea

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 11 December 2010 - 06:00 PM

Also, please get me a DDS log, if you can. I have an idea of what we're looking for, or at least where. So if either you can't run MBAM, or it doesn't take this thing out, we'll still have something to go by. :thumbup2:

Get DDS here: http://www.bleepingcomputer.com/download/anti-virus/dds

It's pretty simple, but you can get the spiel for it here: http://www.bleepingcomputer.com/forums/topic34773.html

tea

#10 amac210

amac210
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 12 December 2010 - 05:46 AM

My apologies for speaking EVIL words lol.

Ok here we go :-


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5298

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/12/2010 10:23:35
mbam-log-2010-12-12 (10-23-35).txt

Scan type: Quick scan
Objects scanned: 177160
Time elapsed: 10 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 26
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 12
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\$ntuninstallmtf197$\cbsxj.dll (Trojan.Agent.Gen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{279A55A5-62D0-4DF4-AF4D-2A707063E4FB} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfarygspr.adfarygspr.1.0 (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfarygspr.adfarygspr (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{279A55A5-62D0-4DF4-AF4D-2A707063E4FB} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{323964D5-F1D5-43BF-B565-103603035D2B} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{323964D5-F1D5-43BF-B565-103603035D2B} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumarygsgrm.brumarygsgrm.1.0 (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumarygsgrm.brumarygsgrm (Adware.AdRotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Value: bipro -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gchk (Trojan.Downloader) -> Value: gchk -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\networkservice\application data\sky-banners (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\sky-banners\skb (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\street-ads (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\street-ads\sta (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\program files\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\Ztepea.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\graham brooks\application data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\all users\documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\Fonts\Akf7Oe.com (Malware.Generic) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\$ntuninstallmtf197$\cbsxj.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver\Images\00197B60.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\WINDOWS\$ntuninstallmtf197$\mrbxl.dll (Adware.AdRotator) -> Quarantined and deleted successfully.



and now DDS :-


DDS (Ver_10-12-12.01) - NTFSx86
Run by graham brooks at 10:34:38.62 on 12/12/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.597 [GMT 0:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\AA\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thetechguys.com
mDefault_Page_URL = hxxp://www.thetechguys.com
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mWinlogon: Shell=c:\docume~1\graham~1\locals~1\temp\fenpcn.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof1.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli inauscz.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {23508A9B-2153-4462-B98E-BC3B1DEA088D} - c:\documents and settings\graham brooks\local settings\application data\{23508A9B-2153-4462-B98E-BC3B1DEA088D}
FF - HiddenExtension: XULRunner: {2DD68720-D593-4AE6-9C66-A5243963F4DD} - c:\documents and settings\graham brooks\local settings\application data\{2dd68720-d593-4ae6-9c66-a5243963f4dd}\
FF - HiddenExtension: XULRunner: {71DB096A-0267-4238-9867-502A7B6E84FA} - c:\documents and settings\graham brooks\local settings\application data\{71DB096A-0267-4238-9867-502A7B6E84FA}
FF - HiddenExtension: XULRunner: {035B2C4A-9723-46F4-8526-D501981FCD5E} - c:\documents and settings\graham brooks\local settings\application data\{035B2C4A-9723-46F4-8526-D501981FCD5E}
FF - HiddenExtension: XULRunner: {0A4257BF-89AE-404A-A0AD-13058D72FFCD} - c:\documents and settings\graham brooks\local settings\application data\{0a4257bf-89ae-404a-a0ad-13058d72ffcd}\
FF - HiddenExtension: XULRunner: {D91C7608-13AF-4E23-9860-C1ECA02E065D} - c:\documents and settings\graham brooks\local settings\application data\{D91C7608-13AF-4E23-9860-C1ECA02E065D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-13 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-13 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-13 243024]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-1 54752]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-5-30 159744]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-5-30 153600]
S2 AMService;AMService;c:\windows\temp\xltw\setup.exe run --> c:\windows\temp\xltw\setup.exe run [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-26 135664]
S3 CHORUS2;chorus2usb.sys USB Driver;c:\windows\system32\drivers\chorus2usb.sys [2010-3-18 18048]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S4 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S4 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-21 921952]
S4 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]

=============== Created Last 30 ================

2010-12-12 10:05:57 80386 ----a-w- c:\docume~1\alluse~1\applic~1\DrkFtDpE.exe
2010-12-12 09:58:00 -------- d-----w- c:\docume~1\graham~1.you\applic~1\Malwarebytes
2010-12-12 09:57:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 09:57:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-12 09:57:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-12 09:57:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-10 20:39:43 -------- d-----w- C:\AA
2010-11-19 22:24:45 -------- d-----w- c:\program files\iPod
2010-11-19 22:24:19 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8037GSX rev.DL250J -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D6F555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d757b0]; MOV EAX, [0x86d7582c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D81AB8]
3 CLASSPNP[0xF7583FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86CF0F18]
\Driver\atapi[0x86D55D10] -> IRP_MJ_CREATE -> 0x86D6F555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8037GSX_______________________DL250J__#5&2ef5f6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86D6F39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 10:36:35.32 ===============


over to you :-)
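A small parser for MBAM logs like the one just posted, added here as an example (it is not part of this thread and not Malwarebytes' own tooling). It turns each "target (threat) -> action" line into a record, counts threat families, lists anything still marked "Delete on reboot" (the reason the reboot step in tea's instructions must not be skipped), and picks out the autostart and policy entries that kept the lock screen and the Task Manager block in place. The sample lines are a subset copied from the log above; the regular expressions and the list of persistence locations are my own assumptions about the format, not something MBAM documents.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    section: str   # e.g. "Files Infected"
    target: str    # file path or registry key
    threat: str    # MBAM's classification, e.g. "Trojan.Agent.Gen"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


# Constructed sample: a subset of lines copied from the MBAM log posted above.
SAMPLE_MBAM_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\$ntuninstallmtf197$\cbsxj.dll (Trojan.Agent.Gen) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Value: bipro -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\Ztepea.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\$ntuninstallmtf197$\cbsxj.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""

# Section headers look like "Files Infected:"; items look like
# "<target> (<threat>) -> [<detail> -> ]<action>."  (assumed from the log's layout)
SECTION_RE = re.compile(r"^(.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Autostart / policy locations: the entries that brought the lock screen back
# on every logon and disabled Task Manager (assumed list, not MBAM's).
PERSISTENCE_MARKERS = ("\\currentversion\\run\\", "\\policies\\system\\", "\\windows\\tasks\\")


def parse_mbam_log(text: str) -> List[Detection]:
    """Turn the per-section item lines of an MBAM log into Detection records."""
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # The last "-> " segment is the action; earlier ones carry value/data details.
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            detections.append(Detection(section, m.group("target"), m.group("threat"), action))
    return detections


def threat_families(detections: List[Detection]) -> Dict[str, int]:
    """Count detections by the leading component of MBAM's name (Trojan, Adware, PUM, ...)."""
    return dict(Counter(d.threat.split(".")[0] for d in detections))


def pending_reboot(detections: List[Detection]) -> List[str]:
    """Targets MBAM could not remove while running; re-check these after the reboot."""
    return [d.target for d in detections if d.action == "Delete on reboot"]


def persistence_hits(detections: List[Detection]) -> List[Detection]:
    """Detections that sit in autostart or policy locations."""
    return [d for d in detections
            if any(marker in d.target.lower() for marker in PERSISTENCE_MARKERS)]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("families:", threat_families(found))
    print("pending reboot:", pending_reboot(found))
    for d in persistence_hits(found):
        print("persistence:", d.target, "->", d.threat)
```

Run against a full log, the "pending reboot" list is the set of paths to confirm gone after the restart; an entry that is still present afterwards is the signal that the removal did not take and a second tool (DDS and then ComboFix in this thread) is needed.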

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 12 December 2010 - 10:04 AM

Good Morning :)

Well, they're evil words to me.....they mean defeat! I'm not easily defeated. :wink:

How is it running now? See if you can run ComboFix in the normal way now. MBAM removed a boatload of nasty garbage, but I'm not convinced there isn't more.

And......are you messing around on me???? mDefault_Page_URL = hxxp://www.thetechguys.com :lol:

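What in the DDS log backs up the doubt that MBAM got everything, written up as a small triage script. This is an added example, not part of the thread and not DDS or GMER code: it applies the checks a helper makes by eye to the "Pseudo HJT Report", services and rootkit sections (Winlogon Shell not being explorer.exe, an extra LSA Notification Package, a service started from a temp folder or whose file DDS could not resolve, a BHO with no file behind it, and the embedded MBR scanner's rootkit warning). The sample lines are copied from the DDS log posted above plus one constructed clean Winlogon line; the severities, rule names and the list of suspect directories are my own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample input: lines copied from the DDS log posted earlier in
# this thread, plus one constructed clean Winlogon line for contrast.
SAMPLE_DDS = r"""
mWinlogon: Shell=c:\docume~1\graham~1\locals~1\temp\fenpcn.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
LSA: Notification Packages = scecli inauscz.dll
S2 AMService;AMService;c:\windows\temp\xltw\setup.exe run --> c:\windows\temp\xltw\setup.exe run [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-26 135664]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
Warning: possible TDL3 rootkit infection !
"""

CLEAN_WINLOGON = "mWinlogon: Shell=explorer.exe"

# Directories a service binary or the logon shell should never be loaded from
# (assumed heuristic, not a DDS rule).
SUSPECT_DIRS = re.compile(r"\\temp\\|\\locals~1\\|\\local settings\\", re.IGNORECASE)
# DDS service/driver lines: "<R|S><0-4> <name>;<display name>;<path> [<date> <size>]"
SERVICE_LINE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")

Finding = Tuple[str, str, str]  # (severity, rule, offending line)


def triage_line(line: str) -> List[Finding]:
    """Apply the checks to one DDS line; returns zero or more findings."""
    line = line.strip()
    low = line.lower()
    findings: List[Finding] = []
    if not line:
        return findings
    if low.startswith("mwinlogon: shell="):
        # Rule 1: Winlogon Shell should be explorer.exe. Anything else runs in
        # place of the desktop, which is how a lock screen takes over the logon.
        shell = line.split("=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            findings.append(("HIGH", "winlogon-shell-replaced", line))
    elif low.startswith("lsa: notification packages"):
        # Rule 2: LSA Notification Packages normally lists only scecli; an extra
        # DLL here is loaded into lsass at boot.
        extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
        if extra:
            findings.append(("HIGH", "lsa-notification-package-added:" + ",".join(extra), line))
    elif low.startswith("warning:") and "rootkit" in low:
        # Rule 3: the embedded MBR check printed a rootkit warning.
        findings.append(("HIGH", "mbr-rootkit-warning", line))
    elif line.startswith("BHO:") and line.endswith("- No File"):
        # Rule 4: BHO registered but its DLL is gone; a leftover worth cleaning.
        findings.append(("LOW", "orphaned-bho", line))
    else:
        m = SERVICE_LINE.match(line)
        if m:
            # Rule 5: service/driver whose binary lives in a temp or profile path,
            # or whose file DDS could not stat ("[?]").
            path = m.group("path")
            if SUSPECT_DIRS.search(path) or path.endswith("[?]"):
                findings.append(("HIGH", "service-from-suspect-path:" + m.group("name"), line))
    return findings


def triage(report: str) -> List[Finding]:
    """Run triage_line over a whole report and collect the findings."""
    findings: List[Finding] = []
    for line in report.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_DDS):
        print(f"[{severity}] {rule}: {line}")
```

The Winlogon and LSA lines are the ones that survive an MBAM quick scan untouched here, and the rootkit warning explains why the blue screens on the way into safe mode and the AVG uninstall failure are not a coincidence: a boot-level infection is still present and needs a tool that works below the running system.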
#12 amac210

amac210
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 12 December 2010 - 04:20 PM

Well I suppose it's good afternoon or evening there now,

No, not having a laugh, honest lol, it was where they got the PC from I think.

Ok not able to run it still because of AVG being installed, and not able to
boot into Safe mode now as getting blue screen error again. :-(

Still can't remove AVG because of same error in registry.

Edited by amac210, 12 December 2010 - 04:23 PM.


#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:12 AM

Posted 12 December 2010 - 04:25 PM

Try using the uninstaller here : http://www.avg.com/us-en/download-tools

Yes, late afternoon here in Texas. :)

#14 teacup61


Posted 12 December 2010 - 04:30 PM

If that doesn't work, then we'll get tough with it:

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

REGISTRY::
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayRSAlert]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinished]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanStarted]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEnd]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEndFail]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdStart]
[-HKEY_CURRENT_USER\AppEvents\Schemes\Apps\avgtray]
[-HKEY_CURRENT_USER\Software\Avg]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\.avgdx]
[-HKEY_CLASSES_ROOT\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A3E}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{41B21542-2055-4212-A6F2-395CD109B14B}]
[-HKEY_CLASSES_ROOT\CLSID\{6F59E522-4689-156E-316C-D5B48819DE95} ]
[-HKEY_CLASSES_ROOT\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
[-HKEY_CLASSES_ROOT\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
[-HKEY_CLASSES_ROOT\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}]
[-HKEY_CLASSES_ROOT\CLSID\{F1FE4608-7924-4908-8E12-81CFA206F00A}]
[-HKEY_CLASSES_ROOT\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\Installer\Features\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Features\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Features\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\Products\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Products\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Products\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\06DD9E4F7F3FF9C41BC2BD64A2CE18FE]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\38F747DBDC97B4E459142E21199F9D10]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter.1]
[-HKEY_CLASSES_ROOT\MicroScanner.MicroScanner]
[-HKEY_CLASSES_ROOT\piffile\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\linkscanner]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\VC]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0323CB96-221A-4042-84A3-93EDE47099FC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1A258E63-8DF5-4ADB-9832-38A0121D65EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlwaysUnloadDll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABED-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABEE-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}\{976BA62F-ABEF-40e0-8F7B-6DE4F6756F0B}]
[-HKEY_CLASSES_ROOT\CLSID\{9781B2D1-AF27-474F-A3A5-C0763FBDF3B7}]
[-HKEY_CLASSES_ROOT\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
[-HKEY_CLASSES_ROOT\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_CLASSES_ROOT\CLSID\{F2DDE6B2-9684-4A55-86D4-E255E237B77C}]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\avgsecuritytoolbar]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayWSAlert]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_CURRENT_USER\Software\AppDataLow\Avg]
[-HKEY_CURRENT_USER\Software\AVG Security Toolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG Security Toolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG9Uninstall]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\AvgEms]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayRSAlert]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanFinished]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayScanStarted]
[-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avgtrayWSAlert]
[-HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\avgtray]
[-HKEY_USERS\.DEFAULT\Software\AppDataLow\Avg]
[-HKEY_USERS\.DEFAULT\Software\Avg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"=-
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"=-
"avg@igeared"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
"AVG"=-

DRIVER::
Avg
AVGIDSAgent
AVGIDSDriver
AVGIDSEH
AVGIDSFilter
AVGIDSShim
Avgldx86
Avgmfx86
Avgrkx86
Avgtdix
avgwd
AVG Security Toolbar Service
avg9emc
avg9wd

FOLDER::
%SYSTEMDRIVE%\$AVG
%COMMONAPPDATA%\AVG10
%COMMONAPPDATA%\MFAData
%COMMONPROGRAMS%\AVG 2011
%APPDATA%\AVG10
%PROGRAMFILES%\AVG
%SYSTEM%\drivers\AVG
%COMMONAPPDATA%\AVG Security Toolbar
%COMMONAPPDATA%\avg9
%COMMONPrograms%\AVG Free 9.0

File::
%COMMONAPPDATA%\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat
%COMMONDESKTOP%\AVG 2011.lnk
%SYSTEM%\drivers\AVGIDSDriver.sys
%SYSTEM%\drivers\AVGIDSEH.sys
%SYSTEM%\drivers\AVGIDSFilter.sys
%SYSTEM%\drivers\AVGIDSShim.sys
%SYSTEM%\drivers\avgldx86.sys
%SYSTEM%\drivers\avgmfx86.sys
%SYSTEM%\drivers\avgrkx86.sys
%SYSTEM%\drivers\avgtdix.sys
%COMMONDesktop%\AVG Free 9.0.lnk
%PROGRAMFILES%\Mozilla Firefox\searchplugins\avg_igeared.xml
%SYSTEM%\avgrsstx.dll

SECCENTER::
AVG Anti-Virus Free


Save this as a text file named CFScript_AVG2011.txt

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

tea

Edited by teacup61, 12 December 2010 - 04:38 PM.

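One way to review a CFScript like the one above before it is dragged onto ComboFix.exe, as an added example that is not ComboFix's own code: the parser below reads the section syntax used in the post (REGISTRY:: with [-Key] and "Value"=- entries, DRIVER::, FOLDER::, File::, SECCENTER::) and lists every target that does not mention the product being removed, so those can be verified by hand. The script excerpt and the keyword list are constructed for the example.

```python
# Added example, not ComboFix's own code. Dry-run reader for a CFScript like
# the one in the post: it changes nothing on disk or in the registry, it only
# parses the script and reports what each section would remove, so the list
# can be checked before the file is dragged onto ComboFix.exe.
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # REGISTRY::, DRIVER::, File:: ...
DELETE_KEY_RE = re.compile(r"^\[-(.+?)\s*\]$")   # [-HKEY_...]  delete whole key
OPEN_KEY_RE = re.compile(r"^\[(.+?)\]$")         # [HKEY_...]   key for value lines
DELETE_VALUE_RE = re.compile(r'^"(.+?)"=-$')     # "Name"=-     delete one value
LIST_SECTIONS = ("driver", "folder", "file", "seccenter")

def parse_cfscript(text):
    """Group the script's lines by section; registry lines split into whole-key
    and (key, value name) deletions; unrecognised lines go to 'unparsed'."""
    parsed = {"registry_keys": [], "registry_values": [], "unparsed": []}
    parsed.update({s: [] for s in LIST_SECTIONS})
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section, current_key = m.group(1).lower(), None
        elif section == "registry":
            if (m := DELETE_KEY_RE.match(line)):   # tolerates "{...} ]" trailing space
                parsed["registry_keys"].append(m.group(1))
                current_key = None
            elif (m := OPEN_KEY_RE.match(line)):
                current_key = m.group(1)
            elif (m := DELETE_VALUE_RE.match(line)) and current_key:
                parsed["registry_values"].append((current_key, m.group(1)))
            else:
                parsed["unparsed"].append((section, line))
        elif section in LIST_SECTIONS:
            parsed[section].append(line)
        else:
            parsed["unparsed"].append((section, line))
    return parsed

def out_of_scope(parsed, keywords):
    """Targets that mention none of the product keywords. ComboFix removes
    whatever the script names, so these deserve a manual check first."""
    targets = (parsed["registry_keys"]
               + [f"{key}\\{name}" for key, name in parsed["registry_values"]]
               + [t for s in LIST_SECTIONS for t in parsed[s]])
    low = [k.lower() for k in keywords]
    return [t for t in targets if not any(k in t.lower() for k in low)]

# Constructed excerpt: a handful of lines from the script in the post.
SAMPLE = r"""
REGISTRY::
[-HKEY_CURRENT_USER\Software\Avg]
[-HKEY_CLASSES_ROOT\CLSID\{6F59E522-4689-156E-316C-D5B48819DE95} ]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\VC]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"=-
DRIVER::
Avgldx86
avg9wd
FOLDER::
%PROGRAMFILES%\AVG
%COMMONAPPDATA%\MFAData
File::
%SYSTEM%\drivers\avgtdix.sys
SECCENTER::
AVG Anti-Virus Free
"""

if __name__ == "__main__":
    result = parse_cfscript(SAMPLE)
    for name, entries in result.items():
        print(f"{name}: {len(entries)}")
    for target in out_of_scope(result, ["avg"]):
        print("verify by hand:", target)
```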

#15 amac210


Posted 13 December 2010 - 05:27 AM

Hi tea,
Eventually got there; I had to run that script in the end to get ComboFix to work.

Here is the log file:-

ComboFix 10-12-11.06 - graham brooks 13/12/2010 9:47.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.693 [GMT 0:00]
Running from: c:\aa\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\DrkFtDpE.exe
c:\documents and settings\graham brooks\Application Data\B8F363C2A0EEAD23869C91993EC43DC4
c:\documents and settings\graham brooks\Application Data\B8F363C2A0EEAD23869C91993EC43DC4\enemies-names.txt
c:\documents and settings\graham brooks\Application Data\B8F363C2A0EEAD23869C91993EC43DC4\local.ini
c:\program files\Malwarebytes' Anti-Malware\mbam.exe
c:\windows\Fonts\Akf7Oe.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PASSWORD
-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2004-12-01 to 2005-01-01 )))))))))))))))))))))))))))))))
.

2010-12-13 09:45 . 2010-12-13 09:46 -------- d-----r- C:\32788R22FWJFW
2010-12-10 20:39 . 2010-12-13 09:45 -------- d-----w- C:\AA
2010-05-15 15:41 . 2010-05-15 15:41 -------- d-----w- C:\$AVG
2010-01-11 12:17 . 2010-01-11 12:17 -------- d-----w- C:\Kontiki
2009-08-06 10:43 . 2009-08-06 10:44 -------- d-----w- C:\acb4def75ce978c4a38c713d52
2008-05-30 15:25 . 2008-05-30 15:25 -------- d-----w- C:\Intel
2008-05-30 15:18 . 2008-05-30 15:18 -------- d-----w- C:\My Advent Information
2008-05-30 15:18 . 2008-05-30 15:18 -------- d-----w- C:\Applications
2008-05-30 00:00 . 2010-07-02 23:06 -------- d---a-w- C:\boot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 14:31 . 2008-05-15 19:20 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-21 15:51 . 2008-05-15 19:07 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2008-04-14 12:00 . 2008-05-15 19:20 99840 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2008-04-14 12:00 . 2008-05-15 19:20 6656 ----a-w- c:\windows\pchealth\helpctr\binaries\HCAppRes.dll
2008-04-14 12:00 . 2008-05-15 19:20 35328 ----a-w- c:\windows\pchealth\helpctr\binaries\notiflag.exe
2008-04-14 12:00 . 2008-05-15 19:20 21504 ----a-w- c:\windows\pchealth\helpctr\binaries\brpinfo.dll
2008-04-14 12:00 . 2008-05-15 19:20 726078 ----a-w- c:\windows\srchasst\srchui.dll
2008-04-14 12:00 . 2008-05-15 19:20 58434 ----a-w- c:\windows\srchasst\srchctls.dll
2008-04-14 12:00 . 2008-05-15 19:20 3166208 ----a-w- c:\windows\srchasst\msgr3en.dll
2008-04-14 12:00 . 2008-05-15 19:20 769024 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
2008-04-14 12:00 . 2008-05-15 19:20 38400 ----a-w- c:\windows\pchealth\helpctr\binaries\pchsvc.dll
2008-04-14 12:00 . 2008-05-15 19:20 376832 ----a-w- c:\windows\pchealth\helpctr\binaries\msinfo.dll
2008-04-14 12:00 . 2008-05-15 19:20 18432 ----a-w- c:\windows\pchealth\helpctr\binaries\HscUpd.exe
2008-04-14 12:00 . 2008-05-15 19:20 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2008-04-14 12:00 . 2008-05-15 19:20 150528 ----a-w- c:\windows\pchealth\UploadLB\Binaries\UploadM.exe
2008-04-14 12:00 . 2008-05-15 19:20 102912 ----a-w- c:\windows\pchealth\helpctr\binaries\pchshell.dll
2008-04-14 12:00 . 2008-05-15 19:08 3374640 ----a-w- c:\windows\help\Tours\mmTour\tour.exe
2008-04-14 12:00 . 2008-05-15 19:08 33280 ----a-w- c:\windows\help\sstub.dll
2008-04-14 12:00 . 2008-05-15 19:08 279040 ----a-w- c:\windows\help\tshoot.dll
2008-04-14 12:00 . 2008-05-15 19:07 34816 ----a-w- c:\windows\help\sniffpol.dll
2008-04-14 12:00 . 2008-05-15 19:07 39424 ----a-w- c:\windows\apppatch\AcAdProc.dll
2008-04-14 12:00 . 2008-05-15 19:07 245248 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2008-04-14 12:00 . 2008-05-15 19:07 1852928 ----a-w- c:\windows\apppatch\AcGenral.dll
2008-04-14 12:00 . 2008-05-15 19:07 152576 ----a-w- c:\windows\help\bnts.dll
2008-04-14 12:00 . 2008-05-15 19:07 141312 ----a-w- c:\windows\apppatch\AcLua.dll
2008-04-14 12:00 . 2008-05-15 19:07 116224 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2008-04-14 12:00 . 2001-08-17 22:37 77891 ----a-w- c:\windows\system32\usrmlnka.exe
2008-04-14 12:00 . 2001-08-17 22:37 69700 ----a-w- c:\windows\system32\usrshuta.exe
2008-04-14 12:00 . 2001-08-17 22:37 61508 ----a-w- c:\windows\system32\usrprbda.exe
2008-04-14 12:00 . 2001-08-17 22:36 55296 ----a-w- c:\windows\system32\dvdplay.exe
2008-04-14 12:00 . 2001-08-17 22:36 3200 ----a-w- c:\windows\system32\wowfax.dll
2008-04-14 12:00 . 2001-08-17 22:36 13824 ----a-w- c:\windows\system32\wowfaxui.dll
2008-04-14 12:00 . 2001-08-17 22:36 86073 ----a-w- c:\windows\system32\usrfaxa.dll
2008-04-14 12:00 . 2001-08-17 22:36 77890 ----a-w- c:\windows\system32\usrdpa.dll
2008-04-14 12:00 . 2001-08-17 22:36 77883 ----a-w- c:\windows\system32\usrrtosa.dll
2008-04-14 12:00 . 2001-08-17 22:36 69699 ----a-w- c:\windows\system32\usrcoina.dll
2008-04-14 12:00 . 2001-08-17 22:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
2008-04-14 12:00 . 2001-08-17 22:36 53305 ----a-w- c:\windows\system32\usrlbva.dll
2008-04-14 12:00 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrvpa.dll
2008-04-14 12:00 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrsdpia.dll
2008-04-14 12:00 . 2001-08-17 22:36 49209 ----a-w- c:\windows\system32\usrv80a.dll
2008-04-14 12:00 . 2001-08-17 22:36 45116 ----a-w- c:\windows\system32\usrvoica.dll
2008-04-14 12:00 . 2001-08-17 22:36 41019 ----a-w- c:\windows\system32\usrsvpia.dll
2008-04-14 12:00 . 2001-08-17 22:36 323641 ----a-w- c:\windows\system32\usrdtea.dll
2008-04-14 12:00 . 2001-08-17 22:36 102457 ----a-w- c:\windows\system32\usrv42a.dll
2008-04-14 12:00 . 2001-08-17 22:36 8192 ----a-w- c:\windows\system32\streamci.dll
2008-04-14 12:00 . 2001-08-17 22:36 72192 ----a-w- c:\windows\system32\sprio800.dll
2008-04-14 12:00 . 2001-08-17 22:36 70656 ----a-w- c:\windows\system32\sprio600.dll
2008-04-14 12:00 . 2001-08-17 22:36 69632 ----a-w- c:\windows\system32\spnike.dll
2008-04-14 12:00 . 2001-08-17 22:36 157696 ----a-w- c:\windows\system32\paqsp.dll
2008-04-14 12:00 . 2001-08-17 22:36 147968 ----a-w- c:\windows\system32\mdwmdmsp.dll
2008-04-14 12:00 . 2001-08-17 14:06 21376 ----a-w- c:\windows\system32\drivers\tsbvcap.sys
2008-04-14 12:00 . 2001-08-17 14:03 4736 ----a-w- c:\windows\system32\drivers\usbd.sys
2008-04-14 12:00 . 2001-08-17 14:02 262528 ----a-w- c:\windows\system32\drivers\cinemst2.sys
2008-04-14 12:00 . 2001-08-17 14:02 58112 ----a-w- c:\windows\system32\drivers\vdmindvd.sys
2008-04-14 12:00 . 2001-08-17 14:01 51712 ----a-w- c:\windows\system32\drivers\tosdvd.sys
2008-04-14 12:00 . 2001-08-17 13:57 3456 ----a-w- c:\windows\system32\drivers\oprghdlr.sys
2008-04-14 12:00 . 2001-08-17 13:57 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2008-04-14 12:00 . 2001-08-17 13:57 12160 ----a-w- c:\windows\system32\drivers\fsvga.sys
2008-04-14 12:00 . 2001-08-17 13:52 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2008-04-14 12:00 . 2001-08-17 13:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2008-04-14 12:00 . 2001-08-17 13:52 13952 ----a-w- c:\windows\system32\drivers\cbidf2k.sys
2008-04-14 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\riodrv.sys
2008-04-14 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\rio8drv.sys
2008-04-14 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\nikedrv.sys
2008-04-14 12:00 . 2001-08-17 13:24 11776 ----a-w- c:\windows\system32\drivers\cpqdap01.sys
.
<pre>
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-08-20 14:27 2734688 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-08-20 2734688]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [27/02/2010 16:18 390528]
R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [03/10/2010 22:54 34792]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [30/05/2008 15:31 159744]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [30/05/2008 15:43 153600]
S2 AMService;AMService;c:\windows\TEMP\xltw\setup.exe run --> c:\windows\TEMP\xltw\setup.exe run [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/12/2009 10:48 135664]
S3 CHORUS2;chorus2usb.sys USB Driver;c:\windows\system32\drivers\chorus2usb.sys [18/03/2010 11:52 18048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-12-10 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-01-23 14:03]

2005-01-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-14 13:45]

2005-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 10:47]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 10:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thetechguys.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
FF - ProfilePath -
FF - HiddenExt: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExt: XULRunner: {23508A9B-2153-4462-B98E-BC3B1DEA088D} - c:\documents and settings\graham brooks\Local Settings\Application Data\{23508A9B-2153-4462-B98E-BC3B1DEA088D}
FF - HiddenExt: XULRunner: {2DD68720-D593-4AE6-9C66-A5243963F4DD} - c:\documents and settings\graham brooks\Local Settings\Application Data\{2DD68720-D593-4AE6-9C66-A5243963F4DD}\
FF - HiddenExt: XULRunner: {71DB096A-0267-4238-9867-502A7B6E84FA} - c:\documents and settings\graham brooks\Local Settings\Application Data\{71DB096A-0267-4238-9867-502A7B6E84FA}
FF - HiddenExt: XULRunner: {035B2C4A-9723-46F4-8526-D501981FCD5E} - c:\documents and settings\graham brooks\Local Settings\Application Data\{035B2C4A-9723-46F4-8526-D501981FCD5E}
FF - HiddenExt: XULRunner: {0A4257BF-89AE-404A-A0AD-13058D72FFCD} - c:\documents and settings\graham brooks\Local Settings\Application Data\{0A4257BF-89AE-404A-A0AD-13058D72FFCD}\
FF - HiddenExt: XULRunner: {D91C7608-13AF-4E23-9860-C1ECA02E065D} - c:\documents and settings\graham brooks\Local Settings\Application Data\{D91C7608-13AF-4E23-9860-C1ECA02E065D}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2005-01-01 00:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8037GSX rev.DL250J -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D14555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d1a7b0]; MOV EAX, [0x86d1a82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D63AB8]
3 CLASSPNP[0xF7593FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86CF3708]
\Driver\atapi[0x86D62270] -> IRP_MJ_CREATE -> 0x86D14555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8037GSX_______________________DL250J__#5&2ef5f6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86D1439B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7020)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2005-01-01 00:07:59 - machine was rebooted
ComboFix-quarantined-files.txt 2005-01-01 00:07

Pre-Run: 50,471,608,320 bytes free
Post-Run: 50,903,433,216 bytes free

- - End Of File - - F1C32CD054DB494A97862684F6D3196D


I now appear to have a desktop back and most functionality, however I will
await your final verdict before doing anything else.



